summaryrefslogtreecommitdiff
path: root/interface-definitions/include
AgeCommit message (Collapse)Author
2024-02-01Merge pull request #2756 from nicolas-fort/T4839Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration
2024-02-01Merge pull request #2860 from indrajitr/ddclient-update-20240119Christian Breunig
ddclient: T5966: Adjust dynamic dns config address subpath
2024-02-01Merge pull request #2914 from aapostoliuk/T5930-circinusChristian Breunig
bgp: T5930: Denied using rt vpn 'export/import' with 'both' together
2024-02-01bgp: T5930: Denied using rt vpn 'export/import' with 'both' togetheraapostoliuk
Denied using command 'route-target vpn export/import' with 'both' together in bgp configuration.
2024-02-01Merge pull request #2887 from nicolas-fort/T5977Christian Breunig
T5977: firewall: remove ipsec options in output chain rule definition…
2024-01-30reverse-proxy: T5999: Allow root for exact match in backend rule URLcleopold73
2024-01-29T5971: Rewritten ppp options in accel-ppp servicesaapostoliuk
Rewritten 'ppp-options' to the same view in all accel-ppp services. Adding IPv6 support to PPTP.
2024-01-25T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet.
2024-01-24dhcp: T3316: Change help text on `listen-interface` to be genericsarthurdev
2024-01-23T5977: firewall: remove ipsec options in output chain rule definitions, ↵Nicolas Fort
since it's not supported.
2024-01-23bfd: T5967: add minimum-ttl optionChristian Breunig
* set protocols bfd peer <x.x.x.x> minimum-ttl <1-254> * set protocols bfd profile <name> minimum-ttl <1-254>
2024-01-21ddclient: T5966: Migration script for dynamic dns config subpath changeIndrajit Raychaudhuri
2024-01-21Merge pull request #2852 from sever-sever/T5958Viacheslav Hletenko
T5958: QoS add basic implementation of policy shaper-hfsc
2024-01-18T5779: conntrack: bump version numberChristian Breunig
2024-01-18T5958: QoS add basic implementation of policy shaper-hfscViacheslav Hletenko
QoS policy shaper-hfsc was not implemented after rewriting the traffic-policy to qos policy. We had CLI but it does not use the correct class. Add a basic implementation of policy shaper-hfsc. Write the class `TrafficShaperHFS`
2024-01-17Merge pull request #2832 from aapostoliuk/T5865-circinusChristian Breunig
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp
2024-01-16T4658: Renamed DPD action value from 'hold' to 'trap'aapostoliuk
Renamed DPD action value from 'hold' to 'trap'
2024-01-16T5865: Moved ipv6 pools to named ipv6 pools in accel-pppaapostoliuk
Moved ipv6 pools to named ipv6 pools in accel-ppp services
2024-01-14bgp: T591: add VPN nexthop support per address-familyChristian Breunig
set protocols bgp address-family ipv4-unicast nexthop vpn export <ipv4-address|ipv6-address> set protocols bgp address-family ipv6-unicast nexthop vpn export <ipv4-address|ipv6-address>
2024-01-14bgp: T591: add SRv6 per address-family SID supportChristian Breunig
set protocols bgp address-family ipv4-unicast sid vpn export <auto|1-1048575> set protocols bgp address-family ipv6-unicast sid vpn export <auto|1-1048575>
2024-01-13dhcpv6: T3316: Move options to separate node and extend scopessarthurdev
* Also migrate `address-range` to `range` tag node for consistency with dhcpv4 server syntax
2024-01-11dhcp: dhcpv6: T3316: Add `subnet-id` so leases remain mapped to entries in ↵Simon
the lease file (#2796)
2024-01-10Merge pull request #2777 from aapostoliuk/T5688-multirangeChristian Breunig
T5688: Changed 'range' to multi in 'client-ip-pool' for accell-ppp
2024-01-10Merge pull request #2787 from c-po/bgp-5913Viacheslav Hletenko
bgp: T5913: allow peer-group support for ipv4|6-labeled-unicast SAFI
2024-01-10bgp: T5913: allow peer-group support for ipv4|6-labeled-unicast SAFIChristian Breunig
2024-01-10Merge pull request #2785 from sarthurdev/kea-optionsChristian Breunig
dhcp: T3316: T5787: T5912: Extend scope of DHCP options, bugfixes
2024-01-10dhcp: T3316: Fix `listen-address` handling and add `listen-interface` as ↵sarthurdev
supported by Kea
2024-01-10dhcp: T3316: Move options to separate node and extend scopessarthurdev
2024-01-09T5688: Changed 'range' to multi in 'client-ip-pool' for accell-pppaapostoliuk
Changed node 'range' to multi in 'client-ip-pool' for accell-ppp services. Added completionHelp to default-pool and next-pool. Fixed verification in vpn l2tp config script.
2024-01-09https: T5902: remove virtual-host configurationChristian Breunig
We have not seen the adoption of the https virtual-host CLI option. What it did? * Create multiple webservers each listening on a different IP/port (but in the same VRF) * All webservers shared one common document root * All webservers shared the same SSL certificates * All webservers could have had individual allow-client configurations * API could be enabled for a particular virtual-host but was always enabled on the default host This configuration tried to provide a full webserver via the CLI but VyOS is a router and the Webserver is there for an API or to serve files for a local-ui. Changes Remove support for virtual-hosts as it's an incomplete and thus mostly useless "thing". Migrate all allow-client statements to one top-level allow statement.
2024-01-06https: T5886: migrate https certbot to new "pki certificate" CLI treeChristian Breunig
2024-01-06pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates.
2024-01-03xml: T5738: add constraint building block with alphanumeric, hypen, ↵Christian Breunig
underscore and dot
2024-01-01configverify: T5880: raise exception if interfaces sourced form dynamic ↵Christian Breunig
interfaces Interfaces matching the following regex (ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+ can not be used as source-interface for e.g. a tunnel. The main reason is that these are dynamic interfaces which come and go from a kernel point of view, thus it's not possible to bind an interface to them.
2023-12-29system: T5877: Shorten system domain-search config pathIndrajit Raychaudhuri
Shorten and simplify `system domain-search` config path from: ``` set system domain-search domain <domain1> ``` to: ``` set system domain-search <domain1> ``` This will shorten the path and also make consistent with `domain-search` config in other places (like `dhcp-server`).
2023-12-28Merge pull request #2658 from aapostoliuk/T5801-circinusChristian Breunig
T5801: Rewritten L2TP to get_config_dict
2023-12-28Merge pull request #2650 from indrajitr/kea-reservation-fixChristian Breunig
dhcp: T3316: Support hostname, DUID and MAC address in reservation
2023-12-26firewall: T5834: Improve log message and simplify log-option includeIndrajit Raychaudhuri
`include/firewall/rule-log-options.xml.i` is now more aptly renamed to `include/firewall/log-options.xml.i`.
2023-12-26firewall: T5834: Remove vestigial include fileIndrajit Raychaudhuri
This file is a left over from previous refactoring and no longer referenced anywhere in the interface definitions.
2023-12-26firewall: T5834: Migration for 'enable-default-log' to 'default-log'Indrajit Raychaudhuri
2023-12-26firewall: T5834: Rename 'enable-default-log' to 'default-log'Indrajit Raychaudhuri
Rename chain level defaults log option from `enable-default-log` to `default-log` for consistency.
2023-12-25snmp: T5855: migrate "set service lldp snmp enable" to "set service lldp snmp"Christian Breunig
2023-12-21dhcp: T3316: Apply migration for valid hostname, and identifier (DUID)Indrajit Raychaudhuri
2023-12-21Merge pull request #2665 from c-po/ndp-proxyChristian Breunig
T2898: add ndp-proxy service
2023-12-21dhcp: T5846: Ensure DUID regex range is boundIndrajit Raychaudhuri
The DUID regex was missing a lower bound, which could cause it not to match when it should. We have to specify the lower bound explicitly as 0 to keep the regex behavior similar to that in Python (in Python, omitting the lower bound is equivalent to specifying 0).
2023-12-21dhcp: T5846: Fix include pathIndrajit Raychaudhuri
2023-12-21dhcp: T5846: Refactor and simplify DUID definitionIndrajit Raychaudhuri
Refactor DUID XML definition in conf-mode to be reusable. Additionally, remove explicit call to a separate validator `ipv6-duid` and inline the regex into the XML definition.
2023-12-20T2898: add ndp-proxy serviceChristian Breunig
VyOS CLI command set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static' Will generate the following NDP proxy configuration $ cat /run/ndppd/ndppd.conf # autogenerated by service_ndp-proxy.py # This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route route-ttl 30000 # This sets up a listener, that will listen for any Neighbor Solicitation # messages, and respond to them according to a set of rules proxy eth0 { # Turn on or off the router flag for Neighbor Advertisements router no # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds) timeout 500 # Control how long a valid or invalid entry remains in the cache (milliseconds) ttl 30000 # This is a rule that the target address is to match against. If no netmask # is provided, /128 is assumed. You may have several rule sections, and the # addresses may or may not overlap. rule 2001:db8::/64 { static } }
2023-12-20T5801: Rewritten L2TP to get_config_dictaapostoliuk
Rewritten L2TP to get_config_dict Rewritten L2TP xml to accel-ppp patterns Migrated 'idle' to 'ppp-options.lcp-echo-timeout' Migrated 'authentication.mppe' to 'ppp-options.mppe' Migrated 'authentication.radius.dae-server' to 'authentication.radius.dynamic-author' Migrated 'authentication.require' to 'authentication.protocol' Added 'authentication.radius.acct-interim-jitter' Added 'authentication.radius.preallocate-vif' Added 'authentication.radius.server.<IP>.acct-port' Added 'ppp-options.ipv4' Added smoke-tests Fixed 'preallocate-vif' in SSTP
2023-12-15firewall: T4502: add ofload to firewall table actionsGurliGebis