Commit messages

PAM: T5577: Backported PAM settings from circinus

Why: Smoketests fail as they cannot establish an IPv6 connection to the uvicorn
backend server.
https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests.
While debugging those failing tests, it was uncovered that uvicorn only listens on
IPv4 connections:
vyos@vyos# netstat -tulnp | grep 8080
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
As the CLI already has an option to move the API communication from an IP to a
UNIX domain socket, the best idea is to make this the default way of
communication, as we never directly talk to the API server but rather use the
NGINX reverse proxy.
(cherry picked from commit f5e43b1361fb59a9c260739bdb28729d5119507c)

In the CLI we can choose the authentication logic:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must
be stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`,
authentication continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.

Example:
set interfaces ethernet eth0 dhcp-options user-class VyOS
or
set interfaces ethernet eth0 dhcp-options user-class 56:79:4f:53
(cherry picked from commit 260645d0c6ff078cc89601f3a586195902f9c18e)

The string data type specifies either an NVT ASCII string enclosed in double
quotes, or a series of octets specified in hexadecimal, separated by colons.
For example:
set interfaces ethernet eth0 dhcp-options client-id CLIENT-FOO
or
set interfaces ethernet eth0 dhcp-options client-id 43:4c:49:45:54:2d:46:4f:4f
Until now, no input validation was performed.
(cherry picked from commit bed1cd01904ef89b5d31bd47de0f230214900f16)

T4072: firewall: backport bridge firewall to sagitta

(cherry picked from commit 019723aaa4217403f1fcbcd636f573ea403f909c)

(cherry picked from commit 64b4cfc71d402222fd6b034336b3588b5986ba24)

(cherry picked from commit 403d2ffd6e46cb082b1d16ddf515e1784bee968c)
# Conflicts:
# data/templates/frr/pim6d.frr.j2
# interface-definitions/protocols-pim6.xml.in
# smoketest/scripts/cli/test_protocols_pim6.py
# src/conf_mode/protocols_pim6.py

(cherry picked from commit dd13213ae94f071bc30cc17f5fabef02fbf95939)

IGMP and PIM are two different but related things.
FRR has both combined in pimd. As we use get_config_dict() and FRR reload, it
is better to have both centrally stored under the same CLI node (as FRR does,
too) to just "fire and forget" the commit to the daemon.
"set protocols igmp interface eth1" -> "set protocols pim interface eth1 igmp"
(cherry picked from commit bc83fb097719f5c4c803808572f690fbc367b9e5)

(cherry picked from commit c5e2c25f8968c0f06a9e4e992decc46a4f690868)

xml: T5738: add source-address-ipv4-ipv6-multi building block (backport #2479)

(cherry picked from commit dccca4307339d13e5c3ae78058194baf2fd04002)

parsing, and migration to valueless node for log and state matchers

(cherry picked from commit 1d67620e656766731ad6825fd8961140eb50d8a7)

T4726: Remove accel-ppp RADIUS vendor validators (backport #2423)

Add `max-starting` option:
[common]
max-starting=N
Specifies the maximum number of concurrent session attempts which the server may process
set service pppoe-server max-concurrent-sessions '30'
Useful to prevent high CPU utilization and compat execution
scripts per time.
(cherry picked from commit 47645f9d0243ce48a473ab7f8cdbd22c19f69f28)

The vendor name could contain uppercase or lowercase symbols and does
not rely on the dictionary name but on the dictionary value:
/ # cat /usr/share/freeradius/dictionary.cisco | grep -i vendor
VENDOR Cisco 9
Another example:
VENDOR Alcatel-IPD 6527
This way, if we use `vendor=cisco` instead of `vendor=Cisco`, it
will not work at all.
Delete vendor validators.
(cherry picked from commit bbc7cabc6be0d5f8629724e9b0025e425168e1a8)

firewall, nat and nat66.
(cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)

This enables log capabilities for default-action in base chains.

If an ethernet interface is a bond member:
1. Allow for changing only specific parameters which are specified
in the EthernetIf.get_bond_member_allowed_options function.
2. Added inheritable parameters from the bond interface to the ethernet
interface which are specified
in BondIf.get_inherit_bond_options.
Users can change inheritable options under the ethernet interface,
but on commit they will be copied from the bond interface.
3. Changing all other parameters is denied.
Added a migration script. It deletes all denied parameters under the
ethernet interface if it is a bond member.
(cherry picked from commit aa0282ceb379df1ab3cc93e4bd019134d37f0d89)

Currently the VyOS VXLAN implementation uses the Linux-assigned port 8472, which
predates the IANA assignment. As most other vendors use the IANA-assigned port,
follow this guideline and use the new default port 4789.
Existing configurations not defining an explicit port number will be migrated
to the old default port number of 8472, keeping existing configurations working!
(cherry picked from commit 6db8d3ded19f652b99231be0d705d76b598ac72a)
# Conflicts:
# interface-definitions/include/version/interfaces-version.xml.i

(cherry picked from commit e7cdf855ddce7dfe45af8b4b75eeee9de09f2451)

(cherry picked from commit 4c4c2b1f8a58398798f20c252bde80461320d330)

Migrate policy local-route <destination|source> to node address
Replace 'policy local-route{v6} rule <tag> destination|source <x.x.x.x>'
=> 'policy local-route{v6} rule <tag> destination|source address <x.x.x.x>'
(cherry picked from commit 9f7a5f79200782f7849cab72f55a39dedf45f214)

T5165: Add option protocol for policy local-route (backport #2313)

(cherry picked from commit 81dee963a9ca3224ddbd54767a36efae5851a001)

Add option `protocol` for policy local-route
set policy local-route rule 100 destination '192.0.2.12'
set policy local-route rule 100 protocol 'tcp'
set policy local-route rule 100 set table '100'
(cherry picked from commit 96b8b38a3c17aa08fa964eef9141cf89f1c1d442)

bgp: T5596: add new features from FRR 9 (backport #2284)

* Add BGP Software Version capability (draft-abraitis-bgp-version-capability)
set protocols bgp neighbor 192.0.2.1 capability software-version
* Add BGP neighbor path-attribute treat-as-withdraw command
set protocols bgp neighbor 192.0.2.1 path-attribute treat-as-withdraw
(cherry picked from commit d285355716708a46767c18661976906812da8a3c)

* Add support for IS-IS advertise-high-metrics
set protocols isis advertise-high-metrics
* Add support for IS-IS advertise-passive-only
set protocols isis advertise-passive-only
(cherry picked from commit f7d35c15256ea74ab32c9b978a5c6fdbd659a7a0)

Add the ability to use the option all for remove-private-as.
Remove private ASNs in outbound updates.
all - Apply to all AS numbers
set protocols bgp neighbor <tag> address-family ipv4-unicast remove-private-as all
(cherry picked from commit d72024b11e127cc11931cfaee4d07944dceb1ea9)

wifi: T5491: allow white-/blacklisting station MAC addresses for security

T5450: allow inverted matcher for interface and interface-group

firewall cli

T5447: Initial support for MACsec static keys

Station MAC address-based authentication means:
* 'allow': accept all clients except the ones on the deny list
* 'deny': accept only clients listed on the accept list
New CLI commands:
* set interfaces wireless wlan0 security station-address mode <accept|deny>
* set interfaces wireless wlan0 security station-address accept mac <mac>
* set interfaces wireless wlan0 security station-address deny mac <mac>

This fixes a CLI typo added in commit 77ef9f800 ("T5466: L3VPN label allocation
mode").

wireguard: T5409: Added 'set interfaces wireguard wgX threaded'

Using threaded as a CLI node is a very deep term used by kernel threads. To make
this more understandable to users, rename the node to per-client-thread.
It's also not necessary to test if any one peer is configured and probe if
the option is set. There is a base test which requires at least one peer
to be configured.