Age | Commit message (Collapse) | Author |
|
Migrate "service ids ddos-protection threshold xxx" to
"service ids ddos-protection general threshold xxx"
Add new threshold types:
set service ids ddos-protection threshold tcp xxx
set service ids ddos-protection threshold udp xxx
set service ids ddos-protection threshold icmp xxx
|
|
|
|
This commit raises the minimum TCP MSS clamping range to the MSS value
corresponding to the minimum packet size that must be accepted for IPv4.
|
|
This extends commit 28573ffe4f ("xml: T4698: drop validator name="range" and
replace it with numeric"). The first version allowed both a range and discrete
numbers to be validated by the numeric validator.
This had a flaw as both 22 and 22-30 were valid at the same time. The generic
"port-number.xml.i" building block only allows a discrete number. Now if a user
set port 22-30 for e.g. SSH the daemon did no longer start. This is why range
validation must be explicitly enabled.
|
|
update-check: T3476: Allow update-check for VyOS images
|
|
|
|
T4699: Firewall: Add return action
|
|
|
|
In addition to the rewrite to make use of get_config_dict() the CLI is
slightly adjusted as specified in T4703.
* Rename vlan-id and vlan-range to simply vlan
* Rename network-mode to simply mode
* Re-use existing common Jinja2 template for Accel-PPP which are shared
with PPPoE and SSTP server.
* Retrieve default values via defaultValue XML node
|
|
T4699: Firewall: Add jump action in firewall ruleset
|
|
|
|
The initial Accel-PPP PPPoE implementation used:
set service pppoe-server interface <name> vlan-id <id>
set service pppoe-server interface <name> vlan-range <start-stop>
This is actually a duplicated CLI node.
|
|
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
|
|
|
|
Migration and Change boolean nodes "enable/disable" to
disable-xxxx, enable-xxxx and just xxx for VPN IPsec
configurations
- IKE changes:
- replace 'ipsec ike-group <tag> mobike disable'
=> 'ipsec ike-group <tag> disable-mobike'
- replace 'ipsec ike-group <tag> ikev2-reauth yes|no'
=> 'ipsec ike-group <tag> ikev2-reauth'
- ESP changes:
- replace 'ipsec esp-group <tag> compression enable'
=> 'ipsec esp-group <tag> compression'
- PEER changes:
- replace: 'peer <tag> id xxx'
=> 'peer <tag> local-id xxx'
- replace: 'peer <tag> force-encapsulation enable'
=> 'peer <tag> force-udp-encapsulation'
- add option: 'peer <tag> remote-address x.x.x.x'
Add 'peer <name> remote-address <name>' via migration script
|
|
After T4669 added support for range validation to the OCaml validator there is
no need to keep the slow Python validator in place.
Raplace all occurances of <validator name="range" argument="--min=1 --max=65535"/>
with <validator name="numeric" argument="--range 1-65535"/>.
|
|
Add new VyOS CLI command:
set protocols bgp parameters bestpath peer-type multipath-relax
This command specifies that BGP decision process should consider paths from all
peers for multipath computation. If this option is enabled, paths learned from
any of eBGP, iBGP, or confederation neighbors will be multipath if they are
otherwise considered equal cost. [1]
[1]: http://docs.frrouting.org/en/stable-8.3/bgp.html#clicmd-bgp-bestpath-peer-type-multipath-relax
|
|
firewall node
* Refactor firewall and zone-policy rule creation and cleanup
* Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>`
* Remove `firewall-interface.py` conf script
|
|
Ability to autocheck available new images
Parse remote URL JSON image-version.json file and compare version
VyOS with a local current version, if find diff sent wall
message that the new image is available
Also, add op-mode command to check images "show system image"
With option "auto-check" check will be once per 12 hours
set system update-check auto-check
set system update-check url 'http://example.com/image-version.json'
If new version is available shows it per login (MOTD)
|
|
firewall and in policy route
|
|
Matching criteria added: ttl/hoplimit and packet-length
|
|
|
|
|
|
|
|
* 'T4651' of https://github.com/nicolas-fort/vyos-1x:
Firewall: T4651: Change proposed cli from ip-length to packet-length
Firewall: T4651: Add options to match packet size on firewall rules.
|
|
|
|
|
|
This extends the implementation of commit 0cc7e0a49094 ("firewall: T4655: Fix
default action 'drop' for the firewall") in a way that we can now also use the
XML <defaultValue> node under "firewall name" and "firewall ipv6-name". This
is a much cleaner approach which also adds the default value automatically to
the CLIs completion helper ("?").
|
|
|
|
nat66: T4631: Add port and protocol to nat66 conf
|
|
Ability to configure src/dst/translation port and protocol for
SNAT and DNAT IPv6
|
|
Ability to drop|accept packets based on TCP MSS size
set firewall name <tag> rule <tag> tcp mss '501-1460'
|
|
Ability to set static NAT (one-to-one) in one rule
set nat static rule 10 destination address '203.0.113.0/24'
set nat static rule 10 inbound-interface 'eth0'
set nat static rule 10 translation address '192.0.2.0/24'
It will be enough for PREROUTING and POSTROUTING rules
Use a separate table 'vyos_static_nat' as SRC/DST rules and
STATIC rules can have the same rule number
|
|
Add l2tp authentication radius nas-ip-address option
which will be sent in NAS-IP-Address Radius attribute
|
|
and nat-rule.xml.i
|
|
* https://github.com/Cheeze-It/vyos-1x:
bgp: T4257: Changing BGP "local-as" to "system-as"
|
|
Ability to get MTU from DHCP-server and don't touch it per
any interface change if interface 'dhcp-options mtu' is
configured
|
|
bgp: T4257: Changing BGP "local-as" to "system-as"
This change is to change the global BGP name for the node "local-as" to "system-as"
This is needed so that there's less ambiguity with the local-as feature per neighbor.
bgp: T4257: Changing BGP "local-as" to "system-as"
bgp: T4257: Changing BGP "local-as" to "system-as"
This change is to change the global BGP name for the node "local-as" to "system-as"
This is needed so that there's less ambiguity with the local-as feature per neighbor.
|
|
lb-wan: T4518: Add XML for conf mode load-balancing wan
|
|
Directed broadcast is described in rfc1812#section-5.3.5.2 and rfc2644.
By default Linux kernel doesn't forward directed broadcast
packets unless both of `/proc/sys/net/ipv4/conf/all/bc_forwarding`
and `/proc/sys/net/ipv4/conf/$iface/bc_forwarding` are set to 1.
|
|
Add XML for configuration mode "load-balancing wan" for the future
rewriting this to Python
Remove node from Makefile as Python code is not yet completed
|
|
As we have specific configuration for each plugin:
set service monitoring telegraf xxx
- azure-data-explorer
- prometheus-client
- splunk
We should to move configuration that related to influxdb under
influxdb node
Replace:
set service monitoring telegraf
- authentication xxx
- bucket xxx
- port xxx
- url
To:
set service monitoring telegraf influxdb xxx
|
|
After discussion with @zsdc this was decided the better long term fix
* Removes hourly logrotate cron in favour of systemd timer override
|
|
firewall: T4299: Add ability to inverse match country-codes
|
|
|
|
|
|
openvpn: T4485: Accept multiple tls ca-certificate values
|
|
|
|
|
|
|