summaryrefslogtreecommitdiff
path: root/interface-definitions
AgeCommit message (Collapse)Author
2024-02-01Merge pull request #2925 from vyos/mergify/bp/sagitta/pr-2897Christian Breunig
T5989 fix: Add ipv4-prefix as a valid option for UPnP ACLs. (backport #2897)
2024-02-01dns forwarding: T5687: add missing constraints on ecs-add-for CLI nodeChristian Breunig
Completion help suggests only IPv4 and IPv6 prefixes are supported, thus add a proper constraint enforcing this. (cherry picked from commit 049560725b93de49ec2d5a779e391e61d568ceb6)
2024-02-01dns forwarding: T5687: Implement ECS settings for PowerDNS recursorkhramshinr
Fix option descriptions (cherry picked from commit c4b6c156549ea03262793c78532c2456e8713b81)
2024-02-01dns forwarding: T5687: Implement ECS settings for PowerDNS recursorkhramshinr
(cherry picked from commit eb76729d63245e2e8f06f4d6d52d2fd4aab4fb1f)
2024-02-01upnp: T5989: add ipv4-prefix as a valid option for UPnP ACLsChris Buechler
(cherry picked from commit 0307801b8928bbaaa20caf5bd10b928bae459490)
2024-02-01T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet. (cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
2024-02-01Merge pull request #2916 from vyos/mergify/bp/sagitta/pr-2832Christian Breunig
T5865: Moved ipv6 pools to named ipv6 pools in accel-ppp (backport #2832)
2024-02-01T5865: Moved ipv6 pools to named ipv6 pools in accel-pppaapostoliuk
Moved ipv6 pools to named ipv6 pools in accel-ppp services (cherry picked from commit d187803c31175e471397dd4f77040ab56d2e1073)
2024-02-01bgp: T5930: Denied using rt vpn 'export/import' with 'both' togetheraapostoliuk
Denied using command 'route-target vpn export/import' with 'both' together in bgp configuration. (cherry picked from commit 32a13411f47beffcbe4b49a869c99cb42374d729)
2024-02-01T5977: firewall: remove ipsec options in output chain rule definitions, ↵Nicolas Fort
since it's not supported. (cherry picked from commit 9d490ecf616eb9d019beee37a3802705c4109d9d)
2024-01-31reverse-proxy: T5999: Allow root for exact match in backend rule URLcleopold73
(cherry picked from commit f2c6cb62521bf13a51225462e8d39ee184645de1)
2024-01-23T5979: add configurable kernel boot option 'disable-mitigations'Christian Breunig
(cherry picked from commit 256346a66cc3bb20e93c68245ebca2f68f42e7b5)
2024-01-23bfd: T5967: add minimum-ttl optionChristian Breunig
* set protocols bfd peer <x.x.x.x> minimum-ttl <1-254> * set protocols bfd profile <name> minimum-ttl <1-254> (cherry picked from commit 1f07dcbddfcfdbb9079936ec479c5633934dd547)
2024-01-22T5958: QoS add basic implementation of policy shaper-hfscViacheslav Hletenko
QoS policy shaper-hfsc was not implemented after rewriting the traffic-policy to qos policy. We had CLI but it does not use the correct class. Add a basic implementation of policy shaper-hfsc. Write the class `TrafficShaperHFS` (cherry picked from commit f6b6ee636e34f98d336ee53599666afd1f395d78)
2024-01-22sflow: T5968: add VRF supportChristian Breunig
Add support to run hsflowd in a dedicated (e.g. management) VRF. Command will be "set system sflow vrf <name>" like with any other service (cherry picked from commit 64473fa6f320375fb3d3de4de9e729f456ee5ae2)
2024-01-22Merge pull request #2856 from c-po/firewall-backportsChristian Breunig
firewall: T5729: T5681: T5217: backport subsystem from current branch
2024-01-22firewall: T5729: T5681: T5217: backport subsystem from current branchChristian Breunig
This is a combined backport for all accumulated changes done to the firewall subsystem on the current branch.
2024-01-21ntp: T5692: add support to configure leap second behaviorChristian Breunig
* set service ntp leap-second [ignore|smear|system|timezone] Where timezone is the new and old default resulting in adding "leapsectz right/UTC" to chrony.conf. The most prominent new option is "smear" which will add leapsecmode slew maxslewrate 1000 smoothtime 400 0.001 leaponly to chrony. See https://chrony-project.org/doc/4.3/chrony.conf.html leapsecmode for additional information (cherry picked from commit 7ae064bab0010dff8827a0ed5e1239d2778dc7c1)
2024-01-21dhcp: T3316: add deprecation warning on RAW ISC DHCPD optionsChristian Breunig
The following CLI nodes are deprecated and will be remove in VyOS 1.5 while moving to KEA as DHCP server. * set service dhcp-server global-parameters * set service dhcp-server shared-network-name <name> shared-network-parameters * set service dhcp-server shared-network-name <name> subnet <x.x.x.x/y> subnet-parameters Please open feature requests if any DHCP option is missing and should be added as a proper CLI node to make your life easier.
2024-01-18conntrack: T5376: T5779: backport from currentChristian Breunig
Backport of the conntrack system from current branch. (cherry picked from commit fd0bcaf12) (cherry picked from commit 5acf5aced) (cherry picked from commit 42ff4d8a7) (cherry picked from commit 24a1a7059)
2024-01-18xml: T5738: re-use source-address-ipv4-ipv6 building block for config-managementChristian Breunig
(cherry picked from commit 100c2393e8732d4faa108889575a25f2a0a397d4)
2024-01-18ndp-proxy: T5863: add missing priority to honor interface dependenciesChristian Breunig
(cherry picked from commit 40ed1e4f63878a33538370f8c980c2bb73a9fbc4)
2024-01-17T5953: Changed values of 'close-action' to Strongswan valuesaapostoliuk
Changed the value from 'hold' to 'trap' in the 'close-action' option in the IKE group. Changed the value from 'restart' to 'start' in the 'close-action' option in the IKE group. (cherry picked from commit 8870fabf1b4358618fca7db459515106653214b5)
2024-01-16T4658: Renamed DPD action value from 'hold' to 'trap'aapostoliuk
Renamed DPD action value from 'hold' to 'trap' (cherry picked from commit 9f4aee5778eefa0a17d4795430d50e4a046e88b0)
2024-01-14bgp: T591: add VPN nexthop support per address-familyChristian Breunig
set protocols bgp address-family ipv4-unicast nexthop vpn export <ipv4-address|ipv6-address> set protocols bgp address-family ipv6-unicast nexthop vpn export <ipv4-address|ipv6-address> (cherry picked from commit 7349927908206fa83a7295d643f56950309efb4f)
2024-01-14bgp: T591: add SRv6 per address-family SID supportChristian Breunig
set protocols bgp address-family ipv4-unicast sid vpn export <auto|1-1048575> set protocols bgp address-family ipv6-unicast sid vpn export <auto|1-1048575> (cherry picked from commit d7e248ba514108461ca9d5875c0be077c80ceca7)
2024-01-11Merge pull request #2789 from vyos/mergify/bp/sagitta/pr-2777Christian Breunig
T5688: Changed 'range' to multi in 'client-ip-pool' for accell-ppp (backport #2777)
2024-01-11Merge pull request #2793 from sarthurdev/T5550_sagittaChristian Breunig
interface: T5550: Interface source-validation priority over global value (backport)
2024-01-10T5688: Changed 'range' to multi in 'client-ip-pool' for accell-pppaapostoliuk
Changed node 'range' to multi in 'client-ip-pool' for accell-ppp services. Added completionHelp to default-pool and next-pool. Fixed verification in vpn l2tp config script. (cherry picked from commit 4ffec67d04670192d9b722353cbaef04cb0ba129)
2024-01-10bgp: T5913: allow peer-group support for ipv4|6-labeled-unicast SAFIChristian Breunig
(cherry picked from commit f1411240c6b11ec400ac0f66eb71982259204317)
2024-01-10Merge pull request #2783 from vyos/mergify/bp/sagitta/pr-2263Christian Breunig
T5530: isis: Adding loop free alternate feature (backport #2263)
2024-01-10T5530: isis: Adding loop free alternate featureCheeze_It
(cherry picked from commit 7a2b70bd73c8579a885348b93b8addfb20fb006c)
2024-01-10https: T5902: remove virtual-host configurationChristian Breunig
We have not seen the adoption of the https virtual-host CLI option. What it did? * Create multiple webservers each listening on a different IP/port (but in the same VRF) * All webservers shared one common document root * All webservers shared the same SSL certificates * All webservers could have had individual allow-client configurations * API could be enabled for a particular virtual-host but was always enabled on the default host This configuration tried to provide a full webserver via the CLI but VyOS is a router and the Webserver is there for an API or to serve files for a local-ui. Changes Remove support for virtual-hosts as it's an incomplete and thus mostly useless "thing". Migrate all allow-client statements to one top-level allow statement. (cherry picked from commit d0d3071e99eb65edb888c26ef2fdc9e038438887)
2024-01-08https: T5886: migrate https certbot to new "pki certificate" CLI treeChristian Breunig
(cherry picked from commit 9ab6665c80c30bf446d94620fc9d85b052d48072)
2024-01-08pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates. (cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a) # Conflicts: # debian/control
2024-01-08T5896: firewall: backport interface validator for firewall rules.Nicolas Fort
2024-01-06dns: T5900: add dont-throttle-netmasks and serve-stale-extensions powerdns ↵fvlaicu
features (cherry picked from commit 199ceb1f0a820c838dea6862371a3121b3d9f3a9)
2024-01-04xml: T5738: add constraint building block with alphanumeric, hypen, ↵Christian Breunig
underscore and dot (cherry picked from commit 82b4b2db8fda51df172210f470e5825b91e81de4)
2024-01-03Merge pull request #2719 from c-po/sagitta-backports-accel-pppChristian Breunig
Backports for Accel-PPP based serviced T5801, T5842 and T5688
2024-01-03Merge pull request #2732 from vyos/mergify/bp/sagitta/pr-2728Christian Breunig
T5880: verify_source_interface() should not allow dynamic interfaces like ppp, l2tp, ipoe or sstpc client interfaces (backport #2728)
2024-01-02T5474: remove "aws glb" XML definitions as feature is not available in VyOS 1.4Christian Breunig
Files got added by accident in commit c9eaafd9f ("T5474: establish common file name pattern for XML conf mode commands")
2024-01-02pki: T3642: add missing base64 constraint on PEM keysChristian Breunig
(cherry picked from commit 679be4c9742ffd5c317742c6c20a268a5e044f0c)
2024-01-02wireguard: T3642: use base64 validatorChristian Breunig
(cherry picked from commit a232b83601f4f8b2fe6964239a568acad3fa764a)
2024-01-01T5842: Rewritten PPTP to get_config_dictaapostoliuk
Rewritten PPTP to get_config_dict Fixed 'dynamic-author' commands. These commands did not create anything in accel-ppp config. (cherry picked from commit f39eb894d991d296a82c69d1ab783011b5d0ed2f)
2024-01-01T5801: Rewritten L2TP to get_config_dictaapostoliuk
Rewritten L2TP to get_config_dict Rewritten L2TP xml to accel-ppp patterns Migrated 'idle' to 'ppp-options.lcp-echo-timeout' Migrated 'authentication.mppe' to 'ppp-options.mppe' Migrated 'authentication.radius.dae-server' to 'authentication.radius.dynamic-author' Migrated 'authentication.require' to 'authentication.protocol' Added 'authentication.radius.acct-interim-jitter' Added 'authentication.radius.preallocate-vif' Added 'authentication.radius.server.<IP>.acct-port' Added 'ppp-options.ipv4' Added smoke-tests Fixed 'preallocate-vif' in SSTP (cherry picked from commit 09e0a2ca035ee39a68a510b28cc74560669d0420)
2024-01-01configverify: T5880: raise exception if interfaces sourced form dynamic ↵Christian Breunig
interfaces Interfaces matching the following regex (ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+ can not be used as source-interface for e.g. a tunnel. The main reason is that these are dynamic interfaces which come and go from a kernel point of view, thus it's not possible to bind an interface to them. (cherry picked from commit 5062f5d313548d6ebb9c07fee6b6d6be25b8f8f0)
2024-01-01T5474: establish common file name pattern for XML conf mode commandsChristian Breunig
We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in (cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465)
2023-12-31Merge pull request #2725 from vyos/mergify/bp/sagitta/pr-2651Daniil Baturin
firewall: T5834: Rename 'enable-default-log' to 'default-log' (backport #2651)
2023-12-30T5870: ipsec remote access VPN: add x509 ("pubkey") authentication.Lucas Christian
(cherry picked from commit 656934e85cee799dba5b495d143f6be445ac22d5)
2023-12-30firewall: T5834: Improve log message and simplify log-option includeIndrajit Raychaudhuri
`include/firewall/rule-log-options.xml.i` is now more aptly renamed to `include/firewall/log-options.xml.i`. (cherry picked from commit 53a48f499ae9bcc2f657136bb7779b38aad1c242)