Age | Commit message (Collapse) | Author |
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
Migration and Change boolean nodes "enable/disable" to
disable-xxxx, enable-xxxx and just xxx for VPN IPsec
configurations
- IKE changes:
  - replace 'ipsec ike-group <tag> mobike disable'
    => 'ipsec ike-group <tag> disable-mobike'
  - replace 'ipsec ike-group <tag> ikev2-reauth yes|no'
    => 'ipsec ike-group <tag> ikev2-reauth'
- ESP changes:
  - replace 'ipsec esp-group <tag> compression enable'
    => 'ipsec esp-group <tag> compression'
- PEER changes:
  - replace: 'peer <tag> id xxx'
    => 'peer <tag> local-id xxx'
  - replace: 'peer <tag> force-encapsulation enable'
    => 'peer <tag> force-udp-encapsulation'
  - add option: 'peer <tag> remote-address x.x.x.x'
Add 'peer <name> remote-address <name>' via migration script
This will set the listen-host ocserv configuration option.
After T4669 added support for range validation to the OCaml validator there is
no need to keep the slow Python validator in place.
Replace all occurrences of <validator name="range" argument="--min=1 --max=65535"/>
with <validator name="numeric" argument="--range 1-65535"/>.
T3896(adjacent): Fix ocserv local user requirement, add groupconfig
Add new VyOS CLI command:
set protocols bgp parameters bestpath peer-type multipath-relax
This command specifies that BGP decision process should consider paths from all
peers for multipath computation. If this option is enabled, paths learned from
any of eBGP, iBGP, or confederation neighbors will be multipath if they are
otherwise considered equal cost. [1]
[1]: http://docs.frrouting.org/en/stable-8.3/bgp.html#clicmd-bgp-bestpath-peer-type-multipath-relax
* 'T4689' of https://github.com/jack9603301/vyos-1x:
rfs: T4689: Support RFS (Receive Flow Steering)
Kernel 5.15.y and newer only support an upper boundary of 255.
vyos@vyos:~$ sudo sysctl -w net.netfilter.nf_conntrack_tcp_max_retrans=255
net.netfilter.nf_conntrack_tcp_max_retrans = 255
vyos@vyos:~$ sudo sysctl -w net.netfilter.nf_conntrack_tcp_max_retrans=256
sysctl: setting key "net.netfilter.nf_conntrack_tcp_max_retrans": Invalid argument
Add Spain (es) and Japan (jp106) keymaps
set system option keyboard-layout es|jp106
firewall: zone-policy: T2199: T4605: Refactor firewall, migrate zone-policy
firewall node
* Refactor firewall and zone-policy rule creation and cleanup
* Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>`
* Remove `firewall-interface.py` conf script
This reverts commit 53355271a2864d844daca89a064c21e514e10adb.
The local-policy and local-policy6 nodes were missing their priority
property causing an ordering issue between the creation of dynamic
interfaces (like VLAN/Bonding) and referencing said interface in PBR
rules.
Add a priority value to order local-policy(6) to be after all interface
definitions.
firewall and in policy route
Matching criteria added: ttl/hoplimit and packet-length
* 'T4651' of https://github.com/nicolas-fort/vyos-1x:
Firewall: T4651: Change proposed cli from ip-length to packet-length
Firewall: T4651: Add options to match packet size on firewall rules.
This extends the implementation of commit 0cc7e0a49094 ("firewall: T4655: Fix
default action 'drop' for the firewall") in a way that we can now also use the
XML <defaultValue> node under "firewall name" and "firewall ipv6-name". This
is a much cleaner approach which also adds the default value automatically to
the CLIs completion helper ("?").
Fix wrong descriptions for the RPKI server
They mentioned the NTP server
nat66: T4631: Add port and protocol to nat66 conf
firewall: T4622: Add TCP MSS option
Ability to configure src/dst/translation port and protocol for
SNAT and DNAT IPv6
UPnP: T4211: T4620 Fix upnp template
From the miniupnpd doc:
IP/mask format must be nnn.nnn.nnn.nnn/nn
Comment out invalid option "anchor"
Address @sever-sever's suggestion to refactor how groupconfig is
defined, parsed, and set (with his proposed conditional string
appending Py-sugar). Use the disable-mobike refactor as template
for XML simplification.
Testing:
None yet
Ability to drop|accept packets based on TCP MSS size
set firewall name <tag> rule <tag> tcp mss '501-1460'
Enterprise RADIUS configurations often utilize group selectors for
authentication and attribute distribution for connecting clients.
Ocserv implements this functionality via the `select-group` config
file attribute, repeating for multiple groups. When a user selects
their membership group and the request is passed to the RADIUS
server, ocserv will match the returned Class attribute against the
value selected by the user. This functionality also works for local
group membership resolution, although VyOS currently doesn't have
group membership configuration for this.
Expose the tunnel-all-dns option in the ocserv config file allowing
users who deploy default routes to select split-dns and those who
do not to enable full DNS tunneling.
Testing:
Smoketests & build
Configured groups in openconnect profile and verified existence
in /run/ocserv/ocserv.conf
Configured forced dns tunneling and verified presence of setting
in /run/ocserv/ocserv.conf
From ocserv documentation:
```
If the groupconfig option is set, then config-per-user will be
overriden, and all configuration will be read from radius. That
also includes the Acct-Interim-Interval, and Session-Timeout
values.
```
Implement yes/no configuration and parameter handling during jinja
rendering.
Fix bug wherein openconnect-server configuration requires creation
of local user accounts even when RADIUS authentication is used.
Testing:
Set the groupconfig=yes param and observed change in generated
/run/ocserv/ocserv.conf.
Removed the local users via `delete vpn openconnect
authentication local-users` and observed commit & service operation
Ability to set static NAT (one-to-one) in one rule
set nat static rule 10 destination address '203.0.113.0/24'
set nat static rule 10 inbound-interface 'eth0'
set nat static rule 10 translation address '192.0.2.0/24'
It will be enough for PREROUTING and POSTROUTING rules
Use a separate table 'vyos_static_nat' as SRC/DST rules and
STATIC rules can have the same rule number
There is no check if 'listen' exists in the dictionary, fix it
Fix odd ValueHelp format
set vpn openconnect network-settings split-dns <domain>
Add l2tp authentication radius nas-ip-address option
which will be sent in NAS-IP-Address Radius attribute
and nat-rule.xml.i