Age | Commit message (Collapse) | Author |
|
close-action parameter is missing in the swanctl.conf file
|
|
Also add ipv6-next-hop peer-address
|
|
It accepts network as the input value but the completion help is showing
ip address, continuation of previous commit
|
|
|
|
|
|
|
|
It should be possible to send the gathered data via a VRF bound interface to
the collector. This is somehow related to T3981 but it's the opposite side of
the netflow process.
set system flow-accounting vrf <name>
|
|
It accepts network as the input value but the completion help is showing
ip address
|
|
RADIUS authentication can be handled by a variety of mechanisms,
including proxy for 2FA systems requiring user interaction with a
separate device, token acquisition, or other time-consuming action.
Given the delays required for certain 2FA implementations, a thirty
second timeout can range from onerous to untenable. Accomodate the
2FA time requirements by extending the hard-coded RADIUS time limit
from 30 seconds to 240.
Co-authored-by: RageLtMan <rageltman [at] sempervictus>
|
|
After hardning the regex validator to be preceeded with ^ and ending with $
it was no longer possible to have a comma separated list as SSH ciphers. The
migrations cript is altered to migrate the previous comma separated list
to individual multi node entries - cipher and key-exchange always had been
multinodes - so this just re-arranges some values and does not break CLI
compatibility
|
|
|
|
|
|
Instead of hardcoding the default behavior inside the Jinaj2 template, all
defaults are required to be specified inside teh XML definition. This is
required to automatically render the appropriate CLI tab completion commands.
|
|
|
|
|
|
|
|
|
|
|
|
Since introducing the XML <defaultValue> node it was common, but redundant,
practice to also add a help string indicating which value would be used as
default if the node is unset.
This makes no sense b/c it's duplicated code/value/characters and prone to
error. The node.def scripts should be extended to automatically render the
appropriate default value into the CLI help string.
For e.g. SSH the current PoC renders:
$ cat templates-cfg/service/ssh/port/node.def
multi:
type: txt
help: Port for SSH service (default: 22)
val_help: u32:1-65535; Numeric IP port
...
Not all subsystems are already migrated to get_config_dict() and make use of
the defaults() call - those subsystems need to be migrated, first before the new
default is added to the CLI help.
|
|
ipsec: T1856: Ability to set SA life bytes and packets
|
|
ipsec: T3948: Add CLI site-to-site peer connection-type none
|
|
vpn_ipsec: T3656: modified completion help for key-exchange
|
|
In latest releases, default IKE version is removed, which allows the
connection to be IKEv1 or IKEv2.
The completion help shows IKEv1 as default so removed it.
|
|
|
|
VXLAN does support using multiple remotes but VyOS does not. Add the ability
to set multiple remotes and add their flood lists using "bridge" command.
|
|
set vpn ipsec site-to-site peer 192.0.2.14 connection-type none
|
|
|
|
set vpn ipsec esp-group grp-ESP life-bytes '100000'
set vpn ipsec esp-group grp-ESP life-packets '2000000'
|
|
* t4203-dhcp:
smoketest: dhcp: T4203: move testcase to base class
static: T4203: obey interface dhcp default route distance
interface: T4203: prevent DHCP client restart if not necessary
|
|
vpn: T4254: Add cisco_flexvpn and install_virtual_ip_on options
|
|
Commit 05aa22dc ("protocols: static: T3680: do not delete DHCP received routes")
added a bug whenever a static route is modified - the DHCP interface will
always end up with metric 210 - if there was a default route over a DHCP
interface.
|
|
Ability to attach host devices to the container
It can be disk, USB device or any device from the directory /dev
set container name alp01 device disk source '/dev/vdb1'
set container name alp01 device disk destination '/dev/mydisk'
|
|
Ability to set Cisco FlexVPN vendor ID payload:
charon.cisco_flexvpn
charon.install_virtual_ip_on
swanctl.connections.<conn>.vips = x.x.x.x, z.z.z.z
set vpn ipsec options flexvpn
set vpn ipsec options virtual-ip
set vpn ipsec options interface tunX
set vpn ipsec site-to-site peer x.x.x.x virtual-address x.x.x.x
|
|
Add the include files containing the syntaxVersion element defining the
version of the respective component; these files are included by the top
level file 'xml-component-versions.xml.in'. Processing of these elements
was previously added to the python xml lib in commit 40f5359d. This will
replace the use of 'curver_DATA' in vyatta-cfg-system and other legacy
packages.
|
|
|
|
|
|
firewall: T4209: Fix support for rule `recent` matches
|
|
|
|
There is spelling mistake in "advertisement" of hello-time option's
completion help
|
|
|
|
policy: T4219: add local-route(6) inbound-interface support
|
|
|
|
|
|
upnpd: T3420: Support UPNP protocol
|
|
Add port-validators for NAT rules that prevent to set incorrect
port-ranges (21-5) and incorrect ports (70000)
|
|
firewall: T4130: T4186: ICMP/v6 updates, ipv6 state policy check fix
|
|
for icmp
|
|
|
|
|
|
policy: T4151: Add policy ipv6-local-route
|