Age | Commit message | Author |
|
Ability to configure SSH-server HostKeyAlgorithms.
Specifies the host key signature algorithms that the server
offers. Can accept multiple values.
|
Move default values of TOTP configuration from a global to a per user setting.
This makes the entire code easier as no global configuration must be blended
into the per user config dict.
Also it should be possible to set the authentication window "multiple concurrent
keys" individually per user.
set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq'
set system login user vyos authentication plaintext-password 'vyos'
|
Use common "url.xml" which allows URL as domain name or IP
entry
|
system login: T874: add 2FA support for local and ssh authentication
|
isis: T4739: ISIS segment routing being refactored
|
qos: T4688: add xml template for limiter actions
|
This is to refactor ISIS segment routing to match up with OSPF segment routing.
|
firewall: policy: T4741: T4742: Verify zone `from` is defined, autocomplete policy route tables
|
ssh: T4716: Ability to configure RekeyLimit data and time
|
Ability to configure SSH RekeyLimit data (in Megabytes) and
time (in Minutes)
set service ssh rekey data 1024
set service ssh rekey time 60
|
When log-level was introduced node `state-policy x log` was removed without migrator. This commit adds it back and improves log handling.
|
Add support for arbitrary netmasks on source/destination addresses in
firewall rules. This is particularly useful with DHCPv6-PD when the
delegated prefix changes periodically.
|
ospf: T4707: Add OSPF segment routing for FRR
|
In this commit we add OSPF segment routing, smoke tests, handlers,
FRR template changes, and CLI commands.
|
vyos-1x automatically adds a "(default: ...)" hint to the CLI help if the
<defaultValue> XML tag is used. No need to specify this manually.
|
policy: T4660: Changed CLI syntax in route-map set community
|
Changed CLI syntax in route-map set community,
set large-community, set extcommunity
Allows adding multiple communities, large-communities
and extcommunities in clear view.
Added new well-known communities.
Added non-transitive feature in extcommunities.
Fixed community's validators.
|
FRR supports multiple route-targets to be used for import/export:
  address-family l2vpn evpn
    route-target import 20:10
    route-target import 20:11
    route-target import 20:12
    route-target import 40:40
    route-target export 1:2
    route-target export 1:3
    route-target export 40:40
  exit-address-family
Thus the <multi/> property is added to the relevant CLI nodes.
|
login: T4715: Auto logout user after inactivity
|
Ability to terminate interactive sessions (TTY/PTS) after a period
of inactivity.
set system login timeout '300'
|
This adds a new 'alias' property to the console-server device definition
to allow users to connect to a console using a human-readable name
rather than just the device name.
For a configuration like:
service {
    console-server {
        device ttyUSB0 {
            speed 115200
            alias my-server
        }
    }
}
Users can connect either by doing `connect console ttyUSB0`, or
`connect console my-server`.
Names:
* Must be unique
* Are limited to 128 characters
* Are optional - if not specified, only the `connect console ttyX`
form can be used
|
T4700: Firewall: add interface matching criteria
|
ids: T4557: Migrate threshold and add new threshold types
|
Migrate "service ids ddos-protection threshold xxx" to
"service ids ddos-protection general threshold xxx"
Add new threshold types:
set service ids ddos-protection threshold tcp xxx
set service ids ddos-protection threshold udp xxx
set service ids ddos-protection threshold icmp xxx
|
This commit raises the minimum TCP MSS clamping range to the MSS value
corresponding to the minimum packet size that must be accepted for IPv4.
|
This extends commit 28573ffe4f ("xml: T4698: drop validator name="range" and
replace it with numeric"). The first version allowed both a range and discrete
numbers to be validated by the numeric validator.
This had a flaw as both 22 and 22-30 were valid at the same time. The generic
"port-number.xml.i" building block only allows a discrete number. Now if a user
set port 22-30 for e.g. SSH, the daemon no longer started. This is why range
validation must be explicitly enabled.
|
update-check: T3476: Allow update-check for VyOS images
|
T4699: Firewall: Add return action
|
In addition to the rewrite to make use of get_config_dict() the CLI is
slightly adjusted as specified in T4703.
* Rename vlan-id and vlan-range to simply vlan
* Rename network-mode to simply mode
* Re-use existing common Jinja2 templates for Accel-PPP which are shared
with PPPoE and SSTP server.
* Retrieve default values via defaultValue XML node
|
name
|
T4699: Firewall: Add jump action in firewall ruleset
|
The initial Accel-PPP PPPoE implementation used:
set service pppoe-server interface <name> vlan-id <id>
set service pppoe-server interface <name> vlan-range <start-stop>
This is actually a duplicated CLI node.
|
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
|