path: root/interface-definitions
Age | Commit message | Author
2024-09-02 | T6679: add destination groups | Nicolas Vollmar
2024-09-02 | Merge pull request #4018 from nicolas-fort/T6647 | Daniil Baturin
    T6647: firewall. Introduce patch for accepting invalid ARP and DHCP
2024-08-28 | T6647: firewall. Introduce patch for accepting ARP and DHCP replies on stateful bridge firewall. | Nicolas Fort
    This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ethernet-type matcher in bridge firewall.
2024-08-27 | T6681: Add option for SLAAC to support suppress Interval Advertisement in RAs | Hikari Kongou
2024-08-20 | Merge pull request #3975 from lucasec/t6183 | Christian Breunig
    T6183: interfaces openvpn: support specifying IP protocol version
2024-08-16 | Merge pull request #3987 from natali-rs1985/T6649-current | Daniil Baturin
    ipoe_server: T6649: Accel-ppp separate vlan-mon from listen interfaces
2024-08-15 | T5794: change firewall priority in order to be loaded after all interfaces. | nicolas
2024-08-15 | T6649: Accel-ppp separate vlan-mon from listen interfaces | Nataliia Solomko
2024-08-13 | T6183: interfaces openvpn: support specifying IP protocol version | Lucas Christian
2024-08-12 | T6648: dhcpv6-server: align stateless DHCPv6 options with stateful | Lucas Christian
2024-08-05 | firewall: T4694: fix GRE key include path in XML | Christian Breunig
2024-08-05 | Merge branch 'current' into feature/T4694/gre-match-fields | Christian Breunig
2024-08-05 | Merge pull request #3920 from fett0/T6555 | Christian Breunig
    OPENVPN: T6555: add server-bridge options in mode server
2024-08-04 | firewall: T4694: Adding GRE flags & fields matches to firewall rules | Andrew Topp
    * Only matching flags and fields used by modern RFC2890 "extended GRE" - this is backwards-compatible, but does not match all possible flags.
    * There are no nftables helpers for the GRE key field, which is critical to match individual tunnel sessions (more detail in the forum post)
    * nft expression syntax is not flexible enough for multiple field matches in a single rule and the key offset changes depending on flags.
    * Thus, clumsy compromise in requiring an explicit match on the "checksum" flag if a key is present, so we know where key will be. In most cases, nobody uses the checksum, but assuming it to be off or automatically adding a "not checksum" match unless told otherwise would be confusing
    * The automatic "flags key" check when specifying a key doesn't have similar validation, I added it first and it makes sense. I would still like to find a workaround to the "checksum" offset problem.
    * If we could add 2 rules from 1 config definition, we could match both cases with appropriate offsets, but this would break existing FW generation logic, logging, etc.
    * Added a "test_gre_match" smoketest
2024-08-02 | OPENVPN: T6555: fix name to bridge | fett0
2024-08-02 | T4072: change same helpers in xml definitions; add notrack action for prerouting chain; re-introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest | Nicolas Fort
2024-08-01 | T6570: firewall: add global-option to configure sysctl parameter for enabling/disabling sending traffic from bridge layer to ipvX layer | Nicolas Fort
2024-08-01 | T4072: firewall: extend firewall bridge capabilities, in order to include new chains, priorities, and firewall groups | Nicolas Fort
2024-08-01 | Merge pull request #3221 from lucasec/t5873 | Christian Breunig
    T5873: ipsec remote access VPN: support VTI interfaces.
2024-07-31 | OPENVPN: T6555: add server-bridge options in mode server | fett0
2024-07-31 | T5657: Add VRF support for zabbix-agent | Viacheslav Hletenko
    To start the service under VRF requires starting under User=root otherwise it had issues with cgroups
2024-07-30 | pbr: T6430: Allow forwarding into VRFs by name as well as route table IDs | Andrew Topp
    * PBR can only target table IDs up to 200 and the previous PR to extend the range was rejected
    * PBR with this PR can now also target VRFs directly by name, working around targeting problems for VRF table IDs outside the overlapping 100-200 range
    * Validation ensures rules can't target both a table ID and a VRF name (internally they are handled the same)
    * Added a simple accessor (get_vrf_table_id) for runtime mapping a VRF name to table ID, based on vyos.ifconfig.interface._set_vrf_ct_zone(). It does not replace that usage, as it deliberately does not handle non-VRF interface lookups (would fail with a KeyError).
    * Added route table ID lookup dict, global route table and VRF table defs to vyos.defaults. Table ID references have been updated in code touched by this PR.
    * Added a simple smoketest to validate 'set vrf' usage in PBR rules
2024-07-29 | Merge pull request #3804 from HollyGurza/T6362 | Daniil Baturin
    T6362: Create conntrack logger daemon
2024-07-29 | Merge pull request #3823 from srividya0208/T6571 | Daniil Baturin
    OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers
2024-07-28 | firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616) | talmakion
    * Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules
    * Add ipsec match-ipsec-out and match-none-out
    * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes)
    * Add the -out generators to rendered templates
    * Heavy modification to firewall config validators:
      * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain (via jump-target) - this always generates an error.
      * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches.
    * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests
2024-07-25 | OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers | srividya0208
2024-07-22 | T5873: vpn ipsec remote-access: support VTI interfaces | Lucas Christian
2024-07-22 | T6599: ipsec: support disabling rekey of CHILD_SA. | Lucas Christian
    Also adds support for life_bytes, life_packets, and DPD for remote-access connections. Changes behavior of remote-access esp-group lifetime setting to have parity with site-to-site connections.
2024-07-19 | T6362: Create conntrack logger daemon | khramshinr
2024-07-18 | openvpn: T6591: deprecate OpenVPN server net30 topology (#3825) | Daniil Baturin
2024-07-08 | vxlan: T6505: Support VXLAN VLAN-VNI range mapping in CLI (#3756) | Nataliia S
2024-07-05 | wireless: T6496: use mac-address validator on BSSID and move it up one CLI level | Christian Breunig
2024-07-05 | wireless: T6496: use ascii regex for WPA passphrase constraint | Christian Breunig
2024-07-05 | wireless: T6496: support for EAP-MSCHAPv2 client over wifi | Christopher
    fix: attempt to fix indentation on `wpa_supplicant.conf.j2`
    fix: attempt to fix indentation on `wpa_supplicant.conf.j2`
    fix: incorrect bssid mapping
    fix: use the correct jinja templating (I think)
    fix: remove blank space
    fix: attempt to fix the formatting in j2
    fix: attempt to fix the formatting in j2
    feat: rename enterprise username and password + add checks in conf mode.
    fix: move around `bssid` config option on `wpa_supplicant.conf.j2` and fix the security config part
    fix: fix indentation on `wpa_supplicant.conf.j2`
2024-07-04 | Merge pull request #3753 from jvoss/haproxy_logging | Christian Breunig
    T6539: add logging options to load-balancer reverse-proxy
2024-07-03 | T6539: add logging options to load-balancer reverse-proxy | Jonathan Voss
2024-07-03 | Merge pull request #3752 from sever-sever/T6538 | Christian Breunig
    T6538: Add the ability to set GENEVE interfaces to VRF
2024-07-02 | Merge pull request #3721 from HollyGurza/T5878 | Daniil Baturin
    ssh: T5878: Allow changing the PubkeyAcceptedAlgorithms option
2024-07-02 | T6538: Add the ability to set GENEVE interfaces to VRF | Viacheslav Hletenko
2024-06-28 | Merge pull request #3720 from sever-sever/T6477 | Christian Breunig
    T6477: Add telegraf loki output plugin
2024-06-28 | Merge pull request #3730 from natali-rs1985/T5710-current | Christian Breunig
    pppoe-server: T5710: Add option permit any-login
2024-06-28 | T6477: Add telegraf loki output plugin | Viacheslav Hletenko
    Add Loki plugin to telegraf
    set service monitoring telegraf loki url xxx
2024-06-28 | pppoe-server: T5710: Add option permit any-login | Nataliia Solomko
2024-06-28 | ssh: T5878: Allow changing the PubkeyAcceptedAlgorithms option | khramshinr
2024-06-27 | wireless: T6320: add 802.11ax at 6GHz | Alain Lamar
    Authored-By: Alain Lamar <alain_lamar@yahoo.de>
2024-06-24 | T5735: Stunnel CLI and configuration | khramshinr
    Add CLI commands
    Add config
    Add conf_mode
    Add systemd config
    Add stunnel smoketests
    Add log level config
2024-06-20 | T3202: Enable wireguard debug messages | Nataliia Solomko
2024-06-20 | Merge pull request #3677 from HollyGurza/T5949 | Christian Breunig
    T5949: Add option to disable USB autosuspend
2024-06-19 | openconnect: T6500: add support for multiple ca-certificates | Christian Breunig
    Add possibility to provide a full CA chain to the openconnect server.
    * Support multiple CA certificates
    * For every CA certificate specified, always determine the full certificate chain in the background and add the necessary SSL certificates
2024-06-19 | T5949: Add option to disable USB autosuspend | khramshinr