Age | Commit message (Collapse) | Author |
|
|
|
T4916: Rewrite IPsec peer authentication and psk migration
|
|
Rewrite strongswan IPsec authentication to reflect structure
from swanctl.conf
The most important change is that more than one local/remote ID in the
same auth entry should be allowed
replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
=> 'ipsec authentication psk <tag> secret xxx'
set vpn ipsec authentication psk <tag> id '192.0.2.1'
set vpn ipsec authentication psk <tag> id '192.0.2.2'
set vpn ipsec authentication psk <tag> secret 'xxx'
set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'
Add template filter for Jinja2 'generate_uuid4'
|
|
Added the possibility to configure Pseudo-Random Functions (PRF)
in IKE group
set vpn ipsec ike-group <Ike-grp> proposal <number> prf <PRF>
|
|
When log-level was introduced node `state-policy x log` was removed without migrator. This commit adds it back and improves log handling.
|
|
* Rename table to vyos_nat
* Add static NAT smoketest
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
T4699: Firewall: Add jump action in firewall ruleset
|
|
The initial Accel-PPP PPPoE implementation used:
set service pppoe-server interface <name> vlan-id <id>
set service pppoe-server interface <name> vlan-range <start-stop>
This is actually a duplicated CLI node.
|
|
|
|
This extends the implementation of commit 0cc7e0a49094 ("firewall: T4655: Fix
default action 'drop' for the firewall") in a way that we can now also use the
XML <defaultValue> node under "firewall name" and "firewall ipv6-name". This
is a much cleaner approach which also adds the default value automatically to
the CLIs completion helper ("?").
|
|
For some reason after firewall rewriting we are having default
action 'accept' for 1.4 and default action 'drop' for 1.3
Fix this issue, set default action 'drop'
|
|
* Refactor nftables clean-up code
* Adds policy route test for using firewall groups
|
|
|
|
|
|
|
|
not none
We have a lot of boiler plate template code like
{% if config.interface is defined and config.interface.remote_as is defined
and config.interface.remote_as is not none %}
...
{% endif %}
This can be stripped down using a custom test to:
{% if config.interface.remote_as is vyos_defined %}
...
{% endif %}
In addition the new vyos_defined test supports comparison
{% if foo.bar.baz is vyos_defined('zoo') %}
...
{% endif %}
So the above will only evaluate to true if the variable foo.bar.baz is defined
and its content is zoo
This is inspired from https://github.com/aristanetworks/ansible-avd/ which make
heavy use of it.
All new templates should be written in this new style.
|
|
firewall: T4218: T4216: Add prefix to user defined chains, support negated groups, fixes
|
|
|
|
|
|
Example syslog: [FWNAME-default-D] ...
* Also clean-up firewall default-action
|
|
zone-policy
|
|
firewall: T4130: Fix firewall state-policy errors
|
|
Also fixes:
* Issue with multiple state-policy rules being created on firewall updates
* Prevents interface rules being inserted before state-policy
|
|
* 'firewall' of https://github.com/sarthurdev/vyos-1x:
zone_policy: T3873: Implement intra-zone-filtering
policy: T2199: Migrate policy route op-mode to XML/Python
policy: T2199: Migrate policy route to XML/Python
zone-policy: T2199: Migrate zone-policy op-mode to XML/Python
zone-policy: T2199: Migrate zone-policy to XML/Python
firewall: T2199: Migrate firewall op-mode to XML/Python
firewall: T2199: Migrate firewall to XML/Python
|
|
|
|
Peer name must not contain dots and colons, otherwise
swanct can't generate correct configuration for swanctl.conf
This is used in connection names and child SA names
Add filter 'dot_colon_to_dash' which replace dots and colons
|
|
|
|
|
|
|
|
|
|
... there was a type setting ecp512 instead of ecp521.
|
|
|
|
|
|
generate ipsec mac-ios-profile <connection> remote <ip|fqdn>
will generate a matching IPSec profile which can be loaded on an iOS device.
|
|
|
|
|
|
Support getting the IPv4 addresses from a given interface and support to strip
CIDR mask from address.
|
|
|
|
|
|
|
|
As thought in the beginning the dhcp-interface route option can not be
superseeded by the interface option. When a route is installed for a DHCP
interface, that interface is usually a broadcast interface which can not be
used for plain interface-based routes.
The old Vyatta logic was migrated to Python where the current received
next-hop address from the DHCP interface is installed as next-hop address.
|
|
Support a 1:1 or 1:n prefix translation. The following configuration will NAT
source addresses from the 10.2.0.0/16 range to an address from 192.0.2.0/29.
For this feature to work a Linux Kernel 5.8 or higher is required!
vyos@vyos# show nat
source {
rule 100 {
outbound-interface eth1
source {
address 10.2.0.0/16
}
translation {
address 192.0.2.0/29
}
}
}
This results in the nftables configuration:
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname "eth1" counter packets 0 bytes 0 snat ip prefix to ip saddr map
{ 10.2.0.0/16 : 192.0.2.0/29 } comment "SRC-NAT-100"
}
|
|
|
|
Running ISC DHCP server as backend server for multiple pools served to relay
agents requires DHCPd to explicitly listen on give interfaces or a "transit"
subnet declaration facing the network where we receive the DHCPREQ messages on.
This implements a new "listen-address" CLI node, the given address is validated
if it is assigned to the system and upon success, a proper "subnet { }" statement
is added into dhcpd.conf
|
|
|
|
|
|
Commit 6962bc53 ("vyos.template: provide general is_ip(v4|v6) helpers")
introduced new Jinja2 template filters, but the one for checking an address
if it is an IPv6 address was broken as it was yet unused.
|
|
We had two places were the is_ip, is_ipv4 and is_ipv6 helpers had been defined.
All places now have been converged into vyos.template as they are used both
in the Jinja2 templates and also in our scripts.
|
|
|