Age | Commit message (Collapse) | Author |
|
firewall: T4130: Fix firewall state-policy errors
|
|
Also fixes:
* Issue with multiple state-policy rules being created on firewall updates
* Prevents interface rules being inserted before state-policy
|
|
* 'firewall' of https://github.com/sarthurdev/vyos-1x:
zone_policy: T3873: Implement intra-zone-filtering
policy: T2199: Migrate policy route op-mode to XML/Python
policy: T2199: Migrate policy route to XML/Python
zone-policy: T2199: Migrate zone-policy op-mode to XML/Python
zone-policy: T2199: Migrate zone-policy to XML/Python
firewall: T2199: Migrate firewall op-mode to XML/Python
firewall: T2199: Migrate firewall to XML/Python
|
|
|
|
Peer name must not contain dots and colons, otherwise
swanct can't generate correct configuration for swanctl.conf
This is used in connection names and child SA names
Add filter 'dot_colon_to_dash' which replace dots and colons
|
|
|
|
|
|
|
|
|
|
... there was a type setting ecp512 instead of ecp521.
|
|
|
|
|
|
generate ipsec mac-ios-profile <connection> remote <ip|fqdn>
will generate a matching IPSec profile which can be loaded on an iOS device.
|
|
|
|
|
|
Support getting the IPv4 addresses from a given interface and support to strip
CIDR mask from address.
|
|
|
|
|
|
|
|
As thought in the beginning the dhcp-interface route option can not be
superseeded by the interface option. When a route is installed for a DHCP
interface, that interface is usually a broadcast interface which can not be
used for plain interface-based routes.
The old Vyatta logic was migrated to Python where the current received
next-hop address from the DHCP interface is installed as next-hop address.
|
|
Support a 1:1 or 1:n prefix translation. The following configuration will NAT
source addresses from the 10.2.0.0/16 range to an address from 192.0.2.0/29.
For this feature to work a Linux Kernel 5.8 or higher is required!
vyos@vyos# show nat
source {
rule 100 {
outbound-interface eth1
source {
address 10.2.0.0/16
}
translation {
address 192.0.2.0/29
}
}
}
This results in the nftables configuration:
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname "eth1" counter packets 0 bytes 0 snat ip prefix to ip saddr map
{ 10.2.0.0/16 : 192.0.2.0/29 } comment "SRC-NAT-100"
}
|
|
|
|
Running ISC DHCP server as backend server for multiple pools served to relay
agents requires DHCPd to explicitly listen on give interfaces or a "transit"
subnet declaration facing the network where we receive the DHCPREQ messages on.
This implements a new "listen-address" CLI node, the given address is validated
if it is assigned to the system and upon success, a proper "subnet { }" statement
is added into dhcpd.conf
|
|
|
|
|
|
Commit 6962bc53 ("vyos.template: provide general is_ip(v4|v6) helpers")
introduced new Jinja2 template filters, but the one for checking an address
if it is an IPv6 address was broken as it was yet unused.
|
|
We had two places were the is_ip, is_ipv4 and is_ipv6 helpers had been defined.
All places now have been converged into vyos.template as they are used both
in the Jinja2 templates and also in our scripts.
|
|
|
|
|
|
Re-organize the template code and add addtitional Jinja2 filters for processing
the ifconfig-pool statement. This reverts the changes from commit 7e546be9
("openvpn: T2994: temporary revert to 1.2 crux behavior for client pools").
|
|
Remove workaround which split (local|remote)_address and also subnet keys into
individual keys for the assigned IP address family (4/6).
During template rendering check IP version by introducing new ipv4 and ipv6
Jinja2 filters {% if foo | ipv4 %} or {% if bar | ipv6 %} options.
|
|
|
|
Apart from code cleanup, this allows any module that wants to render a
template to register custom jinja2 template filters by using the new
@register_filter decorator. Examples can be found in vyos.template
itself. Using the new render_to_string function, the rendered template
can also be returned as a string instead of being written to a file.
|
|
|
|
NTP configuration file requires the IP address and a netmask for client
subnets but the CLI will only provide a prefix based ntoation. Use custom,
reusable JInja2 template to transform a CIDR based prefix into its address
and netmask portion for IPv4 and IPv6.
Jinja2 custom filters are regular python functions - thus they can be re-used
directly when e.g. verifying the configuration in vyos-smoketests.
|
|
|
|
convert all call to jinja to use template.render
|
|
Currently the pattern is to import jinja2 and re-generate
the template in every file. Dimitriy reported a reduction
in performance (1s) when commiting.
This code provide an helper function which caches the
Environment and template renderer, and can generate
template from one line (instead of the few currently)
|