Age | Commit message (Collapse) | Author | |
---|---|---|---|
2022-05-28 | firewall: T970: Add firewall group domain-group | Viacheslav Hletenko | |
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } } | |||
2022-05-13 | smoketest: add sshguard allow-from case | Christian Poessinger | |
2022-05-12 | sshguard: T4408: Add service ssh dynamic-protection | Viacheslav Hletenko | |
Sshguard protects hosts from brute-force attacks Can inspect logs and block "bad" addresses by threshold Auto-generate rules for nftables When service stopped all generated rules are deleted nft "type filter hook input priority filter - 10" set service ssh dynamic-protection set service ssh dynamic-protection block-time 120 set service ssh dynamic-protection detect-time 1800 set service ssh dynamic-protection threshold 30 set service ssh dynamic-protection whitelist-address 192.0.2.1 | |||
2022-05-09 | Merge pull request #1279 from nicolas-fort/T990 | Christian Poessinger | |
Firewall: T990: Add snat and dnat connection status on firewall | |||
2022-05-08 | smoketest: policy-route: use setUpClass() | Christian Poessinger | |
2022-05-08 | policy: evpn: T3739: support "set evpn gateway-ip" | Christian Poessinger | |
2022-05-07 | vrf: T4419: support to disable IP forwarding within a given VRF | Christian Poessinger | |
2022-05-06 | bgp: T4385: verify() peer-group in interface based neighbors | Christian Poessinger | |
2022-05-05 | policy: T4414: add support for route-map "as-path prepend last-as x" | Christian Poessinger | |
2022-04-28 | arp: T4397: change CLI syntax to support interface and VRF bound ARP entries | Christian Poessinger | |
* set protocols static arp interface eth0 address 192.0.2.1 mac 01:23:45:67:89:01 | |||
2022-04-26 | smoketest: http: add decorator to suppress warnings locally | John Estabrook | |
2022-04-26 | smoketest: ethernet: bugfix - NameError: name 'af' is not defined | Christian Poessinger | |
2022-04-25 | smoketest: arp: add initial testcase for static ARP entries | Christian Poessinger | |
2022-04-25 | smoketest: ethernet: verify addresses are deleted from interface after test | Christian Poessinger | |
2022-04-25 | smoketest: openconnect: use setUpClass() over setUp() | Christian Poessinger | |
2022-04-25 | smoketest: dhcpv6-server: use setUpClass() over setUp() | Christian Poessinger | |
2022-04-25 | smoketest: pki: use setUpClass() over setUp() | Christian Poessinger | |
2022-04-25 | smoketest: migrate pppoe, and wireguard to setUpClass() scheme | Christian Poessinger | |
2022-04-25 | smoketest: bugfix on proper inheritance levels for classmethod | Christian Poessinger | |
2022-04-23 | Firewall: T990: Modifications for new connection-status cli | Nicolas Fort | |
2022-04-21 | pppoe: T4384: replace default-route CLI option with common CLI nodes already ↵ | Christian Poessinger | |
present for DHCP VyOS 1.4 still leverages PPPd internals on the CLI. pppd supports three options for a default route, none, auto, force. * none: No default route is installed on interface up * auto: Default route is only installed if there is yet no default route * force: overwrite any default route There are several drawbacks in this design for VyOS and the users. If auto is specified, this only counted for static default routes - but what about dynamic ones? Same for force, only a static default route got replaced but dynamic ones did not got taken into account. The CLI is changed and we now re-use already existing nodes from the DHCP interface configuration: * no-default-route: On link up no default route is installed, same as the previous default-route none * default-route-distance: We can now specify the distance of this route for the routing table on the system. This defaults to 210 as we have for DHCP interfaces. All this will be migrated using a CLI migration script. | |||
2022-04-21 | bgp: T4385: peer-group member cannot override remote-as of peer-group | Christian Poessinger | |
2022-04-20 | openvpn: T4369: enforce daemon-restart on openvpn-option CLI change | Christian Poessinger | |
2022-04-19 | Merge pull request #1289 from nicolas-fort/T4365 | Christian Poessinger | |
NAT: T4365: Fix for nat tables manipulation on netfilter | |||
2022-04-18 | NAT: T4365: Fix for nat tables manipulation on netfilter | Nicolas Fort | |
2022-04-18 | vxlan: geneve: T4370: support configuration of DF bit option | Christian Poessinger | |
set interfaces vxlan vxlan0 parameters ip df <set|unset|inherit> set interfaces geneve gnv0 parameters ip df <set|unset|inherit> | |||
2022-04-18 | smoketest: salt: must use cmd() instead of run() when readin stdout | Christian Poessinger | |
2022-04-18 | smoketest: salt: add special handling for KVM host | Christian Poessinger | |
2022-04-16 | smoketest: salt-minion: add dummy source-interface | Christian Poessinger | |
2022-04-15 | salt-minion: T4364: add source-interface CLI option support | Christian Poessinger | |
2022-04-15 | salt-minion: T4364: add support for source-interface definition | Christian Poessinger | |
2022-04-15 | salt-minion: T4364: migrate to get_config_dict() | Christian Poessinger | |
2022-04-15 | smoketest: salt: T4363: add initial testcase | Christian Poessinger | |
2022-04-14 | smoketest: firewall: ensure we can also run this test on a live system | Christian Poessinger | |
... by cleaning existing CLI config first | |||
2022-04-14 | smoketest: T4354: Add test for uniq bonding members | Viacheslav Hletenko | |
Extend bonding smoketest Add descriptions to bonding members We encountered a situation where adding any configuration for member of bonding interface excludes the interface from bonding | |||
2022-04-13 | smoketest: ids: bugfix AttributeError | Christian Poessinger | |
AttributeError: 'list' object has no attribute 'join' | |||
2022-04-11 | Firewall: T990: Add snat and dst connection status on firewall | Nicolas Fort | |
2022-04-10 | smoketest: ids: add initial testcase | Christian Poessinger | |
2022-04-10 | smoketest: nat: use setUpClass() over setUp() | Christian Poessinger | |
2022-04-09 | Merge pull request #1242 from goodNETnick/ocserv_local_otp | Christian Poessinger | |
ocserv: T4231: Added OTP support for Openconnect 2FA | |||
2022-04-09 | ocserv: T4231: Added OTP support for Openconnect 2FA | goodNETnick | |
2022-04-08 | Firewall: T990: Add snat and dnat connection status on firewall | Nicolas Fort | |
2022-04-08 | smoketest: vrf: T4346: IPv6 address family can no longer be disabled in the ↵ | Christian Poessinger | |
Kernel | |||
2022-04-07 | smoketest: http: add check for missing key | John Estabrook | |
2022-04-07 | smoketest: http: bind http api to unix domain socket | John Estabrook | |
2022-04-07 | policy: T4194: simplify prefix-list duplication checks | Christian Poessinger | |
Commit 5dafe255d ("policy: T4194: Add prefix-list duplication checks") added first support for FRR prefix-list duplication checks. FRR does not allow to specify the same profix list rule multiple times. vyos(config)# ip prefix-list foo seq 10 permit 192.0.2.0/24 vyos(config)# ip prefix-list foo seq 20 permit 192.0.2.0/24 % Configuration failed. Error type: validation Error description: duplicated prefix list value: 192.0.2.0/24 There is a VyOS verify() function which simply probed for the prefix, action, le and ge settings - but as Python has excellent support when comparing data, this can be as simple as a dictionary comparison using "==". | |||
2022-04-07 | ipv6: T4346: delete (migrate) CLI command to disable IPv6 address family | Christian Poessinger | |
2022-04-06 | Merge pull request #1275 from sarthurdev/firewall_limit | Christian Poessinger | |
firewall: T4345: Fix incorrect firewall rule limit rate format | |||
2022-04-06 | firewall: T4345: Fix incorrect rule limit rate syntax | sarthurdev | |
2022-04-06 | smoketest: http: test API authentication | Christian Poessinger | |