summaryrefslogtreecommitdiff
path: root/smoketest/scripts
AgeCommit message (Collapse)Author
2022-05-28firewall: T970: Add firewall group domain-groupViacheslav Hletenko
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } }
2022-05-13smoketest: add sshguard allow-from caseChristian Poessinger
2022-05-12sshguard: T4408: Add service ssh dynamic-protectionViacheslav Hletenko
Sshguard protects hosts from brute-force attacks Can inspect logs and block "bad" addresses by threshold Auto-generate rules for nftables When service stopped all generated rules are deleted nft "type filter hook input priority filter - 10" set service ssh dynamic-protection set service ssh dynamic-protection block-time 120 set service ssh dynamic-protection detect-time 1800 set service ssh dynamic-protection threshold 30 set service ssh dynamic-protection whitelist-address 192.0.2.1
2022-05-09Merge pull request #1279 from nicolas-fort/T990Christian Poessinger
Firewall: T990: Add snat and dnat connection status on firewall
2022-05-08smoketest: policy-route: use setUpClass()Christian Poessinger
2022-05-08policy: evpn: T3739: support "set evpn gateway-ip"Christian Poessinger
2022-05-07vrf: T4419: support to disable IP forwarding within a given VRFChristian Poessinger
2022-05-06bgp: T4385: verify() peer-group in interface based neighborsChristian Poessinger
2022-05-05policy: T4414: add support for route-map "as-path prepend last-as x"Christian Poessinger
2022-04-28arp: T4397: change CLI syntax to support interface and VRF bound ARP entriesChristian Poessinger
* set protocols static arp interface eth0 address 192.0.2.1 mac 01:23:45:67:89:01
2022-04-26smoketest: http: add decorator to suppress warnings locallyJohn Estabrook
2022-04-26smoketest: ethernet: bugfix - NameError: name 'af' is not definedChristian Poessinger
2022-04-25smoketest: arp: add initial testcase for static ARP entriesChristian Poessinger
2022-04-25smoketest: ethernet: verify addresses are deleted from interface after testChristian Poessinger
2022-04-25smoketest: openconnect: use setUpClass() over setUp()Christian Poessinger
2022-04-25smoketest: dhcpv6-server: use setUpClass() over setUp()Christian Poessinger
2022-04-25smoketest: pki: use setUpClass() over setUp()Christian Poessinger
2022-04-25smoketest: migrate pppoe, and wireguard to setUpClass() schemeChristian Poessinger
2022-04-25smoketest: bugfix on proper inheritance levels for classmethodChristian Poessinger
2022-04-23Firewall: T990: Modifications for new connection-status cliNicolas Fort
2022-04-21pppoe: T4384: replace default-route CLI option with common CLI nodes already ↵Christian Poessinger
present for DHCP VyOS 1.4 still leverages PPPd internals on the CLI. pppd supports three options for a default route, none, auto, force. * none: No default route is installed on interface up * auto: Default route is only installed if there is yet no default route * force: overwrite any default route There are several drawbacks in this design for VyOS and the users. If auto is specified, this only counted for static default routes - but what about dynamic ones? Same for force, only a static default route got replaced but dynamic ones did not got taken into account. The CLI is changed and we now re-use already existing nodes from the DHCP interface configuration: * no-default-route: On link up no default route is installed, same as the previous default-route none * default-route-distance: We can now specify the distance of this route for the routing table on the system. This defaults to 210 as we have for DHCP interfaces. All this will be migrated using a CLI migration script.
2022-04-21bgp: T4385: peer-group member cannot override remote-as of peer-groupChristian Poessinger
2022-04-20openvpn: T4369: enforce daemon-restart on openvpn-option CLI changeChristian Poessinger
2022-04-19Merge pull request #1289 from nicolas-fort/T4365Christian Poessinger
NAT: T4365: Fix for nat tables manipulation on netfilter
2022-04-18NAT: T4365: Fix for nat tables manipulation on netfilterNicolas Fort
2022-04-18vxlan: geneve: T4370: support configuration of DF bit optionChristian Poessinger
set interfaces vxlan vxlan0 parameters ip df <set|unset|inherit> set interfaces geneve gnv0 parameters ip df <set|unset|inherit>
2022-04-18smoketest: salt: must use cmd() instead of run() when readin stdoutChristian Poessinger
2022-04-18smoketest: salt: add special handling for KVM hostChristian Poessinger
2022-04-16smoketest: salt-minion: add dummy source-interfaceChristian Poessinger
2022-04-15salt-minion: T4364: add source-interface CLI option supportChristian Poessinger
2022-04-15salt-minion: T4364: add support for source-interface definitionChristian Poessinger
2022-04-15salt-minion: T4364: migrate to get_config_dict()Christian Poessinger
2022-04-15smoketest: salt: T4363: add initial testcaseChristian Poessinger
2022-04-14smoketest: firewall: ensure we can also run this test on a live systemChristian Poessinger
... by cleaning existing CLI config first
2022-04-14smoketest: T4354: Add test for uniq bonding membersViacheslav Hletenko
Extend bonding smoketest Add descriptions to bonding members We encountered a situation where adding any configuration for member of bonding interface excludes the interface from bonding
2022-04-13smoketest: ids: bugfix AttributeErrorChristian Poessinger
AttributeError: 'list' object has no attribute 'join'
2022-04-11Firewall: T990: Add snat and dst connection status on firewallNicolas Fort
2022-04-10smoketest: ids: add initial testcaseChristian Poessinger
2022-04-10smoketest: nat: use setUpClass() over setUp()Christian Poessinger
2022-04-09Merge pull request #1242 from goodNETnick/ocserv_local_otpChristian Poessinger
ocserv: T4231: Added OTP support for Openconnect 2FA
2022-04-09ocserv: T4231: Added OTP support for Openconnect 2FAgoodNETnick
2022-04-08Firewall: T990: Add snat and dnat connection status on firewallNicolas Fort
2022-04-08smoketest: vrf: T4346: IPv6 address family can no longer be disabled in the ↵Christian Poessinger
Kernel
2022-04-07smoketest: http: add check for missing keyJohn Estabrook
2022-04-07smoketest: http: bind http api to unix domain socketJohn Estabrook
2022-04-07policy: T4194: simplify prefix-list duplication checksChristian Poessinger
Commit 5dafe255d ("policy: T4194: Add prefix-list duplication checks") added first support for FRR prefix-list duplication checks. FRR does not allow to specify the same profix list rule multiple times. vyos(config)# ip prefix-list foo seq 10 permit 192.0.2.0/24 vyos(config)# ip prefix-list foo seq 20 permit 192.0.2.0/24 % Configuration failed. Error type: validation Error description: duplicated prefix list value: 192.0.2.0/24 There is a VyOS verify() function which simply probed for the prefix, action, le and ge settings - but as Python has excellent support when comparing data, this can be as simple as a dictionary comparison using "==".
2022-04-07ipv6: T4346: delete (migrate) CLI command to disable IPv6 address familyChristian Poessinger
2022-04-06Merge pull request #1275 from sarthurdev/firewall_limitChristian Poessinger
firewall: T4345: Fix incorrect firewall rule limit rate format
2022-04-06firewall: T4345: Fix incorrect rule limit rate syntaxsarthurdev
2022-04-06smoketest: http: test API authenticationChristian Poessinger