Age | Commit message (Collapse) | Author | |
---|---|---|---|
2020-05-22 | login: T2492: must use try/except when adding user for the first time | Christian Poessinger | |
2020-05-22 | login: T2492: re-use code from vyos.util | Christian Poessinger | |
2020-05-22 | login: T2492: force setting of encrypted password on first boot | Christian Poessinger | |
2020-05-22 | login: T2492: fix flake8 warnings | Christian Poessinger | |
2020-05-22 | login: T2492: do not set encrypted user password when it is not changed | Christian Poessinger | |
2020-05-22 | pppoe: T2488: bugfix, missing not in if condition prevented startup | Christian Poessinger | |
Commit 39c53aadbf9e ("pppoe: T2488: remove logfile generation") accidently missed a not in an if statement. | |||
2020-05-22 | macsec: T2491: add replay window protection | Christian Poessinger | |
2020-05-22 | macsec: T2023: flake8/autopep8 corrections | Christian Poessinger | |
2020-05-22 | macsec: T2023: fix wrong use or f-format string | Christian Poessinger | |
2020-05-22 | macsec: T2023: remove unused import | Christian Poessinger | |
2020-05-21 | pppoe: T2380: fix NameError: name 'intf' is not defined | Christian Poessinger | |
2020-05-21 | pppoe: T2380: dis-/connect should use proper systemd calls | Christian Poessinger | |
2020-05-21 | pppoe: T2488: remove logfile generation | Christian Poessinger | |
2020-05-21 | wireless: T1627: remove get_conf_file() | Christian Poessinger | |
2020-05-21 | macsec: T2023: delete wpa_supplicant config when interface is removed | Christian Poessinger | |
2020-05-21 | macsec: T2023: stop wpa_supplicant on interface deletion | Christian Poessinger | |
2020-05-21 | macsec: T2023: cleanup wpa_supplicant config file name | Christian Poessinger | |
2020-05-21 | macsec: T2023: improve verify() when encryption is enabled | Christian Poessinger | |
With enabled encryption keys must be configured. | |||
2020-05-21 | macsec: T2023: support MACsec Key Agreement protocol actor priority | Christian Poessinger | |
2020-05-21 | macsec: T2023: rename "security key" node to "security mka" | Christian Poessinger | |
MACsec always talks about MKA (MACsec Key Agreement protocol) thus the node should reflect that. | |||
2020-05-21 | macsec: T2023: use wpa_supplicant for key management | Christian Poessinger | |
2020-05-21 | macsec: T2023: cli: move "cipher" and "encryption" under new "secutiry" node | Christian Poessinger | |
This is best suited as a key is required, too. | |||
2020-05-21 | macsec: T2023: cipher suite is mandatory | Christian Poessinger | |
2020-05-21 | macsec: T2023: use list when working with Config() | Christian Poessinger | |
2020-05-21 | macsec: T2023: add optional encryption command | Christian Poessinger | |
By default MACsec only authenticates traffic but has support for optional encryption. Encryption can now be enabled using: set interfaces macsec <interface> encrypt | |||
2020-05-21 | macsec: T2023: add initial XML and Python interfaces | Christian Poessinger | |
2020-05-19 | Merge pull request #414 from thomas-mangin/T2467 | Christian Poessinger | |
util: T2467: automatically add sudo to known commands | |||
2020-05-19 | wireguard: T2481: support IPv6 based underlay | Christian Poessinger | |
2020-05-19 | util: T2467: add systemctl to autosudo | Thomas Mangin | |
2020-05-19 | nat: do not report unassigned IP address for DNAT | Christian Poessinger | |
That warning made no sense as the destination address where we forward a port to is by design not locally connected. | |||
2020-05-19 | dhcpv6-pd: T421: support ethernet based interfaces | Christian Poessinger | |
Add support for prefix delegation when receiving the prefix via ethernet, bridge, bond, wireless. | |||
2020-05-19 | configdict: T2372: interfaces must reuse interface_default_data | Christian Poessinger | |
This is to remove the amount of duplicated entries in dictionaries. It's one more part to move to a unified interface management. | |||
2020-05-19 | dhcpv6-server: T815: support delegating IPv6 prefixes | Christian Poessinger | |
2020-05-18 | flake8: T2475: fix a number of issue reported by flake8 | Thomas Mangin | |
2020-05-17 | pppoe: dhcpv6-pd: T421: stop service when config is removed | Christian Poessinger | |
2020-05-17 | pppoe: dhcpv6-pd: T421: start/stop delegation with interface status | Christian Poessinger | |
2020-05-17 | pppoe: dhcpv6-pd: T421: initial support | Christian Poessinger | |
The following configuration will assign a /64 prefix out of a /56 delegation to eth0. The IPv6 address assigned to eth0 will be <prefix>::ffff/64. If you do not know the prefix size delegated to you, start with sla-len 0. pppoe pppoe0 { authentication { password vyos user vyos } description sadfas dhcpv6-options { delegate eth0 { interface-id 65535 sla-id 0 sla-len 8 } } ipv6 { address { autoconf } enable } source-interface eth1 } vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 2001:db8:8003:400::ffff/64 u/u | |||
2020-05-17 | frr: combine all templates in frr directory | Christian Poessinger | |
2020-05-17 | powerdns: T2470: adjust config file permissions for recursor 4.3 | Christian Poessinger | |
PowerDNS recursor 4.3 now uns as user pdns and group pdns, thus the generated configuration file and directory need to have the appropriate permissions set. | |||
2020-05-16 | nat: nptv6: T2198: add XML/Python skeleton | Christian Poessinger | |
- define XML CLI interface - read CLI into Python dict | |||
2020-05-16 | nat: T2198: add support for SNAT based on source addresses | Christian Poessinger | |
CLI commands used for ruleset generation: set nat source rule 100 outbound-interface 'eth0.202' set nat source rule 100 protocol 'all' set nat source rule 100 source address '192.0.2.0/26' set nat source rule 100 translation address 'masquerade' set nat source rule 110 outbound-interface 'eth0.202' set nat source rule 110 protocol 'tcp' set nat source rule 110 source address '192.0.2.0/26' set nat source rule 110 source port '5556' set nat source rule 110 translation address 'masquerade' | |||
2020-05-16 | nat: T2198: set default protocol to all to be backwards compatible | Christian Poessinger | |
2020-05-16 | nat: T2198: sync generated DNAT rules with VyOS 1.2 | Christian Poessinger | |
The generated NAT rules in VyOS 1.2 are compared to the generated nftables ruleset in VyOS 1.3 this was done by converting the 1.2 iptables ruleset to nftables and then do the diff. To convert from iptables to nftables use the following command: $ iptables-save -t nat > /tmp/tmp.iptables $ iptables-restore-translate -f /tmp/tmp.iptables The following CLI options have been used for testing: set nat destination rule 10 description 'foo-10' set nat destination rule 10 destination address '1.1.1.1' set nat destination rule 10 destination port '1111' set nat destination rule 10 exclude set nat destination rule 10 inbound-interface 'eth0.202' set nat destination rule 10 log set nat destination rule 10 protocol 'tcp_udp' set nat destination rule 10 translation address '192.0.2.10' set nat destination rule 15 description 'foo-10' set nat destination rule 15 destination address '1.1.1.1' set nat destination rule 15 exclude set nat destination rule 15 inbound-interface 'eth0.202' set nat destination rule 15 log set nat destination rule 15 protocol 'tcp_udp' set nat destination rule 15 translation address '192.0.2.10' set nat destination rule 20 description 'foo-20' set nat destination rule 20 destination address '2.2.2.2' set nat destination rule 20 inbound-interface 'eth0.201' set nat destination rule 20 log set nat destination rule 20 protocol 'tcp' set nat destination rule 20 translation address '192.0.2.10' | |||
2020-05-16 | nat: T2198: verify translation address for SNAT and DNAT | Christian Poessinger | |
2020-05-16 | nat: T2198: extend verify() for destination ports | Christian Poessinger | |
Destination NAT configuration: destination ports can only be specified when protocol is tcp, udp or tcp_udp. | |||
2020-05-16 | nat: T2198: add some basic verify() rules | Christian Poessinger | |
2020-05-16 | nat: T2198: make use of jmespath when walking nftables JSON output | Christian Poessinger | |
2020-05-16 | nat: T2198: implement deletion of NAT subsystem | Christian Poessinger | |
2020-05-16 | nat: T2198: automatically determine handler numbers | Christian Poessinger | |
When instantiating NAT it is required to isntall some nftable jump targets. The targets need to be added after a specific other target thus we need to dynamically query the handler number. This is done by get_handler() which could be moved to vyos.util at a later point in time so it can be reused for a firewall rewrite. | |||
2020-05-16 | nat: T2198: move from iptables to nftables | Christian Poessinger | |