Age | Commit message (Collapse) | Author |
|
Add rate-limit options: attribute, muptiplier and vendor
set service ipoe-server auth radius rate-limit attribute 'Mikrotik-Rate-Limit'
set service ipoe-server auth radius rate-limit enable
set service ipoe-server auth radius rate-limit multiplier '0.001'
set service ipoe-server auth radius rate-limit vendor 'Miktorik'
|
|
|
|
* 'T4490' of https://github.com/sever-sever/vyos-1x:
bgp: T4490: Add informational message for peer withour AFI
|
|
openvpn: T4485: Accept multiple tls ca-certificate values
|
|
set service router-advert interface eth0 name-server-lifetime <value>
|
|
|
|
containers: T4473: Fix create container with not exist network
|
|
Fix correct path for removing containers and container networks
Reduce timoute from 10 (default) to 3 seconds for stopping
containers
|
|
Fix for setting container without or wrong network decalaration
|
|
As we don't use addresss-family ipv4-unicast by default we
should to send informational message about AFI for peer is required
|
|
|
|
|
|
* Refactor nftables clean-up code
* Adds policy route test for using firewall groups
|
|
|
|
firewall: T478: Add support for nesting groups
|
|
|
|
This reverts commit 6f818ee9033ee3abeedbed73eb44331dc27e7408.
|
|
It can be more then 5 symbols in top-level-domain address
for example '.photography' and '.accountants'
Firewall group can be added without address:
* set firewall group domain-group DOMAIN
Check if 'address' exists in group_config
|
|
|
|
* 'sstp_port' of https://github.com/goodNETnick/vyos-1x:
sstp: T4444. Port number changing support
|
|
firewall: T970: Add firewall group domain-group
|
|
event-handler: T3083: Add simple event-handler
|
|
Before:
set service event-handler Foo
After:
set service event-handler event Foo
|
|
* Added the ability to filter by a syslog identifier
* Added the ability to pass arguments to a script
* Added the ability to pass preconfigured environment variables to a script
* A message that triggered a script is now passed in the `message` variable and
can be used in a script
* Replaced `call()` to `run()`, since stdout are not need to be printed
|
|
Move 'system event-handler' to 'service event-handler'
|
|
* Removed dynamic generating for systemd unit
* Optimized configuration file deleting process
* Added exceptions handlers to event-handler script to protect service
from most obvious potential troubles
* Improved logging
* Moved pattern compilation outside a messages loop to avoid extra operations
* Added signal handlers for proper systemd integration
|
|
Event-handler allows executing a custom script when in logs it
detects configured "pattern"
A simple implemenation
set system event-handler first pattern '.*ssh2.*'
set system event-handler first script '/config/scripts/hello.sh'
|
|
|
|
OWAMP is a command line client application and a policy daemon used
to determine one way latencies between hosts.
OWAMP session control uses traditional client-server communication
between a control-client and a server,
TWAMP (two-way active measurement protocol)
Add configuration and operation modes
set service sla owamp-server
set service sla twamp-server
run force owping 192.0.2.120
run force twping 192.0.2.190
|
|
|
|
|
|
|
|
Commit f9e38622 ("rip: T4448: add support to set protocol version on an
interface level") also added the versionspecified on a per interface level.
the RIp version carried a default value of 2 which makes RIPv1 and RIPv2 no
longer working which is dthe default for FRR. Remove the default "2" from the
RIP version specifier to make this behavior work again.
|
|
|
|
|
|
|
|
Domain group allows to filter addresses by domain main
Resolved addresses as elements are stored to named "nft set"
that used in the nftables rules
Also added a dynamic "resolver" systemd daemon
vyos-domain-group-resolve.service which starts python script
for the domain-group addresses resolving by timeout 300 sec
set firewall group domain-group DOMAINS address 'example.com'
set firewall group domain-group DOMAINS address 'example.org'
set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 source group domain-group 'DOMAINS'
set interfaces ethernet eth0 firewall local name 'FOO'
nft list table ip filter
table ip filter {
set DOMAINS {
type ipv4_addr
flags interval
elements = { 192.0.2.1, 192.0.2.85,
203.0.113.55, 203.0.113.58 }
}
chain NAME_FOO {
ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"
counter packets 0 bytes 0 return comment "FOO default-action accept"
}
}
|
|
|
|
FRR: T4020: Added CLI options for FRR daemons
|
|
|
|
|
|
|
|
monitoring: T4418: Add output plugin azure-data-explorer
|
|
Add output telegraf Plugin Azure Data Explorer
set service monitoring telegraf azure-data-explorer authentication client-id 'x'
set service monitoring telegraf azure-data-explorer authentication client-secret 'x'
set service monitoring telegraf azure-data-explorer authentication tenant-id 'x'
set service monitoring telegraf azure-data-explorer database 'x'
set service monitoring telegraf azure-data-explorer group-metrics 'single-table'
set service monitoring telegraf azure-data-explorer url 'http://localhost.loc'
|
|
|
|
sshguard: T4408: Add service ssh dynamic-protection
|
|
Sshguard protects hosts from brute-force attacks
Can inspect logs and block "bad" addresses by threshold
Auto-generate rules for nftables
When service stopped all generated rules are deleted
nft "type filter hook input priority filter - 10"
set service ssh dynamic-protection
set service ssh dynamic-protection block-time 120
set service ssh dynamic-protection detect-time 1800
set service ssh dynamic-protection threshold 30
set service ssh dynamic-protection whitelist-address 192.0.2.1
|
|
|
|
systemd has its internal reload or restart logic - we do not need to programm
it on our own.
|
|
|