Age | Commit message (Collapse) | Author |
|
firewall: T478: Add support for nesting groups
|
|
|
|
This reverts commit 6f818ee9033ee3abeedbed73eb44331dc27e7408.
|
|
It can be more then 5 symbols in top-level-domain address
for example '.photography' and '.accountants'
Firewall group can be added without address:
* set firewall group domain-group DOMAIN
Check if 'address' exists in group_config
|
|
|
|
* 'sstp_port' of https://github.com/goodNETnick/vyos-1x:
sstp: T4444. Port number changing support
|
|
firewall: T970: Add firewall group domain-group
|
|
event-handler: T3083: Add simple event-handler
|
|
Before:
set service event-handler Foo
After:
set service event-handler event Foo
|
|
* Added the ability to filter by a syslog identifier
* Added the ability to pass arguments to a script
* Added the ability to pass preconfigured environment variables to a script
* A message that triggered a script is now passed in the `message` variable and
can be used in a script
* Replaced `call()` to `run()`, since stdout are not need to be printed
|
|
Move 'system event-handler' to 'service event-handler'
|
|
* Removed dynamic generating for systemd unit
* Optimized configuration file deleting process
* Added exceptions handlers to event-handler script to protect service
from most obvious potential troubles
* Improved logging
* Moved pattern compilation outside a messages loop to avoid extra operations
* Added signal handlers for proper systemd integration
|
|
Event-handler allows executing a custom script when in logs it
detects configured "pattern"
A simple implemenation
set system event-handler first pattern '.*ssh2.*'
set system event-handler first script '/config/scripts/hello.sh'
|
|
|
|
OWAMP is a command line client application and a policy daemon used
to determine one way latencies between hosts.
OWAMP session control uses traditional client-server communication
between a control-client and a server,
TWAMP (two-way active measurement protocol)
Add configuration and operation modes
set service sla owamp-server
set service sla twamp-server
run force owping 192.0.2.120
run force twping 192.0.2.190
|
|
|
|
|
|
|
|
Commit f9e38622 ("rip: T4448: add support to set protocol version on an
interface level") also added the versionspecified on a per interface level.
the RIp version carried a default value of 2 which makes RIPv1 and RIPv2 no
longer working which is dthe default for FRR. Remove the default "2" from the
RIP version specifier to make this behavior work again.
|
|
|
|
|
|
|
|
Domain group allows to filter addresses by domain main
Resolved addresses as elements are stored to named "nft set"
that used in the nftables rules
Also added a dynamic "resolver" systemd daemon
vyos-domain-group-resolve.service which starts python script
for the domain-group addresses resolving by timeout 300 sec
set firewall group domain-group DOMAINS address 'example.com'
set firewall group domain-group DOMAINS address 'example.org'
set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 source group domain-group 'DOMAINS'
set interfaces ethernet eth0 firewall local name 'FOO'
nft list table ip filter
table ip filter {
set DOMAINS {
type ipv4_addr
flags interval
elements = { 192.0.2.1, 192.0.2.85,
203.0.113.55, 203.0.113.58 }
}
chain NAME_FOO {
ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"
counter packets 0 bytes 0 return comment "FOO default-action accept"
}
}
|
|
|
|
FRR: T4020: Added CLI options for FRR daemons
|
|
|
|
|
|
|
|
monitoring: T4418: Add output plugin azure-data-explorer
|
|
Add output telegraf Plugin Azure Data Explorer
set service monitoring telegraf azure-data-explorer authentication client-id 'x'
set service monitoring telegraf azure-data-explorer authentication client-secret 'x'
set service monitoring telegraf azure-data-explorer authentication tenant-id 'x'
set service monitoring telegraf azure-data-explorer database 'x'
set service monitoring telegraf azure-data-explorer group-metrics 'single-table'
set service monitoring telegraf azure-data-explorer url 'http://localhost.loc'
|
|
|
|
sshguard: T4408: Add service ssh dynamic-protection
|
|
Sshguard protects hosts from brute-force attacks
Can inspect logs and block "bad" addresses by threshold
Auto-generate rules for nftables
When service stopped all generated rules are deleted
nft "type filter hook input priority filter - 10"
set service ssh dynamic-protection
set service ssh dynamic-protection block-time 120
set service ssh dynamic-protection detect-time 1800
set service ssh dynamic-protection threshold 30
set service ssh dynamic-protection whitelist-address 192.0.2.1
|
|
|
|
systemd has its internal reload or restart logic - we do not need to programm
it on our own.
|
|
|
|
This reverts commit d1455f936ca721633fcc04d5c84169b4ccf2f447.
New spokes can't register on hub with 'reload-or-restart' option
And requires option 'restart' for opennhrp.service
|
|
|
|
|
|
Ability to send HTTP output to Splunk via telegraf
set service monitoring telegraf splunk authentication insecure
set service monitoring telegraf splunk authentication token 'xxx'
set service monitoring telegraf splunk url 'https://x.x.x.x'
|
|
Add output Plugin "prometheus-client" for telegraf:
set service monitoring telegraf prometheus-client
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|