path: root/src/conf_mode
Age | Commit message | Author
2022-02-12 | policy: T2199: bugfix verify_rule() on negated groups | Christian Poessinger
Related to #1215
2022-02-09 | openvpn: T3686: Fix for check local-address in script and tmpl | Viacheslav Hletenko
Local-address should be checked/executed only if it exists in the openvpn configuration, dictionary, jinja2 template
2022-02-09 | openvpn: T4230: Delete checks if local-host address assigned | Viacheslav Hletenko
OpenVPN can't start if it depends on VRRP virtual-address as virtual-address is not yet assigned by HA (openvpn and ha in one commit) as we have checks "if address assigned"
It depends on commit priorities:
460 interfaces/openvpn
800 high-availability
Replace check if local-host address assigned from raise ConfigError to print (just notification)
Allow to bind OpenVPN service to nonlocal address
2022-02-05 | Merge pull request #1206 from sarthurdev/T4209 | Christian Poessinger
firewall: T4209: Fix support for rule `recent` matches
2022-02-04 | policy: T4151: Delete unexpected print added in commit c501ae0f | Viacheslav Hletenko
2022-02-04 | firewall: T4209: Fix support for rule `recent` matches | sarthurdev
2022-01-31 | upnpd: T3420: code cleanup | Christian Poessinger
2022-01-31 | Merge pull request #1196 from hensur/current-ipv6-local-route-iif | Christian Poessinger
policy: T4219: add local-route(6) inbound-interface support
2022-01-31 | firewall: T2199: Fix errors when referencing an empty chain | sarthurdev
2022-01-30 | policy: T4219: add local-route(6) incoming-interface | Henning Surmeier
2022-01-30 | policy: T4213: Fix duplicate commands from multiple rules with single table | sarthurdev
2022-01-29 | firewall: T4216: Add support for negated firewall groups | sarthurdev
2022-01-29 | firewall: T4218: Adds a prefix to all user defined chains | sarthurdev
2022-01-29 | Merge pull request #1195 from hensur/current-ipv6-local-route | Christian Poessinger
policy: T4151: bugfix multiple commits and smoketest
2022-01-30 | Merge pull request #789 from jack9603301/T3420 | Daniil Baturin
upnpd: T3420: Support UPNP protocol
2022-01-28 | policy: T4151: remove all previous rules on edit | Henning Surmeier
2022-01-27 | Merge pull request #1194 from sarthurdev/T4213 | Christian Poessinger
policy: T4213: Fix rule creation/deletion for IPv6 policy routes
2022-01-27 | policy: T4213: Fix rule creation/deletion for IPv6 policy routes | sarthurdev
2022-01-25 | policy: T4194: Add prefix-list duplication checks | Viacheslav Hletenko
Prefix-list should not be duplicated as FRR doesn't accept it
One option when it can be duplicated when it uses "le" or "ge"
2022-01-22 | Merge pull request #1184 from sarthurdev/firewall_icmp | Christian Poessinger
firewall: T4130: T4186: ICMP/v6 updates, ipv6 state policy check fix
2022-01-21 | firewall: T2199: Verify correct ICMP protocol for ipv4/ipv6 | sarthurdev
2022-01-21 | firewall: T4130: Use correct table to check for state policy rule | sarthurdev
2022-01-21 | policy: T4151: Bugfix policy ipv6-local-route | Henning Surmeier
2022-01-20 | Merge pull request #1144 from hensur/current-ipv6-local-route | Christian Poessinger
policy: T4151: Add policy ipv6-local-route
2022-01-18 | firewall: T2199: Raise ConfigError if deleted node is used in zone-policy | sarthurdev
2022-01-18 | firewall: policy: T1292: Clean up any rules required to delete a chain | sarthurdev
2022-01-17 | Merge pull request #1174 from sarthurdev/firewall | Christian Poessinger
firewall: T4178: T3873: tcp flags syntax refactor, intra-zone-filtering fix
2022-01-17 | firewall: policy: T4178: Migrate and refactor tcp flags | sarthurdev
* Add support for ECN and CWR flags
2022-01-14 | Merge pull request #1167 from sarthurdev/firewall | Christian Poessinger
firewall: T4178: Use lowercase for TCP flags and add a validator
2022-01-14 | firewall: T4178: Use lowercase for TCP flags and add a validator | sarthurdev
2022-01-14 | policy: T4151: Add policy ipv6-local-route | Henning Surmeier
Adds support for `ip -6 rule` policy based routing. Also, extends the existing ipv4 implementation with a `destination` key, which is translated as `ip rule add to x.x.x.x/x` rules.
https://phabricator.vyos.net/T4151
2022-01-13 | monitoring: T3872: Add just required interfaces for ethtool | Viacheslav
Telegraf ethtool input filter expected ethX interfaces and not other interfaces like vlans/tunnels/dummy
Add "interface_include" option to telegraf template.
2022-01-11 | policy: T2199: Refactor policy route script for better error handling | sarthurdev
* Migrates all policy route references from `ipv6-route` to `route6`
* Update test config `dialup-router-medium-vpn` to test migration of `ipv6-route` to `route6`
2022-01-11 | firewall: T4159: Add warning when an empty group is applied to a rule | sarthurdev
2022-01-11 | firewall: policy: T2199: Reload policy route script if `firewall group` node is changed | sarthurdev
2022-01-11 | firewall: policy: T4159: T4164: Fix empty firewall groups, create separate file for group definitions. | sarthurdev
2022-01-11 | policy: T4170: rename "policy ipv6-route" -> "policy route6" | Christian Poessinger
In order to have a consistent looking CLI we should rename this CLI node. There is:
* access-list and access-list6 (policy)
* prefix-list and prefix-list6 (policy)
* route and route6 (static routes)
2022-01-11 | containers: T2216: bugfix host networking on image upgrade | Mathew Inkson
The bug was partially fixed with this commit: https://github.com/vyos/vyos-1x/commit/358f0b481d8620cad4954e3fe418054b9a8c3ecd
The earlier commit introduced a startup retry (up to 10 times) to allow the OS to settle before the container is started. However, it only applies if host networking is NOT used.
This change applies the same for containers where host networking is employed. Since the retry portion of the code (written in the earlier commit) is now referenced twice, it has been moved to its own function.
2022-01-10 | nat: T2199: dry-run newly generated config before install | Christian Poessinger
Before installing a new conntrack policy into the OS Kernel, the new policy should be verified by nftables if it can be loaded at all or if it will fail to load. There is no need to load a "bad" configuration if we can pre-test it.
2022-01-10 | conntrack: T3579: dry-run newly generated config before install | Christian Poessinger
Before installing a new conntrack policy into the OS Kernel, the new policy should be verified by nftables if it can be loaded at all or if it will fail to load. There is no need to load a "bad" configuration if we can pre-test it.
2022-01-10 | conntrack: T3579: prepare for "conntrack timeout custom rule" CLI commands | Christian Poessinger
2022-01-10 | conntrack: T3579: migrate "conntrack ignore" tree to vyos-1x and nftables | Christian Poessinger
2022-01-10 | firewall: 4149: Fix verify steps being bypassed when base node is removed | sarthurdev
2022-01-05 | firewall: zone-policy: T4133: Prevent firewall from trying to clean-up zone-policy chains | sarthurdev
* Prevent firewall names from using the reserved VZONE prefix
2022-01-05 | Merge pull request #1136 from sarthurdev/firewall | Christian Poessinger
zone-policy: T4135: Raise error when using an invalid "from" zone.
2022-01-05 | zone-policy: T4135: Raise error when using an invalid "from" zone. | sarthurdev
2022-01-05 | Merge pull request #1134 from sarthurdev/firewall | Christian Poessinger
firewall: zone-policy: T2199: T4130: Fixes for firewall, state-policy and zone-policy
2022-01-05 | firewall: zone-policy: T2199: T4130: Fixes for firewall, state-policy and zone-policy | sarthurdev
2022-01-04 | Merge pull request #1121 from sever-sever/T4109 | Christian Poessinger
keepalived: T4109: Add high-availability virtual-server
2022-01-04 | keepalived: T4109: Add high-availability virtual-server | Viacheslav
Add new feature, high-availability virtual-server
Change XML, python and templates
Move vrrp to root node 'high-availability' as all logic is handled by root node 'high-availability'