Age | Commit message (Collapse) | Author |
|
login: T4790: Added check of the sum of radius timeouts
|
|
Added check of the sum of login radius timeouts.
It has to be less or eq 50 sec.
Added check of a number of login radius servers.
It has to be less or eq 8
Otherwise, log in to the device can be discarded.
Backported from 1.4
|
|
Sshguard protects hosts from brute-force attacks
It can inspect logs and block "bad" addresses by threshold
Auto-generates own tables and rules for nftables, so they are not
intercept with VyOS firewall rules.
When service stops, all generated tables are deleted.
set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
|
|
(cherry picked from commit a409b255acc3dc0a67058593e31b3614e20714f0)
|
|
(cherry picked from commit ca7c063666c038d104082542f04ead6062e79246)
|
|
This is a radvd limitation.
(cherry picked from commit 8ef017a3496467433c311af63116af7657c58037)
|
|
Allow syslog messages to be sent through a VRF (e.g. management).
(cherry picked from commit 46d2bcdb0b500b4d1b9d973ab5b9ca3c6cf44e51)
|
|
cloud-init: T5190: Added Cloud-init pre-configurator
|
|
Users might add the podman network interface to a zone based firewall. This
could cuase breaking configs on upgrades to 1.4.
As container support is not yet released for 1.3 LTS version (will be 1.3.3),
we once rename the network interface to match the schema in VyOS 1.4.
|
|
Added a new service that starts before Cloud-init, waits for all network
interfaces initialization, and if requested by config, checks which interfaces
can get configuration via DHCP server and creates a corresponding Cloud-init
network configuration.
This protects from two situations:
* when Cloud-init tries to get meta-data via eth0 (default and fallback variant
for any data source which depends on network), but the real network is connected
to another interface
* when Cloud-init starts simultaneously with udev and initializes the first
interface to get meta-data before it is renamed to eth0 by udev
|
|
FastAPI v0.92.0 (starlette v0.24.0) sets default attribute
Request._form; check for value == None instead of existence when
overriding Request class.
(cherry picked from commit cac55a066e1f7d7d4c0eec5ada76570a326b5ac9)
|
|
T4727: Add RADIUS rate-limit attribute for vpn pptp
|
|
Fix for Telegraf agent hostname isn't qualified
Try to get the hostname from FQDN and then from the hostname
Used for metrics
You may have more than one machine with different domain names
r1 domain-name foo.local, hostname myhost
r2 domain-name bar.local, hostname myhost
It helps to detect from which exactly host we get metrics for
InfluxDB2
|
|
Add rate-limit attribute, multiplier, vendor specific attribute
for the [shaper] section
|
|
Container registry CLI node changed from leafNode to tagNode with the same
defaults. In addition we can now configure an authentication option per
registry.
(cherry picked from commit fe82d86d3e87cb8d92ebc9d0652c08e3dd79a12c)
|
|
container: T5047: restart only containers that changed (backport)
|
|
Commit 52e51ffb ("container: T5047: restart only containers that changed")
started to iterate over a NoneType which is invalid. This happened when a
network description was changed but no container was due for restart.
(cherry picked from commit 86d7b8d1d2b53b9fa93bd456abb4ea1b4f2949b6)
|
|
By default VyOS used to restart all containers it managed. This makes no sense
as it will be service disrupting. Instead only restart the containers that had
changes on the CLI beeing made.
(cherry picked from commit 52e51ffbb84996aee9d5b94eebf64589ead31225)
|
|
'show interfaces counters' correctly displays counter stats after a call
to 'clear interfaces counters', however, 'show interfaces detail' does
not. Add missing update to counter stats.
|
|
(cherry picked from commit 05e00b986a563681b038b226c86c83a29d6da820)
|
|
Event-handler allows executing a custom script when detects
some configured "pattern regex"
set service event-handler event first filter pattern '.*ssh2.*'
set service event-handler event first script arguments '192.0.2.5'
set service event-handler event first script environment interface value 'eth0'
set service event-handler event first script path '/config/scripts/hello.sh'
It is the backport from 1.4
|
|
T5033: Ability to generate muliple keys from a file or link
|
|
|
|
(cherry picked from commit 779f4001a4828f1af39a5b0b861d62635fcb3726)
|
|
Added the tunnel ip column to see the assigned ip address in server mode
(cherry picked from commit 500c182c4fa4e0fa030b7c68139fbe948266c49b)
|
|
Ability setting container hostname
This host name is used as /etc/hostname
set container name <tag> host-name 'mybox'
(cherry picked from commit c68d73e6720a7df2b48df17ac7b9b4c906e0294c)
|
|
options for containers
(cherry picked from commit 53aebddb4ca54b0cc4a296d6cc4c4d960c5f1d73)
|
|
We generate only one public key (string) from a file xxx.pub
op-mode with 'generate public-key-command user vyos lik_to_key_file'
Add ability to generate configuration (from op-mode) for multiple keys
As github keys don't use identifiers, generate uuid4 id for them
|
|
openconnect: T4955: Removed wrong authserver in radiusclient.conf
|
|
As we have the same variable name 'default_values' for container
name, port and volume, it rewrites default container parameters
with default port parameters
Fix it
(cherry picked from commit 679efe8ac7998ba1b8f3c7c4bfc7508d8869907d)
|
|
After merging config dictionary with default values,
radius port the default value was merged not in a proper way.
It is added as a server.
After creating radiusclient.conf added
and the illegal authserver equal 'port'.
Backported from 1.4
|
|
|
|
T4971: PPPoE server add named ip pool and attr Framed-Pool
|
|
Replace links to the phabricator site from https://phabricator.vyos.net to
https://vyos.dev
(cherry-picked form commit bd9416a6aa9d5d0a746dc2cebc8d0330fd27d1a2)
|
|
Backport "dict_search_recursive" from vyos.util 1.4 to 1.3
data = {
'interfaces': {'dummy': {'dum0': {'address': ['192.0.2.17/29']}},
'ethernet': {'eth0': {'address': ['2001:db8::1/64', '192.0.2.1/29'],
'description': 'Test123',
'duplex': 'auto',
'hw_id': '00:00:00:00:00:01',
'speed': 'auto'},
'eth1': {'address': ['192.0.2.9/29'],
'description': 'Test456',
'duplex': 'auto',
'hw_id': '00:00:00:00:00:02',
'speed': 'auto'}}}
}
dict_search_recursive(data, 'hw_id') will yield both '00:00:00:00:00:01' and
'00:00:00:00:00:02' as generator object.
|
|
This reverts commit 7b36c363cd5b0168bd83c399f50a0a360ba3ee58.
A general solution is implemented in Commit ae9dde04 ("T4975: always sync()
filesystem after commit").
|
|
(cherry picked from commit 29a44a73c638cb22839aa32986de367231b6efe9)
|
|
User profile files are not saved to disk after configuration is fully applied.
Because of this, after a fast system reset, profile files can be empty, and CLI
is broken.
This fix adds a `sync()` call after the user's configuration, which should
protect from data loss and fix the problem with profiles.
|
|
|
|
container: T4947: support mounting container volumes as ro or rw (equuleus backport)
|
|
(cherry picked from commit f0bc6c62016d285f0645c4b3ba8b1451c40c637f)
|
|
Whenever a container is used and a folder is mounted, this happenes as
read-write which is the default in Docker/Podman - so is the default in VyOS.
A new option is added "set container name foo volume mode <ro|rw>" to specify
explicitly if rw (default) or ro should be used for this mounted folder.
(cherry picked from commit 275ea7303cfdb79c042da1b710622aee17a488a8)
|
|
We get incorrect data when shows connections
As we get list of all connections we should compare the connection
name with entries in list and set correct data if they match
|
|
Changed restart to reload-or-restart in the commit.
It allows to reload the config
and not restart webproxy service during the commit.
Backported from 1.4
|
|
used
We need to ensure that source-address is assigned on source-interface before
applying the configuration, else SSH client will have a hard time talking to
someone.
(cherry picked from commit d1ef90e1eb51334b99ad716969e17c7f257e1a39)
|
|
(cherry picked from commit 87cc636bd2baf576a2a5ece7a4f8318eb4f69c2e)
|
|
Commit 846e306700a ("ssh: T2651: add cli options for source address") added
support for a basic SSH client option, but it grabbed the entire
/etc/ssh/ssh_config file without the ability to make custom user
adjustments via the /etc/ssh/ssh_config.d/ folder.
This commit places the VyOS SSH options under /etc/ssh/ssh_config.d/ leaving
the common override system alive.
(cherry picked from commit 7763de6c4b93d3372ab3f4572d9fa6b7536102b3)
|
|
|
|
T3810: Fixed all issues in T3810
|
|
1. Added in script update webproxy blacklists generation of all DBs
2. Fixed: if the blacklist category does not have generated db,
the template generates an empty dest category
in squidGuard.conf and a Warning message.
3. Added template generation for local's categories
in the rule section.
4. Changed syntax in the generation dest section for blacklist's
categories
5. Fixed generation dest local sections in squidGuard.conf
6. Fixed bug in syntax. The word 'allow' changed to the word 'any'
in acl squidGuard.conf
7. Backported all changes from 1.4 to 1.3 which were made in T3810
8. Fixed webproxy smoketest
|