Age | Commit message (Collapse) | Author |
|
Move default values of TOTP configuration from a global to a per user setting.
This makes the entire code easier as no global configuration must be blended
into the per user config dict.
Also it should be possible to set the authentication window "multiple concurrent
keys" individual per user.
set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq'
set system login user vyos authentication plaintext-password 'vyos'
|
|
As IPsec site-so-site was rewritten we do not need replace
':' => '-' as ':' can not be in the connection name
So connection name can not use IP(v6) address as peer name
And current peers/connections not required prefix 'peer_'
Fix template that search correctly connection name of the peers
that allow to reset them again (reset ipsec peer was broken)
|
|
Telegraf checks the firewall table 'vyos_filter' but it we don't
have any firewall in the system we don't have this table by default
It cause commit error for "service monitoring"
Add exception if the table "vyos_filter" is not found
|
|
BGP directly connected neighbors (interface neighbors) do not
compatible with ebgp-multihop option
|
|
system login: T874: add 2FA support for local and ssh authentication
|
|
|
|
isis: T4739: ISIS segment routing being refactored
|
|
This is to refactor ISIS segment routing to match up with OSPF segment routing.
|
|
Set correct error message if conntrack entries not found
If we get XML raw data with len 0 it means there are no entries
in the conntrack table
|
|
ssh: T4716: Ability to configure RekeyLimit data and time
|
|
Ability to configure SSH RekeyLimit data (in Megabytes) and
time (in Minutes)
set service ssh rekey data 1024
set service ssh rekey time 60
|
|
|
|
|
|
|
|
ospf: T4707: Add OSPF segment routing for FRR
|
|
|
|
In this commit we add OSPF segment routing, smoke tests, handlers,
FRR template changes, and CLI commands.
|
|
policy: T4660: Changed CLI syntax in route-map set community
|
|
|
|
|
|
Changed CLI syntax in route-map set community,
set large-community, set extcommunity
Allows to add multiple communities, large-communities
and extcommunities in clear view.
Added new well-known communities.
Added non-transitive feature in extcommunities.
Fixed community's validators.
|
|
|
|
table name
|
|
login: T4715: Auto logout user after inactivity
|
|
Ability to terminate interactive sessions (TTY/PTS) after a period
of inactivity.
set system login timeout '300'
|
|
|
|
This adds a new 'alias' property to the console-server device definition
to allow users to connect to a console using a human-readable name
rather than just the device name.
For a configuration like:
service {
console-server {
device ttyUSB0 {
speed 115200
alias my-server
}
}
}
Users can connect either by doing `connect console ttyUSB0`, or
`connect console my-server`.
Names:
* Must be unique
* Are limited to 128 characters
* Are optional - if not specified, only the `connect console ttyX`
form can be used
|
|
The initial implementation from commit ac4e07f9 ("rfs: T4689: Support RFS
(Receive Flow Steering)") always adjusted the global rps_sock_flow_entries
configuration. So if RFS was enabled for one NIC but not the other - it did not
work.
According to the documentation:
RFS is only available if the kconfig symbol CONFIG_RPS is enabled (on by
default for SMP). The functionality remains disabled until explicitly
configured. The number of entries in the global flow table is set through:
/proc/sys/net/core/rps_sock_flow_entries
The number of entries in the per-queue flow table are set through:
/sys/class/net/<dev>/queues/rx-<n>/rps_flow_cnt
Both of these need to be set before RFS is enabled for a receive queue. Values
for both are rounded up to the nearest power of two. The suggested flow count
depends on the expected number of active connections at any given time, which
may be significantly less than the number of open connections. We have found
that a value of 32768 for rps_sock_flow_entries works fairly well on a
moderately loaded server.
This commit sets rps_sock_flow_entries via sysctl on bootup leafing the RFS
configuration to the interface level.
|
|
ids: T4557: Migrate threshold and add new threshold types
|
|
Migrate "service ids ddos-protection threshold xxx" to
"service ids ddos-protection general threshold xxx"
Add new threshold types:
set service ids ddos-protection threshold tcp xxx
set service ids ddos-protection threshold udp xxx
set service ids ddos-protection threshold icmp xxx
|
|
|
|
nat: T4605: Fix op-mode NAT table name
|
|
|
|
update-check: T3476: Allow update-check for VyOS images
|
|
nat: nat66: T4605: T4706: Refactor NAT/NAT66 and use new table name
|
|
* Rename table to vyos_nat
* Add static NAT smoketest
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
In addition to the rewrite to make use of get_config_dict() the CLI is
slightly adjusted as specified in T4703.
* Rename vlan-id and vlan-range to simply vlan
* Rename network-mode to simply mode
* Re-use existing common Jinja2 template for Accel-PPP which are shared
with PPPoE and SSTP server.
* Retrieve default values via defaultValue XML node
|
|
The "authentication id" option for road-warriors did not get migrated to
the new local-id CLI node. This has been fixed.
|
|
When a CLI node is set with a migrator and is not a valueLess node, we need to
specify the "value" using the value= operation in config.set().
This fixes the config load error: vyos.configsession.ConfigSessionError: Invalid
config file (syntax error): error at line 353
|
|
isis: T4693: Fix ISIS segment routing configurations, part deux
|
|
isis: T4693: Fix ISIS segment routing configurations
This change is to fix more bugs in which ISIS segment routing was broken due to a refactor. This change also introduces a few additions to the ISIS handler for checking per prefix validations for segment value and mutual exclusivity for two options.
|
|
T4699: Firewall: Add jump action in firewall ruleset
|
|
When any configured peer is set to `disable` while the Wireguard tunnel is up
and running it does not get actively revoked and removed. This poses a security
risk as connections keep beeing alive.
Whenever any parameter of a peer changes we actively remove the peer and fully
recreate it on the fly.
|
|
The initial Accel-PPP PPPoE implementation used:
set service pppoe-server interface <name> vlan-id <id>
set service pppoe-server interface <name> vlan-range <start-stop>
This is actually a duplicated CLI node.
|
|
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
|
|
|
|
Migration and Change boolean nodes "enable/disable" to
disable-xxxx, enable-xxxx and just xxx for VPN IPsec
configurations
- IKE changes:
- replace 'ipsec ike-group <tag> mobike disable'
=> 'ipsec ike-group <tag> disable-mobike'
- replace 'ipsec ike-group <tag> ikev2-reauth yes|no'
=> 'ipsec ike-group <tag> ikev2-reauth'
- ESP changes:
- replace 'ipsec esp-group <tag> compression enable'
=> 'ipsec esp-group <tag> compression'
- PEER changes:
- replace: 'peer <tag> id xxx'
=> 'peer <tag> local-id xxx'
- replace: 'peer <tag> force-encapsulation enable'
=> 'peer <tag> force-udp-encapsulation'
- add option: 'peer <tag> remote-address x.x.x.x'
Add 'peer <name> remote-address <name>' via migration script
|
|
policy-route: T4697: Add missing rule_id for verify_rule func
|