summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2020-05-16nat: T2198: add common ip-protocol validatorChristian Poessinger
It allows IP protocol numbers 0-255, protocol names e.g. tcp, ip, ipv6 and the negated form with a leading "!".
2020-05-16nat: T2198: add support for SNAT based on source addressesChristian Poessinger
CLI commands used for ruleset generation: set nat source rule 100 outbound-interface 'eth0.202' set nat source rule 100 protocol 'all' set nat source rule 100 source address '192.0.2.0/26' set nat source rule 100 translation address 'masquerade' set nat source rule 110 outbound-interface 'eth0.202' set nat source rule 110 protocol 'tcp' set nat source rule 110 source address '192.0.2.0/26' set nat source rule 110 source port '5556' set nat source rule 110 translation address 'masquerade'
2020-05-16nat: T2198: set default protocol to all to be backwards compatibleChristian Poessinger
2020-05-16nat: T2198: sync generated DNAT rules with VyOS 1.2Christian Poessinger
The generated NAT rules in VyOS 1.2 are compared to the generated nftables ruleset in VyOS 1.3 this was done by converting the 1.2 iptables ruleset to nftables and then do the diff. To convert from iptables to nftables use the following command: $ iptables-save -t nat > /tmp/tmp.iptables $ iptables-restore-translate -f /tmp/tmp.iptables The following CLI options have been used for testing: set nat destination rule 10 description 'foo-10' set nat destination rule 10 destination address '1.1.1.1' set nat destination rule 10 destination port '1111' set nat destination rule 10 exclude set nat destination rule 10 inbound-interface 'eth0.202' set nat destination rule 10 log set nat destination rule 10 protocol 'tcp_udp' set nat destination rule 10 translation address '192.0.2.10' set nat destination rule 15 description 'foo-10' set nat destination rule 15 destination address '1.1.1.1' set nat destination rule 15 exclude set nat destination rule 15 inbound-interface 'eth0.202' set nat destination rule 15 log set nat destination rule 15 protocol 'tcp_udp' set nat destination rule 15 translation address '192.0.2.10' set nat destination rule 20 description 'foo-20' set nat destination rule 20 destination address '2.2.2.2' set nat destination rule 20 inbound-interface 'eth0.201' set nat destination rule 20 log set nat destination rule 20 protocol 'tcp' set nat destination rule 20 translation address '192.0.2.10'
2020-05-16nat: T2198: verify translation address for SNAT and DNATChristian Poessinger
2020-05-16nat: T2198: extend verify() for destination portsChristian Poessinger
Destination NAT configuration: destination ports can only be specified when protocol is tcp, udp or tcp_udp.
2020-05-16nat: T2198: migrate "log enable" node to only "log"Christian Poessinger
2020-05-16nat: T2198: migrate "show nat" commands to XML and PythonChristian Poessinger
- "show nat source|destination statistics" is now implemented in Python - "show nat source|destination rules" needs a new implementation, see T2459 - "show nat source|destination translations" has been copied over from the old repo and is here until it is rewritten, this was not possible for "rules" as there would have been too much dependencies. This one only requires libxml-simple-perl
2020-05-16nat: T2198: add some basic verify() rulesChristian Poessinger
2020-05-16nat: T2198: add ipv4-{address,prefix,rage}-exclude validatorsChristian Poessinger
Exclude validators are required to support the ! (not) operator on the CLI to exclude addresses from NAT.
2020-05-16nat: T2198: add new ipv4-range validatorChristian Poessinger
2020-05-16nat: T2198: make use of jmespath when walking nftables JSON outputChristian Poessinger
2020-05-16nat: T2198: implement deletion of NAT subsystemChristian Poessinger
2020-05-16nat: T2198: automatically determine handler numbersChristian Poessinger
When instantiating NAT it is required to isntall some nftable jump targets. The targets need to be added after a specific other target thus we need to dynamically query the handler number. This is done by get_handler() which could be moved to vyos.util at a later point in time so it can be reused for a firewall rewrite.
2020-05-16nat: T2198: move from iptables to nftablesChristian Poessinger
2020-05-16nat: T2198: migrate to common template for source/destination NATChristian Poessinger
2020-05-16nat: T2198: destination nat template for iptables-restoreChristian Poessinger
2020-05-16nat: T2198: initial XML and Python representationChristian Poessinger
2020-05-15T2467: Restarting of service needs `sudo`kroy-the-rabbit
2020-05-13flow-accounting: T2456: Replace old functionDmitriyEshenko
2020-05-12T2449: Fixing key to appropriate onekroy-the-rabbit
2020-05-12tunnel: T2449: bugfix KeyError 'address'Christian Poessinger
Commit 9e5c6a935e2f55 ("tunnel: T2449: set accept_ra=2 if ipv6 address autoconf or dhcpv6 is set") referenced wrong key in dict.
2020-05-11wireless: T2449: set accept_ra on wireless interfacesJernej Jakob
2020-05-11vxlan: T2449: set accept_ra=2 if ipv6 address autoconf or dhcpv6 is setJernej Jakob
To make SLAAC and DHCPv6 work when forwarding=1, accept_ra must be 2 (default for accept_ra is 1).
2020-05-11tunnel: T2449: set accept_ra=2 if ipv6 address autoconf or dhcpv6 is setJernej Jakob
To make SLAAC and DHCPv6 work when forwarding=1, accept_ra must be 2 (default for accept_ra is 1).
2020-05-11pseudo-ethernet: T2449: set accept_ra on pseudo-ethernet interfacesJernej Jakob
2020-05-11openvpn: T2449: set accept_ra=2 if ipv6 address autoconf or dhcpv6 is setJernej Jakob
To make SLAAC and DHCPv6 work when forwarding=1, accept_ra must be 2 (default for accept_ra is 1).
2020-05-11l2tpv3: T2449: set accept_ra=2 if ipv6 address autoconf or dhcpv6 is setJernej Jakob
To make SLAAC and DHCPv6 work when forwarding=1, accept_ra must be 2 (default for accept_ra is 1).
2020-05-11ethernet: T2449: set accept_ra on ethernet interfacesJernej Jakob
2020-05-11bridge: T2449: set accept_ra=2 if ipv6 address autoconf or dhcpv6 is setJernej Jakob
To make SLAAC and DHCPv6 work when forwarding=1, accept_ra must be 2 (default for accept_ra is 1).
2020-05-11bonding: T2449: set accept_ra on bonding interfacesJernej Jakob
2020-05-08T2441: Fix parse errorkroy-the-rabbit
2020-05-09T2431: remove the numeric validator for it now lives in vyos-utils.Daniil Baturin
2020-05-08Merge pull request #395 from thomas-mangin/T2417Christian Poessinger
validator: T2417: try to make the code clearer
2020-05-08Merge branch 'current' of github.com:thomas-mangin/vyos-1x into T2417Thomas Mangin
2020-05-08Merge pull request #399 from jjakob/disable-address-fix-T2427Christian Poessinger
wireless: T2427: migrate to use common configdict and vlan functions, add common interface includes to template
2020-05-08Merge pull request #398 from jjakob/bridge-fix-T2241Christian Poessinger
openvpn: T2241: fix wrong indent caused by 66e15005
2020-05-08Merge pull request #402 from jjakob/fix-syntax-T2435Christian Poessinger
T2435: fix syntax errors
2020-05-08dhcpv6-relay: T2438: change systemd service typeJernej Jakob
The default of systemd services Type=simple isn't suitable for dhcrelay and other daemons. - change service type to forking - add RuntimeDirectory - set PIDFile
2020-05-08dhcp-relay: T2438: change systemd service typeJernej Jakob
The default of systemd services Type=simple isn't suitable for dhcrelay and other daemons. - change service type to forking - add RuntimeDirectory - set PIDFile
2020-05-08dhcpv6-server: T2438: change systemd service type, validate config fileJernej Jakob
The default of systemd services Type=simple isn't suitable for dhcpd and other daemons. - change service type to forking - add RuntimeDirectory - set paths to files in Environment - set PIDFile - validate config and lease file in ExecStartPre - add -q to make dhcpd quiet and only log to syslog - set Restart=always
2020-05-08dhcp-server: T2438: change systemd service type, validate config fileJernej Jakob
The default of systemd services Type=simple isn't suitable for dhcpd and other daemons. - change service type to forking - add RuntimeDirectory - set paths to files in Environment - set PIDFile - validate config and lease file in ExecStartPre - add -q to make dhcpd quiet and only log to syslog - set Restart=always
2020-05-08vxlan: T2435: fix syntax errorJernej Jakob
2020-05-08pseudo-ethernet: T2435: fix syntax and copy-paste errorJernej Jakob
2020-05-07T2431: use native versions of validate-value and numeric validator.Daniil Baturin
2020-05-07openvpn: T2241: fix wrong indent caused by 66e15005Jernej Jakob
2020-05-07wireless: T2427: migrate to use common configdict and vlan functionsJernej Jakob
Other interfaces were previously migrated, but this one was forgotten, causing a commit error: File "/usr/libexec/vyos/conf_mode/interfaces-wireless.py", line 621, in verify verify_vlan_config(wifi) File "/usr/lib/python3/dist-packages/vyos/ifconfig_vlan.py", line 155, in verify_vlan_config for vif in config['vif'].values(): AttributeError: 'list' object has no attribute 'values'
2020-05-06http api: T2395: add waitress as production WSGI serverJohn Estabrook
2020-05-06http api: T2395: replace bottle with flask as microframeworkJohn Estabrook
2020-05-06http api: use decorator to get command data from requestJohn Estabrook