path: root/src
Age | Commit message | Author
2024-05-29 | nat: T6371: fix op mode display of configured ports when comma separated list of ports/ranges exists | Ginko

Before: Issuing the op mode command "show nat source rules" will throw an exception if the user has configured NAT rules using a list of ports as a comma-separated list (e.g. '!22,telnet,http,123,1001-1005'). Also there was no handling for the "!" rule, and so '!53' would display as '53'.

With this PR: Introduced iteration to capture all configured ports and append to the appropriate string for display to the user, as well as handling of '!' if present in the user's configuration.
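Added example, not VyOS code and not part of the commit above: a small parser for the port-list syntax the T6371 commit describes, with the leading '!' negation it mentions, rendered both for op-mode display and as an nftables dport match. The service-name and range validation and the nft rendering are this example's own assumptions, not VyOS's rule generator.

```python
"""Added example, not VyOS code: parse and render NAT port lists of the form
'!22,telnet,http,123,1001-1005' (optional leading '!' negates the whole
list; items are port numbers, service names or 'lo-hi' ranges)."""
import re

_PORT_RE = re.compile(r"^\d{1,5}$")
_RANGE_RE = re.compile(r"^(\d{1,5})-(\d{1,5})$")
# Assumed shape of a service name as found in /etc/services (e.g. telnet, http).
_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*$")


def _validate_item(item):
    """Reject anything that is not a port, a port range or a service name."""
    match = _RANGE_RE.match(item)
    if match:
        lo, hi = int(match.group(1)), int(match.group(2))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range {item!r}")
    elif _PORT_RE.match(item):
        if not 1 <= int(item) <= 65535:
            raise ValueError(f"port {item!r} out of range")
    elif not _NAME_RE.match(item):
        raise ValueError(f"unrecognised port item {item!r}")


def parse_port_spec(spec):
    """Split a specification into (negated, [items]).

    A leading '!' applies to the whole list; this is the piece the fix
    above had to preserve, so that '!53' is not shown as '53'.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    items = [item.strip() for item in spec.split(",")]
    if any(not item for item in items):
        raise ValueError("empty item in port specification")
    for item in items:
        _validate_item(item)
    return negated, items


def display_ports(spec):
    """Render the list for op-mode output, re-attaching the '!' when present."""
    negated, items = parse_port_spec(spec)
    return ("!" if negated else "") + ",".join(items)


def nft_port_match(protocol, spec):
    """Render the same list as an nftables match (assumed mapping, not the
    project's own): several items become an anonymous set, a negated list
    uses '!='."""
    negated, items = parse_port_spec(spec)
    operator = "!= " if negated else ""
    if len(items) == 1:
        return f"{protocol} dport {operator}{items[0]}"
    return f"{protocol} dport {operator}{{ {', '.join(items)} }}"


if __name__ == "__main__":
    for example in ("!22,telnet,http,123,1001-1005", "!53", " 80 , 443 "):
        print(f"{example!r:34} -> {display_ports(example):32} {nft_port_match('tcp', example)}")
```

Invalid items (a port of 0, a backwards range, an empty element from a trailing comma) raise ValueError rather than being silently dropped, which is the behaviour an op-mode display should have: showing a rule with fewer ports than are actually enforced is worse than an error.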
2024-05-29 | openvpn: T6374: only check TLS role for s2s if TLS is configured | Daniil Baturin
2024-05-29 | Merge pull request #3534 from sever-sever/T6411 | Daniil Baturin

T6411: CGNAT fix sequences for external address ranges

2024-05-28 | Merge pull request #3528 from dmbaturin/T6374-openvpn-s2s-tls-validation | Christian Breunig

openvpn: T6374: ensure that TLS role is configured for site-to-site with TLS

2024-05-28 | Merge pull request #3533 from natali-rs1985/T6389-current | John Estabrook

op_mode: T6389: Check architecture and flavor compatibility on upgrade attempts

2024-05-28 | Merge pull request #3529 from HollyGurza/T5786 | Christian Breunig

T5786: Add set/show system image to /image endpoint

2024-05-28 | T6411: CGNAT fix sequences for external address ranges | Viacheslav Hletenko

Fix the bug where external address allocation did not rely on the sequences of the external IP addresses (if set).

2024-05-28 | op mode: T6389: Check architecture and flavor compatibility on upgrade attempts | Nataliia Solomko
2024-05-28 | T6406: rename cpus to cpu | Nicolas Vollmar
2024-05-28 | T6406: add container cpu limit option | Nicolas Vollmar
2024-05-27 | T5786: Add set/show system image to /image endpoint | khramshinr
2024-05-27 | openvpn: T6374: ensure that TLS role is configured for site-to-site with TLS | Daniil Baturin
2024-05-26 | reverse-proxy: T6402: Fix invalid checks in validation script | Alex W
2024-05-25 | op-mode: T6400: pki: unable to generate fingerprint for ACME issued certificates | Christian Breunig

This fixes (for an ACME generated certificate)

vyos@vyos:~$ show pki certificate vyos fingerprint sha512
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 1081, in <module>
    show_certificate_fingerprint(args.certificate, args.fingerprint)
  File "/usr/libexec/vyos/op_mode/pki.py", line 934, in show_certificate_fingerprint
    print(get_certificate_fingerprint(cert, hash))
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 76, in get_certificate_fingerprint
    fp = cert.fingerprint(hash_algorithm)
         ^^^^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'fingerprint'

After the fix:

vyos@vyos# run show pki certificate vyos fingerprint sha256
10:2C:EF:2C:DA:7A:EE:C6:D7:8E:53:12:F0:F5:DE:B9:E9:D0:6C:B4:49:1C:8B:70:2B:D9:AF:FC:9B:75:A3:D2
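Added example, not VyOS code and not part of the commit above: how a certificate fingerprint is produced (a digest over the DER encoding, printed as colon-separated upper-case hex as in the output above) and the type check whose absence produced the traceback, where a loader that signalled failure with a bool was handed straight to `.fingerprint()`. It uses only the standard library instead of the `cryptography` package the traceback shows; the sample DER bytes are constructed and not a real certificate, and the set of accepted digest names is this example's assumption.

```python
"""Added example, not VyOS code: X.509 fingerprints over DER bytes with the
input check that the op-mode traceback above was missing."""
import hashlib
import ssl

# Digests accepted by this example (an assumption; the page only shows
# sha256 and sha512 being requested).
DIGESTS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}

# Constructed stand-in for a certificate. A fingerprint is a digest over
# the DER encoding, so any byte string exercises the code path; these bytes
# are NOT a valid X.509 structure.
SAMPLE_DER = bytes(range(256)) + b"constructed-example-cert"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def load_certificate(pem_text):
    """Return DER bytes for a PEM certificate, or None when the input is not
    one. Returning a sentinel instead of raising mirrors the loader shape
    that led to the 'bool' object in the traceback above."""
    try:
        return ssl.PEM_cert_to_DER_cert(pem_text)
    except (ValueError, TypeError, AttributeError):
        return None


def certificate_fingerprint(cert_der, algorithm):
    """Colon-separated upper-case hex digest of the DER encoding."""
    if not isinstance(cert_der, (bytes, bytearray)):
        # The missing check: refuse anything that is not certificate bytes
        # (a bool, None, a str) before touching it.
        raise TypeError(f"expected certificate bytes, got {type(cert_der).__name__}")
    try:
        digest = DIGESTS[algorithm](bytes(cert_der)).digest()
    except KeyError:
        raise ValueError(f"unsupported digest {algorithm!r}") from None
    return ":".join(f"{byte:02X}" for byte in digest)


def show_certificate_fingerprint(name, pem_text, algorithm):
    """Op-mode style front end: returns the line a user would see, an error
    text rather than a traceback when the certificate could not be loaded."""
    cert = load_certificate(pem_text)
    if cert is None:
        return f"Certificate {name!r} is not a valid PEM certificate"
    return certificate_fingerprint(cert, algorithm)


if __name__ == "__main__":
    print(show_certificate_fingerprint("vyos", SAMPLE_PEM, "sha256"))
    print(show_certificate_fingerprint("vyos", SAMPLE_PEM, "sha512"))
    print(show_certificate_fingerprint("vyos", False, "sha256"))
```

`ssl.PEM_cert_to_DER_cert` only strips the PEM armour and base64-decodes, so the round trip works on the constructed bytes; with a real certificate the same digest over the DER is what `cert.fingerprint(...)` from `cryptography` returns.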
2024-05-23 | Merge pull request #3399 from 0xThiebaut/suricata | Christian Breunig

suricata: T751: Initial support for suricata

2024-05-23 | suricata: T751: use key_mangling in get_config_dict() | Christian Breunig
2024-05-23 | suricata: T751: remove implicit default dictionary | Christian Breunig
2024-05-23 | suricata: T751: move CLI from "service ids suricata" -> "service suricata" | Christian Breunig
2024-05-23 | Merge pull request #3487 from Embezzle/T6370 | Christian Breunig

reverse-proxy: T6370: Set custom HTTP headers in reverse-proxy responses

2024-05-23 | Merge pull request #3507 from c-po/nat-T6345 | Daniil Baturin

nat: T6345: source NAT port mapping "fully-random" is superfluous in Kernel >=5.0

2024-05-23 | Merge pull request #3505 from c-po/nat66-T6365 | Daniil Baturin

nat66: T6365: remove warnings for negated interface selections by name

2024-05-23 | dhcpv6-server: T6381: fix typos in select ConfigError messages in VyOS current (#3508) | Ginko
2024-05-22 | nat: T6345: source NAT port mapping "fully-random" is superfluous in Kernel >=5.0 | Christian Breunig

random - In kernel 5.0 and newer this is the same as fully-random. In earlier kernels the port mapping will be randomized using a seeded MD5 hash mix using source and destination address and destination port.

https://git.netfilter.org/nftables/commit/?id=fbe27464dee4588d906492749251454

2024-05-22 | nat66: T6365: remove warnings for negated interface selections by name | Christian Breunig
2024-05-22 | Merge pull request #3482 from alryaz/patch-1 | Christian Breunig

nat: T6365: remove warnings for negated interface selections by name

2024-05-22 | nat: T6365: use interface_exists() over netifaces.interfaces() | Christian Breunig
2024-05-22 | nat: T6365: use string startswith() over [0] index access | Christian Breunig
2024-05-22 | nat: T6365: remove warnings for negated interface selections by name | Ryazanov Alexander Mihailovich
2024-05-21 | reverse-proxy: T6370: Set custom HTTP headers in reverse-proxy responses | Alex W
2024-05-21 | T6366: CGNAT add ability to get external and internal allocations | Viacheslav Hletenko

Add the ability to show port allocation per external or internal address. With huge entries, it is necessary to filter it by a specific external/internal IP address.

2024-05-19 | Merge pull request #3483 from sever-sever/T6364 | Daniil Baturin

T6364: CGNAT drop hard limit that allows only one translation rule

2024-05-18 | T6349: updated pr-labels workflow permission (#3485) | Vijayakumar A
2024-05-18 | T5169: Allow to set CGNAT multiple internal pools | Viacheslav Hletenko

Allow to set multiple CGNAT internal pools

```
set nat cgnat pool internal int-01 range '100.64.0.0/28'
set nat cgnat pool internal int-01 range '100.64.222.11-100.64.222.14'
```

2024-05-18 | T6364: CGNAT drop hard limit that allows only one translation rule | Viacheslav Hletenko

As a PoC, CGNAT had a hard limit of using only one translation rule for one internal pool. Drop this limit and extend the usable number of rules.

```
set nat cgnat rule 100 source pool 'int-01'
set nat cgnat rule 100 translation pool 'ext-01'
set nat cgnat rule 120 source pool 'vyos-int-02'
set nat cgnat rule 120 translation pool 'vyos-ext-02'
```
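Added example, not VyOS code and not part of the commits above: a deterministic port-block allocator of the kind the T6411 (external address sequence) and T6366 (per-address allocation listing) commits describe, accepting both internal pool forms shown in the T5169 commit (a CIDR prefix and a hyphenated range). Blocks are handed out in the order the external addresses are configured, so reordering the external sequence changes the result, which is the property T6411 restores. The port range, the block size and the rule that every address of a prefix is usable are this example's assumptions, not VyOS defaults; all addresses are constructed.

```python
"""Added example, not VyOS code: sequential CGNAT port-block allocation over
pools given as CIDR prefixes or 'a-b' ranges, with per-address filtering."""
import ipaddress


def expand_pool(entries):
    """Expand pool entries into an ordered list of address strings.

    Accepts '100.64.0.0/28' (every address of the prefix is used, an
    assumption of this example) or '100.64.222.11-100.64.222.14'
    (inclusive). Order is preserved: the result is a sequence, not a set.
    """
    addrs = []
    for entry in entries:
        if "-" in entry:
            lo_text, hi_text = entry.split("-", 1)
            lo = ipaddress.IPv4Address(lo_text.strip())
            hi = ipaddress.IPv4Address(hi_text.strip())
            if hi < lo:
                raise ValueError(f"range {entry!r} runs backwards")
            addrs.extend(ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1))
        else:
            addrs.extend(ipaddress.IPv4Network(entry.strip(), strict=False))
    return [str(a) for a in addrs]


def _blocks_per_external(port_lo, port_hi, block_size):
    if not 1 <= port_lo <= port_hi <= 65535:
        raise ValueError("port range must lie within 1-65535")
    if block_size < 1:
        raise ValueError("block_size must be positive")
    blocks = (port_hi - port_lo + 1) // block_size
    if blocks == 0:
        raise ValueError("block_size is larger than the port range")
    return blocks


def capacity(external_entries, port_lo=1024, port_hi=65535, block_size=4096):
    """How many internal addresses the external pool can serve."""
    return _blocks_per_external(port_lo, port_hi, block_size) * len(expand_pool(external_entries))


def allocate(internal_entries, external_entries, port_lo=1024, port_hi=65535, block_size=4096):
    """Map every internal address to (external address, first port, last port).

    All blocks of the first configured external address are consumed before
    the second is touched, so the mapping follows the external sequence.
    """
    internal = expand_pool(internal_entries)
    external = expand_pool(external_entries)
    per_external = _blocks_per_external(port_lo, port_hi, block_size)
    if len(internal) > per_external * len(external):
        raise ValueError(f"{len(internal)} internal addresses exceed capacity "
                         f"{per_external * len(external)}")
    table = {}
    for index, src in enumerate(internal):
        ext = external[index // per_external]
        first = port_lo + (index % per_external) * block_size
        table[src] = (ext, first, first + block_size - 1)
    return table


def allocations_for(table, external=None, internal=None):
    """Rows (internal, external, 'first-last'), filtered by either address,
    the way a 'show ... allocation' command would narrow a large table."""
    rows = []
    for src, (ext, first, last) in table.items():
        if external is not None and ext != external:
            continue
        if internal is not None and src != internal:
            continue
        rows.append((src, ext, f"{first}-{last}"))
    return rows


if __name__ == "__main__":
    # Constructed pools: 20 internal addresses, 2 external addresses.
    table = allocate(["100.64.0.0/28", "100.64.222.11-100.64.222.14"],
                     ["203.0.113.1-203.0.113.2"])
    for row in allocations_for(table, external="203.0.113.2"):
        print("%-16s %-16s %s" % row)
```

With a 1024-65535 port range and 4096-port blocks each external address serves 15 internal addresses, so the 16th internal address (100.64.0.15) is the first to land on 203.0.113.2; the `capacity()` check refuses an internal pool larger than the external pool can carry instead of silently wrapping.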
2024-05-17 | Merge pull request #3471 from natali-rs1985/T6348-current | Christian Breunig

op mode: T6348: SNAT op-mode fails with flowtable offload entries

2024-05-17 | Merge pull request #3472 from nvollmar/T6358 | Christian Breunig

T6358: Container config option to enable host pid

2024-05-17 | T6358: Add config option for host process namespace | Nicolas Vollmar
2024-05-17 | T6358: Remove duplicate host name handling | Nicolas Vollmar
2024-05-17 | Merge pull request #3466 from sever-sever/T6350 | Daniil Baturin

T6350: CGNAT add op-mode to show allocation

2024-05-17 | Merge pull request #3464 from sever-sever/T6351 | Daniil Baturin

T6351: CGNAT add verification if the pool exists

2024-05-17 | op mode: T6348: SNAT op-mode fails with flowtable offload entries | Nataliia Solomko
2024-05-17 | Merge pull request #3463 from sever-sever/T6347 | Christian Breunig

T6347: CGNAT fix error if pool contains dashes in the name

2024-05-16 | T6350: CGNAT add op-mode to show allocation | Viacheslav Hletenko

Add op-mode command `show nat cgnat allocation` to get CGNAT allocations (internal address, external address, port-range)

2024-05-16 | Merge pull request #3458 from l0crian1/T6335-add-evpn-op | Christian Breunig

T6335: Add/Update EVPN op commands

2024-05-16 | T6351: CGNAT add verification if the pool exists | Viacheslav Hletenko

Add verification that the external/internal pools exist before we can use them in the source and translation rules

2024-05-16 | T6347: CGNAT fix error if pool contains dashes in the name | Viacheslav Hletenko
2024-05-16 | T6335: Add/Update EVPN op commands | l0crian1

Converted completion helpers from python to bash for performance

Previous commit:

Added the following commands:
show evpn
show evpn es
show evpn es <es-id>
show evpn es detail
show evpn es-evi
show evpn es-evi detail
show evpn es-evi vni <num>
show evpn vni
show evpn vni detail
show evpn vni <num>

Updated the following commands:
show evpn access-vlan
show evpn arp-cache
show evpn mac
show evpn next-hops
show evpn rmac

2024-05-15 | T6335: Add/Update EVPN op commands | l0crian1

Added the following commands:
show evpn
show evpn es
show evpn es <es-id>
show evpn es detail
show evpn es-evi
show evpn es-evi detail
show evpn es-evi vni <num>
show evpn vni
show evpn vni detail
show evpn vni <num>

Updated the following commands:
show evpn access-vlan
show evpn arp-cache
show evpn mac
show evpn next-hops
show evpn rmac

2024-05-15 | op mode: T6339: display build flavor and comment in "show version" | Daniil Baturin
2024-05-14 | T3420: Remove service upnp | Viacheslav Hletenko

Remove `service upnp` as it never worked as expected, nft rules are not integrated and custom patches do not seem like a suitable solution for now.

Security: UPnP has been historically associated with security risks due to its automatic and potentially unauthenticated nature. UPnP devices might be vulnerable to unauthorized access or exploitation.