| Age | Commit message (Collapse) | Author |
|---|
|
Ability to configure SSH RekeyLimit data (in Megabytes) and
time (in Minutes)
set service ssh rekey data 1024
set service ssh rekey time 60
|
|
login: T4711: Terminate user TTY and PTS sessions
|
|
T4700: Firewall: add interface matching criteria
|
|
Ability to terminate user TTY and PTS sessions
clear session pts/1
|
|
The initial implementation from commit ac4e07f9 ("rfs: T4689: Support RFS
(Receive Flow Steering)") always adjusted the global rps_sock_flow_entries
configuration. So if RFS was enabled for one NIC but not the other - it did not
work.
According to the documentation:
RFS is only available if the kconfig symbol CONFIG_RPS is enabled (on by
default for SMP). The functionality remains disabled until explicitly
configured. The number of entries in the global flow table is set through:
/proc/sys/net/core/rps_sock_flow_entries
The number of entries in the per-queue flow table are set through:
/sys/class/net/<dev>/queues/rx-<n>/rps_flow_cnt
Both of these need to be set before RFS is enabled for a receive queue. Values
for both are rounded up to the nearest power of two. The suggested flow count
depends on the expected number of active connections at any given time, which
may be significantly less than the number of open connections. We have found
that a value of 32768 for rps_sock_flow_entries works fairly well on a
moderately loaded server.
This commit sets rps_sock_flow_entries via sysctl on bootup leafing the RFS
configuration to the interface level.
|
|
ids: T4557: Migrate threshold and add new threshold types
|
|
Migrate "service ids ddos-protection threshold xxx" to
"service ids ddos-protection general threshold xxx"
Add new threshold types:
set service ids ddos-protection threshold tcp xxx
set service ids ddos-protection threshold udp xxx
set service ids ddos-protection threshold icmp xxx
|
|
|
|
|
|
private key
This prevents habing any leftover private-key files in /tmp directory.
|
|
interfaces: T4709: raise minimum TCP MSS clamping value
|
|
This commit raises the minimum TCP MSS clamping range to the MSS value
corresponding to the minimum packet size that must be accepted for IPv4.
|
|
The initial implementation in commit 9fb9e5cade ("ethernet: T3171: add CLI
option to enable RPS (Receive Packet Steering)" only changed the CPU affinity
for RX queue 0.
This commit takes all RX queues into account.
|
|
|
|
This extends commit 28573ffe4f ("xml: T4698: drop validator name="range" and
replace it with numeric"). The first version allowed both a range and discrete
numbers to be validated by the numeric validator.
This had a flaw as both 22 and 22-30 were valid at the same time. The generic
"port-number.xml.i" building block only allows a discrete number. Now if a user
set port 22-30 for e.g. SSH the daemon did no longer start. This is why range
validation must be explicitly enabled.
|
|
system login: T874: add libpam-google-authenticator package
|
|
nat: T4605: Fix op-mode NAT table name
|
|
|
|
update-check: T3476: Allow update-check for VyOS images
|
|
nat: nat66: T4605: T4706: Refactor NAT/NAT66 and use new table name
|
|
|
|
* Rename table to vyos_nat
* Add static NAT smoketest
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
T4699: Firewall: Add return action
|
|
|
|
Specifying "dhcpv6-options pd 0" for any interface without an interface where
we delegate an address to resulted in a commit error:
{% for interface, interface_config in pd_config.interface.items() if pd_config.interface is vyos_defined %}
jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'interface'
|
|
In addition to the rewrite to make use of get_config_dict() the CLI is
slightly adjusted as specified in T4703.
* Rename vlan-id and vlan-range to simply vlan
* Rename network-mode to simply mode
* Re-use existing common Jinja2 template for Accel-PPP which are shared
with PPPoE and SSTP server.
* Retrieve default values via defaultValue XML node
|
|
|
|
name
|
|
|
|
The "authentication id" option for road-warriors did not get migrated to
the new local-id CLI node. This has been fixed.
|
|
When a CLI node is set with a migrator and is not a valueLess node, we need to
specify the "value" using the value= operation in config.set().
This fixes the config load error: vyos.configsession.ConfigSessionError: Invalid
config file (syntax error): error at line 353
|
|
smoketest: T4118: Fix smoketest for NHRP
|
|
As we change syntax for IPSec 'esp <tag> compression disable'
to delete 'compression' if it not used, so delete it from nhtp
test
|
|
isis: T4693: Fix ISIS segment routing configurations, part deux
|
|
isis: T4693: Fix ISIS segment routing configurations
This change is to fix more bugs in which ISIS segment routing was broken due to a refactor. This change also introduces a few additions to the ISIS handler for checking per prefix validations for segment value and mutual exclusivity for two options.
|
|
T4699: Firewall: Add jump action in firewall ruleset
|
|
When any configured peer is set to `disable` while the Wireguard tunnel is up
and running it does not get actively revoked and removed. This poses a security
risk as connections keep beeing alive.
Whenever any parameter of a peer changes we actively remove the peer and fully
recreate it on the fly.
|
|
|
|
The initial Accel-PPP PPPoE implementation used:
set service pppoe-server interface <name> vlan-id <id>
set service pppoe-server interface <name> vlan-range <start-stop>
This is actually a duplicated CLI node.
|
|
vyos@vyos# show firewall
+name foo {
+ rule 1 {
+ action accept
+ packet-length 100
+ packet-length 105
+ packet-length 200-300
+ packet-length 220-250
+ }
+}
will report a nftables error upon load: Error: conflicting intervals specified
With nftables 1.0.3 there is an "auto-merge" option which corrects this:
https://lwn.net/Articles/896732/
|
|
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
|
|
|
|
Migration and Change boolean nodes "enable/disable" to
disable-xxxx, enable-xxxx and just xxx for VPN IPsec
configurations
- IKE changes:
- replace 'ipsec ike-group <tag> mobike disable'
=> 'ipsec ike-group <tag> disable-mobike'
- replace 'ipsec ike-group <tag> ikev2-reauth yes|no'
=> 'ipsec ike-group <tag> ikev2-reauth'
- ESP changes:
- replace 'ipsec esp-group <tag> compression enable'
=> 'ipsec esp-group <tag> compression'
- PEER changes:
- replace: 'peer <tag> id xxx'
=> 'peer <tag> local-id xxx'
- replace: 'peer <tag> force-encapsulation enable'
=> 'peer <tag> force-udp-encapsulation'
- add option: 'peer <tag> remote-address x.x.x.x'
Add 'peer <name> remote-address <name>' via migration script
|
|
policy-route: T4697: Add missing rule_id for verify_rule func
|
|
|
|
This will set the listen-host ocserv configuration option.
|
|
After T4669 added support for range validation to the OCaml validator there is
no need to keep the slow Python validator in place.
Raplace all occurances of <validator name="range" argument="--min=1 --max=65535"/>
with <validator name="numeric" argument="--range 1-65535"/>.
|
|
There is a missing 'rule_id' in verify_rule() function
We call it from the loop but don't provide argument 'rule_id'
It cause "NameError: name 'rule_id' is not defined"
Fix it
|
