summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2020-05-21macsec: T2023: add 'show interfaces macsec' op-mode treeChristian Poessinger
vyos@vyos# run show interfaces macsec 13: macsec1: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 005056bf19260001 on SA 0 14: macsec2: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 005056bfefaa0001 on SA 0 vyos@vyos# run show interfaces macsec macsec2 14: macsec2: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 005056bfefaa0001 on SA 0
2020-05-21macsec: T2023: add optional encryption commandChristian Poessinger
By default MACsec only authenticates traffic but has support for optional encryption. Encryption can now be enabled using: set interfaces macsec <interface> encrypt
2020-05-21macsec: T2023: generate secure channel keys in operation modeChristian Poessinger
2020-05-21macsec: T2023: add initial XML and Python interfacesChristian Poessinger
2020-05-21ifconfig: T2023: add initial MACsec abstractionChristian Poessinger
2020-05-20interface: T2023: adopt _delete() to common styleChristian Poessinger
2020-05-20interface: T2023: remove superfluous at end of listChristian Poessinger
2020-05-20macvlan: T2023: prepare common source interface include fileChristian Poessinger
2020-05-20Merge pull request #417 from thomas-mangin/T2467Christian Poessinger
util: T2467: fix missing import
2020-05-20util: T2467: fix missing importThomas Mangin
2020-05-20Merge pull request #416 from kroy-the-rabbit/patch-5Daniil Baturin
T2465: Permissions on vyos-hostsd socket incorrect
2020-05-20Merge pull request #415 from kroy-the-rabbit/revert-413-patch-4Daniil Baturin
Revert "T2465: vyos-hostsd-client needs sudo"
2020-05-19T2465: Permissions on vyos-hostsd socket incorrectkroy-the-rabbit
The DHCP server is unable to apply entries to the hosts file because the permissions on the socket are getting created wrong. ``` $ ls -al /run/vyos-hostsd.sock srwxrwxrwx 1 root vyattacfg 0 May 20 01:38 /run/vyos-hostsd.sock ``` This gives it the correct permissions so that the nobody/nobody user/group can change it.
2020-05-19Revert "T2465: vyos-hostsd-client needs sudo"kroy-the-rabbit
2020-05-19bgp: T2387: rename new implementation else system will not bootChristian Poessinger
It is not possible to simply remove the node.def file in a tag node. Rather rename the tag node to take it out of order by default. Upcoming BGP developers simply need to remove this line in the Makefile added by the commit.
2020-05-19Merge pull request #414 from thomas-mangin/T2467Christian Poessinger
util: T2467: automatically add sudo to known commands
2020-05-19Merge pull request #378 from sever-sever/bgp-xml-confChristian Poessinger
bgp-xml: T2387:Commands in XML for [conf_mode] bgp
2020-05-19wireguard: T2481: support IPv6 based underlayChristian Poessinger
2020-05-19util: T2467: add systemctl to autosudoThomas Mangin
2020-05-19util: T2467: add autosudo as an option to commandThomas Mangin
2020-05-19nat: do not report unassigned IP address for DNATChristian Poessinger
That warning made no sense as the destination address where we forward a port to is by design not locally connected.
2020-05-19Merge pull request #413 from kroy-the-rabbit/patch-4Christian Poessinger
T2465: vyos-hostsd-client needs sudo
2020-05-19dhcpv6-pd: T421: support ethernet based interfacesChristian Poessinger
Add support for prefix delegation when receiving the prefix via ethernet, bridge, bond, wireless.
2020-05-19configdict: T2372: interfaces must reuse interface_default_dataChristian Poessinger
This is to remove the amount of duplicated entries in dictionaries. It's one more part to move to a unified interface management.
2020-05-19T2465: vyos-hostsd-client needs sudokroy-the-rabbit
There have been a number of complaints about DHCP not getting inserted into the `/etc/hosts` file. This should correct that problem.
2020-05-19bgp-xml: T2387:Commands in XML for [conf_mode] bgpsever-sever
2020-05-19configdict: T2372: use list over stringChristian Poessinger
2020-05-19configdict: T2372: add new interface_default_data dictChristian Poessinger
Dictionary is used to remove the amount of duplicated code by e.g. ethernet or bridge interface.
2020-05-19dhcpv6-server: T815: support delegating IPv6 prefixesChristian Poessinger
2020-05-18Merge pull request #412 from thomas-mangin/T2475Christian Poessinger
flake8: T2475: fix a number of issue reported by flake8
2020-05-18flake8: T2475: fix a number of issue reported by flake8Thomas Mangin
2020-05-17config: T2409: effective config should be empty at boot initializationJohn Estabrook
2020-05-17config: return empty dict if configuration under path is emptyJohn Estabrook
2020-05-17Merge branch 'ipv6-pd' of github.com:c-po/vyos-1x into currentChristian Poessinger
* 'ipv6-pd' of github.com:c-po/vyos-1x: pppoe: dhcpv6-pd: T421: change system type to forking pppoe: dhcpv6-pd: T421: stop service when config is removed pppoe: dhcpv6-pd: T421: start/stop delegation with interface status pppoe: dhcpv6-pd: T421: initial support dhcpv6-pd: T421: migrate from ISC dhclient to wide-dhcpv6-client
2020-05-17pppoe: dhcpv6-pd: T421: change system type to forkingChristian Poessinger
Wide dhcp client forks by itself
2020-05-17pppoe: dhcpv6-pd: T421: stop service when config is removedChristian Poessinger
2020-05-17pppoe: dhcpv6-pd: T421: start/stop delegation with interface statusChristian Poessinger
2020-05-17pppoe: dhcpv6-pd: T421: initial supportChristian Poessinger
The following configuration will assign a /64 prefix out of a /56 delegation to eth0. The IPv6 address assigned to eth0 will be <prefix>::ffff/64. If you do not know the prefix size delegated to you, start with sla-len 0. pppoe pppoe0 { authentication { password vyos user vyos } description sadfas dhcpv6-options { delegate eth0 { interface-id 65535 sla-id 0 sla-len 8 } } ipv6 { address { autoconf } enable } source-interface eth1 } vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 2001:db8:8003:400::ffff/64 u/u
2020-05-17dhcpv6-pd: T421: migrate from ISC dhclient to wide-dhcpv6-clientChristian Poessinger
ISC does not support running the client on PPP(oE) interfaces which makes it unusable for DHCPv6 Prefix Delegation tasks. Internet Systems Consortium DHCP Client 4.4.1 Copyright 2004-2018 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Unsupported device type 512 for "pppoe0"
2020-05-17pppoe-server: T2471: add SLAAC supportChristian Poessinger
... by setting AdvAutonomousFlag=1 when an IPv6 client pool is defined.
2020-05-17xml: split dhcp, dhcpv6 to individual filesChristian Poessinger
2020-05-17frr: combine all templates in frr directoryChristian Poessinger
2020-05-17powerdns: T2470: adjust systemd RuntimeDirectoryChristian Poessinger
2020-05-17powerdns: T2470: adjust config file permissions for recursor 4.3Christian Poessinger
PowerDNS recursor 4.3 now uns as user pdns and group pdns, thus the generated configuration file and directory need to have the appropriate permissions set.
2020-05-16nat: nptv6: T2198: add XML/Python skeletonChristian Poessinger
- define XML CLI interface - read CLI into Python dict
2020-05-16Merge branch 'nat-nftables' of github.com:c-po/vyos-1x into currentChristian Poessinger
* 'nat-nftables' of github.com:c-po/vyos-1x: (27 commits) nat: T2198: remove "tcp_udp" from "show nat dest stat"x Debian: add required dependency on systemd nat: T2198: add common ip-protocol validator nat: T2198: use Jinja2 macro for common ruleset for SNAT and DNAT nat: T2198: restructure DNAT template part for less duplicated code nat: T2198: add support for SNAT based on source addresses nat: T2198: set default protocol to all to be backwards compatible nat: T2198: sync generated SNAT rules with VyOS 1.2 nat: T2198: sync generated DNAT rules with VyOS 1.2 nat: T2198: do not run DNAT rule if rule is disabled nat: T2198: restructure DNAT template nat: T2198: verify translation address for SNAT and DNAT nat: T2198: extend verify() for destination ports nat: T2198: migrate "log enable" node to only "log" nat: T2198: add protocol completion helper and regex constraint nat: T2198: migrate "show nat" commands to XML and Python nat: T2198: add some basic verify() rules nat: T2198: split nat-address-port include into individual files nat: T2198: add ipv4-{address,prefix,rage}-exclude validators nat: T2198: add new ipv4-range validator ...
2020-05-16nat: T2198: remove "tcp_udp" from "show nat dest stat"xChristian Poessinger
2020-05-16Debian: add required dependency on systemdChristian Poessinger
2020-05-16nat: T2198: add common ip-protocol validatorChristian Poessinger
It allows IP protocol numbers 0-255, protocol names e.g. tcp, ip, ipv6 and the negated form with a leading "!".
2020-05-16nat: T2198: use Jinja2 macro for common ruleset for SNAT and DNATChristian Poessinger
By using a Jinja2 macro the same template code can be used to create both source and destination NAT rules with only minor changes introduced by e.g. the used chain (POSTROUTING vs PREROUTING). Used the following configuration for testing on two systems with VyOS 1.2 and the old implementation vs the new one here. set nat destination rule 15 description 'foo-10' set nat destination rule 15 destination address '1.1.1.1' set nat destination rule 15 inbound-interface 'eth0.202' set nat destination rule 15 protocol 'tcp_udp' set nat destination rule 15 translation address '192.0.2.10' set nat destination rule 15 translation port '3389' set nat destination rule 20 description 'foo-20' set nat destination rule 20 destination address '2.2.2.2' set nat destination rule 20 destination port '22' set nat destination rule 20 inbound-interface 'eth0.201' set nat destination rule 20 protocol 'tcp' set nat destination rule 20 translation address '192.0.2.10' set nat source rule 100 outbound-interface 'eth0.202' set nat source rule 100 protocol 'all' set nat source rule 100 source address '192.0.2.0/26' set nat source rule 100 translation address 'masquerade' set nat source rule 110 outbound-interface 'eth0.202' set nat source rule 110 protocol 'tcp' set nat source rule 110 source address '192.0.2.0/26' set nat source rule 110 source port '5556' set nat source rule 110 translation address 'masquerade' set nat source rule 120 outbound-interface 'eth0.202' set nat source rule 120 protocol 'tcp_udp' set nat source rule 120 source address '192.0.3.0/26' set nat source rule 120 translation address '2.2.2.2'