Age | Commit message (Collapse) | Author |
vyos@vyos# run show interfaces macsec
13: macsec1: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 005056bf19260001 on SA 0
14: macsec2: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 005056bfefaa0001 on SA 0
vyos@vyos# run show interfaces macsec macsec2
14: macsec2: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 005056bfefaa0001 on SA 0
By default MACsec only authenticates traffic but has support for optional
encryption. Encryption can now be enabled using:
set interfaces macsec <interface> encrypt
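The difference between the two interfaces in the `show interfaces macsec` output above is the single flag `encrypt off` versus `encrypt on`; with `protect on` alone every frame carries an ICV but its payload still crosses the wire in clear text. The following audit script is an added example, not VyOS code: it parses that output format (the two interfaces quoted above are embedded as constructed sample input) and reports the settings a reviewer would query, so the check can be run against `ip macsec show` on a fleet rather than read by eye.

```python
"""Audit MACsec link status for authenticated-but-unencrypted interfaces.

Added example, not VyOS code: it parses the `show interfaces macsec`
(`ip macsec show`) output quoted above and reports interfaces whose flags
say `protect on` but `encrypt off`, i.e. frames carry an ICV but the payload
is still sent in the clear.
"""
import re
from typing import Dict, List

# Constructed sample: the two interfaces from the `show interfaces macsec` output above.
SAMPLE_OUTPUT = """\
13: macsec1: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 005056bf19260001 on SA 0
14: macsec2: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 005056bfefaa0001 on SA 0
"""

HEADER = re.compile(r"^\d+:\s+(?P<name>[^:\s]+):\s+(?P<flags>.*)$")
FLAG = re.compile(r"\b(protect|validate|sc|sa|encrypt|send_sci|end_station|scb|replay)\s+(\S+)")


def parse_macsec(output: str) -> Dict[str, Dict[str, str]]:
    """Map interface name -> {flag: value, 'cipher': suite, 'txsc': id}."""
    ifaces: Dict[str, Dict[str, str]] = {}
    current = None
    for line in output.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group("name")
            ifaces[current] = dict(FLAG.findall(m.group("flags")))
            continue
        if current is None:
            continue
        text = line.strip()
        if text.startswith("cipher suite:"):
            ifaces[current]["cipher"] = text.split(":", 1)[1].split(",", 1)[0].strip()
        elif text.startswith("TXSC:"):
            ifaces[current]["txsc"] = text.split()[1]
    return ifaces


def audit(ifaces: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for settings a reviewer would query."""
    findings: Dict[str, List[str]] = {}
    for name, flags in sorted(ifaces.items()):
        issues = []
        if flags.get("protect") == "on" and flags.get("encrypt") != "on":
            issues.append("integrity only: 'encrypt off' leaves the payload in clear text")
        if flags.get("validate") != "strict":
            issues.append(f"receive validation is '{flags.get('validate')}', not strict")
        if flags.get("replay") != "on":
            issues.append("replay protection off")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(parse_macsec(SAMPLE_OUTPUT)).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

Against the sample, macsec1 is reported as integrity-only and both interfaces as lacking replay protection; macsec2 passes the encryption check. Feed the script the live `ip macsec show` output on a box to get the same report.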
util: T2467: fix missing import
T2465: Permissions on vyos-hostsd socket incorrect
Revert "T2465: vyos-hostsd-client needs sudo"
The DHCP server is unable to apply entries to the hosts file because the permissions on the socket are being created incorrectly.
```
$ ls -al /run/vyos-hostsd.sock
srwxrwxrwx 1 root vyattacfg 0 May 20 01:38 /run/vyos-hostsd.sock
```
This gives it the correct permissions so that the nobody/nobody user/group can change it.
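The listing above shows the socket file with mode `srwxrwxrwx`, which is whatever the creating process's umask happened to leave. The example below is added here and is not vyos-hostsd code: it shows how a daemon can give its Unix socket a deterministic mode (tightening the umask around `bind()` so the file never appears world-accessible, then handing it to a group), and a check that tells a world-writable socket from a group-restricted one. The path, the 0o660 mode and the optional group name are this example's assumptions.

```python
"""Create a Unix socket with a deterministic mode and verify it.

Added example, not the vyos-hostsd code. Shows how to make a socket's
permissions independent of the inherited umask and how to check whether
any local user can connect to it. Paths, modes and group are assumptions.
"""
import grp
import os
import socket
import stat
import tempfile
from typing import Optional, Tuple


def create_unix_socket(path: str, mode: int = 0o660, group: Optional[str] = None) -> socket.socket:
    """Bind a listening AF_UNIX socket at `path`, owned by `group`, with exactly `mode`."""
    if os.path.exists(path):
        os.unlink(path)  # a stale socket file from a previous run makes bind() fail
    old_umask = os.umask(0o077)  # never let the socket appear world-accessible, even briefly
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(path)
    finally:
        os.umask(old_umask)
    if group is not None:
        os.chown(path, -1, grp.getgrnam(group).gr_gid)  # needs privilege for a foreign group
    os.chmod(path, mode)  # widen to the intended clients only after ownership is right
    sock.listen(8)
    return sock


def socket_mode(path: str) -> int:
    """Permission bits of the socket file, as `ls -l` shows them."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    return stat.S_IMODE(st.st_mode)


def is_world_writable(path: str) -> bool:
    """True for `srwxrwxrwx`-style sockets that any local process can connect to."""
    return bool(socket_mode(path) & stat.S_IWOTH)


def demo(mode: int = 0o660) -> Tuple[int, bool]:
    """Create a socket in a temporary directory and report (mode, world_writable)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vyos-hostsd.sock")  # assumed name, not the real path
        sock = create_unix_socket(path, mode)
        try:
            return socket_mode(path), is_world_writable(path)
        finally:
            sock.close()


if __name__ == "__main__":
    print("mode 0o%o world-writable=%s" % demo(0o660))
    print("mode 0o%o world-writable=%s" % demo(0o777))
```

A client running as `nobody` can only reach a 0o660 socket if it is a member of the socket's group, so the group choice and the client's supplementary groups have to be decided together; a 0o777 socket avoids that but lets every local process push entries into the hosts file.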
It is not possible to simply remove the node.def file in a tag node. Rather
rename the tag node to take it out of order by default. Upcoming BGP developers
simply need to remove this line in the Makefile added by the commit.
util: T2467: automatically add sudo to known commands
bgp-xml: T2387: Commands in XML for [conf_mode] bgp
That warning made no sense as the destination address where we forward a port
to is by design not locally connected.
T2465: vyos-hostsd-client needs sudo
Add support for prefix delegation when receiving the prefix via ethernet,
bridge, bond, wireless.
This is to reduce the amount of duplicated entries in dictionaries. It's one
more part to move to a unified interface management.
There have been a number of complaints about DHCP not getting inserted into the `/etc/hosts` file. This should correct that problem.
Dictionary is used to reduce the amount of duplicated code by e.g. ethernet
or bridge interface.
flake8: T2475: fix a number of issue reported by flake8
* 'ipv6-pd' of github.com:c-po/vyos-1x:
pppoe: dhcpv6-pd: T421: change system type to forking
pppoe: dhcpv6-pd: T421: stop service when config is removed
pppoe: dhcpv6-pd: T421: start/stop delegation with interface status
pppoe: dhcpv6-pd: T421: initial support
dhcpv6-pd: T421: migrate from ISC dhclient to wide-dhcpv6-client
The WIDE DHCPv6 client forks by itself.
The following configuration will assign a /64 prefix out of a /56 delegation
to eth0. The IPv6 address assigned to eth0 will be <prefix>::ffff/64.
If you do not know the prefix size delegated to you, start with sla-len 0.
pppoe pppoe0 {
    authentication {
        password vyos
        user vyos
    }
    description sadfas
    dhcpv6-options {
        delegate eth0 {
            interface-id 65535
            sla-id 0
            sla-len 8
        }
    }
    ipv6 {
        address {
            autoconf
        }
        enable
    }
    source-interface eth1
}
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                      S/L  Description
---------        ----------                      ---  -----------
eth0             2001:db8:8003:400::ffff/64      u/u
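The `delegate` stanza above selects sub-prefix number `sla-id` from the delegation using `sla-len` bits after the delegated prefix, and fills the host part with `interface-id` (65535 = 0xffff). The script below is an added example, not VyOS or wide-dhcpv6 code, that carries that arithmetic through so the numbers can be checked before committing. The delegated /56 it uses is a constructed assumption chosen to match the eth0 address in the `show interfaces` output; only the /64 result appears on the page.

```python
"""Compute the sub-prefix and address a `delegate` stanza yields.

Added example, not VyOS or wide-dhcpv6 code. It applies the sla-id/sla-len/
interface-id arithmetic from the configuration above to a delegated prefix.
The /56 below is a constructed assumption chosen so that the result matches
the eth0 address shown in the `show interfaces` output.
"""
import ipaddress

DELEGATED_PREFIX = "2001:db8:8003:400::/56"  # assumed delegation, not from the page


def delegated_subnet(prefix: str, sla_id: int, sla_len: int) -> ipaddress.IPv6Network:
    """Select sub-prefix number `sla_id` using `sla_len` bits after the delegation."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    new_len = net.prefixlen + sla_len
    if new_len > 128:
        raise ValueError(f"{prefix} has no room for {sla_len} SLA bits")
    if sla_id < 0 or sla_id >> sla_len:  # sla-id must fit in sla-len bits (sla-len 0 => only id 0)
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    base = int(net.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))


def delegated_address(prefix: str, sla_id: int, sla_len: int, interface_id: int) -> ipaddress.IPv6Interface:
    """Address assigned to the delegate interface: sub-prefix with `interface-id` as host part."""
    sub = delegated_subnet(prefix, sla_id, sla_len)
    if interface_id < 0 or interface_id >> (128 - sub.prefixlen):
        raise ValueError(f"interface-id {interface_id} does not fit in the host part")
    return ipaddress.IPv6Interface((int(sub.network_address) | interface_id, sub.prefixlen))


if __name__ == "__main__":
    # delegate eth0 { interface-id 65535, sla-id 0, sla-len 8 } from the configuration above
    print(delegated_address(DELEGATED_PREFIX, 0, 8, 65535))
    # a second delegate with sla-id 1 would land in the next /64 of the same /56
    print(delegated_address(DELEGATED_PREFIX, 1, 8, 65535))
    # sla-len 0 hands the whole delegation to one interface, which is why it is a safe first try
    print(delegated_address(DELEGATED_PREFIX, 0, 0, 65535))
```

With a /56 delegation and `sla-len 8` there are 256 possible `sla-id` values (0 to 255); a value outside that range is rejected rather than silently wrapped into a neighbour's subnet.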
ISC does not support running the client on PPP(oE) interfaces which makes it
unusable for DHCPv6 Prefix Delegation tasks.
Internet Systems Consortium DHCP Client 4.4.1
Copyright 2004-2018 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Unsupported device type 512 for "pppoe0"
... by setting AdvAutonomousFlag=1 when an IPv6 client pool is defined.
PowerDNS recursor 4.3 now runs as user pdns and group pdns, thus the
generated configuration file and directory need to have the appropriate
permissions set.
- define XML CLI interface
- read CLI into Python dict
* 'nat-nftables' of github.com:c-po/vyos-1x: (27 commits)
nat: T2198: remove "tcp_udp" from "show nat dest stat"x
Debian: add required dependency on systemd
nat: T2198: add common ip-protocol validator
nat: T2198: use Jinja2 macro for common ruleset for SNAT and DNAT
nat: T2198: restructure DNAT template part for less duplicated code
nat: T2198: add support for SNAT based on source addresses
nat: T2198: set default protocol to all to be backwards compatible
nat: T2198: sync generated SNAT rules with VyOS 1.2
nat: T2198: sync generated DNAT rules with VyOS 1.2
nat: T2198: do not run DNAT rule if rule is disabled
nat: T2198: restructure DNAT template
nat: T2198: verify translation address for SNAT and DNAT
nat: T2198: extend verify() for destination ports
nat: T2198: migrate "log enable" node to only "log"
nat: T2198: add protocol completion helper and regex constraint
nat: T2198: migrate "show nat" commands to XML and Python
nat: T2198: add some basic verify() rules
nat: T2198: split nat-address-port include into individual files
nat: T2198: add ipv4-{address,prefix,rage}-exclude validators
nat: T2198: add new ipv4-range validator
...
It allows IP protocol numbers 0-255, protocol names e.g. tcp, ip, ipv6 and the
negated form with a leading "!".
By using a Jinja2 macro the same template code can be used to create both
source and destination NAT rules with only minor changes introduced by
e.g. the used chain (POSTROUTING vs PREROUTING).
Used the following configuration for testing on two systems with VyOS 1.2
and the old implementation vs the new one here.
set nat destination rule 15 description 'foo-10'
set nat destination rule 15 destination address '1.1.1.1'
set nat destination rule 15 inbound-interface 'eth0.202'
set nat destination rule 15 protocol 'tcp_udp'
set nat destination rule 15 translation address '192.0.2.10'
set nat destination rule 15 translation port '3389'
set nat destination rule 20 description 'foo-20'
set nat destination rule 20 destination address '2.2.2.2'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0.201'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.0.2.10'
set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
set nat source rule 110 outbound-interface 'eth0.202'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/26'
set nat source rule 110 source port '5556'
set nat source rule 110 translation address 'masquerade'
set nat source rule 120 outbound-interface 'eth0.202'
set nat source rule 120 protocol 'tcp_udp'
set nat source rule 120 source address '192.0.3.0/26'
set nat source rule 120 translation address '2.2.2.2'
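Two of the commits above describe logic that is easier to check in code than in prose: the protocol validator (IP protocol numbers 0-255, protocol names, and the negated form with a leading "!") and the Jinja2 macro that lets one template serve both SNAT and DNAT. The block below is an added example, not the VyOS NAT implementation: it reads a few of the `set nat` lines from the test configuration above into a dict, validates the protocol field, and renders nftables rules for the PREROUTING and POSTROUTING chains from one shared function in place of the macro. The nftables syntax it emits, the known-protocol table, and the handling of the CLI pseudo-values `all` and `tcp_udp` are this example's assumptions.

```python
"""Validate NAT protocol values and render SNAT/DNAT rules from the CLI above.

Added example, not the VyOS NAT code: a protocol validator (0-255, names, a
leading "!") and one shared renderer for SNAT (POSTROUTING) and DNAT
(PREROUTING) standing in for the Jinja2 macro. The nftables syntax and the
CLI pseudo-values "all" and "tcp_udp" are this example's assumptions.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed subset of protocol names; a real validator would read /etc/protocols.
KNOWN_PROTOCOLS = {"ip", "icmp", "tcp", "udp", "ipv6", "gre", "esp", "ah", "icmpv6", "sctp"}
PSEUDO_PROTOCOLS = {"all", "tcp_udp"}  # VyOS CLI conveniences, assumed here

# Constructed input: two of the rules from the test configuration above.
CONFIG = """\
set nat destination rule 15 destination address '1.1.1.1'
set nat destination rule 15 inbound-interface 'eth0.202'
set nat destination rule 15 protocol 'tcp_udp'
set nat destination rule 15 translation address '192.0.2.10'
set nat destination rule 15 translation port '3389'
set nat source rule 110 outbound-interface 'eth0.202'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/26'
set nat source rule 110 source port '5556'
set nat source rule 110 translation address 'masquerade'
"""


def validate_protocol(value: str) -> Tuple[bool, str]:
    """'6', 'tcp', '!tcp', 'all' -> (negated, name); anything else raises ValueError."""
    negated = value.startswith("!")
    token = value[1:] if negated else value
    if token.isdigit() and int(token) <= 255:
        return negated, str(int(token))
    if token in KNOWN_PROTOCOLS or (token in PSEUDO_PROTOCOLS and not negated):
        return negated, token
    raise ValueError(f"invalid protocol {value!r}")


def parse_nat(config: str) -> Dict[str, Dict[str, dict]]:
    """'set nat <dir> rule <n> k1 k2 'v'' -> nat[dir][n][k1][k2] = v (leaf values only)."""
    nat: Dict[str, Dict[str, dict]] = {"source": {}, "destination": {}}
    for line in config.splitlines():
        words = shlex.split(line)  # shlex strips the CLI's quoting
        if words[:2] != ["set", "nat"] or words[3] != "rule":
            continue
        *path, key, value = words[5:]
        node = nat[words[2]].setdefault(words[4], {})
        for step in path:
            node = node.setdefault(step, {})
        node[key] = value
    return nat


def protocol_match(proto: str, port: str = None, port_dir: str = "dport") -> List[str]:
    """nft match expressions for a protocol and optional port; 'all' matches everything."""
    negated, name = validate_protocol(proto)
    if name == "all":
        if port:
            raise ValueError("a port match needs a protocol")
        return []
    if negated and port:
        raise ValueError("a port match needs a non-negated protocol")
    expr = ["meta l4proto { tcp, udp }" if name == "tcp_udp"
            else f"meta l4proto {'!= ' if negated else ''}{name}"]
    return expr + [f"th {port_dir} {port}"] if port else expr


def render_rule(direction: str, number: str, rule: dict) -> str:
    """One renderer for both directions; only chain, interface and match side differ."""
    snat = direction == "source"
    chain, ifkey, ifexpr, side = (("POSTROUTING", "outbound-interface", "oifname", "saddr")
                                  if snat else ("PREROUTING", "inbound-interface", "iifname", "daddr"))
    match = rule.get("source" if snat else "destination", {})
    parts = ["add rule ip nat", chain]
    if ifkey in rule:
        parts.append(f'{ifexpr} "{rule[ifkey]}"')
    if "address" in match:
        parts.append(f"ip {side} {match['address']}")
    parts += protocol_match(rule.get("protocol", "all"), match.get("port"), "sport" if snat else "dport")
    trans = rule.get("translation", {})
    if "address" not in trans:
        raise ValueError(f"{direction} rule {number}: translation address is required")
    if snat and trans["address"] == "masquerade":
        action = "masquerade"
    else:
        action = f"{'snat' if snat else 'dnat'} to {trans['address']}"
        action += f":{trans['port']}" if "port" in trans else ""
    return " ".join(parts + ["counter", action, f'comment "{"SNAT" if snat else "DNAT"}-{number}"'])


def render_nat(nat: dict) -> List[str]:
    """DNAT rules first, then SNAT, each direction in numeric rule order."""
    return [render_rule(direction, number, rule)
            for direction in ("destination", "source")
            for number, rule in sorted(nat[direction].items(), key=lambda kv: int(kv[0]))]


if __name__ == "__main__":
    print("\n".join(render_nat(parse_nat(CONFIG))))
```

The validator rejects `256`, a bare `!`, and `!all` (negating a pseudo-protocol has no meaning), and the renderer refuses a port match without a protocol, which is the class of rule that silently matches nothing or everything when a template is copied from one chain to the other.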