summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-08-18T3896: Use group selector and forced dns tunnelingRageLtMan
Enterprise RADIUS configurations often utilize group selectors for authentication and attribute distribution for connecting clients. Ocserv implements this functionality via the `select-group` config file attribute, repeating for multiple groups. When a user selects their membership group and the request is passed to the RADIUS server, ocserv will match the returned Class attribute against the value selected by the user. This functionality also works for local group membership resolution, although VyOS currently doesn't have group membership configuration for this. Expose the tunnel-all-dns option in the ocserv config file allowing users who deploy default routes to select split-dns and those who do not to enable full DNS tunneling. Testing: Smoketests & build Configured groups in openconnect profile and verified existence in /run/ocserv/ocserv.conf Configured forced dns tunneling and verified presence of setting in /run/ocserv/ocserv.conf
2022-08-18T3896: Drop cserv local user req, add groupconfigRageLtMan
From ocserv documentation: ``` If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from radius. That also includes the Acct-Interim-Interval, and Session-Timeout values. ``` Implement yes/no configuration and parameter handling during jinja rendering. Fix bug wherein openconnect-server configuration requires creation of local user accounts even when RADIUS authentication is used. Testing: Set the groupconfig=yes param and observed change in generated /run/ocserv/ocserv.conf. Removed the local users via `delete vpn openconnect authentication local-users` and observed commit & service operation
2022-08-16Merge pull request #1475 from sever-sever/T4613Christian Poessinger
upnp: T4613: Verify listen key in dictionary
2022-08-16Merge pull request #1474 from DaniilHarun/currentChristian Poessinger
T4619: Replacing instead of adding a static arp entry
2022-08-16upnp: T4613: Verify listen key in dictionaryViacheslav Hletenko
There is no check if 'listen' is exist in the dictionary, fix it Fix odd ValueHelp format
2022-08-16T4619: Replacing instead of adding a static arp entryDaniilHarun
2022-08-16Merge pull request #1462 from sever-sever/T4596Christian Poessinger
ocserv: T4596: Rewrite show openconnect sessions op-mode
2022-08-16Debian: T4584: remove version number from hostap package requirementChristian Poessinger
2022-08-16Merge pull request #1471 from mkorobeinikov/currentChristian Poessinger
dhcp-relay: T4601: restart dhcp relay-agent
2022-08-16dhcp-relay: T4601: restart dhcp relay-agentmkorobeinikov
The command "restart dhcp relay-agent" doesn't restart "isc-dhcp-relay" service.
2022-08-15ocserv: openconnect: T4614: add support for split-dnsChristian Poessinger
set vpn openconnect network-settings split-dns <domain>
2022-08-15smoketest: ocserv: implement config file validationChristian Poessinger
2022-08-15ocserv: T4333: migrate to new vyos_defined Jinja2 testChristian Poessinger
2022-08-15Merge pull request #1468 from sever-sever/T4609Christian Poessinger
container: T4609: Fix restart container
2022-08-15container: T4609: Fix restart containerViacheslav Hletenko
Add 2 dashes for arg "name"
2022-08-15Merge pull request #1465 from sever-sever/T4595Christian Poessinger
dmvpn: T4595: Fix dpd profile options
2022-08-11Merge pull request #1464 from sever-sever/T4603Christian Poessinger
l2tp: T4603: Add RADIUS nas-ip-address option
2022-08-10dmvpn: T4595: Fix dpd profile optionsViacheslav Hletenko
Fix template for configuration DMVPN IKE profile dead-peer-detection delay and dead-peer-detecion timeout options
2022-08-10l2tp: T4603: Add RADIUS nas-ip-address optionViacheslav Hletenko
Add l2tp authentication radius nas-ip-address option which will be sent in NAS-IP-Address Radius attribute
2022-08-08Merge pull request #1461 from nicolas-fort/nat66-excludeChristian Poessinger
nat66: T4598: Add exclude options in nat66
2022-08-08nat66: T4598: add file nat-exclue.xml.i, which is invoked by nat66.xml.in ↵Nicolas Fort
and nat-rule.xml.i
2022-08-06ocserv: T4596: Rewrite show openconnect sessions op-modeViacheslav Hletenko
Rewrite "show openconnect-server sessions" to vyos.opmode format Ability to get raw and formatted output Ability to get data via API
2022-08-05Merge pull request #1460 from sever-sever/T4597Christian Poessinger
ocserv: T4597: Check bind port before openconnect commit
2022-08-05nat66: T4598: Add exclude options in nat66Nicolas Fort
2022-08-05ocserv: T4597: Check bind port before openconnect commitViacheslav Hletenko
Check if openconnect listen port is available and not used by another service
2022-08-05Merge pull request #1459 from dmbaturin/genop-exnViacheslav Hletenko
T2719: add an exception hierarchy for op mode errors
2022-08-05bgp: T4257: bugfixes after renaming "local-as" to "system-as"Christian Poessinger
2022-08-04Merge https://github.com/Cheeze-It/vyos-1x into currentChristian Poessinger
* https://github.com/Cheeze-It/vyos-1x: bgp: T4257: Changing BGP "local-as" to "system-as"
2022-08-04macsec: T4537: macsec_csindex can be set even without encryptionChristian Poessinger
2022-08-04smoketest: macsec: T4537: validate macsec_csindex for both AES-GCM-128 and ↵Christian Poessinger
AES-GCM-256
2022-08-04T2719: add an exception hierarchy for op mode errorsDaniil Baturin
2022-08-04Merge pull request #1457 from sever-sever/T4586Christian Poessinger
nat66: T4586: Add SNAT destination prefix and DNAT address
2022-08-04macsec: T4592: can not create two interfaces using the same source-interfaceChristian Poessinger
2022-08-04vyos.config.configdict: T4592: only print interface name, not interface dict ↵Christian Poessinger
on error
2022-08-04smoketest: macsec: T4537: verify macsec_csindexChristian Poessinger
2022-08-03Merge pull request #1369 from nicolas-fort/T4480Daniil Baturin
T4480: webproxy: Add safe-ports and ssl-safe-ports for acl squid config
2022-08-03nat66: T4586: Add SNAT destination prefix and DNAT addressViacheslav Hletenko
Ability to configure SNAT destination prefix and DNAT source address Add option "!" - not address/prefix for NAT66
2022-08-03validators: T4586: Add IPv6 exclude validators for address/prefixViacheslav Hletenko
Add IPV6 exclude validators: - ipv6-address-exclude - ipv6-prefix-exclude Will use in nat66 source/destination
2022-08-02Merge pull request #1456 from sever-sever/T4585Christian Poessinger
containers: T4585: Add option restart to containers.py
2022-08-02containers: T4585: Add option restart to containers.pyViacheslav Hletenko
Add option restart to `containers.py`
2022-08-02Merge pull request #1455 from sever-sever/T4544Christian Poessinger
graphql: T4544: Add overwritten scripts op-mode-standardized.json
2022-08-02graphql: T4544: Add overwritten scripts op-mode-standardized.jsonViacheslav Hletenko
Add overwritten scripts to 'op-mode-standardized.json'
2022-08-02Merge pull request #1454 from sever-sever/T4585Christian Poessinger
container: T4585: Rewrite show container
2022-08-02container: T4585: Rewrite show containerViacheslav Hletenko
Rewrite op-mode: - show container - show container network - show container image to the new vyos.opmode format
2022-08-02macsec: T4537: add mussing macsec_csindex option to support GCM-AES-256Christian Poessinger
2022-08-02hostap: T4584: add Debian specific options to systemd unit filesChristian Poessinger
2022-08-01macsec: T4537: remove debug falg "-d" from systemd service fileChristian Poessinger
2022-08-01macsec: T4537: supply PID path via systemd service file to daemonChristian Poessinger
2022-08-01macsec: T4391: bugfix config pathChristian Poessinger
After commit 85d6c8f7c62 ("vyos.configdict: T4391: enable get_interface_dict() to be used with ConfigTreeQuery()") we also need to use the full path when working with Config() as previous calls to get_interface_dict() no longer change the level of Config().
2022-08-01op-mode: macsec: T4537: add "show|monitor log macsec" CLI commandsChristian Poessinger
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-16 03:01:40 +0000