summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-10-10ssh: T4716: Ablity to configure RekeyLimit data and timeViacheslav Hletenko
Ability to configure SSH RekeyLimit data (in Megabytes) and time (in Minutes) set service ssh rekey data 1024 set service ssh rekey time 60
2022-09-27Merge pull request #1562 from sever-sever/T4711Christian Poessinger
login: T4711: Terminate user TTY and PTS sessions
2022-09-27Merge pull request #1560 from nicolas-fort/T4700Christian Poessinger
T4700: Firewall: add interface matching criteria
2022-09-27login: T4711: Terminate user TTY and PTS sessionsViacheslav Hletenko
Ability to terminate user TTY and PTS sessions clear session pts/1
2022-09-26ethernet: T4689: support asymetric RFS configuration on multiple interfacesChristian Poessinger
The initial implementation from commit ac4e07f9 ("rfs: T4689: Support RFS (Receive Flow Steering)") always adjusted the global rps_sock_flow_entries configuration. So if RFS was enabled for one NIC but not the other - it did not work. According to the documentation: RFS is only available if the kconfig symbol CONFIG_RPS is enabled (on by default for SMP). The functionality remains disabled until explicitly configured. The number of entries in the global flow table is set through: /proc/sys/net/core/rps_sock_flow_entries The number of entries in the per-queue flow table are set through: /sys/class/net/<dev>/queues/rx-<n>/rps_flow_cnt Both of these need to be set before RFS is enabled for a receive queue. Values for both are rounded up to the nearest power of two. The suggested flow count depends on the expected number of active connections at any given time, which may be significantly less than the number of open connections. We have found that a value of 32768 for rps_sock_flow_entries works fairly well on a moderately loaded server. This commit sets rps_sock_flow_entries via sysctl on bootup leafing the RFS configuration to the interface level.
2022-09-26Merge pull request #1545 from sever-sever/T4557Christian Poessinger
ids: T4557: Migrate threshold and add new threshold types
2022-09-26ids: T4557: Migrate threshold and add new threshold typesViacheslav Hletenko
Migrate "service ids ddos-protection threshold xxx" to "service ids ddos-protection general threshold xxx" Add new threshold types: set service ids ddos-protection threshold tcp xxx set service ids ddos-protection threshold udp xxx set service ids ddos-protection threshold icmp xxx
2022-09-26T4700: Firewall: add interface matching criteriaNicolas Fort
2022-09-25wireguard: ifconfig: T2653: move Config() import to be local to consumerChristian Poessinger
2022-09-25wireguard: ifconfig: T2653: use NamedTemporaryFile() when dealing with ↵Christian Poessinger
private key This prevents habing any leftover private-key files in /tmp directory.
2022-09-24Merge pull request #1558 from initramfs/current-fix-tcp-mssChristian Poessinger
interfaces: T4709: raise minimum TCP MSS clamping value
2022-09-25interfaces: T4709: raise minimum TCP MSS clamping valueinitramfs
This commit raises the minimum TCP MSS clamping range to the MSS value corresponding to the minimum packet size that must be accepted for IPv4.
2022-09-24ethernet: T3171: enable RPS (Receive Packet Steering) for all RX queuesChristian Poessinger
The initial implementation in commit 9fb9e5cade ("ethernet: T3171: add CLI option to enable RPS (Receive Packet Steering)" only changed the CPU affinity for RX queue 0. This commit takes all RX queues into account.
2022-09-22ipoe: T4703: fix migration of vlan node for loca authenticated usersChristian Poessinger
2022-09-22xml: T4698: validating a range must be explicitly enabled in the validatorChristian Poessinger
This extends commit 28573ffe4f ("xml: T4698: drop validator name="range" and replace it with numeric"). The first version allowed both a range and discrete numbers to be validated by the numeric validator. This had a flaw as both 22 and 22-30 were valid at the same time. The generic "port-number.xml.i" building block only allows a discrete number. Now if a user set port 22-30 for e.g. SSH the daemon did no longer start. This is why range validation must be explicitly enabled.
2022-09-22Merge pull request #1541 from goodNETnick/ggl_authChristian Poessinger
system login: T874: add libpam-google-authenticator package
2022-09-22Merge pull request #1554 from sarthurdev/nat_refactorChristian Poessinger
nat: T4605: Fix op-mode NAT table name
2022-09-22nat: T4605: Fix op-mode NAT table namesarthurdev
2022-09-22Merge pull request #1521 from sever-sever/T3476Christian Poessinger
update-check: T3476: Allow update-check for VyOS images
2022-09-22Merge pull request #1552 from sarthurdev/nat_refactorChristian Poessinger
nat: nat66: T4605: T4706: Refactor NAT/NAT66 and use new table name
2022-09-22telegraf: T4680: fix prometheus client listen-address invalid formatKyleM
2022-09-21nat: T4605: Refactor static NAT to use python module for parsing rulessarthurdev
* Rename table to vyos_nat * Add static NAT smoketest
2022-09-21nat66: T4605: Refactor NAT66 to use python module for parsing rulessarthurdev
* Rename table to vyos_nat * Refactor tests to use `verify_nftables` format
2022-09-21nat: T4605: Refactor NAT to use python module for parsing rulessarthurdev
* Rename table to vyos_nat * Refactor tests to use `verify_nftables` format
2022-09-21Merge pull request #1553 from nicolas-fort/return-actionChristian Poessinger
T4699: Firewall: Add return action
2022-09-21T4699: Firewall: Add return action, since jump action was added recentlyNicolas Fort
2022-09-21dhcpv6-pd: T2821: bugfix Jinja2 template - missing conditional ifChristian Poessinger
Specifying "dhcpv6-options pd 0" for any interface without an interface where we delegate an address to resulted in a commit error: {% for interface, interface_config in pd_config.interface.items() if pd_config.interface is vyos_defined %} jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'interface'
2022-09-21ipoe: T4678: T4703: rewrite to get_config_dict()Christian Poessinger
In addition to the rewrite to make use of get_config_dict() the CLI is slightly adjusted as specified in T4703. * Rename vlan-id and vlan-range to simply vlan * Rename network-mode to simply mode * Re-use existing common Jinja2 template for Accel-PPP which are shared with PPPoE and SSTP server. * Retrieve default values via defaultValue XML node
2022-09-20xml: firewall: T2199: improve interface help stringChristian Poessinger
2022-09-20xml: ipsec: T1210: add valueHelp and constraint for remote-access connection ↵Christian Poessinger
name
2022-09-20xml: ipsec: T3093: add valueHelp and constraint for profile nameChristian Poessinger
2022-09-20ipsec: T4118: bugfix migration of IKEv2 road-warrior "id" CLI optionChristian Poessinger
The "authentication id" option for road-warriors did not get migrated to the new local-id CLI node. This has been fixed.
2022-09-19ipsec: T4118: bugfix config migrator 9-to-10Christian Poessinger
When a CLI node is set with a migrator and is not a valueLess node, we need to specify the "value" using the value= operation in config.set(). This fixes the config load error: vyos.configsession.ConfigSessionError: Invalid config file (syntax error): error at line 353
2022-09-19Merge pull request #1549 from sever-sever/T4118-smoketestChristian Poessinger
smoketest: T4118: Fix smoketest for NHRP
2022-09-19smoketest: T4118: Fix smoketest for NHRPViacheslav Hletenko
As we change syntax for IPSec 'esp <tag> compression disable' to delete 'compression' if it not used, so delete it from nhtp test
2022-09-18Merge pull request #1543 from Cheeze-It/currentChristian Poessinger
isis: T4693: Fix ISIS segment routing configurations, part deux
2022-09-18Update protocols_isis.pyCheeze_It
isis: T4693: Fix ISIS segment routing configurations This change is to fix more bugs in which ISIS segment routing was broken due to a refactor. This change also introduces a few additions to the ISIS handler for checking per prefix validations for segment value and mutual exclusivity for two options.
2022-09-17Merge pull request #1546 from nicolas-fort/fwall-jumpChristian Poessinger
T4699: Firewall: Add jump action in firewall ruleset
2022-09-17wireguard: T4702: actively revoke peer if it gets disabledChristian Poessinger
When any configured peer is set to `disable` while the Wireguard tunnel is up and running it does not get actively revoked and removed. This poses a security risk as connections keep beeing alive. Whenever any parameter of a peer changes we actively remove the peer and fully recreate it on the fly.
2022-09-17smoketest: accel-ppp: revise base class to reduce amout of redundant codeChristian Poessinger
2022-09-17pppoe-server: T4703: combine vlan-id and vlan-range into single CLI nodeChristian Poessinger
The initial Accel-PPP PPPoE implementation used: set service pppoe-server interface <name> vlan-id <id> set service pppoe-server interface <name> vlan-range <start-stop> This is actually a duplicated CLI node.
2022-09-16firewall: T2199: enable "auto-merge" on setsChristian Poessinger
vyos@vyos# show firewall +name foo { + rule 1 { + action accept + packet-length 100 + packet-length 105 + packet-length 200-300 + packet-length 220-250 + } +} will report a nftables error upon load: Error: conflicting intervals specified With nftables 1.0.3 there is an "auto-merge" option which corrects this: https://lwn.net/Articles/896732/
2022-09-16Merge pull request #1463 from sever-sever/T4118Daniil Baturin
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
2022-09-16T4699: Firewall: Add jump action in firewall rulestNicolas Fort
2022-09-16ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peerViacheslav Hletenko
Migration and Change boolean nodes "enable/disable" to disable-xxxx, enable-xxxx and just xxx for VPN IPsec configurations - IKE changes: - replace 'ipsec ike-group <tag> mobike disable' => 'ipsec ike-group <tag> disable-mobike' - replace 'ipsec ike-group <tag> ikev2-reauth yes|no' => 'ipsec ike-group <tag> ikev2-reauth' - ESP changes: - replace 'ipsec esp-group <tag> compression enable' => 'ipsec esp-group <tag> compression' - PEER changes: - replace: 'peer <tag> id xxx' => 'peer <tag> local-id xxx' - replace: 'peer <tag> force-encapsulation enable' => 'peer <tag> force-udp-encapsulation' - add option: 'peer <tag> remote-address x.x.x.x' Add 'peer <name> remote-address <name>' via migration script
2022-09-16Merge pull request #1544 from sever-sever/T4697Christian Poessinger
policy-route: T4697: Add missing rule_id for verify_rule func
2022-09-16ocserv: T4656: use "0.0.0.0" defaultValue via XML definition"Christian Poessinger
2022-09-16ocserv: openconnect: T4656: add listen-address CLI optionDemon_H
This will set the listen-host ocserv configuration option.
2022-09-16xml: T4698: drop validator name="range" and replace it with numericChristian Poessinger
After T4669 added support for range validation to the OCaml validator there is no need to keep the slow Python validator in place. Raplace all occurances of <validator name="range" argument="--min=1 --max=65535"/> with <validator name="numeric" argument="--range 1-65535"/>.
2022-09-16policy-route: T4697: Add missing rule_id for verify_rule funcViacheslav Hletenko
There is a missing 'rule_id' in verify_rule() function We call it from the loop but don't provide argument 'rule_id' It cause "NameError: name 'rule_id' is not defined" Fix it