summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-04-13T5150: do not apply zebra route-map from routing-daemon config levelChristian Breunig
2023-04-13T5150: initial implementation of new Kernel/Zebra route-map supportChristian Breunig
It is possible to install a route-map which filters the routes between routing daemons and the OS kernel (zebra) As of now this can be done by e.g. * set protocols ospf route-map foo * set protocols ospfv3 route-map foo * set protocols bgp route-map foo Which in turn will install the following lines into FRR * ip protocol ospf route-map foo * ipv6 protocol ospf6 route-map foo * ip protocol bgp route-map foo The current state of the VyOS CLI is incomplete as there is no way to: * Install a filter for BGP IPv6 routes * Install a filter for static routes * Install a filter for connected routes Thus the CLI should be redesigned to close match what FRR does for both the default and any other VRF * set system ip protocol ospf route-map foo * set system ipv6 protocol ospfv3 route-map foo * set system ip protocol bgp route-map foo * set system ipv6 protocol bgp route-map foo The configuration can be migrated accordingly. This commit does not come with the migrator, it will be comitted later.
2023-04-13eigrp: T2472: remove pprint debug statementChristian Breunig
2023-04-13Merge pull request #1935 from indrajitr/pdns-round3Christian Breunig
dns: T5143: Apply constraint for domain name in DNS forwarding
2023-04-12xml: op-mode: T5081: introduce new FRR tagNode interface building blockChristian Breunig
2023-04-12xml: op-mode: T5081: re-use vtysh-generic-detail building blockChristian Breunig
2023-04-12xml: T5081: generate common holddown XML building block for IS-IS and OSPFChristian Breunig
2023-04-12Merge pull request #1904 from Cheeze-It/currentChristian Breunig
T5081: ISIS and OSPF syncronization with IGP-LDP sync
2023-04-11Merge pull request #1953 from sever-sever/T4727-currChristian Breunig
T4727: Change and fix RADIUS rate-limit option for pptp
2023-04-11T4727: Change and fix RADIUS rate-limit option for pptpViacheslav Hletenko
Initially the option 'rate-limit' was implemented with the wrong place in the CLI: set vpn pptp remote-access authentication rate-limit <xxx> Expected under 'radius' section: set vpn pptp remote-access authentication radius rate-limit <xxx> Configuration for 'rate-limit' (Jinja2 template) never worked for pptp, fix it.
2023-04-11Merge pull request #1950 from sever-sever/T5152Christian Breunig
T5152: Get default hostname for telegraf from FQDN or hostname
2023-04-11T5081: ISIS and OSPF syncronization with IGP-LDP syncCheeze_It
2023-04-11T5152: Get default hostname for telegraf from FQDN or hostnameViacheslav Hletenko
Fix for Telegraf agent hostname isn't qualified Try to get hostname from FQDN and then from hostname Used for metrics You may have more than one machine with different domain names r1 domain-name foo.local, hostname myhost r2 domain-name bar.local, hostname myhost It helps to detect from which exectly host we get metric for InfluxDB2
2023-04-10Merge pull request #1936 from indrajitr/ddclient-opmodeChristian Breunig
dns: T5144: Improve dns dynamic status output
2023-04-10Merge pull request #1947 from sever-sever/T5148Christian Breunig
T5148: Add smoketest for plugin openvpn-otp OpenVPN
2023-04-10Merge pull request #1949 from sever-sever/T5065Christian Breunig
T5065: Add verify for firewall port-group and port
2023-04-10Merge pull request #1948 from chenxiaolong/T5151Christian Breunig
hostapd: T5151: Override ConditionFileNotEmpty
2023-04-10T5065: Add verify for firewall port-group and portViacheslav Hletenko
We cannot use both 'port' and 'port-group' for the same direction in one rule at the same time Otherwise it generates wrong rules that don't block anything set P_pgrp { type inet_service flags interval auto-merge elements = { 101-105 } } chain NAME_foo { tcp dport 22 tcp dport @P_pgrp counter drop comment "foo-10" counter return comment "foo default-action accept" }
2023-04-10hostapd: T5151: Override ConditionFileNotEmptyAndrew Gunnerson
Debian's `debian/2%2.10-12` update of the hostap packaging added a ConditionFileNotEmpty directive for `/etc/hostapd/<...>` paths, which doesn't match the `/run/hostapd/<...>` paths that VyOS uses. This commit updates the override file to use the proper VyOS paths. https://salsa.debian.org/debian/wpa/-/commit/d204ceb5a2dc33db888eb55b5fee542a1005e69c Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
2023-04-10Merge pull request #1941 from sever-sever/T1237Viacheslav Hletenko
T1237: Failover route add checks for multiple targets
2023-04-10T5148: Add smoketest for plugin openvpn-otp OpenVPNViacheslav Hletenko
2023-04-10Merge pull request #1942 from sever-sever/T4770Daniil Baturin
T4770: Ability to get OpenVPN iface state and description for raw
2023-04-10Merge pull request #1946 from ichdasich/filtered_routesDaniil Baturin
T5078: Added filtered-routes BGP command
2023-04-10Merge pull request #1945 from sever-sever/T5148Daniil Baturin
T5148: Fix OpenVPN plugin dir variable
2023-04-10T5078: Added filtered-routes BGP commandTobias Fiebig
2023-04-10T5148: Fix OpenVPN plugin dir variableViacheslav Hletenko
Jinja2 template uses {{ plugin_dir }} that it gets from the interface-openvpn.py variable 'plugin_dir' but the correct var should be as part of 'openvpn' dictionary i.e. openvpn['plugin_dir']
2023-04-10T4770: Ability to get OpenVPN iface state and description for rawViacheslav Hletenko
2023-04-09Merge pull request #1944 from chenxiaolong/eapol_tls_1.0_regressionChristian Breunig
eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLS
2023-04-09eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLSAndrew Gunnerson
The Debian 12 upgrade in T5003 caused a regression for connecting to legacy networks that only support TLSv1.0/1.1 for EAP-TLS. Debian allows this by default in their wpa_supplicant package, but their `allow-tlsv1.patch` patch does not work properly with VyOS' newer wpa_supplicant package, which is based on the latest code in git. As a result, wpa_supplicant always respects the system-wide openssl crypto policy, disallowing TLSv1. The commit uses the documented way of allowing TLSv1, which takes precedence over the system crypto policy. Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
2023-04-07openvpn: T5149: do not raise error in case of disabled interfaceJohn Estabrook
2023-04-07T1237: Failover route add checks for multiple targetsViacheslav Hletenko
There is only one target for checking ICMP/ARP Extend it for checking multiple targets set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.1' set protocols failover route 192.0.2.55/32 next-hop 192.168.122.1 check target '203.0.113.11' The route will be installed only if all targets are 'alive'
2023-04-06container: T5147: ensure container network exists before VRF operationChristian Breunig
Networks are started only as soon as there is a consumer. If only a network is created in the first place, no need to assign it to a VRF as there's no consumer, yet.
2023-04-04Merge pull request #1937 from aapostoliuk/T5135-sagittaChristian Breunig
opennhrp: T5135: Rewritten opennhrp script using vyos.ipsec
2023-04-04Merge pull request #1938 from sever-sever/T5142Christian Breunig
T5142: Add audit tool to monitor security-relevant events
2023-04-04Merge pull request #1939 from sever-sever/T5145Christian Breunig
T5145: Add maximum number of all logins on system
2023-04-04Merge branch 'current' of https://github.com/Cheeze-It/vyos-1x into currentCheeze_It
2023-04-04T5081: ISIS and OSPF syncronization with IGP-LDP syncCheeze_It
2023-04-04T5145: Add maximum number of all logins on systemViacheslav Hletenko
maxsyslogins maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is greater than specified number (this limit does not apply to user with uid=0) set system login max-login-session 2
2023-04-04Merge branch 'vyos:current' into currentCheeze-It
2023-04-04T5142: Add audit tool to monitor security-relevant eventsViacheslav Hletenko
2023-04-04opennhrp: T5135: Rewritten opennhrp script using vyos.ipsecaapostoliuk
Rewritten opennhrp script using vyos.ipsec library
2023-04-04dns: T5143: Apply constraint for domain name in DNS forwardingIndrajit Raychaudhuri
This will prevent arbitrary strings from being entered as domain names. Additionally, reuse the fqdn validator instead of a custom regex.
2023-04-03T5081: ISIS and OSPF syncronization with IGP-LDP syncCheeze_It
2023-04-03dns: T5144: Improve dns dynamic status outputIndrajit Raychaudhuri
Improve and fix the output of dynamic dns status to be compatible with new ddclient cache format. Additional details: - The status output is now formatted as a table with per-host dual-stack information in rows. Columns not having actual value present in the output will be kept empty. - The 'Last update' column is now formatted in Local time format instead of UTC.
2023-04-03Merge pull request #1932 from sever-sever/T5125Christian Breunig
T5125: Sflow op-mode add event_samples_suppressed option
2023-04-03Merge pull request #1934 from sever-sever/T5141Christian Breunig
T5141: Add numbers for dhclient-exit-hooks.d to enforce order
2023-04-03Merge pull request #1933 from sever-sever/T5139Christian Breunig
T5139: IPSec add IKE lifetime 0 for no rekeying
2023-04-03T5141: Add numbers for dhclient-exit-hooks.d to enforce orderViacheslav Hletenko
Add numbers for all dhclient-exit-hooks.d to enforce script order execution Also, move '99-run-user-hooks' to '98-run-user-hooks' due to vyatta-dhclient-hook bug and exit with 'exit 1' it is described in the https://vyos.dev/T4856, so we should move this hook to the end. Rename 'vyatta-dhclient-hook' to '99-vyatta-dhclient-hook'
2023-04-03T5139: IPSec add IKE lifetime 0 for no rekeyingViacheslav Hletenko
IKE lifetime should starting from 0 for disabling rekeying
2023-04-03T5125: Sflow op-mode add event_samples_suppressed optionViacheslav Hletenko
Add "Packet drops suppressed" option Rename "Samples drop events sent" to "Packet drops sent"