Age  Commit message  Author

2020-05-19  nat: do not report unassigned IP address for DNAT  (Christian Poessinger)
That warning made no sense as the destination address where we forward a port to is by design not locally connected.
2020-05-19  Merge pull request #413 from kroy-the-rabbit/patch-4  (Christian Poessinger)
T2465: vyos-hostsd-client needs sudo
2020-05-19  dhcpv6-pd: T421: support ethernet based interfaces  (Christian Poessinger)
Add support for prefix delegation when receiving the prefix via ethernet, bridge, bond, wireless.
2020-05-19  configdict: T2372: interfaces must reuse interface_default_data  (Christian Poessinger)
This is to remove the amount of duplicated entries in dictionaries. It's one more part to move to a unified interface management.
2020-05-19  T2465: vyos-hostsd-client needs sudo  (kroy-the-rabbit)
There have been a number of complaints about DHCP not getting inserted into the `/etc/hosts` file. This should correct that problem.
2020-05-19  configdict: T2372: use list over string  (Christian Poessinger)
2020-05-19  configdict: T2372: add new interface_default_data dict  (Christian Poessinger)
Dictionary is used to remove the amount of duplicated code by e.g. ethernet or bridge interface.
2020-05-19  dhcpv6-server: T815: support delegating IPv6 prefixes  (Christian Poessinger)
2020-05-18  Merge pull request #412 from thomas-mangin/T2475  (Christian Poessinger)
flake8: T2475: fix a number of issues reported by flake8
2020-05-18  flake8: T2475: fix a number of issues reported by flake8  (Thomas Mangin)
2020-05-17  config: T2409: effective config should be empty at boot initialization  (John Estabrook)
2020-05-17  config: return empty dict if configuration under path is empty  (John Estabrook)
2020-05-17  Merge branch 'ipv6-pd' of github.com:c-po/vyos-1x into current  (Christian Poessinger)
* 'ipv6-pd' of github.com:c-po/vyos-1x:
  pppoe: dhcpv6-pd: T421: change system type to forking
  pppoe: dhcpv6-pd: T421: stop service when config is removed
  pppoe: dhcpv6-pd: T421: start/stop delegation with interface status
  pppoe: dhcpv6-pd: T421: initial support
  dhcpv6-pd: T421: migrate from ISC dhclient to wide-dhcpv6-client
2020-05-17  pppoe: dhcpv6-pd: T421: change system type to forking  (Christian Poessinger)
Wide dhcp client forks by itself
2020-05-17  pppoe: dhcpv6-pd: T421: stop service when config is removed  (Christian Poessinger)
2020-05-17  pppoe: dhcpv6-pd: T421: start/stop delegation with interface status  (Christian Poessinger)
2020-05-17  pppoe: dhcpv6-pd: T421: initial support  (Christian Poessinger)
The following configuration will assign a /64 prefix out of a /56 delegation to eth0. The IPv6 address assigned to eth0 will be <prefix>::ffff/64. If you do not know the prefix size delegated to you, start with sla-len 0.

    pppoe pppoe0 {
        authentication {
            password vyos
            user vyos
        }
        description sadfas
        dhcpv6-options {
            delegate eth0 {
                interface-id 65535
                sla-id 0
                sla-len 8
            }
        }
        ipv6 {
            address {
                autoconf
            }
            enable
        }
        source-interface eth1
    }

    vyos@vyos:~$ show interfaces
    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
    Interface        IP Address                        S/L  Description
    ---------        ----------                        ---  -----------
    eth0             2001:db8:8003:400::ffff/64        u/u
2020-05-17  dhcpv6-pd: T421: migrate from ISC dhclient to wide-dhcpv6-client  (Christian Poessinger)
ISC does not support running the client on PPP(oE) interfaces which makes it unusable for DHCPv6 Prefix Delegation tasks.

    Internet Systems Consortium DHCP Client 4.4.1
    Copyright 2004-2018 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/

    Unsupported device type 512 for "pppoe0"
2020-05-17  pppoe-server: T2471: add SLAAC support  (Christian Poessinger)
... by setting AdvAutonomousFlag=1 when an IPv6 client pool is defined.
2020-05-17  xml: split dhcp, dhcpv6 to individual files  (Christian Poessinger)
2020-05-17  frr: combine all templates in frr directory  (Christian Poessinger)
2020-05-17  powerdns: T2470: adjust systemd RuntimeDirectory  (Christian Poessinger)
2020-05-17  powerdns: T2470: adjust config file permissions for recursor 4.3  (Christian Poessinger)
PowerDNS recursor 4.3 now runs as user pdns and group pdns, thus the generated configuration file and directory need to have the appropriate permissions set.
2020-05-16  nat: nptv6: T2198: add XML/Python skeleton  (Christian Poessinger)
- define XML CLI interface
- read CLI into Python dict
2020-05-16  Merge branch 'nat-nftables' of github.com:c-po/vyos-1x into current  (Christian Poessinger)
* 'nat-nftables' of github.com:c-po/vyos-1x: (27 commits)
  nat: T2198: remove "tcp_udp" from "show nat dest stat"x
  Debian: add required dependency on systemd
  nat: T2198: add common ip-protocol validator
  nat: T2198: use Jinja2 macro for common ruleset for SNAT and DNAT
  nat: T2198: restructure DNAT template part for less duplicated code
  nat: T2198: add support for SNAT based on source addresses
  nat: T2198: set default protocol to all to be backwards compatible
  nat: T2198: sync generated SNAT rules with VyOS 1.2
  nat: T2198: sync generated DNAT rules with VyOS 1.2
  nat: T2198: do not run DNAT rule if rule is disabled
  nat: T2198: restructure DNAT template
  nat: T2198: verify translation address for SNAT and DNAT
  nat: T2198: extend verify() for destination ports
  nat: T2198: migrate "log enable" node to only "log"
  nat: T2198: add protocol completion helper and regex constraint
  nat: T2198: migrate "show nat" commands to XML and Python
  nat: T2198: add some basic verify() rules
  nat: T2198: split nat-address-port include into individual files
  nat: T2198: add ipv4-{address,prefix,range}-exclude validators
  nat: T2198: add new ipv4-range validator
  ...
2020-05-16  nat: T2198: remove "tcp_udp" from "show nat dest stat"x  (Christian Poessinger)
2020-05-16  Debian: add required dependency on systemd  (Christian Poessinger)
2020-05-16  nat: T2198: add common ip-protocol validator  (Christian Poessinger)
It allows IP protocol numbers 0-255, protocol names e.g. tcp, ip, ipv6 and the negated form with a leading "!".
2020-05-16  nat: T2198: use Jinja2 macro for common ruleset for SNAT and DNAT  (Christian Poessinger)
By using a Jinja2 macro the same template code can be used to create both source and destination NAT rules with only minor changes introduced by e.g. the used chain (POSTROUTING vs PREROUTING).

Used the following configuration for testing on two systems with VyOS 1.2 and the old implementation vs the new one here.

    set nat destination rule 15 description 'foo-10'
    set nat destination rule 15 destination address '1.1.1.1'
    set nat destination rule 15 inbound-interface 'eth0.202'
    set nat destination rule 15 protocol 'tcp_udp'
    set nat destination rule 15 translation address '192.0.2.10'
    set nat destination rule 15 translation port '3389'
    set nat destination rule 20 description 'foo-20'
    set nat destination rule 20 destination address '2.2.2.2'
    set nat destination rule 20 destination port '22'
    set nat destination rule 20 inbound-interface 'eth0.201'
    set nat destination rule 20 protocol 'tcp'
    set nat destination rule 20 translation address '192.0.2.10'
    set nat source rule 100 outbound-interface 'eth0.202'
    set nat source rule 100 protocol 'all'
    set nat source rule 100 source address '192.0.2.0/26'
    set nat source rule 100 translation address 'masquerade'
    set nat source rule 110 outbound-interface 'eth0.202'
    set nat source rule 110 protocol 'tcp'
    set nat source rule 110 source address '192.0.2.0/26'
    set nat source rule 110 source port '5556'
    set nat source rule 110 translation address 'masquerade'
    set nat source rule 120 outbound-interface 'eth0.202'
    set nat source rule 120 protocol 'tcp_udp'
    set nat source rule 120 source address '192.0.3.0/26'
    set nat source rule 120 translation address '2.2.2.2'
2020-05-16  nat: T2198: restructure DNAT template part for less duplicated code  (Christian Poessinger)
Build up only one output rule string by appending the configuration part by part.
2020-05-16  nat: T2198: add support for SNAT based on source addresses  (Christian Poessinger)
CLI commands used for ruleset generation:

    set nat source rule 100 outbound-interface 'eth0.202'
    set nat source rule 100 protocol 'all'
    set nat source rule 100 source address '192.0.2.0/26'
    set nat source rule 100 translation address 'masquerade'
    set nat source rule 110 outbound-interface 'eth0.202'
    set nat source rule 110 protocol 'tcp'
    set nat source rule 110 source address '192.0.2.0/26'
    set nat source rule 110 source port '5556'
    set nat source rule 110 translation address 'masquerade'
2020-05-16  nat: T2198: set default protocol to all to be backwards compatible  (Christian Poessinger)
2020-05-16  nat: T2198: sync generated SNAT rules with VyOS 1.2  (Christian Poessinger)
The generated NAT rules in VyOS 1.2 are compared to the generated nftables ruleset in VyOS 1.3; this was done by converting the 1.2 iptables ruleset to nftables and then doing the diff.

To convert from iptables to nftables use the following command:

    $ iptables-save -t nat > /tmp/tmp.iptables
    $ iptables-restore-translate -f /tmp/tmp.iptables

The following CLI options have been used for testing:

    set nat source rule 10 description 'foo-10'
    set nat source rule 10 destination address '1.1.1.1'
    set nat source rule 10 destination port '1111'
    set nat source rule 10 exclude
    set nat source rule 10 log 'enable'
    set nat source rule 10 outbound-interface 'eth0.202'
    set nat source rule 10 protocol 'tcp_udp'
    set nat source rule 10 translation address '192.0.2.10'
    set nat source rule 15 description 'foo-10'
    set nat source rule 15 destination address '1.1.1.1'
    set nat source rule 15 exclude
    set nat source rule 15 log 'enable'
    set nat source rule 15 outbound-interface 'eth0.202'
    set nat source rule 15 protocol 'tcp_udp'
    set nat source rule 15 translation address '192.0.2.10'
    set nat source rule 20 description 'foo-20'
    set nat source rule 20 destination address '2.2.2.2'
    set nat source rule 20 log 'enable'
    set nat source rule 20 outbound-interface 'eth0.201'
    set nat source rule 20 protocol 'tcp'
    set nat source rule 20 translation address '192.0.2.10'
    set nat source rule 100 outbound-interface 'eth0.202'
    set nat source rule 100 protocol 'all'
    set nat source rule 100 source address '192.0.2.0/26'
    set nat source rule 100 translation address 'masquerade'
2020-05-16  nat: T2198: sync generated DNAT rules with VyOS 1.2  (Christian Poessinger)
The generated NAT rules in VyOS 1.2 are compared to the generated nftables ruleset in VyOS 1.3; this was done by converting the 1.2 iptables ruleset to nftables and then doing the diff.

To convert from iptables to nftables use the following command:

    $ iptables-save -t nat > /tmp/tmp.iptables
    $ iptables-restore-translate -f /tmp/tmp.iptables

The following CLI options have been used for testing:

    set nat destination rule 10 description 'foo-10'
    set nat destination rule 10 destination address '1.1.1.1'
    set nat destination rule 10 destination port '1111'
    set nat destination rule 10 exclude
    set nat destination rule 10 inbound-interface 'eth0.202'
    set nat destination rule 10 log
    set nat destination rule 10 protocol 'tcp_udp'
    set nat destination rule 10 translation address '192.0.2.10'
    set nat destination rule 15 description 'foo-10'
    set nat destination rule 15 destination address '1.1.1.1'
    set nat destination rule 15 exclude
    set nat destination rule 15 inbound-interface 'eth0.202'
    set nat destination rule 15 log
    set nat destination rule 15 protocol 'tcp_udp'
    set nat destination rule 15 translation address '192.0.2.10'
    set nat destination rule 20 description 'foo-20'
    set nat destination rule 20 destination address '2.2.2.2'
    set nat destination rule 20 inbound-interface 'eth0.201'
    set nat destination rule 20 log
    set nat destination rule 20 protocol 'tcp'
    set nat destination rule 20 translation address '192.0.2.10'
2020-05-16  nat: T2198: do not run DNAT rule if rule is disabled  (Christian Poessinger)
2020-05-16  nat: T2198: restructure DNAT template  (Christian Poessinger)
Make the entire template more maintainable
2020-05-16  nat: T2198: verify translation address for SNAT and DNAT  (Christian Poessinger)
2020-05-16  nat: T2198: extend verify() for destination ports  (Christian Poessinger)
Destination NAT configuration: destination ports can only be specified when protocol is tcp, udp or tcp_udp.
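The two validation rules described in this log, the common ip-protocol validator (a number 0-255, a protocol name, or either negated with a leading "!") and the verify() constraint that destination ports need protocol tcp, udp or tcp_udp, as an added stand-alone example; this is not vyos-1x code. The protocol-name set and the rule dict shape are constructed for the example, and the translation-address and disabled-rule checks follow the neighbouring commit subjects.

```python
import re

# Constructed name set for the example; the real validator consults the
# system protocol table, which this stand-alone version does not read.
KNOWN_PROTOCOLS = {"all", "ip", "ipv6", "tcp", "udp", "tcp_udp",
                   "icmp", "icmpv6", "gre", "esp", "ah"}
# Only these protocols carry ports, so only they may take a port match.
PORT_PROTOCOLS = {"tcp", "udp", "tcp_udp"}


def validate_ip_protocol(value: str) -> bool:
    """Accept a protocol number 0-255, a known protocol name, or either
    form negated with a leading '!' (e.g. '!tcp' or '!6')."""
    body = value[1:] if value.startswith("!") else value
    if not body:
        return False
    if re.fullmatch(r"\d{1,3}", body):
        return 0 <= int(body) <= 255
    return body.lower() in KNOWN_PROTOCOLS


def verify_dnat_rule(number: int, rule: dict) -> list:
    """Return verify()-style error strings for one destination NAT rule.
    Constructed dict shape: {'protocol': str, 'destination': {'address',
    'port'}, 'translation': {'address', 'port'}, optional 'disable'}."""
    if "disable" in rule:
        return []  # a disabled rule is never rendered, so it is not checked
    errors = []
    proto = rule.get("protocol", "all")  # default protocol is 'all'
    if not validate_ip_protocol(proto):
        errors.append(f"rule {number}: invalid protocol '{proto}'")
    # A negated protocol such as '!tcp' is not tcp, so it cannot take a port.
    if "port" in rule.get("destination", {}) and proto.lower() not in PORT_PROTOCOLS:
        errors.append(f"rule {number}: destination port requires protocol "
                      "tcp, udp or tcp_udp")
    if "address" not in rule.get("translation", {}):
        errors.append(f"rule {number}: translation address is required")
    return errors


if __name__ == "__main__":
    # Rule 20 from the DNAT test configuration in this log.
    rule20 = {"protocol": "tcp", "destination": {"address": "2.2.2.2", "port": "22"},
              "translation": {"address": "192.0.2.10"}}
    print(verify_dnat_rule(20, rule20) or "rule 20 ok")
```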
2020-05-16  nat: T2198: migrate "log enable" node to only "log"  (Christian Poessinger)
2020-05-16  nat: T2198: add protocol completion helper and regex constraint  (Christian Poessinger)
2020-05-16  nat: T2198: migrate "show nat" commands to XML and Python  (Christian Poessinger)
- "show nat source|destination statistics" is now implemented in Python
- "show nat source|destination rules" needs a new implementation, see T2459
- "show nat source|destination translations" has been copied over from the old repo and is here until it is rewritten; this was not possible for "rules" as there would have been too many dependencies. This one only requires libxml-simple-perl
2020-05-16  nat: T2198: add some basic verify() rules  (Christian Poessinger)
2020-05-16  nat: T2198: split nat-address-port include into individual files  (Christian Poessinger)
2020-05-16  nat: T2198: add ipv4-{address,prefix,range}-exclude validators  (Christian Poessinger)
Exclude validators are required to support the ! (not) operator on the CLI to exclude addresses from NAT.
2020-05-16  nat: T2198: add new ipv4-range validator  (Christian Poessinger)
2020-05-16  nat: T2198: make use of jmespath when walking nftables JSON output  (Christian Poessinger)
2020-05-16  nat: T2198: implement deletion of NAT subsystem  (Christian Poessinger)
2020-05-16  nat: T2198: automatically determine handler numbers  (Christian Poessinger)
When instantiating NAT it is required to install some nftable jump targets. The targets need to be added after a specific other target, thus we need to dynamically query the handler number. This is done by get_handler() which could be moved to vyos.util at a later point in time so it can be reused for a firewall rewrite.
2020-05-16  nat: T2198: move from iptables to nftables  (Christian Poessinger)
2020-05-16  nat: T2198: migrate to common template for source/destination NAT  (Christian Poessinger)