Age | Commit message (Collapse) | Author |
|
Domain group allows to filter addresses by domain main
Resolved addresses as elements are stored to named "nft set"
that used in the nftables rules
Also added a dynamic "resolver" systemd daemon
vyos-domain-group-resolve.service which starts python script
for the domain-group addresses resolving by timeout 300 sec
set firewall group domain-group DOMAINS address 'example.com'
set firewall group domain-group DOMAINS address 'example.org'
set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 source group domain-group 'DOMAINS'
set interfaces ethernet eth0 firewall local name 'FOO'
nft list table ip filter
table ip filter {
set DOMAINS {
type ipv4_addr
flags interval
elements = { 192.0.2.1, 192.0.2.85,
203.0.113.55, 203.0.113.58 }
}
chain NAME_FOO {
ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"
counter packets 0 bytes 0 return comment "FOO default-action accept"
}
}
|
|
ppppoe-server: T4373: Add option multiplier for correct shaping
|
|
Multiplier option is required by some vendors for correct shaping
For RADIUS based rate-limits
edit service pppoe-server
set authentication radius rate-limit multiplier '0.001'
|
|
|
|
We do not only allow individual host addresses but also prefixes.
|
|
|
|
sshguard: T4408: Add service ssh dynamic-protection
|
|
Sshguard protects hosts from brute-force attacks
Can inspect logs and block "bad" addresses by threshold
Auto-generate rules for nftables
When service stopped all generated rules are deleted
nft "type filter hook input priority filter - 10"
set service ssh dynamic-protection
set service ssh dynamic-protection block-time 120
set service ssh dynamic-protection detect-time 1800
set service ssh dynamic-protection threshold 30
set service ssh dynamic-protection whitelist-address 192.0.2.1
|
|
|
|
|
|
systemd has its internal reload or restart logic - we do not need to programm
it on our own.
|
|
|
|
Revert "NHRP : T4399: fix issues restart nhrp when add or del tunnel"
|
|
policy: T4424: Fix incorrect format for IPv6 prefixes
|
|
|
|
This reverts commit d1455f936ca721633fcc04d5c84169b4ccf2f447.
New spokes can't register on hub with 'reload-or-restart' option
And requires option 'restart' for opennhrp.service
|
|
T4405: Fix administrative distance of DHCP routes
|
|
- Default dhclient script only uses value of `$IF_MERIC` envvar for default route recived via `router` option.
- This variable has no effect on rotes received via `rfc3442-classless-static-routes` option
- Considering that Vyos overrrides `ip` command originating from `dhclient` this can be easily fixed in `iptovtysh()` function by using the `$IF_METRIC` envvar directly in the dhclient hook.
(cherry picked from commit 0c00e7bf8b6e68814607fde4ff0cd70ce9f4b486)
|
|
Firewall: T990: Add snat and dnat connection status on firewall
|
|
Do no longer store container images which are pulled from any registry to
/config/containers. Instead save them to a unified location that is the same
accross all images on the system: /usr/lib/live/mount/persistence/container/storage
Reason for this change is, while living under /config/containers a VyOS image
upgrade copied all downloaded container images to the new image - doubling the
used space per image on every upgrade. With the new location the images are
all the same for every VyOS image running. Container userdata can still be
stored under /config and copied to a newer image making rollbacks still
efficient.
|
|
Reduce bloat of containers_op.py wrapper script. All commands can be passed
directly to podman via the XML script. This also makes the execution faster,
as no Python environment needs to be build up.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
openvpn: T4381: Add tunnel ip column for status command
|
|
Added the tunnel ip column to see the assigned ip address in server mode
|
|
using python
|
|
monitoring: T4410: Add telegraf output Plugin http for Splunk
|
|
This takes a very long time, but keep the config for manual runs
|
|
|
|
Ability to send HTTP output to Splunk via telegraf
set service monitoring telegraf splunk authentication insecure
set service monitoring telegraf splunk authentication token 'xxx'
set service monitoring telegraf splunk url 'https://x.x.x.x'
|
|
monitoring: T4315: Add telegraf output plugin prometheus-client
|
|
Add output Plugin "prometheus-client" for telegraf:
set service monitoring telegraf prometheus-client
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|