Age | Commit message (Collapse) | Author |
|
In addition to the rewrite to make use of get_config_dict() the CLI is
slightly adjusted as specified in T4703.
* Rename vlan-id and vlan-range to simply vlan
* Rename network-mode to simply mode
* Re-use existing common Jinja2 template for Accel-PPP which are shared
with PPPoE and SSTP server.
* Retrieve default values via defaultValue XML node
|
|
The "authentication id" option for road-warriors did not get migrated to
the new local-id CLI node. This has been fixed.
|
|
isis: T4693: Fix ISIS segment routing configurations, part deux
|
|
isis: T4693: Fix ISIS segment routing configurations
This change is to fix more bugs in which ISIS segment routing was broken due to a refactor. This change also introduces a few additions to the ISIS handler for checking per prefix validations for segment value and mutual exclusivity for two options.
|
|
T4699: Firewall: Add jump action in firewall ruleset
|
|
The initial Accel-PPP PPPoE implementation used:
set service pppoe-server interface <name> vlan-id <id>
set service pppoe-server interface <name> vlan-range <start-stop>
This is actually a duplicated CLI node.
|
|
vyos@vyos# show firewall
+name foo {
+ rule 1 {
+ action accept
+ packet-length 100
+ packet-length 105
+ packet-length 200-300
+ packet-length 220-250
+ }
+}
will report a nftables error upon load: Error: conflicting intervals specified
With nftables 1.0.3 there is an "auto-merge" option which corrects this:
https://lwn.net/Articles/896732/
|
|
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
|
|
|
|
Migration and Change boolean nodes "enable/disable" to
disable-xxxx, enable-xxxx and just xxx for VPN IPsec
configurations
- IKE changes:
- replace 'ipsec ike-group <tag> mobike disable'
=> 'ipsec ike-group <tag> disable-mobike'
- replace 'ipsec ike-group <tag> ikev2-reauth yes|no'
=> 'ipsec ike-group <tag> ikev2-reauth'
- ESP changes:
- replace 'ipsec esp-group <tag> compression enable'
=> 'ipsec esp-group <tag> compression'
- PEER changes:
- replace: 'peer <tag> id xxx'
=> 'peer <tag> local-id xxx'
- replace: 'peer <tag> force-encapsulation enable'
=> 'peer <tag> force-udp-encapsulation'
- add option: 'peer <tag> remote-address x.x.x.x'
Add 'peer <name> remote-address <name>' via migration script
|
|
This will set the listen-host ocserv configuration option.
|
|
T3896(adjacent): Fix ocserv local user requirement, add groupconfig
|
|
Add new VyOS CLI command:
set protocols bgp parameters bestpath peer-type multipath-relax
This command specifies that BGP decision process should consider paths from all
peers for multipath computation. If this option is enabled, paths learned from
any of eBGP, iBGP, or confederation neighbors will be multipath if they are
otherwise considered equal cost. [1]
[1]: http://docs.frrouting.org/en/stable-8.3/bgp.html#clicmd-bgp-bestpath-peer-type-multipath-relax
|
|
nhrp: T2199: Use separate table in nftables for NHRP rules
|
|
|
|
firewall: zone-policy: T2199: T4605: Refactor firewall, migrate zone-policy
|
|
This change is to fix a bug in which ISIS segment routing was broken due to a refactor.
This change also is going to introduce a smoketest to make sure this is caught in the future.
|
|
|
|
|
|
|
|
firewall node
* Refactor firewall and zone-policy rule creation and cleanup
* Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>`
* Remove `firewall-interface.py` conf script
|
|
|
|
When applying the same VRID for IPv4 and IPv6 with RFC3768
compatibility enabled, the IPv6 interfaces came back with the
wrong name. For example:
Name Interface VRID State Priority Last Transition
------ ----------- ------ ------- ---------- -----------------
v4-10 eth1v10 10 MASTER 100 21s
v6-10 vrrpv10 10 MASTER 100 21s
Because of this, the IPv6 interface didn't show up in `show int`.
This change suffixes the interface with the IP version so
`show int` works again.
Name Interface VRID State Priority Last Transition
------ ----------- ------ ------- ---------- -----------------
v4-10 eth1v10v4 10 MASTER 100 21s
v6-10 eth1v10v6 10 MASTER 100 21s
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
[....]
eth1v10v4 192.168.10.60/24 u/u
eth1v10v6 2001:ffff::1/64 u/u
[....]
|
|
|
|
nat: T538: Add static NAT one-to-one
|
|
Remove `default_action` from template "nftables-policy" as XML
policy route does not use it
Set default action 'accept' for policy route, as default action
'drop' must be used only for firewall and not related to the
policy route
|
|
|
|
nat66: T4631: Add port and protocol to nat66 conf
|
|
|
|
|
|
|
|
Ability to configure src/dst/translation port and protocol for
SNAT and DNAT IPv6
|
|
From the doc miniupnpd
IP/mask format must be nnn.nnn.nnn.nnn/nn
Comment out invalid option "anchor"
|
|
Address @sever-sever's suggestion to refactor how groupconfig is
defined, parsed, and set (with his proposed conditional string
appending Py-sugar). Use the disable-mobike refactor as template
for XML simplification.
Testing:
None yet
|
|
Enterprise RADIUS configurations often utilize group selectors for
authentication and attribute distribution for connecting clients.
Ocserv implements this functionality via the `select-group` config
file attribute, repeating for multiple groups. When a user selects
their membership group and the request is passed to the RADIUS
server, ocserv will match the returned Class attribute against the
value selected by the user. This functionality also works for local
group membership resolution, although VyOS currently doesn't have
group membership configuration for this.
Expose the tunnel-all-dns option in the ocserv config file allowing
users who deploy default routes to select split-dns and those who
do not to enable full DNS tunneling.
Testing:
Smoketests & build
Configured groups in openconnect profile and verified existence
in /run/ocserv/ocserv.conf
Configured forced dns tunneling and verified presence of setting
in /run/ocserv/ocserv.conf
|
|
From ocserv documentation:
```
If the groupconfig option is set, then config-per-user will be
overriden, and all configuration will be read from radius. That
also includes the Acct-Interim-Interval, and Session-Timeout
values.
```
Implement yes/no configuration and parameter handling during jinja
rendering.
Fix bug wherein openconnect-server configuration requires creation
of local user accounts even when RADIUS authentication is used.
Testing:
Set the groupconfig=yes param and observed change in generated
/run/ocserv/ocserv.conf.
Removed the local users via `delete vpn openconnect
authentication local-users` and observed commit & service operation
|
|
Ability to set static NAT (one-to-one) in one rule
set nat static rule 10 destination address '203.0.113.0/24'
set nat static rule 10 inbound-interface 'eth0'
set nat static rule 10 translation address '192.0.2.0/24'
It will be enough for PREROUTING and POSTROUTING rules
Use a separate table 'vyos_static_nat' as SRC/DST rules and
STATIC rules can have the same rule number
|
|
|
|
set vpn openconnect network-settings split-dns <domain>
|
|
|
|
Fix template for configuration DMVPN IKE profile
dead-peer-detection delay and dead-peer-detecion timeout options
|
|
|
|
* https://github.com/Cheeze-It/vyos-1x:
bgp: T4257: Changing BGP "local-as" to "system-as"
|
|
|
|
nat66: T4586: Add SNAT destination prefix and DNAT address
|
|
T4480: webproxy: Add safe-ports and ssl-safe-ports for acl squid config
|
|
Ability to configure SNAT destination prefix and
DNAT source address
Add option "!" - not address/prefix for NAT66
|
|
|
|
bgp: T4257: Changing BGP "local-as" to "system-as"
This change is to change the global BGP name for the node "local-as" to "system-as"
This is needed so that there's less ambiguity with the local-as feature per neighbor.
bgp: T4257: Changing BGP "local-as" to "system-as"
bgp: T4257: Changing BGP "local-as" to "system-as"
This change is to change the global BGP name for the node "local-as" to "system-as"
This is needed so that there's less ambiguity with the local-as feature per neighbor.
|
|
hosts/networks that should be ignored.
|