summaryrefslogtreecommitdiff
path: root/data/templates
AgeCommit message (Collapse)Author
2023-01-26T4916: Rewrite IPsec peer authentication and psk migrationViacheslav Hletenko
Rewrite strongswan IPsec authentication to reflect structure from swanctl.conf The most important change is that more than one local/remote ID in the same auth entry should be allowed replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx' => 'ipsec authentication psk <tag> secret xxx' set vpn ipsec authentication psk <tag> id '192.0.2.1' set vpn ipsec authentication psk <tag> id '192.0.2.2' set vpn ipsec authentication psk <tag> secret 'xxx' set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1' set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2' Add template filter for Jinja2 'generate_uuid4'
2023-01-14ntp: T3008: migrate from ntpd to chronyChristian Breunig
* Move CLI from "system ntp" -> "service ntp" * Drop NTP server option preempt as not supported by chrony
2023-01-12Merge pull request #1752 from sever-sever/T4118Christian Breunig
T4118: Add default value any for connection remote-id
2023-01-12T4118: Add default value any for connection remote-idViacheslav Hletenko
If IPsec "peer <tag> authentication remote-id" is not set it should be "%any" by default https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote Set XML default value in use it in the python vpn_ipsec.py script
2023-01-12T4934: ospf: Fix inter-area route summarizationYuxiang Zhu
Setting something like `protocols ospf area 10 range 10.10.0.0/16` without sub options doesn't work. This is because no range commands are generated when there is no leaf nodes set under the `range` tag node. ``` edit protocols ospf set area 16 network 10.10.0.0/16 set area 16 range 10.10.0.0/16 commit ``` ``` $ vtysh -c 'show run' ! router ospf auto-cost reference-bandwidth 100 timers throttle spf 200 1000 10000 network 10.10.0.0/16 area 16 exit ``` The generated FRR commands above is missing something like: ``` area 16 range 10.10.0.0/16 ```
2023-01-09container: T4880: add REST API endpoint for add/delelete/show imagesJohn Estabrook
2023-01-07T4920: ospf: Fix `passive-interface default` optionYuxiang Zhu
`passive_interface` is a leaf node. Also adds a smoketest.
2023-01-06static: T4883: fix KeyError: 'table'Christian Poessinger
Commit dafb0da2 ("static: T4883: add a description field for routing tables") added an iproute2 description table but lacked checking if the key exists. This has been fixed and also converted to Jinja2 to keep the "common" style inside the routing protocols. It might feel overengineered indeed.
2023-01-04ssh: T2651: add source-interface support ssh-clientChristian Poessinger
2023-01-02T4904: keepalived virtual-server allow multiple ports with fwmarkViacheslav Hletenko
Allow multiple ports for high-availability virtual-server The current implementation allows balance only one "virtual" address and port between between several "real servers" Allow matching "fwmark" to set traffic which should be balanced Allow to set port 0 (all traffic) if we use "fwmark" Add health-check script set high-availability virtual-server 203.0.113.1 fwmark '111' set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script '/bin/true' set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '0'
2022-12-30T4893: Add ppp-options ipv6-interface-id for L2TPViacheslav Hletenko
Add ppp-options IPv6 interface id for vpn L2TP - fixed or random interface identifier for IPv6 - peer interface identifier for IPv6 - whether to accept peer’s interface identifier set vpn l2tp remote-access ppp-options ipv6-accept-peer-intf-id set vpn l2tp remote-access ppp-options ipv6-intf-id 'random' set vpn l2tp remote-access ppp-options ipv6-peer-intf-id 'calling-sid'
2022-12-24container: T4870: update to overlay2 driverChristian Poessinger
overlay2 is the preferred storage driver for all currently supported Linux distributions, and requires no extra configuration.
2022-12-23Merge pull request #1702 from TGNThump/patch-1Christian Poessinger
container: T4870: Update podman to use overlay storage driver
2022-12-20radvd: T4809: fix AdvRASrcAddress missing semicolonChristian Poessinger
Commit 13071a4a ("T4809: radvd: Allow the use of AdvRASrcAddress") added a new feature to set the RA source-address. Unfortunately it missed a semicolon.
2022-12-17sstp: T4384: disable compression and creacke exclusive lock fileChristian Poessinger
2022-12-17Merge pull request #1669 from vfreex/dhcp-v6-only-option-1.4Christian Poessinger
T4832: dhcp: Add IPv6-only dhcp option support (RFC 8925)
2022-12-17Merge pull request #1626 from nicolas-fort/fwall_group_interfaceChristian Poessinger
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
2022-12-17Merge pull request #1711 from roedie/T4884Christian Poessinger
T4884: snmpd: add community6 fallback
2022-12-17webproxy: T3810: multiple squidGuard fixesaapostoliuk
1. Added in script update webproxy blacklists generation of all DBs 2. Fixed: if the blacklist category does not have generated db, the template generates an empty dest category in squidGuard.conf and a Warning message. 3. Added template generation for local's categories in the rule section. 4. Changed syntax in the generation dest section for blacklist's categories 4. Fixed generation dest local sections in squidGuard.conf 5. Fixed bug in syntax. The word 'allow' changed to the word 'any' in acl squidGuard.conf
2022-12-17Merge pull request #1712 from roedie/T4809-2Christian Poessinger
T4809: radvd: Allow the use of AdvRASrcAddress
2022-12-17Merge pull request #1358 from sever-sever/T1237Christian Poessinger
routing: T1237: Add new feature failover route
2022-12-16T4809: radvd: Allow the use of AdvRASrcAddressSander Klein
This add the AdvRASrcAddress configuration option to configure a source address for the router advertisements. The source address still must be configured on the system. This is useful for VRRP setups where you want fe80::1 on the VRRP interface for cleaner VRRP failovers.
2022-12-16T4884: snmpd: add community6 fallbackSander Klein
If no client and network is defined only a `community` config is created. This also adds the `community6` part
2022-12-14routing: T1237: Add new feature failover routeViacheslav Hletenko
Failover route allows to install static routes to the kernel routing table only if required target or gateway is alive When target or gateway doesn't respond for ICMP/ARP checks this route deleted from the routing table Routes are marked as protocol 'failover' (rt_protos) cat /etc/iproute2/rt_protos.d/failover.conf 111 failover ip route add 203.0.113.1 metric 2 via 192.0.2.1 dev eth0 proto failover $ sudo ip route show proto failover 203.0.113.1 via 192.0.2.1 dev eth0 metric 1 So we can safely flush such routes
2022-12-11sstp: T4384: initial implementation of SSTP client CLIChristian Poessinger
vyos@vyos# show interfaces sstpc sstpc sstpc10 { authentication { password vyos user vyos } server sstp.vyos.net ssl { ca-certificate VyOS-CA } }
2022-12-09container: T4870: Update to overlay driverBen Pilgrim
2022-12-09T4868: Fix l2tp ppp IPv6 options in template and config get dictViacheslav Hletenko
L2TP 'ppp-options ipv6 x' can work without declaring IPv6 pool As we can get addresses via RADIUS attributes: - Framed-IPv6-Prefix - Delegated-IPv6-Prefix
2022-12-08T4117: Fix for L2TP DAE CoA server configurationViacheslav Hletenko
Fix l2tp dae server template and python config dict for correctlly handling Dynamic Authorization Extension server configuration
2022-12-08T4862: Added the generation config for webproxy domain-blockaapostoliuk
Added the generation in the config file /etc/squid/squid.conf for command: set service webroxy domain-block <domain>
2022-12-02 T4854: route reflector allows to apply route-mapsfett0
2022-11-26ospf: T4739: Adding missing OSPF FRR templateCheeze-It
Adding the parameters that were missing to the OSPF FRR template.
2022-11-23T4835: snmpd: Fix copy/paste error in snmpd.confSander Klein
The variable 'client' was accidently used where 'network should have been used. This lead to missing community6 string when an IPv6 network was defined instead of an IPv6 client.
2022-11-21T4823: Fix IPsec transport mode remote TSViacheslav Hletenko
Remote TS for transport mode GRE must be remote-address and not peer name
2022-11-21T4832: dhcp: Add IPv6-only dhcp option support (RFC 8925)Yuxiang Zhu
Clients supporting this DHCP option (DHCP option 108, RFC 8925) will disable its IPv4 network stack for configured number of seconds and operate in IPv6-only mode. This option is known to work on iOS 15+ and macOS 12.0.1+. Example command: ```sh set service dhcp-server shared-network-name LAN6 subnet 192.168.64.0/24 ipv6-only-preferred 0 ```
2022-11-19T4780: Firewall: add firewall groups in firewall. Extend matching criteria ↵Nicolas Fort
so this new group can be used in inbound and outbound matcher
2022-11-17Merge pull request #1654 from sarthurdev/pbr_refactorChristian Poessinger
policy: T2199: T4605: Migrate policy route interface node
2022-11-13l3VPN : T4182: add l3vpn over gre option from route-mapfett0
2022-11-11policy: T2199: T4605: Migrate policy route interface to `policy route|route6 ↵sarthurdev
<name> interface <ifname>` * Include refactor to policy route to allow for deletion of mangle table instead of complex cleanup * T4605: Rename mangle table to vyos_mangle
2022-11-10dns: T738: add CLI option for PowerDNS local-portZen3515
2022-11-03Merge pull request #1633 from sarthurdev/fqdnChristian Poessinger
firewall: T970: T1877: Add source/destination fqdn, refactor domain resolver, firewall groups in NAT
2022-11-03nat: T1877: T970: Add firewall groups to NATsarthurdev
2022-11-03firewall: T970: Refactor domain resolver, add firewall source/destination ↵sarthurdev
`fqdn` node
2022-10-31ipsec: T4787: add support for road-warrior/remote-access RADIUS timeoutChristian Poessinger
This enabled users to also use 2FA/MFA authentication with a radius backend as there is enough time to enter the second factor.
2022-10-29containers: T3903: Use systemd units for containerssarthurdev
* ExecStop action with defined timeout allows for quicker reboot/shutdown with containers
2022-10-25nat: T4764: Remove tables on NAT deletionsarthurdev
2022-10-17ssh: T4720: Ability to configure SSH-server HostKeyAlgorithmsViacheslav Hletenko
Ability to configure SSH-server HostKeyAlgorithms. Specifies the host key signature algorithms that the server offers. Can accept multiple values.
2022-10-14login: 2fa: T874: fix Google authenticator issuesChristian Poessinger
Move default values of TOTP configuration from a global to a per user setting. This makes the entire code easier as no global configuration must be blended into the per user config dict. Also it should be possible to set the authentication window "multiple concurrent keys" individual per user. set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq' set system login user vyos authentication plaintext-password 'vyos'
2022-10-13T4739: ISIS segment routing being refactoredCheeze_It
2022-10-12ospf: T4707: fix segment-routing Jinja2 template for explicit-null and ↵Christian Poessinger
no-php-flag The nested if statement was not properly evaluated during smoketests making them fail. There is no need to nest the if's - as a simple string can be appended by {{ 'foo' if bar is vyos_defined }}
2022-10-12Merge pull request #1555 from goodNETnick/ssh_otpChristian Poessinger
system login: T874: add 2FA support for local and ssh authentication