summaryrefslogtreecommitdiff
path: root/data
AgeCommit message (Collapse)Author
2023-04-11T4727: Change and fix RADIUS rate-limit option for pptpViacheslav Hletenko
Initially the option 'rate-limit' was implemented with the wrong place in the CLI: set vpn pptp remote-access authentication rate-limit <xxx> Expected under 'radius' section: set vpn pptp remote-access authentication radius rate-limit <xxx> Configuration for 'rate-limit' (Jinja2 template) never worked for pptp, fix it.
2023-04-11T5152: Get default hostname for telegraf from FQDN or hostnameViacheslav Hletenko
Fix for Telegraf agent hostname isn't qualified Try to get hostname from FQDN and then from hostname Used for metrics You may have more than one machine with different domain names r1 domain-name foo.local, hostname myhost r2 domain-name bar.local, hostname myhost It helps to detect from which exectly host we get metric for InfluxDB2
2023-04-09eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLSAndrew Gunnerson
The Debian 12 upgrade in T5003 caused a regression for connecting to legacy networks that only support TLSv1.0/1.1 for EAP-TLS. Debian allows this by default in their wpa_supplicant package, but their `allow-tlsv1.patch` patch does not work properly with VyOS' newer wpa_supplicant package, which is based on the latest code in git. As a result, wpa_supplicant always respects the system-wide openssl crypto policy, disallowing TLSv1. The commit uses the documented way of allowing TLSv1, which takes precedence over the system crypto policy. Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
2023-04-04T5145: Add maximum number of all logins on systemViacheslav Hletenko
maxsyslogins maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is greater than specified number (this limit does not apply to user with uid=0) set system login max-login-session 2
2023-04-01container: T5082: switch to netavark network stackChristian Breunig
We now support assigning discrete IPv6 addresses to a container.
2023-03-31http-api: T5126: allow restricting client IP addressJohn Estabrook
2023-03-31Merge pull request #1922 from nicolas-fort/T5128Christian Breunig
T5128: Policy Route: allow wildcard on interface
2023-03-31T5125: Add op-mode for sFlow based on hsflowdViacheslav Hletenko
Add op-mode for sFlow based on hsflowd "show sflow" Add machine readable format '--raw' and formatted output
2023-03-31T5128: Policy Route: allow wildcard on interfaceNicolas Fort
2023-03-29ntp: T3008: start daemon with extended privileges but then drop to _chronyChristian Breunig
2023-03-29Merge pull request #1915 from indrajitr/pdns-port-round2Christian Breunig
dns: T5115: Support custom port for name servers for forwarding zones
2023-03-28container: T2216: explicitly select CNI network backendChristian Breunig
As podman is going to use netavark as new default we must explicitly select the old driver until we have migrated to netavark.
2023-03-28dns: T5115: Support custom port for name servers for forwarding zones.Indrajit Raychaudhuri
This would allow using custom ports in name server operating on non- default port for forwarding zones. This is a follow-up to T5113 for sake of completeness and having consistent treatment of all name servers configured in PowerDNS recursor. Additionally, migrate `service dns forwarding domain example.com server` to `service dns forwarding domain foo3.com name-server` for consistency and reusability.
2023-03-27bgp: T5114: support configuring TCP keepalive messagesChristian Breunig
2023-03-27bgp: T5114: add "neighbor path-attribute discard"Christian Breunig
2023-03-25ntp: T5112: Enable support for NTS (Network Time Security) in chronyIndrajit Raychaudhuri
This is basic configuration to enable NTS support in chrony.
2023-03-23Merge pull request #1901 from sever-sever/T5099Christian Breunig
T5099: IPoE-server add option next-pool for named ip pools
2023-03-21Merge pull request #1894 from aapostoliuk/T5043-sagittaChristian Breunig
ipsec: T5043: Rewritten and fixed 'reset vpn' commands
2023-03-21T5099: IPoE-server add option next-pool for named ip poolsViacheslav Hletenko
In cases with multiple named IP pools, it is required the option 'next' to be sure that if IP addresses ended in one pool, then they would begin to be allocated from the next named pool. For accel-ppp it requires specific order as pool must be defined before we can use it with the 'next-option' set service ipoe-server client-ip-pool name first-pool subnet '192.0.2.0/25' set service ipoe-server client-ip-pool name first-pool next-pool 'second-pool' set service ipoe-server client-ip-pool name second-pool subnet '203.0.113.0/25' [ip-pool] 203.0.113.0/25,name=second-pool 192.0.2.0/25,name=first-pool,next=second-pool
2023-03-21pppoe: T5098: allow user to set pppd holdoff optionZhiyuan Wan
2023-03-17T5086: Add sFlow drop-monitor-limit optionViacheslav Hletenko
hsflowd will export the headers of dropped packets (along with the name of the function in the Linux kernel where that skb was dropped) as part of the standard sFlow feed. This measurement complements the sFlow packet sampling and counter-telemetry well because it provides visibility into the traffic that is not flowing. Very helpful for troubleshooting. The limit (a rate limit max of N drops per second sent out in the sFlow datagrams) is the parameter you would set in the CLI. set system sflow drop-monitor-limit 50
2023-03-16Merge pull request #1893 from sever-sever/T5092Christian Breunig
T5092: IPoE-server named pool must not rely on auth type
2023-03-16ipsec: T5043: Rewritten and fixed 'reset vpn' commandsaapostoliuk
1. Rewritten CLI of 'reset vpn' commands. 2. Created 'reset vpn ipsec remote-access' commands to reset RA IKEv2 session. 3. Created 'reset vpn ipsec site-to-site all' command to reset all configured IPSec site-to-site peers sessions. 4. Rewritten 'reset vpn l2t|pptp|sstp' commands to new opmode style.
2023-03-16T5092: IPoE-server named pool must not rely on auth typeViacheslav Hletenko
Named pools for ipoe-server must not rely on autentication type It is a separate global option for [ipoe] and [ip-pool] sections
2023-03-16T5086: Add sFlow feature based on hsflowdViacheslav Hletenko
Add sFlow feature based on hsflowd According to user reviews, it works more stable and more productive than pmacct I haven't deleted 'pmacct' 'system flow-accounting sflow' yet It could be migrated or deprecated later set system sflow agent-address '192.0.2.14' set system sflow interface 'eth0' set system sflow interface 'eth1' set system sflow polling '30' set system sflow sampling-rate '100' set system sflow server 192.0.2.1 port '6343' set system sflow server 192.0.2.11 port '6343'
2023-03-14T5085: Fix ipv6 route-map for ospfv3Viacheslav Hletenko
Add template to generate zebra "ipv6 protocol ospf6 route-map xxx"
2023-03-11container: T5003: add dependency on fuse-overlayfsChristian Breunig
Fix podman error about invalid storage: [graphdriver] prior storage driver overlay failed: 'overlay' is not supported over overlayfs, a mount_program is required: backing file system is unsupported for this graph driver" Error: 'overlay' is not supported over overlayfs, a mount_program is required: backing file system is unsupported for this graph driver.
2023-03-10container: T4959: add registry authentication optionChristian Breunig
Container registry CLI node changed from leafNode to tagNode with the same defaults. In addition we can now configure an authentication option per registry.
2023-03-09Merge pull request #1881 from sarthurdev/qos_fixChristian Breunig
qos: T5018: Fix issues between QoS and interface mirror/redirect
2023-03-09qos: T5018: Use configdep to fix interface mirror/redirect issuesarthurdev
This will check if mirror/redirect is present on a QoS interface and use `vyos.configdep` module to update the interface again after QoS is applied.
2023-03-09T5073: IPoE-server fix parse empty range optionViacheslav Hletenko
If the 'client-subnet' is not used we must exclude it from the ipoe.config.j2 template. Otherwise we get wrong empty parameter ',range=,'
2023-03-07T5057: Fix IPoE regex Jinja2 for interfaceViacheslav Hletenko
Fix incorrect regex '\d+' when used vlan ranges For example 'ipoe-server interface eth1 vlan 2000-3000' - replace 'interface=re:eth1\.\d+' => 'interface=re:^eth1\.(200\d|20[1-9]\d|2[1-9]\d{2}|3000)$'
2023-03-06T5056: Fix IPoE server template for vlan-monViacheslav Hletenko
After rewriting IPoE server for config.dict the ipoe.config.j2 template wasn't changed for 'vlan-mon' section Fix it
2023-02-28Merge pull request #1800 from vfreex/feature-babelChristian Breunig
T4977: Add Babel routing protocol support
2023-02-24Merge pull request #1851 from zdc/T4943-sagittaChristian Breunig
login: T4943: Fixed 2FA + RADIUS compatibility
2023-02-24login: T4943: Fixed 2FA + RADIUS compatibilityzsdc
MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS module for PAM does not like it, which makes them incompatible. This commit: * disables KbdInteractiveAuthentication * changes order for PAM modules - make it first, before `pam_unix` or `pam_radius_auth` * enables the `forward_pass` option for `pam_google_authenticator` to accept both password and MFA in a single input As a result, local, RADIUS, and MFA work together. Important change: MFA should be entered together with a password. Before: ``` vyos login: <USERNAME> Password: <PASSWORD> Verification code: <MFA> ``` Now: ``` vyos login: <USERNAME> Password & verification code: <PASSWORD><MFA> ```
2023-02-24Merge pull request #1848 from sever-sever/T5029Christian Breunig
T5029: Change nginx default root directory
2023-02-24T5029: Change nginx default root directoryViacheslav Hletenko
2023-02-24T5029: Fix Regex for nginx to find a better matchViacheslav Hletenko
2023-02-23T5027: Enable legacy provider to support current ciphersViacheslav Hletenko
* We will need to remove insecure ciphers as a long-term solution (BF-CBC, DES...)
2023-02-17T5005: PPPoE server allow any login with option noauthViacheslav Hletenko
Disabling authentication is useful in emergency situations (e.g. RADIUS server is down) or testing purposes. Clients can connect with any login and username. set service pppoe-server authentication mode 'noauth'
2023-02-15Merge pull request #1817 from sarthurdev/bookwormChristian Breunig
debian: T5003: Upgrade base system to Debian 12 "Bookworm"
2023-02-15ipsec: T4593: Migrate and remove legacy `include-ipsec` nodessarthurdev
Not supported with swanctl
2023-02-13debian: T5003: Fix chronyd start errorsarthurdev
Fixes "chronyd: Fatal error : Not superuser" Fixes "ip[6394]: Failed to open mounts file: No such file or directory" when in VRF
2023-02-13debian: T5003: Fixes dynamic DNS for Bookwormsarthurdev
2023-02-12T5001: Replace links to the phabricator siteChristian Breunig
Replace links to the phabricator site from https://phabricator.vyos.net to https://vyos.dev
2023-02-10Merge pull request #1805 from nicolas-fort/T4857-frr-fixChristian Breunig
T4857: snmp: Fix error when not defining client|network under community
2023-02-10snmp: T4857: explicitly define default community networks 0.0.0.0/0 and ::/0Christian Breunig
After the RESTRICTED view was introduced snmpd requires a network to be specified. Before adding the RESTRICTED view snmpd always assumed the default network 0.0.0.0/0. This commit re-adds the build in default networks for IPv4 and IPv6 and exposes it as a proper default to the CLI so the user is informed about it: vyos@vyos# set service snmp community foooo Possible completions: authorization Authorization type (default: ro) + client IP address of SNMP client allowed to contact system + network Subnet of SNMP client(s) allowed to contact system (default: 0.0.0.0/0, ::/0)
2023-02-10interfaces: T4995: rename user -> username CLI node for pppoe, wwan and ↵Christian Breunig
sstp-client
2023-02-10Merge pull request #1808 from sever-sever/T1993Christian Breunig
T1993: PPPoE-server add section shaper and fwmark option