path: root/data
Age | Commit message | Author
2020-05-16 | nat: T2198: use Jinja2 macro for common ruleset for SNAT and DNAT | Christian Poessinger
By using a Jinja2 macro the same template code can be used to create both source and destination NAT rules with only minor changes introduced by e.g. the used chain (POSTROUTING vs PREROUTING).

Used the following configuration for testing on two systems with VyOS 1.2 and the old implementation vs the new one here.

set nat destination rule 15 description 'foo-10'
set nat destination rule 15 destination address '1.1.1.1'
set nat destination rule 15 inbound-interface 'eth0.202'
set nat destination rule 15 protocol 'tcp_udp'
set nat destination rule 15 translation address '192.0.2.10'
set nat destination rule 15 translation port '3389'
set nat destination rule 20 description 'foo-20'
set nat destination rule 20 destination address '2.2.2.2'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0.201'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.0.2.10'
set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
set nat source rule 110 outbound-interface 'eth0.202'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/26'
set nat source rule 110 source port '5556'
set nat source rule 110 translation address 'masquerade'
set nat source rule 120 outbound-interface 'eth0.202'
set nat source rule 120 protocol 'tcp_udp'
set nat source rule 120 source address '192.0.3.0/26'
set nat source rule 120 translation address '2.2.2.2'
2020-05-16 | nat: T2198: restructure DNAT template part for less duplicated code | Christian Poessinger
Build up only one output rule string by appending the configuration part by part.
2020-05-16 | nat: T2198: add support for SNAT based on source addresses | Christian Poessinger
CLI commands used for ruleset generation:

set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
set nat source rule 110 outbound-interface 'eth0.202'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/26'
set nat source rule 110 source port '5556'
set nat source rule 110 translation address 'masquerade'
2020-05-16 | nat: T2198: sync generated SNAT rules with VyOS 1.2 | Christian Poessinger
The generated NAT rules in VyOS 1.2 are compared to the generated nftables ruleset in VyOS 1.3; this was done by converting the 1.2 iptables ruleset to nftables and then doing the diff.

To convert from iptables to nftables use the following command:

$ iptables-save -t nat > /tmp/tmp.iptables
$ iptables-restore-translate -f /tmp/tmp.iptables

The following CLI options have been used for testing:

set nat source rule 10 description 'foo-10'
set nat source rule 10 destination address '1.1.1.1'
set nat source rule 10 destination port '1111'
set nat source rule 10 exclude
set nat source rule 10 log 'enable'
set nat source rule 10 outbound-interface 'eth0.202'
set nat source rule 10 protocol 'tcp_udp'
set nat source rule 10 translation address '192.0.2.10'
set nat source rule 15 description 'foo-10'
set nat source rule 15 destination address '1.1.1.1'
set nat source rule 15 exclude
set nat source rule 15 log 'enable'
set nat source rule 15 outbound-interface 'eth0.202'
set nat source rule 15 protocol 'tcp_udp'
set nat source rule 15 translation address '192.0.2.10'
set nat source rule 20 description 'foo-20'
set nat source rule 20 destination address '2.2.2.2'
set nat source rule 20 log 'enable'
set nat source rule 20 outbound-interface 'eth0.201'
set nat source rule 20 protocol 'tcp'
set nat source rule 20 translation address '192.0.2.10'
set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
2020-05-16 | nat: T2198: sync generated DNAT rules with VyOS 1.2 | Christian Poessinger
The generated NAT rules in VyOS 1.2 are compared to the generated nftables ruleset in VyOS 1.3; this was done by converting the 1.2 iptables ruleset to nftables and then doing the diff.

To convert from iptables to nftables use the following command:

$ iptables-save -t nat > /tmp/tmp.iptables
$ iptables-restore-translate -f /tmp/tmp.iptables

The following CLI options have been used for testing:

set nat destination rule 10 description 'foo-10'
set nat destination rule 10 destination address '1.1.1.1'
set nat destination rule 10 destination port '1111'
set nat destination rule 10 exclude
set nat destination rule 10 inbound-interface 'eth0.202'
set nat destination rule 10 log
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 translation address '192.0.2.10'
set nat destination rule 15 description 'foo-10'
set nat destination rule 15 destination address '1.1.1.1'
set nat destination rule 15 exclude
set nat destination rule 15 inbound-interface 'eth0.202'
set nat destination rule 15 log
set nat destination rule 15 protocol 'tcp_udp'
set nat destination rule 15 translation address '192.0.2.10'
set nat destination rule 20 description 'foo-20'
set nat destination rule 20 destination address '2.2.2.2'
set nat destination rule 20 inbound-interface 'eth0.201'
set nat destination rule 20 log
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.0.2.10'
2020-05-16 | nat: T2198: do not run DNAT rule if rule is disabled | Christian Poessinger
2020-05-16 | nat: T2198: restructure DNAT template | Christian Poessinger
Make the entire template more maintainable
2020-05-16 | nat: T2198: make use of jmespath when walking nftables JSON output | Christian Poessinger
2020-05-16 | nat: T2198: implement deletion of NAT subsystem | Christian Poessinger
2020-05-16 | nat: T2198: automatically determine handler numbers | Christian Poessinger
When instantiating NAT it is required to install some nftable jump targets. The targets need to be added after a specific other target, thus we need to dynamically query the handler number. This is done by get_handler() which could be moved to vyos.util at a later point in time so it can be reused for a firewall rewrite.
2020-05-16 | nat: T2198: move from iptables to nftables | Christian Poessinger
2020-05-16 | nat: T2198: migrate to common template for source/destination NAT | Christian Poessinger
2020-05-16 | nat: T2198: destination nat template for iptables-restore | Christian Poessinger
2020-05-06 | sstp: T2392: add IPv6 DNS support | Christian Poessinger
New command added:
* set vpn sstp network-settings name-server 2001:db8::1111
2020-05-06 | sstp: T2392: add initial IPv6 support | Christian Poessinger
New commands added:
* set vpn sstp network-settings client-ipv6-pool prefix 2001:db8::/64 mask 112
* set vpn sstp network-settings client-ipv6-pool delegate 2001:db8:100::/48 delegation-prefix 64
2020-05-04 | openvpn: T2241: remove redundant bridge_member variable | Jernej Jakob
2020-04-30 | dhcpv6-server: T2406: move FQDN quoting to Jinja2 template | Christian Poessinger
... no need to reinvent the wheel in our Python code.
2020-04-28 | dhclient: T2393: remove intermediate _DHCP helper class | Christian Poessinger
The intermediate class only held the path to the configuration files - thus its existence was doubtful. For better readability and a clean inheritance graph that class has been dropped.
2020-04-28 | dhclient6: T2393: T2394: migrate from SysVinit to systemd | Christian Poessinger
2020-04-28 | dhclient: T2393: migrate from SysVinit to systemd | Christian Poessinger
2020-04-27 | pppoe-server: T2391: Migrate single-session param to [common] section | DmitriyEshenko
2020-04-26 | salt: T2384: migrate config options | Christian Poessinger
- delete log_file, log_level and user nodes
- rename hash_type to hash
- rename mine_interval to interval
2020-04-26 | salt: T2384: always log to syslog | Christian Poessinger
2020-04-25 | login: radius: T2304: add VRF support | Christian Poessinger
This allows the radius client to work when a management VRF is in use.
2020-04-23 | pppoe-server: T2373: Implement CLI commands for auth protocols | DmitriyEshenko
2020-04-22 | Merge branch 'pptp-rewrite' of github.com:c-po/vyos-1x into current | Christian Poessinger
* 'pptp-rewrite' of github.com:c-po/vyos-1x:
  accel-ppp: fix wrong reference in verify() on missing attributes
  accel-ppp: T2314: bugfix wrong placement of endif in Jinja2 template
  vpn: pptp: T2351: add support for common radius-additions XML
  vpn: pptp: T2351: migrate to common radius CLI
  vpn: pptp: T2351: migrate to common name-server, wins-server nodes
  accel-ppp: provide common wins-server include definition
  vpn: pptp: T2351: use first IP from client pool as gateway address
  vpn: pptp: T2351: align configuration to other accel implementations
  vpn: pptp: T2351: migrate from SysVinit to systemd
  vyos.util: migrate all cpu_count() occurrences to common get_half_cpus()
2020-04-22 | accel-ppp: T2314: bugfix wrong placement of endif in Jinja2 template | Christian Poessinger
2020-04-22 | vpn: pptp: T2351: align configuration to other accel implementations | Christian Poessinger
2020-04-21 | mroute: T2364: Implement CLI commands for mroute | DmitriyEshenko
2020-04-21 | vpn: pptp: T2351: migrate from SysVinit to systemd | Christian Poessinger
2020-04-20 | openvpn: T2339: fix for IPv4 local-host addresses | Jernej Jakob
Commit bb9f998 introduced a bug where openvpn fails to start if 'local-host' is an IPv4 address due to 'proto' wanting an IPv6 socket. This adds a conditional check and uses normal proto if it's IPv4.
2020-04-20 | pppoe-server: T2344: fix client static IP assignment | Christian Poessinger
2020-04-19 | openvpn: T2308: fix path to UNIX control socket | Christian Poessinger
Bug introduced in commit b36e6e6 ("openvpn: T2273: migrate from SysVinit to systemd") as not all relevant configuration files have been re-rendered into /run/openvpn.
2020-04-19 | openvpn: T2336: fix auth-user-pass file generation | Christian Poessinger
Bug introduced in commit b36e6e6 ("openvpn: T2273: migrate from SysVinit to systemd") as not all relevant configuration files have been re-rendered into /run/openvpn.
2020-04-19 | ipoe-server: T2324: bugfix template generation on interface line | Christian Poessinger
2020-04-19 | pppoe-server: T2314: add common accel-radius-additions XML file | Christian Poessinger
2020-04-18 | ipoe-server: T2324: move template files to common accel-ppp template directory | Christian Poessinger
2020-04-18 | ipoe-server: T2324: migrate IPv6 client IP pool to common CLI nodes | Christian Poessinger
2020-04-18 | ipoe-server: T2324: remove boilerplate code and adjust to other accel implementations | Christian Poessinger
2020-04-18 | accel-ppp: T2314: use common template for chap-secrets | Christian Poessinger
2020-04-18 | pppoe-server: T2314: migrate IPv6 to common CLI nodes with embedded validation | Christian Poessinger
2020-04-18 | pppoe-server: T2313: bugfix Floating Point Exception | Christian Poessinger
When only defining a timeout limit the generated config will look like:

[connlimit]
limit=
burst=
timeout=5

This will trigger a "Floating point exception" on startup of Accel-PPP and it cannot be resurrected anymore until the service is completely deleted and re-added.
2020-04-18 | pppoe-server: T2314: migrate IPv4/IPv6 name-servers to common node | Christian Poessinger
Instead of having "dns-server server-1|server-2" nodes and the same for IPv6 all DNS nameservers are migrated to a common name-servers node.
2020-04-18 | pppoe-server: T2314: remove boilerplate code and adjust | Christian Poessinger
2020-04-17 | wireless: T2306: Add new cipher suites to the WiFi configuration | Alain Lamar
Yet, VyOS knows these two encryption schemes for WiFi:
1. CCMP = AES in Counter mode with CBC-MAC (CCMP-128)
2. TKIP = Temporal Key Integrity Protocol

These encryption schemes are new and especially the Galois counter mode cipher suites are very desirable!
1. CCMP-256 = AES in Counter mode with CBC-MAC with 256-bit key
2. GCMP = Galois/counter mode protocol (GCMP-128)
3. GCMP-256 = Galois/counter mode protocol with 256-bit key

CCMP is supported by all WPA2 compatible NICs, so this remains the default cipher for bidirectional and group packets while using WPA2. Use 'iw list' to figure out which cipher suites your cards support prior to configuring other cipher suites than CCMP. AP NICs and STA NICs must both support at least one common cipher in a given list in order to associate successfully.
2020-04-16 | Merge pull request #342 from jjakob/openvpn-ipv6 | Christian Poessinger
openvpn: T149: IPv6 support
2020-04-16 | Merge pull request #347 from DmitriyEshenko/fix-ipoe | Christian Poessinger
ipoe: T2294: Fix templates and migrate to systemd
2020-04-16 | ipoe: T2294: Fix templates | DmitriyEshenko
2020-04-16 | openvpn: T149: IPv6 support | Jernej Jakob
- allow configuring IPv6 server addresses and push options
- add IPv6 server client IP pool
- add IPv6 push dhcp-option DNS6
- allow configuring IPv6 server client addresses
- allow configuring IPv6 site-to-site addresses
- validate all IPv6 options and addresses
- use protos that explicitly open an IPv6 listening socket (tcp6-server, tcp6-client, udp6) as the default on Linux listens on IPv4 only (https://community.openvpn.net/openvpn/ticket/360)
- add validator for any IPv6 address, host or network (used by pool)
2020-04-15 | openvpn: T2335: allow disabling client-ip-pool | Jernej Jakob