path: root/interface-definitions/ssh.xml.in
Age | Commit message | Author
2022-05-13 | sshguard: T4408: rename whitelist-address -> allow-from | Christian Poessinger
We do not only allow individual host addresses but also prefixes.
2022-05-12 | sshguard: T4408: Add service ssh dynamic-protection | Viacheslav Hletenko
Sshguard protects hosts from brute-force attacks:
  - Can inspect logs and block "bad" addresses by threshold
  - Auto-generates rules for nftables
  - When the service is stopped, all generated rules are deleted

nft "type filter hook input priority filter - 10"

  set service ssh dynamic-protection
  set service ssh dynamic-protection block-time 120
  set service ssh dynamic-protection detect-time 1800
  set service ssh dynamic-protection threshold 30
  set service ssh dynamic-protection whitelist-address 192.0.2.1
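The following is an added walk-through, not sshguard's or VyOS's code: a toy version of the threshold/detect-time/block-time logic the commit configures, run over a handful of constructed sshd-style log lines, with a whitelist that accepts hosts or prefixes and an nftables fragment rendered the way the commit describes (an input hook at priority `filter - 10`). The log format, the fixed attack score of 10 per failed login, and the table/set/chain names are assumptions of this example; real sshguard parses many log formats and programs nftables itself.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed sshd-style log lines. (timestamp, message) pairs stand in for
# syslog dates so the walk-through is deterministic and runs offline.
SAMPLE_LOG = [
    (0,    "Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2"),
    (5,    "Failed password for root from 203.0.113.7 port 51130 ssh2"),
    (7,    "Failed password for root from 192.0.2.1 port 40001 ssh2"),
    (8,    "Failed password for root from 192.0.2.1 port 40002 ssh2"),
    (9,    "Failed password for root from 192.0.2.1 port 40003 ssh2"),
    (10,   "Failed password for invalid user test from 198.51.100.9 port 33000 ssh2"),
    (12,   "Failed password for invalid user test from 198.51.100.9 port 33001 ssh2"),
    (20,   "Failed password for invalid user admin from 203.0.113.7 port 51140 ssh2"),
    (30,   "Accepted publickey for vyos from 192.0.2.50 port 50000 ssh2: ED25519"),
    (2000, "Failed password for invalid user test from 198.51.100.9 port 33002 ssh2"),
]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
# sshguard scores most attacks at 10, so threshold 30 is roughly three failures
# inside detect-time; the fixed score here is this example's simplification.
ATTACK_SCORE = 10


class DynamicProtection:
    def __init__(self, threshold=30, detect_time=1800, block_time=120, allow_from=()):
        self.threshold = threshold
        self.detect_time = detect_time
        self.block_time = block_time
        # allow-from takes hosts or prefixes; strict=False accepts host bits set
        self.allow_from = [ipaddress.ip_network(p, strict=False) for p in allow_from]
        self.scores = defaultdict(deque)   # addr -> deque of (ts, score)
        self.blocked = {}                  # addr -> timestamp at which to unblock

    def is_allowed(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.allow_from)

    def expire(self, now):
        """block-time: drop entries whose block has run out."""
        for addr in [a for a, until in self.blocked.items() if until <= now]:
            del self.blocked[addr]

    def feed(self, ts, line):
        """Consume one log line; return the address if it was blocked just now."""
        self.expire(ts)
        m = FAILED_RE.search(line)
        if not m:
            return None
        addr = m.group(1)
        if self.is_allowed(addr) or addr in self.blocked:
            return None
        window = self.scores[addr]
        window.append((ts, ATTACK_SCORE))
        # detect-time: forget failures older than the detection window
        while window and ts - window[0][0] > self.detect_time:
            window.popleft()
        if sum(score for _, score in window) >= self.threshold:
            self.blocked[addr] = ts + self.block_time
            window.clear()
            return addr
        return None

    def nft_ruleset(self):
        """Render an nftables fragment of the kind the commit describes: an input
        hook at 'priority filter - 10' that drops blocked sources. Table, set and
        chain names are this example's, and only IPv4 sources are handled."""
        lines = ["table inet sshguard {", "  set attackers {", "    type ipv4_addr"]
        if self.blocked:
            lines.append("    elements = { " + ", ".join(sorted(self.blocked)) + " }")
        lines += ["  }", "  chain blacklist {",
                  "    type filter hook input priority filter - 10; policy accept;",
                  "    ip saddr @attackers drop", "  }", "}"]
        return "\n".join(lines)


def run_sample():
    """Replay SAMPLE_LOG with the CLI values from the commit plus an allow-list;
    returns the engine and the (timestamp, address) block events."""
    dp = DynamicProtection(threshold=30, detect_time=1800, block_time=120,
                           allow_from=["192.0.2.1", "192.0.2.64/26"])
    events = []
    for ts, line in SAMPLE_LOG:
        hit = dp.feed(ts, line)
        if hit:
            events.append((ts, hit))
    return dp, events


if __name__ == "__main__":
    engine, blocks = run_sample()
    print("blocked:", blocks)          # 203.0.113.7 after its third failure at t=20
    print(engine.nft_ruleset())
```

In the replay, 203.0.113.7 is blocked at its third failure, 192.0.2.1 is never scored because it matches the allow-list, 198.51.100.9's two early failures have aged out of the 1800 s window by the time its third one arrives, and the 120 s block on 203.0.113.7 has expired by t=2000, so the final ruleset carries no elements.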
2022-02-28 | ssh: T4273: bugfix cipher and key-exchange multi nodes | Christian Poessinger
After hardening the regex validator to be preceded with ^ and ending with $ it was no longer possible to have a comma separated list as SSH ciphers. The migration script is altered to migrate the previous comma separated list to individual multi node entries - cipher and key-exchange always had been multi nodes - so this just re-arranges some values and does not break CLI compatibility.
2022-02-24 | scripts: T4269: node.def generator should automatically add default values | Christian Poessinger
Since introducing the XML <defaultValue> node it was common, but redundant, practice to also add a help string indicating which value would be used as default if the node is unset. This makes no sense because it is duplicated code/value/characters and prone to error.

The node.def scripts should be extended to automatically render the appropriate default value into the CLI help string. For e.g. SSH the current PoC renders:

  $ cat templates-cfg/service/ssh/port/node.def
  multi:
  type: txt
  help: Port for SSH service (default: 22)
  val_help: u32:1-65535; Numeric IP port
  ...

Not all subsystems are already migrated to get_config_dict() and make use of the defaults() call - those subsystems need to be migrated first, before the new default is added to the CLI help.
2021-08-29 | xml: add missing "u32:" value declarator on integer ranges | Christian Poessinger
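As an added example (not VyOS's build-command-templates script) of the two commits above: a small renderer that derives the node.def fields shown in the T4269 message from a leafNode, appending `(default: N)` from `<defaultValue>` and leaving a help string alone if it already spells out a default, plus a lint that flags integer ranges written without the `u32:` declarator. The XML fragment is constructed in the general shape of a VyOS interface definition; its exact element layout, and the function names, are assumptions of this example rather than a copy of ssh.xml.in.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of a VyOS leafNode for 'service ssh port'
# (leafNode / properties / help / valueHelp / multi / defaultValue). The layout
# is assumed for this example, not copied from ssh.xml.in.
SSH_PORT_XML = """
<leafNode name="port">
  <properties>
    <help>Port for SSH service</help>
    <valueHelp>
      <format>u32:1-65535</format>
      <description>Numeric IP port</description>
    </valueHelp>
    <multi/>
  </properties>
  <defaultValue>22</defaultValue>
</leafNode>
"""

# An integer range that lacks the "u32:" declarator, e.g. "1-65535"
RANGE_RE = re.compile(r"^\d+-\d+$")


def render_node_def(xml_text):
    """Render the node.def fields from a leafNode. The '(default: N)' suffix is
    derived from <defaultValue>; a help string that already carries a default
    (the redundant hand-written style the commit complains about) is not doubled."""
    node = ET.fromstring(xml_text)
    props = node.find("properties")
    help_text = (props.findtext("help") or "").strip()
    default = node.findtext("defaultValue")
    if default is not None and "(default:" not in help_text:
        help_text = f"{help_text} (default: {default.strip()})"
    lines = []
    if props.find("multi") is not None:
        lines.append("multi:")
    lines.append("type: txt")
    lines.append(f"help: {help_text}")
    for vh in props.findall("valueHelp"):
        fmt = (vh.findtext("format") or "").strip()
        desc = (vh.findtext("description") or "").strip()
        lines.append(f"val_help: {fmt}; {desc}")
    return "\n".join(lines)


def lint_value_help(xml_text):
    """Return valueHelp formats that are bare integer ranges, i.e. ranges that
    should carry the 'u32:' declarator so completion help renders nicely."""
    node = ET.fromstring(xml_text)
    return [fmt for fmt in ((vh.findtext("format") or "").strip()
                            for vh in node.iter("valueHelp"))
            if RANGE_RE.match(fmt)]


if __name__ == "__main__":
    print(render_node_def(SSH_PORT_XML))
    print("missing u32:", lint_value_help(SSH_PORT_XML))
```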
2021-08-20 | xml: remove superfluous "interface" prefix from interface includes | Christian Poessinger
2021-06-10 | xml: ssh: move user/group definition to includable files | Christian Poessinger
2021-04-02 | Makefile: fix logic to detect empty "node.def" files | Christian Poessinger
Commit 5b22ebae ("T3170: check if any generated node.def files are empty") added an initial test to find empty node.def files created by build-command-templates or build-command-op-templates. The problem was that GNU find always returns 0, thus the condition to bail out on error was always met. This has been corrected to return false on hits only.
2021-03-14 | xml: T1579: re-arrange xml interface include building blocks | Christian Poessinger
As the amount of include files has now reached a certain amount, it is getting more and more crowded, thus introducing "per topic" subdirectories on the filesystem to keep a clean structure makes sense.
2021-01-13 | ssh: T3212: do not make /run/sshd directory disappear on failure | Christian Poessinger
2020-12-12 | xml: use "u32:" keyword when identifying port ranges | Christian Poessinger
This will render the completion help more nicely.
2020-10-06 | xml: include: add common helper file for listen-address | Christian Poessinger
2020-07-07 | ssh: T2691: bugfix loglevel config migration | Christian Poessinger
When migrating the conf from VyOS 1.2 to 1.3 a configuration error could appear if the user specified "info" as loglevel instead of "INFO". There was no input validation done in 1.2 but this is now enforced in 1.3. In VyOS 1.3 loglevel will always be lowercase on the CLI and when migrating the config this is transformed. Also VyOS 1.2 accepted any arbitrary loglevel. If an invalid loglevel is found it will be set to info.
2020-06-23 | ssh: T2635: migrate to get_config_dict() | Christian Poessinger
Jinja template contains some workarounds like {% if port is string %}, this depends on the resolution of https://phabricator.vyos.net/T2636
2020-06-23 | ssh: T2635: remove ' in comment to avoid preprocessor warnings | Christian Poessinger
2020-06-23 | ssh: T2635: migrate from a script base completion helper to a list | Christian Poessinger
SSH mac, cipher and key exchange algorithms are not dynamic and only change on distro upgrades. Thus it is easier to have them in a list and use a regex based constraint. In the past users could have entered anything here!
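One added example (not the VyOS migration script or validator) that ties together three of the commits in this log: the list-plus-anchored-regex constraint from T2635 (2020-06-23), the split of a legacy comma-separated cipher/key-exchange value into individual multi node entries from T4273 (2022-02-28), and the loglevel lowercasing with fallback to `info` from T2691 (2020-07-07). The algorithm lists are short constructed subsets, not the lists shipped in the image, and the function names and the dict-shaped config are assumptions of this example.

```python
import re

# Constructed subsets of OpenSSH algorithm names; the real CLI lists are
# generated from the OpenSSH build shipped in the image.
CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com",
           "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"]
KEX = ["curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
       "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512"]
LOGLEVELS = ["quiet", "fatal", "error", "info", "verbose", "debug",
             "debug1", "debug2", "debug3"]


def anchored_regex(choices):
    """Build the constraint as the XML loader does after the 2019-12-26 and
    2022-02-28 changes: ^...$ around an alternation of the permitted names.
    Because the whole value must match, 'aes256-ctr,aes128-ctr' is rejected."""
    return re.compile("^(" + "|".join(re.escape(c) for c in choices) + ")$")


def validate_multi(values, choices):
    """Return the entries of a multi node that the anchored regex rejects."""
    rx = anchored_regex(choices)
    return [v for v in values if not rx.match(v)]


def migrate_list(value):
    """Turn a 1.2-style 'a,b,c' string (or an already split list) into the
    multi node entries of 1.3, keeping order and dropping duplicates/empties."""
    items = value if isinstance(value, list) else value.split(",")
    seen, out = set(), []
    for item in (i.strip() for i in items):
        if item and item not in seen:
            seen.add(item)
            out.append(item)
    return out


def migrate_loglevel(value):
    """1.2 accepted any case and any string; 1.3 wants lowercase from a fixed
    set, and anything unknown becomes 'info' rather than breaking the boot."""
    level = value.strip().lower()
    return level if level in LOGLEVELS else "info"


def migrate_ssh_config(old):
    """Return (new_config, problems). Unknown algorithm names are reported, not
    silently dropped, so the operator sees what the constraint would reject."""
    new, problems = dict(old), []
    for key, choices in (("cipher", CIPHERS), ("key-exchange", KEX)):
        if key in old:
            new[key] = migrate_list(old[key])
            for bad in validate_multi(new[key], choices):
                problems.append(f"{key}: '{bad}' is not a known algorithm")
    if "loglevel" in old:
        new["loglevel"] = migrate_loglevel(old["loglevel"])
    return new, problems


# Constructed 1.2-style 'service ssh' values: comma-joined lists, a duplicate,
# an unknown kex name and an upper-case loglevel.
LEGACY = {
    "port": "22",
    "cipher": "aes256-ctr,aes128-ctr,aes256-ctr",
    "key-exchange": "curve25519-sha256,foo-kex",
    "loglevel": "INFO",
}

if __name__ == "__main__":
    migrated, issues = migrate_ssh_config(LEGACY)
    print(migrated)
    print(issues)
```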
2020-06-22 | xml: ssh: fix typo in service description | Christian Poessinger
2020-06-11 | ssh: T2321: add VRF support | Christian Poessinger
2019-12-26 | xml: remove leading caret (^) from regex syntax | Christian Poessinger
... as the caret is applied automatically when reading in the XML definition. Auto replaced by:

  $ find interface-definitions -type f | xargs sed -i 's/regex>^/regex>/'
2019-12-06 | T1843: run interface-definitions through GCC preprocessor | Christian Poessinger
A lot of XML code is duplicated (VLAN, interface address) for instance. Such XML definitions should be moved to feature.xml.i files and then just pulled in via GCC preprocessor #include definition in e.g. bond or ethernet definitions. This will give us the ability to single-source repeating node definitions as:

  * Interface Address
  * Interface Description
  * Interface Disable
  * VLAN (both vif-s and vif-c)

The .in suffix of the interface-definitions is a marker that those files are input files to the GCC preprocessor. They will be rendered into proper XML files in the build directory. Some node definitions have been reworded to remove escaped double quote occurrences which would have been warned about by the GCC preprocessor.