Age | Commit message (Collapse) | Author |
|
We do not only allow individual host addresses but also prefixes.
|
|
Sshguard protects hosts from brute-force attacks
Can inspect logs and block "bad" addresses by threshold
Auto-generate rules for nftables
When service stopped all generated rules are deleted
nft "type filter hook input priority filter - 10"
set service ssh dynamic-protection
set service ssh dynamic-protection block-time 120
set service ssh dynamic-protection detect-time 1800
set service ssh dynamic-protection threshold 30
set service ssh dynamic-protection whitelist-address 192.0.2.1
|
|
After hardning the regex validator to be preceeded with ^ and ending with $
it was no longer possible to have a comma separated list as SSH ciphers. The
migrations cript is altered to migrate the previous comma separated list
to individual multi node entries - cipher and key-exchange always had been
multinodes - so this just re-arranges some values and does not break CLI
compatibility
|
|
Since introducing the XML <defaultValue> node it was common, but redundant,
practice to also add a help string indicating which value would be used as
default if the node is unset.
This makes no sense b/c it's duplicated code/value/characters and prone to
error. The node.def scripts should be extended to automatically render the
appropriate default value into the CLI help string.
For e.g. SSH the current PoC renders:
$ cat templates-cfg/service/ssh/port/node.def
multi:
type: txt
help: Port for SSH service (default: 22)
val_help: u32:1-65535; Numeric IP port
...
Not all subsystems are already migrated to get_config_dict() and make use of
the defaults() call - those subsystems need to be migrated, first before the new
default is added to the CLI help.
|
|
|
|
|
|
|
|
Commit 5b22ebae ("T3170: check if any generated node.def files are empty") added
an initial test to find empty node.def files created by build-command-templates
or build-command-op-templates.
The problem was that GNU find always returns 0, thus the condition to bail out
on error was always met. This has been corrected to return false on hits only.
|
|
As the amount of include files now has reached a certain amount, it is getting
more and more crowsded, thuse introducing "per topic" subdirectories on the
filesystem to keep a clean structure makes sense.
|
|
|
|
This will render the completion help more nicely.
|
|
|
|
When migrating the conf from VyOS 1.2 to 1.3 a configuration error could appear
if the user specified "info" as loglevel instead of "INFO". There was no input
validation done in 1.2 but this is now enforced in 1.3.
In VyOS 1.3 loglevel will be always lowercase on the CLI and when migrating the
config this is transformed. Also VyOS 1.2 accpeted any arbitrary loglevel. If
an invalid loglevel is found it will be set to info.
|
|
Jinja template contains some workarounds like {% if port is string %}, this
depends of the resolution of https://phabricator.vyos.net/T2636
|
|
|
|
SSH mac, ciper and key exchange algorithms are not ynamically and only change
on distro upgrades. Thus it is easier to have them in a list and use a regex
based constraint. In the past users could have entered anything here!
|
|
|
|
|
|
... as the carrot is applied automatically when reading in the XML
definition. Auto replaced by:
$ find interface-definitions -type f | xargs sed -i 's/regex>^/regex>/'
|
|
A lot of XML code is duplicated (VLAN, interface address) for instance. Such
XML definitions should be moved to feature.xml.i files and then just pulled in
via GCC preprocessor #include definition in e.g. bond or ethernet definitions.
This will give us the ability to single-source repeating node definitions as:
* Interface Address
* Interface Description
* Interface Disable
* VLAN (both vif-s and vif-c)
The .in suffix of the interface-definitions is a marker that those files are
input files to the GCC preprocessor. They will be rendered into proper XML
files in the build directory.
Some node definitions have been reworder to remove escaped double quote
occurances which would have been warned about by the GCC preprocessor.
|