| Age | Commit message (Collapse) | Author |
|---|
|
Address @sever-sever's suggestion to refactor how groupconfig is
defined, parsed, and set (with his proposed conditional string
appending Py-sugar). Use the disable-mobike refactor as template
for XML simplification.
Testing:
None yet
|
|
Enterprise RADIUS configurations often utilize group selectors for
authentication and attribute distribution for connecting clients.
Ocserv implements this functionality via the `select-group` config
file attribute, repeating for multiple groups. When a user selects
their membership group and the request is passed to the RADIUS
server, ocserv will match the returned Class attribute against the
value selected by the user. This functionality also works for local
group membership resolution, although VyOS currently doesn't have
group membership configuration for this.
Expose the tunnel-all-dns option in the ocserv config file allowing
users who deploy default routes to select split-dns and those who
do not to enable full DNS tunneling.
Testing:
Smoketests & build
Configured groups in openconnect profile and verified existence
in /run/ocserv/ocserv.conf
Configured forced dns tunneling and verified presence of setting
in /run/ocserv/ocserv.conf
|
|
From ocserv documentation:
```
If the groupconfig option is set, then config-per-user will be
overriden, and all configuration will be read from radius. That
also includes the Acct-Interim-Interval, and Session-Timeout
values.
```
Implement yes/no configuration and parameter handling during jinja
rendering.
Fix bug wherein openconnect-server configuration requires creation
of local user accounts even when RADIUS authentication is used.
Testing:
Set the groupconfig=yes param and observed change in generated
/run/ocserv/ocserv.conf.
Removed the local users via `delete vpn openconnect
authentication local-users` and observed commit & service operation
|
|
There is no check if 'listen' is exist in the dictionary, fix it
Fix odd ValueHelp format
|
|
set vpn openconnect network-settings split-dns <domain>
|
|
Add l2tp authentication radius nas-ip-address option
which will be sent in NAS-IP-Address Radius attribute
|
|
and nat-rule.xml.i
|
|
|
|
* https://github.com/Cheeze-It/vyos-1x:
bgp: T4257: Changing BGP "local-as" to "system-as"
|
|
nat66: T4586: Add SNAT destination prefix and DNAT address
|
|
T4480: webproxy: Add safe-ports and ssl-safe-ports for acl squid config
|
|
Ability to configure SNAT destination prefix and
DNAT source address
Add option "!" - not address/prefix for NAT66
|
|
Ability to get MTU from DHCP-server and don't touch it per
any interface change if interface 'dhcp-options mtu' is
configured
|
|
bgp: T4257: Changing BGP "local-as" to "system-as"
This change is to change the global BGP name for the node "local-as" to "system-as"
This is needed so that there's less ambiguity with the local-as feature per neighbor.
bgp: T4257: Changing BGP "local-as" to "system-as"
bgp: T4257: Changing BGP "local-as" to "system-as"
This change is to change the global BGP name for the node "local-as" to "system-as"
This is needed so that there's less ambiguity with the local-as feature per neighbor.
|
|
lb-wan: T4518: Add XML for conf mode load-balancing wan
|
|
hosts/networks that should be ignored.
|
|
|
|
|
|
|
|
T4550: router-advert: Add deprecate-prefix & decrement-lifetimes options
|
|
|
|
|
|
|
|
DeprecatePrefix and DecrementLifetimes options in radvd is useful in a DHCPv6-PD environment to accommodate prefix changes from ISP's delegating router. Though there is currently no integration between the DHCP PD client (wide-dhcpv6-client) and radvd, it could be a good start point to have the 2 options configurable by the user.
https://phabricator.vyos.net/T4550
- deprecate-prefix: Upon shutdown, deprecate the prefix. This is useful
in a DHCPv6 PD environment: When ISP re-assigns a new prefix,
deprecate the old prefix that was advertised.
- decrement-lifetimes: Decrement the values of the preferred and valid
lifetimes for the prefix over time. This is also useful in a DHCPv6
PD environment to keep the advertised prefix's lifetimes in sync with
the prefix from delegating router.
|
|
|
|
Fix conflicts
|
|
|
|
|
|
When adding a new component version file, one must also include the file
in xml-component-version.xml.in
|
|
Linux Kernel supports to specify the MII link monitoring frequency in
milliseconds. This determines how often the link state of each slave is
inspected for link failures. A value of zero disables MII link monitoring.
A value of 100 is a good starting point.
The default value is 100.
set interfaces bonding bond0 mii-mon-interval <n>
|
|
disable-directed-broadcast-forwarding"
|
|
Directed broadcast is described in rfc1812#section-5.3.5.2 and rfc2644.
By default Linux kernel doesn't forward directed broadcast
packets unless both of `/proc/sys/net/ipv4/conf/all/bc_forwarding`
and `/proc/sys/net/ipv4/conf/$iface/bc_forwarding` are set to 1.
|
|
Add XML for configuration mode "load-balancing wan" for the future
rewriting this to Python
Remove node from Makefile as Python code is not yet completed
|
|
As we have specific configuration for each plugin:
set service monitoring telegraf xxx
- azure-data-explorer
- prometheus-client
- splunk
We should to move configuration that related to influxdb under
influxdb node
Replace:
set service monitoring telegraf
- authentication xxx
- bucket xxx
- port xxx
- url
To:
set service monitoring telegraf influxdb xxx
|
|
After discussion with @zsdc this was decided the better long term fix
* Removes hourly logrotate cron in favour of systemd timer override
|
|
|
|
dns: T4509: Add dns64-prefix option
|
|
rfc6147: DNS Extensions for Network Address Translation
from IPv6 Clients to IPv4 Servers
set service dns forwarding dns64-prefix 2001:db8:aabb::/96
|
|
firewall: T4299: Add ability to inverse match country-codes
|
|
|
|
When clients only use DHCP for interface addressing we can not bind NTPd to
an address - as it will fail if the address changes. This commit adds support
to bind ntpd to a given interface in addition to a given address.
set system ntp interface <name>
|
|
|
|
dns: T4378: Allow wildcard A AAAA record with option all
|
|
Ability to set wildcard record for authoritative-domain
set authoritative-domain example.com records a any address 192.0.2.11
cat /run/powerdns/zone.example.com.conf
* 300 A 192.0.2.11
|
|
Add rate-limit options: attribute, muptiplier and vendor
set service ipoe-server auth radius rate-limit attribute 'Mikrotik-Rate-Limit'
set service ipoe-server auth radius rate-limit enable
set service ipoe-server auth radius rate-limit multiplier '0.001'
set service ipoe-server auth radius rate-limit vendor 'Miktorik'
|
|
openvpn: T4485: Accept multiple tls ca-certificate values
|
|
|
|
|
|
|
|
|
