summaryrefslogtreecommitdiff
path: root/interface-definitions
AgeCommit message (Collapse)Author
2022-06-07firewall: T970: domain-group should not starts with numericViacheslav Hletenko
Edit regex to check firewall-group
2022-05-28firewall: T970: Add firewall group domain-groupViacheslav Hletenko
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } }
2022-05-16Merge pull request #1290 from sever-sever/T4373Christian Poessinger
ppppoe-server: T4373: Add option multiplier for correct shaping
2022-05-16pppoe-server: T4373: Add option multiplier for correct shapingViacheslav Hletenko
Multiplier option is required by some vendors for correct shaping For RADIUS based rate-limits edit service pppoe-server set authentication radius rate-limit multiplier '0.001'
2022-05-13sshguard: T4408: rename whitelist-address -> allow-fromChristian Poessinger
We do not only allow individual host addresses but also prefixes.
2022-05-13Merge pull request #1320 from sever-sever/T4408Christian Poessinger
sshguard: T4408: Add service ssh dynamic-protection
2022-05-12sshguard: T4408: Add service ssh dynamic-protectionViacheslav Hletenko
Sshguard protects hosts from brute-force attacks Can inspect logs and block "bad" addresses by threshold Auto-generate rules for nftables When service stopped all generated rules are deleted nft "type filter hook input priority filter - 10" set service ssh dynamic-protection set service ssh dynamic-protection block-time 120 set service ssh dynamic-protection detect-time 1800 set service ssh dynamic-protection threshold 30 set service ssh dynamic-protection whitelist-address 192.0.2.1
2022-05-12vrrp: T4417: bugfix service startup priorityChristian Poessinger
2022-05-12policy: T4424: Fix incorrect format for IPv6 prefixesViacheslav Hletenko
2022-05-09Merge pull request #1279 from nicolas-fort/T990Christian Poessinger
Firewall: T990: Add snat and dnat connection status on firewall
2022-05-08container: T4353: fix conf-mode script nameChristian Poessinger
2022-05-08policy: evpn: T3739: support "set evpn gateway-ip"Christian Poessinger
2022-05-07vrf: T4419: support to disable IP forwarding within a given VRFChristian Poessinger
2022-05-06ocserv: T4231: XML OTP support must not be added globally - only for openconnectChristian Poessinger
2022-05-05Merge pull request #1312 from sever-sever/T4410Christian Poessinger
monitoring: T4410: Add telegraf output Plugin http for Splunk
2022-05-05policy: T4414: add support for route-map "as-path prepend last-as x"Christian Poessinger
2022-05-05monitoring: T4410: Add telegraf output Plugin http for SplunkViacheslav Hletenko
Ability to send HTTP output to Splunk via telegraf set service monitoring telegraf splunk authentication insecure set service monitoring telegraf splunk authentication token 'xxx' set service monitoring telegraf splunk url 'https://x.x.x.x'
2022-05-03monitoring: T4315: Add telegraf output plugin prometheus-clientViacheslav Hletenko
Add output Plugin "prometheus-client" for telegraf: set service monitoring telegraf prometheus-client
2022-05-01container: T4353: fix Jinja2 linting errorsChristian Poessinger
2022-04-29T2216: containers need to be added via "add container image" in advance ↵Christian Poessinger
before using them
2022-04-29xml: T4047: use full string match in the regex validatorChristian Poessinger
2022-04-28arp: T4397: bump component version numberChristian Poessinger
2022-04-28arp: T4397: change CLI syntax to support interface and VRF bound ARP entriesChristian Poessinger
* set protocols static arp interface eth0 address 192.0.2.1 mac 01:23:45:67:89:01
2022-04-26dhcp: T4389: use lowercase vendor name in CLIChristian Poessinger
2022-04-26dhcp: T4389: fix vendor name, it is ubiquiti with an i, not yxChristian Poessinger
2022-04-23Firewall: T990: Modifications for new connection-status cliNicolas Fort
2022-04-22dhcp: T4389: add vendor option support for Ubiquity Unifi controllerChristian Poessinger
vyos@vyos# show service dhcp-server shared-network-name LAN { subnet 172.18.201.0/24 { default-router 172.18.201.1 name-server 172.18.201.2 range 0 { start 172.18.201.101 stop 172.18.201.109 } vendor-option { ubiquity { unifi-controller 172.16.100.1 } } } }
2022-04-22dhcpv6: T4357: rename vsio -> vendor-optionChristian Poessinger
2022-04-22Merge branch 'T4357' of https://github.com/sever-sever/vyos-1x into currentChristian Poessinger
* 'T4357' of https://github.com/sever-sever/vyos-1x: dhcpv6: T4357: Add dhcpv6 options for cisco VoIP tftp
2022-04-22dhcp: T4388: missing constraint on tftp-server-name optionChristian Poessinger
2022-04-22dhcpv6: T4357: Add dhcpv6 options for cisco VoIP tftpViacheslav Hletenko
Add vendor specific options for DHCPv6-server for working with cisco VoIP phone provisioning over IPv6
2022-04-21pppoe: T4384: replace default-route CLI option with common CLI nodes already ↵Christian Poessinger
present for DHCP VyOS 1.4 still leverages PPPd internals on the CLI. pppd supports three options for a default route, none, auto, force. * none: No default route is installed on interface up * auto: Default route is only installed if there is yet no default route * force: overwrite any default route There are several drawbacks in this design for VyOS and the users. If auto is specified, this only counted for static default routes - but what about dynamic ones? Same for force, only a static default route got replaced but dynamic ones did not got taken into account. The CLI is changed and we now re-use already existing nodes from the DHCP interface configuration: * no-default-route: On link up no default route is installed, same as the previous default-route none * default-route-distance: We can now specify the distance of this route for the routing table on the system. This defaults to 210 as we have for DHCP interfaces. All this will be migrated using a CLI migration script.
2022-04-21xml: T4385: provide building blocks for default route configurationChristian Poessinger
2022-04-18vxlan: geneve: T4370: support configuration of DF bit optionChristian Poessinger
set interfaces vxlan vxlan0 parameters ip df <set|unset|inherit> set interfaces geneve gnv0 parameters ip df <set|unset|inherit>
2022-04-18bgp: xml: update as-override help stringChristian Poessinger
2022-04-16xml: include: improve don't fragment helpChristian Poessinger
2022-04-15salt-minion: T4364: add support for source-interface definitionChristian Poessinger
2022-04-15salt-minion: T4364: support IPv6 master server(s)Christian Poessinger
2022-04-15salt-minion: T4364: migrate to get_config_dict()Christian Poessinger
2022-04-11Firewall: T990: Add snat and dst connection status on firewallNicolas Fort
2022-04-10ocserv: T4231: increment config version 1 -> 2Christian Poessinger
2022-04-09Merge pull request #1242 from goodNETnick/ocserv_local_otpChristian Poessinger
ocserv: T4231: Added OTP support for Openconnect 2FA
2022-04-09ocserv: T4231: Added OTP support for Openconnect 2FAgoodNETnick
2022-04-08Firewall: T990: Add snat and dnat connection status on firewallNicolas Fort
2022-04-08Merge branch 'current' into dhcpdGeorg
2022-04-07ipv6: T4346: delete (migrate) CLI command to disable IPv6 address familyChristian Poessinger
2022-04-07qos: T4284: rename "traffic-policy" node to "qos policy"Christian Poessinger
"set traffic-policy" now becomes "set qos policy" "set interface ethernet eth0 traffic-policy" now bvecomes "set qos interface eth0"
2022-04-07qos: T4284: support mirror and redirect on vlan subinterfacesChristian Poessinger
2022-04-07qos: T4284: support mirror and redirect on all interface typesChristian Poessinger
2022-04-06dns: forwarding: T4343: add CLI option for PowerDNS network-timeoutBracken
Makes the powerdns `network-timeout` setting configurable via: `service dns forwarding timeout`. The powerdns default is 1500ms, VyOS now explicitly sets the same default value or the configured value so that the setting can have a readily apparent default in the help, rather than the user having to know it's powerdns.