Age | Commit message (Collapse) | Author |
|
Edit regex to check firewall-group
|
|
Domain group allows to filter addresses by domain main
Resolved addresses as elements are stored to named "nft set"
that used in the nftables rules
Also added a dynamic "resolver" systemd daemon
vyos-domain-group-resolve.service which starts python script
for the domain-group addresses resolving by timeout 300 sec
set firewall group domain-group DOMAINS address 'example.com'
set firewall group domain-group DOMAINS address 'example.org'
set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 source group domain-group 'DOMAINS'
set interfaces ethernet eth0 firewall local name 'FOO'
nft list table ip filter
table ip filter {
set DOMAINS {
type ipv4_addr
flags interval
elements = { 192.0.2.1, 192.0.2.85,
203.0.113.55, 203.0.113.58 }
}
chain NAME_FOO {
ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"
counter packets 0 bytes 0 return comment "FOO default-action accept"
}
}
|
|
ppppoe-server: T4373: Add option multiplier for correct shaping
|
|
Multiplier option is required by some vendors for correct shaping
For RADIUS based rate-limits
edit service pppoe-server
set authentication radius rate-limit multiplier '0.001'
|
|
We do not only allow individual host addresses but also prefixes.
|
|
sshguard: T4408: Add service ssh dynamic-protection
|
|
Sshguard protects hosts from brute-force attacks
Can inspect logs and block "bad" addresses by threshold
Auto-generate rules for nftables
When service stopped all generated rules are deleted
nft "type filter hook input priority filter - 10"
set service ssh dynamic-protection
set service ssh dynamic-protection block-time 120
set service ssh dynamic-protection detect-time 1800
set service ssh dynamic-protection threshold 30
set service ssh dynamic-protection whitelist-address 192.0.2.1
|
|
|
|
|
|
Firewall: T990: Add snat and dnat connection status on firewall
|
|
|
|
|
|
|
|
|
|
monitoring: T4410: Add telegraf output Plugin http for Splunk
|
|
|
|
Ability to send HTTP output to Splunk via telegraf
set service monitoring telegraf splunk authentication insecure
set service monitoring telegraf splunk authentication token 'xxx'
set service monitoring telegraf splunk url 'https://x.x.x.x'
|
|
Add output Plugin "prometheus-client" for telegraf:
set service monitoring telegraf prometheus-client
|
|
|
|
before using them
|
|
|
|
|
|
* set protocols static arp interface eth0 address 192.0.2.1 mac 01:23:45:67:89:01
|
|
|
|
|
|
|
|
vyos@vyos# show service dhcp-server
shared-network-name LAN {
subnet 172.18.201.0/24 {
default-router 172.18.201.1
name-server 172.18.201.2
range 0 {
start 172.18.201.101
stop 172.18.201.109
}
vendor-option {
ubiquity {
unifi-controller 172.16.100.1
}
}
}
}
|
|
|
|
* 'T4357' of https://github.com/sever-sever/vyos-1x:
dhcpv6: T4357: Add dhcpv6 options for cisco VoIP tftp
|
|
|
|
Add vendor specific options for DHCPv6-server for working with
cisco VoIP phone provisioning over IPv6
|
|
present for DHCP
VyOS 1.4 still leverages PPPd internals on the CLI.
pppd supports three options for a default route, none, auto, force.
* none: No default route is installed on interface up
* auto: Default route is only installed if there is yet no default route
* force: overwrite any default route
There are several drawbacks in this design for VyOS and the users. If auto is
specified, this only counted for static default routes - but what about dynamic
ones? Same for force, only a static default route got replaced but dynamic ones
did not got taken into account.
The CLI is changed and we now re-use already existing nodes from the DHCP
interface configuration:
* no-default-route:
On link up no default route is installed, same as the previous
default-route none
* default-route-distance:
We can now specify the distance of this route for the routing table on the
system. This defaults to 210 as we have for DHCP interfaces. All this will be
migrated using a CLI migration script.
|
|
|
|
set interfaces vxlan vxlan0 parameters ip df <set|unset|inherit>
set interfaces geneve gnv0 parameters ip df <set|unset|inherit>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ocserv: T4231: Added OTP support for Openconnect 2FA
|
|
|
|
|
|
|
|
|
|
"set traffic-policy" now becomes "set qos policy"
"set interface ethernet eth0 traffic-policy" now bvecomes "set qos interface eth0"
|
|
|
|
|
|
Makes the powerdns `network-timeout` setting configurable via:
`service dns forwarding timeout`.
The powerdns default is 1500ms, VyOS now explicitly sets the same default value
or the configured value so that the setting can have a readily apparent default
in the help, rather than the user having to know it's powerdns.
|