summaryrefslogtreecommitdiff
path: root/interface-definitions
AgeCommit message (Collapse)Author
2024-01-10bgp: T5913: allow peer-group support for ipv4|6-labeled-unicast SAFIChristian Breunig
2024-01-09https: T5902: remove virtual-host configurationChristian Breunig
We have not seen the adoption of the https virtual-host CLI option. What it did? * Create multiple webservers each listening on a different IP/port (but in the same VRF) * All webservers shared one common document root * All webservers shared the same SSL certificates * All webservers could have had individual allow-client configurations * API could be enabled for a particular virtual-host but was always enabled on the default host This configuration tried to provide a full webserver via the CLI but VyOS is a router and the Webserver is there for an API or to serve files for a local-ui. Changes Remove support for virtual-hosts as it's an incomplete and thus mostly useless "thing". Migrate all allow-client statements to one top-level allow statement.
2024-01-07Merge pull request #2758 from c-po/certbot-T5886Christian Breunig
pki: T5886: add support for ACME protocol (LetsEncrypt)
2024-01-06dns: T5900: add dont-throttle-netmasks and serve-stale-extensions powerdns ↵fvlaicu
features
2024-01-06https: T5886: migrate https certbot to new "pki certificate" CLI treeChristian Breunig
2024-01-06pki: T5886: add support for ACME protocol (LetsEncrypt)Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates.
2024-01-03xml: T5738: add constraint building block with alphanumeric, hypen, ↵Christian Breunig
underscore and dot
2024-01-02pki: T3642: add missing base64 constraint on PEM keysChristian Breunig
2024-01-01wireguard: T3642: use base64 validatorChristian Breunig
2024-01-01configverify: T5880: raise exception if interfaces sourced form dynamic ↵Christian Breunig
interfaces Interfaces matching the following regex (ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+ can not be used as source-interface for e.g. a tunnel. The main reason is that these are dynamic interfaces which come and go from a kernel point of view, thus it's not possible to bind an interface to them.
2023-12-31T5474: establish common file name pattern for XML conf mode commandsChristian Breunig
We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in
2023-12-30T5870: ipsec remote access VPN: add x509 ("pubkey") authentication.Lucas Christian
2023-12-29system: T5877: Shorten system domain-search config pathIndrajit Raychaudhuri
Shorten and simplify `system domain-search` config path from: ``` set system domain-search domain <domain1> ``` to: ``` set system domain-search <domain1> ``` This will shorten the path and also make consistent with `domain-search` config in other places (like `dhcp-server`).
2023-12-28ddclient: T5852: add missing priorityChristian Breunig
Running ddclient on a VLAN interface will fail during reboot as there is no discrete priority to tell that the dynamic DNS service needs to be started after the interfaces.
2023-12-28Merge pull request #2658 from aapostoliuk/T5801-circinusChristian Breunig
T5801: Rewritten L2TP to get_config_dict
2023-12-28Merge pull request #2695 from aapostoliuk/T5842-circinusChristian Breunig
T5842: Rewritten PPTP to get_config_dict
2023-12-28Merge pull request #2650 from indrajitr/kea-reservation-fixChristian Breunig
dhcp: T3316: Support hostname, DUID and MAC address in reservation
2023-12-27T5842: Rewritten PPTP to get_config_dictaapostoliuk
Rewritten PPTP to get_config_dict Fixed 'dynamic-author' commands. These commands did not create anything in accel-ppp config.
2023-12-26firewall: T5834: Improve log message and simplify log-option includeIndrajit Raychaudhuri
`include/firewall/rule-log-options.xml.i` is now more aptly renamed to `include/firewall/log-options.xml.i`.
2023-12-26firewall: T5834: Remove vestigial include fileIndrajit Raychaudhuri
This file is a left over from previous refactoring and no longer referenced anywhere in the interface definitions.
2023-12-26firewall: T5834: Migration for 'enable-default-log' to 'default-log'Indrajit Raychaudhuri
2023-12-26firewall: T5834: Rename 'enable-default-log' to 'default-log'Indrajit Raychaudhuri
Rename chain level defaults log option from `enable-default-log` to `default-log` for consistency.
2023-12-25snmp: T5855: migrate "set service lldp snmp enable" to "set service lldp snmp"Christian Breunig
2023-12-24Merge pull request #2677 from sever-sever/T160Christian Breunig
T160: NAT64 add match firewall mark feature
2023-12-24T160: NAT64 add match firewall mark featureViacheslav Hletenko
Match mark allows to use firewall marks of packet to use a specific pool Example of instance config /run/jool/instance-100.json ``` ... "pool4": [ { "protocol": "TCP", "prefix": "192.0.2.10", "port range": "1-65535", "mark": 23 }, ... ```
2023-12-24veth: T5853: fix typo in constraintErrorMessagezero13th
2023-12-21dhcp: T3316: Apply migration for valid hostname, and identifier (DUID)Indrajit Raychaudhuri
2023-12-21dhcp: T3316: Support hostname, DUID and MAC address in reservationIndrajit Raychaudhuri
Reinstate support for hostname in DHCP reservation. Having `hostname` in allows for server-side assignment of hostname. This is useful for static lookup of hostname. Ensure that hostname is a valid FQDN (doesn't have underscore, etc.) Additionally, support using either of DUID or MAC address for reservation. While MAC address is typically used for IPv4, and DUID is typically used for IPv6, either of them can be used in IPv4 and IPv6 reservations in Kea.
2023-12-21Merge pull request #2663 from c-po/srv6-part2Christian Breunig
srv6: T591: enable SR enabled packet processing on defined interfaces
2023-12-21Merge pull request #2665 from c-po/ndp-proxyChristian Breunig
T2898: add ndp-proxy service
2023-12-21dhcp: T5846: Ensure DUID regex range is boundIndrajit Raychaudhuri
The DUID regex was missing a lower bound, which could cause it not to match when it should. We have to specify the lower bound explicitly as 0 to keep the regex behavior similar to that in Python (in Python, omitting the lower bound is equivalent to specifying 0).
2023-12-21dhcp: T5846: Fix include pathIndrajit Raychaudhuri
2023-12-21dhcp: T5846: Refactor and simplify DUID definitionIndrajit Raychaudhuri
Refactor DUID XML definition in conf-mode to be reusable. Additionally, remove explicit call to a separate validator `ipv6-duid` and inline the regex into the XML definition.
2023-12-20T2898: add ndp-proxy serviceChristian Breunig
VyOS CLI command set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static' Will generate the following NDP proxy configuration $ cat /run/ndppd/ndppd.conf # autogenerated by service_ndp-proxy.py # This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route route-ttl 30000 # This sets up a listener, that will listen for any Neighbor Solicitation # messages, and respond to them according to a set of rules proxy eth0 { # Turn on or off the router flag for Neighbor Advertisements router no # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds) timeout 500 # Control how long a valid or invalid entry remains in the cache (milliseconds) ttl 30000 # This is a rule that the target address is to match against. If no netmask # is provided, /128 is assumed. You may have several rule sections, and the # addresses may or may not overlap. rule 2001:db8::/64 { static } }
2023-12-20srv6: T591: enable SR enabled packet processing on defined interfacesChristian Breunig
The Linux Kernel needs to be told if IPv6 SR enabled packets whether should be processed or not. This is done using /proc/sys/net/conf/<iface>/seg6_* variables: seg6_enabled - BOOL Accept or drop SR-enabled IPv6 packets on this interface. Relevant packets are those with SRH present and DA = local. 0 - disabled (default) not 0 - enabled Or the VyOS CLI command: * set protocols segment-routing interface eth0 srv6
2023-12-20T5801: Rewritten L2TP to get_config_dictaapostoliuk
Rewritten L2TP to get_config_dict Rewritten L2TP xml to accel-ppp patterns Migrated 'idle' to 'ppp-options.lcp-echo-timeout' Migrated 'authentication.mppe' to 'ppp-options.mppe' Migrated 'authentication.radius.dae-server' to 'authentication.radius.dynamic-author' Migrated 'authentication.require' to 'authentication.protocol' Added 'authentication.radius.acct-interim-jitter' Added 'authentication.radius.preallocate-vif' Added 'authentication.radius.server.<IP>.acct-port' Added 'ppp-options.ipv4' Added smoke-tests Fixed 'preallocate-vif' in SSTP
2023-12-16Merge pull request #2617 from indrajitr/ddclient-improvement-round-3-2023-12-11Christian Breunig
ddclient: T5144,T5791: Fix migration to avoid config name conflict
2023-12-16ocserv: T5796: add CLI knob "http-security-headers"fett0
OCserv manual recommended HTTP headers tobe included in the configuration. (cherry picked from commit ad65d37ddf92ec8416c84707d7d41e63346b550c)
2023-12-15Merge pull request #2639 from c-po/frr-t4020Viacheslav Hletenko
frr: T4020: add option to define number of open file descriptors
2023-12-15frr: T4020: add option to define number of open file descriptorsChristian Breunig
This allows the operator to control the number of open file descriptors each daemon is allowed to start with. The current assumed value on most operating systems is 1024. If the operator plans to run bgp with several thousands of peers then this is where we would modify FRR to allow this to happen. set system frr descriptors <n>
2023-12-15firewall: T4502: add ofload to firewall table actionsGurliGebis
2023-12-14Merge pull request #2627 from sever-sever/T4163Christian Breunig
T4163: Add BGP Monitoring Protocol BMP feature
2023-12-14Merge pull request #2590 from sever-sever/T5798Christian Breunig
T5798: load-balancing revese-proxy add multiple SSL certificates
2023-12-14T4163: Add BGP Monitoring Protocol BMP featureViacheslav Hletenko
Add BMP feature. BMP (BGP Monitoring Protocol, RFC 7854) is used to send monitoring data from BGP routers to network management entities https://docs.frrouting.org/en/latest/bmp.html Example: set system frr bmp commit run restart bgp set protocols bgp system-as '65001' set protocols bgp neighbor 192.0.2.11 address-family ipv4-unicast set protocols bgp neighbor 192.0.2.11 remote-as '65001' set protocols bgp bmp mirror-buffer-limit '256000000' set protocols bgp bmp target foo address '127.0.0.1' set protocols bgp bmp target foo port '5000' set protocols bgp bmp target foo min-retry '1000' set protocols bgp bmp target foo max-retry '2000' set protocols bgp bmp target foo mirror set protocols bgp bmp target foo monitor ipv4-unicast post-policy set protocols bgp bmp target foo monitor ipv4-unicast pre-policy set protocols bgp bmp target foo monitor ipv6-unicast post-policy set protocols bgp bmp target foo monitor ipv6-unicast pre-policy
2023-12-13ddclient: T5791: Enforce alphanumeric constraint on service nameIndrajit Raychaudhuri
Enforce constraint on Dynamic DNS service name to be alphanumeric (including hyphens and underscores).
2023-12-11srv6: T591: initial implementation to support locator definitionChristian Breunig
VyOS CLI set protocols segment-routing srv6 locator bar prefix '2001:b::/64' set protocols segment-routing srv6 locator foo behavior-usid set protocols segment-routing srv6 locator foo prefix '2001:a::/64' Will generate in FRR segment-routing srv6 locators locator bar prefix 2001:b::/64 block-len 40 node-len 24 func-bits 16 exit ! locator foo prefix 2001:a::/64 block-len 40 node-len 24 func-bits 16 behavior usid exit ! exit ! exit ! exit
2023-12-11bgp: T591: add SRv6 support from FRRChristian Breunig
set protocols bgp sid vpn per-vrf export '99' set protocols bgp srv6 locator 'foo' set protocols bgp system-as '100' Will generate in FRR config router bgp 100 no bgp ebgp-requires-policy no bgp default ipv4-unicast no bgp network import-check ! segment-routing srv6 locator foo exit sid vpn per-vrf export 99 exit
2023-12-09Merge pull request #1960 from sarthurdev/keaChristian Breunig
dhcp: T3316: Migrate dhcp/dhcpv6 server to Kea
2023-12-08git: T5803: Adjust git configuration for baseline defaultsIndrajit Raychaudhuri
Apply baseline defaults for `.gitattributes` and `.vscode/settings.json` for improved developer experience. The `.gitattrbutes` settings are based on: Git documentation (https://git-scm.com/docs/gitattributes#_effects) GitHub documentation (https://docs.github.com/en/get-started/getting-started-with-git/configuring-git-to-handle-line-endings) Community templates (https://github.com/gitattributes/gitattributes) Since editor-agnostic line-ending specific settings are applied to `.gitattributes`, they can be removed from `.vscode/settings.json`. The global VSCode defaults have also been removed to avoid duplication.
2023-12-08T5798: load-balancing revese-proxy add multiple SSL certificatesViacheslav Hletenko
Add ability to configure multiple SSL certificates for frontend/service set load-balancing reverse-proxy service web mode http set load-balancing reverse-proxy service web port 443 set load-balancing reverse-proxy service web ssl certificate cert1 set load-balancing reverse-proxy service web ssl certificate cert2