path: root/interface-definitions
Age | Commit message | Author
2022-10-08 | firewall: T4612: Support arbitrary netmasks | Rain
Add support for arbitrary netmasks on source/destination addresses in firewall rules. This is particularly useful with DHCPv6-PD when the delegated prefix changes periodically.
2022-10-01 | T4722: consistently use the "RADIUS" spelling for the RADIUS protocol | Daniil Baturin
2022-09-30 | bgp: evpn: T1315: add route-target CLI node <multi/> property | Christian Poessinger
FRR supports multiple route-targets to be used for import/export:
    address-family l2vpn evpn
     route-target import 20:10
     route-target import 20:11
     route-target import 20:12
     route-target import 40:40
     route-target export 1:2
     route-target export 1:3
     route-target export 40:40
    exit-address-family
Thus the <multi/> property is added to the relevant CLI nodes.
2022-09-28 | Merge pull request #1561 from sever-sever/T4715 | Christian Poessinger
login: T4715: Auto logout user after inactivity
2022-09-28 | ids: T4557: Update xml-component-version | Viacheslav Hletenko
2022-09-28 | login: T4715: Auto logout user after inactivity | Viacheslav Hletenko
Ability to terminate interactive sessions (TTY/PTS) after a period of inactivity.
    set system login timeout '300'
2022-09-28 | conserver: T4717: Support for setting a name for console-server devices | William Hughes
This adds a new 'alias' property to the console-server device definition to allow users to connect to a console using a human-readable name rather than just the device name.
For a configuration like:
    service {
        console-server {
            device ttyUSB0 {
                speed 115200
                alias my-server
            }
        }
    }
Users can connect either by doing `connect console ttyUSB0`, or `connect console my-server`.
Names:
* Must be unique
* Are limited to 128 characters
* Are optional - if not specified, only the `connect console ttyX` form can be used
2022-09-27 | Merge pull request #1560 from nicolas-fort/T4700 | Christian Poessinger
T4700: Firewall: add interface matching criteria
2022-09-26 | Merge pull request #1545 from sever-sever/T4557 | Christian Poessinger
ids: T4557: Migrate threshold and add new threshold types
2022-09-26 | ids: T4557: Migrate threshold and add new threshold types | Viacheslav Hletenko
Migrate "service ids ddos-protection threshold xxx" to "service ids ddos-protection general threshold xxx"
Add new threshold types:
    set service ids ddos-protection threshold tcp xxx
    set service ids ddos-protection threshold udp xxx
    set service ids ddos-protection threshold icmp xxx
2022-09-26 | T4700: Firewall: add interface matching criteria | Nicolas Fort
2022-09-25 | interfaces: T4709: raise minimum TCP MSS clamping value | initramfs
This commit raises the minimum TCP MSS clamping range to the MSS value corresponding to the minimum packet size that must be accepted for IPv4.
2022-09-22 | xml: T4698: validating a range must be explicitly enabled in the validator | Christian Poessinger
This extends commit 28573ffe4f ("xml: T4698: drop validator name="range" and replace it with numeric"). The first version allowed both a range and discrete numbers to be validated by the numeric validator. This had a flaw as both 22 and 22-30 were valid at the same time. The generic "port-number.xml.i" building block only allows a discrete number. Now if a user set port 22-30 for e.g. SSH, the daemon no longer started. This is why range validation must be explicitly enabled.
2022-09-22 | Merge pull request #1521 from sever-sever/T3476 | Christian Poessinger
update-check: T3476: Allow update-check for VyOS images
2022-09-22 | telegraf: T4680: fix prometheus client listen-address invalid format | KyleM
2022-09-21 | Merge pull request #1553 from nicolas-fort/return-action | Christian Poessinger
T4699: Firewall: Add return action
2022-09-21 | T4699: Firewall: Add return action, since jump action was added recently | Nicolas Fort
2022-09-21 | ipoe: T4678: T4703: rewrite to get_config_dict() | Christian Poessinger
In addition to the rewrite to make use of get_config_dict() the CLI is slightly adjusted as specified in T4703.
* Rename vlan-id and vlan-range to simply vlan
* Rename network-mode to simply mode
* Re-use existing common Jinja2 template for Accel-PPP which are shared with PPPoE and SSTP server.
* Retrieve default values via defaultValue XML node
2022-09-20 | xml: firewall: T2199: improve interface help string | Christian Poessinger
2022-09-20 | xml: ipsec: T1210: add valueHelp and constraint for remote-access connection name | Christian Poessinger
2022-09-20 | xml: ipsec: T3093: add valueHelp and constraint for profile name | Christian Poessinger
2022-09-17 | Merge pull request #1546 from nicolas-fort/fwall-jump | Christian Poessinger
T4699: Firewall: Add jump action in firewall ruleset
2022-09-17 | pppoe-server: T4703: combine vlan-id and vlan-range into single CLI node | Christian Poessinger
The initial Accel-PPP PPPoE implementation used:
    set service pppoe-server interface <name> vlan-id <id>
    set service pppoe-server interface <name> vlan-range <start-stop>
This is actually a duplicated CLI node.
2022-09-16 | Merge pull request #1463 from sever-sever/T4118 | Daniil Baturin
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
2022-09-16 | T4699: Firewall: Add jump action in firewall ruleset | Nicolas Fort
2022-09-16 | ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer | Viacheslav Hletenko
Migration and Change boolean nodes "enable/disable" to disable-xxxx, enable-xxxx and just xxx for VPN IPsec configurations
- IKE changes:
  - replace 'ipsec ike-group <tag> mobike disable' => 'ipsec ike-group <tag> disable-mobike'
  - replace 'ipsec ike-group <tag> ikev2-reauth yes|no' => 'ipsec ike-group <tag> ikev2-reauth'
- ESP changes:
  - replace 'ipsec esp-group <tag> compression enable' => 'ipsec esp-group <tag> compression'
- PEER changes:
  - replace: 'peer <tag> id xxx' => 'peer <tag> local-id xxx'
  - replace: 'peer <tag> force-encapsulation enable' => 'peer <tag> force-udp-encapsulation'
  - add option: 'peer <tag> remote-address x.x.x.x'
Add 'peer <name> remote-address <name>' via migration script
2022-09-16 | ocserv: T4656: use "0.0.0.0" defaultValue via XML definition" | Christian Poessinger
2022-09-16 | ocserv: openconnect: T4656: add listen-address CLI option | Demon_H
This will set the listen-host ocserv configuration option.
2022-09-16 | xml: T4698: drop validator name="range" and replace it with numeric | Christian Poessinger
After T4669 added support for range validation to the OCaml validator there is no need to keep the slow Python validator in place. Replace all occurrences of
    <validator name="range" argument="--min=1 --max=65535"/>
with
    <validator name="numeric" argument="--range 1-65535"/>.
2022-09-15 | Merge pull request #1477 from sempervictus/feature/ocserv_groups | Viacheslav Hletenko
T3896(adjacent): Fix ocserv local user requirement, add groupconfig
2022-09-15 | bgp: T4696: add support for "bestpath peer-type multipath-relax" | Christian Poessinger
Add new VyOS CLI command:
    set protocols bgp parameters bestpath peer-type multipath-relax
This command specifies that BGP decision process should consider paths from all peers for multipath computation. If this option is enabled, paths learned from any of eBGP, iBGP, or confederation neighbors will be multipath if they are otherwise considered equal cost. [1]
[1]: http://docs.frrouting.org/en/stable-8.3/bgp.html#clicmd-bgp-bestpath-peer-type-multipath-relax
2022-09-15 | Merge branch 'T4689' of https://github.com/jack9603301/vyos-1x into current | Christian Poessinger
* 'T4689' of https://github.com/jack9603301/vyos-1x:
  rfs: T4689: Support RFS(Receive Flow Steering)
2022-09-15 | rfs: T4689: Support RFS(Receive Flow Steering) | jack9603301
2022-09-15 | conntrack: T4691: lower "tcp max-retrans" upper limit | Christian Poessinger
Kernel 5.15.y and newer only support an upper boundary of 255.
    vyos@vyos:~$ sudo sysctl -w net.netfilter.nf_conntrack_tcp_max_retrans=255
    net.netfilter.nf_conntrack_tcp_max_retrans = 255
    vyos@vyos:~$ sudo sysctl -w net.netfilter.nf_conntrack_tcp_max_retrans=256
    sysctl: setting key "net.netfilter.nf_conntrack_tcp_max_retrans": Invalid argument
2022-09-14 | keymap: T4695: Add Spain 'es' and Japan 'jp106' keymaps | Viacheslav Hletenko
Add Spain (es) and Japan (jp106) keymaps
    set system option keyboard-layout es|jp106
2022-09-14 | Merge pull request #1534 from sarthurdev/firewall_interfaces | Christian Poessinger
firewall: zone-policy: T2199: T4605: Refactor firewall, migrate zone-policy
2022-09-13 | zone-policy: T2199: Migrate zone-policy to firewall node | sarthurdev
2022-09-13 | firewall: T2199: Refactor firewall + zone-policy, move interfaces under firewall node | sarthurdev
* Refactor firewall and zone-policy rule creation and cleanup
* Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>`
* Remove `firewall-interface.py` conf script
2022-09-12 | Revert "rfs: T4689: Support RFS(Receive Flow Steering)" | Christian Poessinger
This reverts commit 53355271a2864d844daca89a064c21e514e10adb.
2022-09-12 | rfs: T4689: Support RFS(Receive Flow Steering) | jack9603301
2022-09-10 | policy: T4685: fix non-existent inbound-interface on commit | initramfs
The local-policy and local-policy6 nodes were missing their priority property causing an ordering issue between the creation of dynamic interfaces (like VLAN/Bonding) and referencing said interface in PBR rules. Add a priority value to order local-policy(6) to be after all interface definitions.
2022-09-07 | update-check: T3476: Allow update-check for VyOS images | Viacheslav Hletenko
Ability to autocheck available new images
Parse remote URL JSON image-version.json file and compare version VyOS with a local current version, if find diff sent wall message that the new image is available
Also, add op-mode command to check images "show system image"
With option "auto-check" check will be once per 12 hours
    set system update-check auto-check
    set system update-check url 'http://example.com/image-version.json'
If new version is available shows it per login (MOTD)
2022-09-07 | T1024: Firewall and Policy route: add option to match dscp value, both on firewall and in policy route | Nicolas Fort
2022-09-06 | T4670: policy route: extend matching criteria for policy route and route6. Matching criteria added: ttl/hoplimit and packet-length | Nicolas Fort
2022-09-03 | firewall: T4651: re-implement packet-length CLI option to use <multi/> | Christian Poessinger
2022-09-03 | firewall: T3568: improve default-action help string | Christian Poessinger
2022-09-03 | firewall: T3568: add XML include block for eq,gt,lt options | Christian Poessinger
2022-09-02 | Merge branch 'T4651' of https://github.com/nicolas-fort/vyos-1x into firewall | Christian Poessinger
* 'T4651' of https://github.com/nicolas-fort/vyos-1x:
  Firewall: T4651: Change proposed cli from ip-length to packet-length
  Firewall: T4651: Add options to match packet size on firewall rules.
2022-09-01 | Firewall: T4651: Change proposed cli from ip-length to packet-length | Nicolas Fort
2022-08-31 | nat: T538: Move nat configs to /run directory | Viacheslav Hletenko