Age | Commit message (Collapse) | Author |
|
firewall: T4299: Add ability to inverse match country-codes
|
|
|
|
When clients only use DHCP for interface addressing we can not bind NTPd to
an address - as it will fail if the address changes. This commit adds support
to bind ntpd to a given interface in addition to a given address.
set system ntp interface <name>
|
|
|
|
smoketest: T4485: Add CRL for configtest, add script for configtest PKI objects
|
|
Allows easy creation of test PKI objects using `vyos.pki` module
Generates objects for PKI migration tests
|
|
|
|
|
|
openvpn: T4485: Accept multiple tls ca-certificate values
|
|
set service router-advert interface eth0 name-server-lifetime <value>
|
|
* Also determines and maps to correct CA for migrated CRL
|
|
route-map
|
|
|
|
|
|
* Refactor nftables clean-up code
* Adds policy route test for using firewall groups
|
|
firewall: T478: Add support for nesting groups
|
|
|
|
|
|
Firewall: T3907: add log-level options in firewall
|
|
Staic-host-mapping 'example.com' should be exists before we
configure firewall domain-group FOO address example.com
|
|
|
|
firewall: T970: Add firewall group domain-group
|
|
|
|
smoketest: T4387: Add test for load-balancing wan
|
|
for ipv4
|
|
Create 2 network namespaces which allow us to emulate 2 ISP
with different static addresses
Check routing table 201 for the first ISP and table 202 for the
second ISP. Each table must contain default route
(cherry picked from commit 6b75cbb0575ca95806e969f5d7f219c0cbeea334)
|
|
pki: T3642: Update conf scripts using changed PKI objects
|
|
|
|
|
|
|
|
prefix-len on both matches. Also change help properties of route-source node.
|
|
Commit f9e38622 ("rip: T4448: add support to set protocol version on an
interface level") also added the versionspecified on a per interface level.
the RIp version carried a default value of 2 which makes RIPv1 and RIPv2 no
longer working which is dthe default for FRR. Remove the default "2" from the
RIP version specifier to make this behavior work again.
|
|
* 'T4449' of https://github.com/nicolas-fort/vyos-1x:
Policy: T4449: Extend matching options for route-map ip nexthop
|
|
|
|
Domain group allows to filter addresses by domain main
Resolved addresses as elements are stored to named "nft set"
that used in the nftables rules
Also added a dynamic "resolver" systemd daemon
vyos-domain-group-resolve.service which starts python script
for the domain-group addresses resolving by timeout 300 sec
set firewall group domain-group DOMAINS address 'example.com'
set firewall group domain-group DOMAINS address 'example.org'
set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 source group domain-group 'DOMAINS'
set interfaces ethernet eth0 firewall local name 'FOO'
nft list table ip filter
table ip filter {
set DOMAINS {
type ipv4_addr
flags interval
elements = { 192.0.2.1, 192.0.2.85,
203.0.113.55, 203.0.113.58 }
}
chain NAME_FOO {
ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"
counter packets 0 bytes 0 return comment "FOO default-action accept"
}
}
|
|
|
|
|
|
|
|
|
|
The migration script bgp/0-to-1 did not address
'protocols bgp ASN' -> 'protocols bgp local-as ASN'
under a vrf. Move to configs.no-load for review on extending/adding a
migration script.
|
|
The config vrf-basic reveals a missing block in the migration script
vrf/0-to-1, moving 'next-hop-vrf' to 'vrf'. As this only exists in
Sagitta, modify script 0-to-1. Also, fix the 'system nt' typo seen in
vrf-ospf.
|
|
The pki-ipsec sagitta-era config contains
'vpn ipsec ipsec-interfaces interface eth0'
with ipsec component version ipsec@6, however, this construction is
successfully moved by migration script ipsec/5-to-6. Consequently, this
must have been an error in translation of the config file. Note that
this is unrelated to the corrected error regarding an empty
'ipsec-interfaces' node. Move config to configs.no-load for review.
|
|
bgp_small_as contains set commands such as:
'protocols static route 10.0.0.0/8 MY-NAS distance 254'
which would appear to have no meaning, in any VyOS version.
Move to config.no-load for analysis.
|
|
The component version in bgp-dmvpn-spoke is nat@5, however, 4-to-5
removes the boolean argument. It is confirmed that the migration script
works correctly, hence, it must be a typo in translation; remove
argument 'enable'.
|
|
The config file isis-small has system@20, but 'user level' which was
migrated in system/16-to-17; remove the line in the config, as there is
no problem with the migration script in question.
|
|
This is a typo in vrf-ospf: 'system nt' on the line before 'system ntp'.
|
|
FRR: T4020: Added CLI options for FRR daemons
|
|
syntax
|
|
|
|
Sshguard protects hosts from brute-force attacks
Can inspect logs and block "bad" addresses by threshold
Auto-generate rules for nftables
When service stopped all generated rules are deleted
nft "type filter hook input priority filter - 10"
set service ssh dynamic-protection
set service ssh dynamic-protection block-time 120
set service ssh dynamic-protection detect-time 1800
set service ssh dynamic-protection threshold 30
set service ssh dynamic-protection whitelist-address 192.0.2.1
|