| Age | Commit message (Collapse) | Author |
|---|
|
It can be more then 5 symbols in top-level-domain address
for example '.photography' and '.accountants'
Firewall group can be added without address:
* set firewall group domain-group DOMAIN
Check if 'address' exists in group_config
|
|
|
|
* 'sstp_port' of https://github.com/goodNETnick/vyos-1x:
sstp: T4444. Port number changing support
|
|
firewall: T970: Add firewall group domain-group
|
|
|
|
event-handler: T3083: Add simple event-handler
|
|
Before:
set service event-handler Foo
After:
set service event-handler event Foo
|
|
* Added the ability to filter by a syslog identifier
* Added the ability to pass arguments to a script
* Added the ability to pass preconfigured environment variables to a script
* A message that triggered a script is now passed in the `message` variable and
can be used in a script
* Replaced `call()` to `run()`, since stdout are not need to be printed
|
|
Move 'system event-handler' to 'service event-handler'
|
|
* Removed dynamic generating for systemd unit
* Optimized configuration file deleting process
* Added exceptions handlers to event-handler script to protect service
from most obvious potential troubles
* Improved logging
* Moved pattern compilation outside a messages loop to avoid extra operations
* Added signal handlers for proper systemd integration
|
|
Event-handler allows executing a custom script when in logs it
detects configured "pattern"
A simple implemenation
set system event-handler first pattern '.*ssh2.*'
set system event-handler first script '/config/scripts/hello.sh'
|
|
|
|
|
|
|
|
OWAMP is a command line client application and a policy daemon used
to determine one way latencies between hosts.
OWAMP session control uses traditional client-server communication
between a control-client and a server,
TWAMP (two-way active measurement protocol)
Add configuration and operation modes
set service sla owamp-server
set service sla twamp-server
run force owping 192.0.2.120
run force twping 192.0.2.190
|
|
pki: T3642: Update conf scripts using changed PKI objects
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Commit f9e38622 ("rip: T4448: add support to set protocol version on an
interface level") also added the versionspecified on a per interface level.
the RIp version carried a default value of 2 which makes RIPv1 and RIPv2 no
longer working which is dthe default for FRR. Remove the default "2" from the
RIP version specifier to make this behavior work again.
|
|
|
|
|
|
|
|
Domain group allows to filter addresses by domain main
Resolved addresses as elements are stored to named "nft set"
that used in the nftables rules
Also added a dynamic "resolver" systemd daemon
vyos-domain-group-resolve.service which starts python script
for the domain-group addresses resolving by timeout 300 sec
set firewall group domain-group DOMAINS address 'example.com'
set firewall group domain-group DOMAINS address 'example.org'
set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 source group domain-group 'DOMAINS'
set interfaces ethernet eth0 firewall local name 'FOO'
nft list table ip filter
table ip filter {
set DOMAINS {
type ipv4_addr
flags interval
elements = { 192.0.2.1, 192.0.2.85,
203.0.113.55, 203.0.113.58 }
}
chain NAME_FOO {
ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"
counter packets 0 bytes 0 return comment "FOO default-action accept"
}
}
|
|
|
|
http-api: T4442: Add action reset
|
|
Add action 'reset' (op-mode) for HTTP-API
http://localhost/reset
curl --unix-socket /run/api.sock -X POST -Fkey=mykey \
-Fdata='{"op": "reset", "path": ["ip", "bgp", "192.0.2.14"]}' \
http://localhost/reset
|
|
The config vrf-basic reveals a missing block in the migration script
vrf/0-to-1, moving 'next-hop-vrf' to 'vrf'. As this only exists in
Sagitta, modify script 0-to-1. Also, fix the 'system nt' typo seen in
vrf-ospf.
|
|
Migration of bgp-azure-ipsec-gateway and bgp_dmvpn_hub reveals that
migration script ipsec/5-to-6 leaves the empty node 'ipsec-interfaces'
after moving the interface; fix the migration script, as it is not yet
in 1.3.
|
|
ocserv: T4420: show configured 2FA OTP key
|
|
FRR: T4020: Added CLI options for FRR daemons
|
|
|
|
|
|
|
|
monitoring: T4418: Add output plugin azure-data-explorer
|
|
Add output telegraf Plugin Azure Data Explorer
set service monitoring telegraf azure-data-explorer authentication client-id 'x'
set service monitoring telegraf azure-data-explorer authentication client-secret 'x'
set service monitoring telegraf azure-data-explorer authentication tenant-id 'x'
set service monitoring telegraf azure-data-explorer database 'x'
set service monitoring telegraf azure-data-explorer group-metrics 'single-table'
set service monitoring telegraf azure-data-explorer url 'http://localhost.loc'
|
|
|
|
|
|
|
|
sshguard: T4408: Add service ssh dynamic-protection
|
|
Sshguard protects hosts from brute-force attacks
Can inspect logs and block "bad" addresses by threshold
Auto-generate rules for nftables
When service stopped all generated rules are deleted
nft "type filter hook input priority filter - 10"
set service ssh dynamic-protection
set service ssh dynamic-protection block-time 120
set service ssh dynamic-protection detect-time 1800
set service ssh dynamic-protection threshold 30
set service ssh dynamic-protection whitelist-address 192.0.2.1
|
|
|
|
systemd has its internal reload or restart logic - we do not need to programm
it on our own.
|
|
|
|
This reverts commit d1455f936ca721633fcc04d5c84169b4ccf2f447.
New spokes can't register on hub with 'reload-or-restart' option
And requires option 'restart' for opennhrp.service
|
|
- Default dhclient script only uses value of `$IF_MERIC` envvar for default route recived via `router` option.
- This variable has no effect on rotes received via `rfc3442-classless-static-routes` option
- Considering that Vyos overrrides `ip` command originating from `dhclient` this can be easily fixed in `iptovtysh()` function by using the `$IF_METRIC` envvar directly in the dhclient hook.
(cherry picked from commit 0c00e7bf8b6e68814607fde4ff0cd70ce9f4b486)
|
|
Reduce bloat of containers_op.py wrapper script. All commands can be passed
directly to podman via the XML script. This also makes the execution faster,
as no Python environment needs to be build up.
|
