Age | Commit message | Author
2022-09-17 | wireguard: T4702: actively revoke peer if it gets disabled | Christian Poessinger
    When any configured peer is set to `disable` while the Wireguard tunnel is up and running it does not get actively revoked and removed. This poses a security risk as connections keep being alive. Whenever any parameter of a peer changes we actively remove the peer and fully recreate it on the fly.
    (cherry picked from commit a4feb96af9ac45aff41ded1744cf302b5c5a9e7e)
2022-09-15 | Merge pull request #1519 from c-po/t4630-equuleus-peth-macsec | Daniil Baturin
    T4630: disallow same source-interface for macsec and pseudo-ethernet
2022-09-15 | Merge pull request #1539 from sever-sever/T4679-eq | Daniil Baturin
    openvpn: T4679: Fix incorrect verify local and remote address 1.3
2022-09-14 | openvpn: T4679: Fix incorrect verify local and remote address | Viacheslav Hletenko
    In the OpenVPN site-to-site config we can use IPv6 peers without IPv4 configurations but "verify()" checks also local and remote IPv4 addresses that in this case will be empty lists

    For example:
      set interfaces openvpn vtun2 local-address 2001:db8::1
      set interfaces openvpn vtun2 remote-address 2001:db8::2

    Check in the commit (v4loAddr == v4remAddr) <= both empty lists
      commit
      DEBUG: [] == [] or ['2001:db8::2'] == []

    So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr are not empty
2022-09-04 | T4630: can not use same source-interface for macsec and pseudo-ethernet | Christian Poessinger
    A macsec interface requires a dedicated source interface, it can not be shared with another macsec or a pseudo-ethernet interface.

      set interfaces macsec macsec10 address '192.168.2.1/30'
      set interfaces macsec macsec10 security cipher 'gcm-aes-256'
      set interfaces macsec macsec10 security encrypt
      set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4'
      set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
      set interfaces macsec macsec10 source-interface 'eth1'
      commit

      set interfaces pseudo-ethernet peth0 source-interface eth1
      commit

    Results in

      FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private
      returned: exit code: 2
      noteworthy:
      cmd 'ip link add peth0 link eth1 type macvlan mode private'
      returned (out):
      returned (err):
      RTNETLINK answers: Device or resource busy

      [[interfaces pseudo-ethernet peth0]] failed
      Commit failed

    (cherry picked from commit eb4a7ee3afc0765671ce0fa379ab5e3518e9e49e)
2022-09-04 | Merge pull request #1518 from initramfs/equuleus-fix-bond-members (tag: 1.3.2) | Christian Poessinger
    backport: bonding: T4668: Fix bond members not adding/interface state incorrect
2022-09-04 | Merge pull request #1498 from initramfs/fix-v6-default-route | Christian Poessinger
    pppoe: T4648: fix incorrect installation of IPv6 default route even when default-route is set to none
2022-09-02 | bonding: T4668: fix live bonding member add or remove | initramfs
    Fixes several bugs around bonding member interface states not matching the committed configuration, including:
    - Disabled removed interfaces coming back up
    - Newly added disabled interfaces not staying down
    - Newly added interfaces not showing up in the bond
2022-09-02 | bonding: T4668: refactor configuration mode interface bonding script | initramfs
    Refactor interfaces-bonding.py to simplify existing code and to remove potentially bug-prone sections in preparation for member add/remove fixes for T4668.
2022-08-29 | Merge pull request #1507 from c-po/t4653-offloading-equuleus | Christian Poessinger
    ethernet: T4653: bugfix copy-paste when processing NIC offloading
2022-08-29 | ethernet: T4653: bugfix copy-paste when processing NIC offloading | Christian Poessinger
    Commit 31169fa8a763e ("vyos.ifconfig: T3619: only set offloading options if supported by NIC") added the new implementation which handles NIC offloading. Unfortunately every single implementation was copied from "gro" which resulted in a change to gro for each offloading option - thus options like lro, sg, tso had no effect at all.

    It all comes down to copy/paste errors ... one way or another.

    (cherry picked from commit b01f27b3bb3f4cbc6096011856d83009d0440313)
2022-08-29 | Merge pull request #1504 from sever-sever/T4654-eq | Daniil Baturin
    rpki: T4654: Fix RPKI cache description (1.3)
2022-08-29 | rpki: T4654: Fix RPKI cache description | Viacheslav Hletenko
    Fix wrong descriptions for the RPKI server
    It was mentioned about the NTP server
2022-08-27 | pppoe: T4648: stop default route from being installed under IPv6 | initramfs
    Adds a sysctl parameter to ignore the default router obtained from router advertisements when pppoe default-route is set to 'none'.
2022-08-25 | Merge pull request #1494 from c-po/equuleus-proxy-t4642 | Christian Poessinger
    proxy: T4642: bugfix regex, add hyphen to allow list
2022-08-25 | proxy: T4642: allow https proxy transports | Christian Poessinger
    (cherry picked from commit 73be77ec42d06a369974bfb1255839164f73c276)
2022-08-24 | proxy: T4642: bugfix regex, add hyphen to allow list | Christian Poessinger
    (cherry picked from commit bfa13e367d0b77105ba350a34da8212859f07f59)
2022-08-22 | Merge pull request #1479 from c-po/macsec-t4538-equuleus | Daniil Baturin
    ethernet: T4538: fix wrong systemd unit used for EAPoL (equuleus)
2022-08-22 | Merge pull request #1484 from c-po/bridge-fixes | Christian Poessinger
    bridge: T4632: vlan aware bridge lacks CPU forwarding
2022-08-22 | bridge: T4632: vlan aware bridge lacks CPU forwarding | Christian Poessinger
    The VLAN aware bridge was forwarding traffic between member ports, but traffic destined towards the CPU was dropped. This resulted in a gateway not reachable or DHCP leases that could not be handed out.

    Tested via:

    VyOS
      set interfaces bridge br0 enable-vlan
      set interfaces bridge br0 member interface eth1 allowed-vlan '10'
      set interfaces bridge br0 member interface eth1 allowed-vlan '20'
      set interfaces bridge br0 member interface eth1 allowed-vlan '30'
      set interfaces bridge br0 member interface eth1 allowed-vlan '40'
      set interfaces bridge br0 member interface eth1 native-vlan '40'
      set interfaces bridge br0 member interface eth2 allowed-vlan '30'
      set interfaces bridge br0 member interface eth2 allowed-vlan '20'
      set interfaces bridge br0 member interface eth2 allowed-vlan '10'
      set interfaces bridge br0 member interface eth2 allowed-vlan '40'
      set interfaces bridge br0 vif 10 address '10.0.10.1/24'
      set interfaces bridge br0 vif 20 address '10.0.20.1/24'
      set interfaces bridge br0 vif 30 address '10.0.30.1/24'
      set interfaces bridge br0 vif 40 address '10.0.40.1/24'

    Arista vEOS
      vlan 10,20,30,40
      interface Ethernet1
        switchport trunk allowed vlan 10,20,30,40
      interface Vlan10
        ip address 10.0.10.2/24
      interface Vlan20
        ip address 10.0.20.2/24
      interface Vlan30
        ip address 10.0.30.2/24
      interface Vlan40
        ip address 10.0.40.2/24
      interface Ethernet1
        switchport trunk allowed vlan 10,20,30,40
        switchport mode trunk
        spanning-tree portfast

    Cisco vIOS
      interface GigabitEthernet0/0
        ip address 10.0.40.3 255.255.255.0
        duplex auto
        speed auto
        media-type rj45
      !
      interface GigabitEthernet0/0.10
        encapsulation dot1Q 10
        ip address 10.0.10.3 255.255.255.0
      !
      interface GigabitEthernet0/0.20
        encapsulation dot1Q 20
        ip address 10.0.20.3 255.255.255.0
      !
      interface GigabitEthernet0/0.30
        encapsulation dot1Q 30
        ip address 10.0.30.3 255.255.255.0
      !

    (cherry picked from commit f60d0e1ce029925b843f635b36154c90049b9577)
2022-08-22 | Merge pull request #1480 from c-po/t4629-equuleus | Daniil Baturin
    T4629: Raised ConfigErrors contain dict instead of only the dict key (equuleus)
2022-08-19 | vyos.config.configdict: T4592: T4629: only print interface name, not interface dict on error | Christian Poessinger
    (cherry picked from commit 475fbb785dca76868715827833dc44115635c4a6)
2022-08-19 | ethernet: T4538: fix wrong systemd unit used for EAPoL | Christian Poessinger
    When MACsec was bound to an ethernet interface and the underlying source-interface got changed (even description only) this terminated the MACsec session running on top of it.

    The root cause is when EAPoL was implemented in commit d59354e52a8a7f we re-used the same systemd unit which is responsible for MACsec. That indeed led to the fact that wpa_supplicant was always stopped when anything happened on the underlying source-interface that was not related to EAPoL.

    (cherry picked from commit f92a23ef9ab8be59681e5b7ba627e399d89bce53)
2022-08-18 | Merge pull request #1470 from c-po/openconnect-T4614 | Daniil Baturin
    ocserv: openconnect: T4614: add support for split-dns (equuleus)
2022-08-16 | Merge pull request #1473 from dmbaturin/T4039-equ | Viacheslav Hletenko
    syslog: T4039: Add protocol23format logging for UDP
2022-08-16 | syslog: T4039: Add protocol23format logging for UDP | Viacheslav
    Add protocol23format for rsyslog protocol UDP
    Add ability to use IPv6 addresses (bracketize_ipv6) for protocol TCP and UDP, when protocol is configured explicitly
2022-08-16 | Merge pull request #1472 from c-po/debian-t4584-equuleus | Daniil Baturin
    Debian: T4584: remove version number from hostap package requirement
2022-08-16 | Debian: T4584: remove version number from hostap package requirement | Christian Poessinger
    (cherry picked from commit 681bdf2946d1d10f3b432f70452a8d018b7a98ae)
2022-08-15 | openconnect: T4616: bugfix KeyError: 'local_users' | Christian Poessinger
    To reproduce:
      set vpn openconnect authentication mode local
      commit

      Traceback (most recent call last):
        File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 147, in <module>
          verify(c)
        File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 64, in verify
          if not ocserv["authentication"]["local_users"] or not ocserv["authentication"]["local_users"]["username"]:
      KeyError: 'local_users'
2022-08-15 | ocserv: openconnect: T4614: add support for split-dns | Christian Poessinger
    set vpn openconnect network-settings split-dns <domain>

    (cherry picked from commit e41685a2f56cca0a53b4f8c084f61a85cf561c80)
2022-08-15 | smoketest: ocserv: implement config file validation | Christian Poessinger
    (cherry picked from commit bd102eac6d0c97a5f75324d1248814ebdad42da5)
2022-08-15 | Merge pull request #1469 from c-po/macsec-equuleus | Christian Poessinger
    MACsec: T4537: fix AES-GCM-256 support
2022-08-15 | macsec: T4537: macsec_csindex can be set even without encryption | Christian Poessinger
    (cherry picked from commit 0943ac00412b0049b7a20a54e27e7b8025726598)
2022-08-15 | smoketest: macsec: T4537: validate macsec_csindex for both AES-GCM-128 and AES-GCM-256 | Christian Poessinger
    (cherry picked from commit e19889adf8cef101d85a279055271a68b078ec73)
2022-08-15 | macsec: T4592: can not create two interfaces using the same source-interface | Christian Poessinger
    (cherry picked from commit 993961f60ead2a18912eb577b1152463d4eb8b4e)
2022-08-15 | smoketest: macsec: T4537: verify macsec_csindex | Christian Poessinger
    (cherry picked from commit 17e76dc77801ac58b2587f664c884c0d671a55c0)
2022-08-15 | macsec: T4537: add missing macsec_csindex option to support GCM-AES-256 | Christian Poessinger
    (cherry picked from commit 258e6873b60531fe70d868d2e53ce2f921fe7f13)
2022-08-15 | macsec: T4537: remove debug flag "-d" from systemd service file | Christian Poessinger
    (cherry picked from commit fa25d349aebc86e43957f37db765787fb7e431db)
2022-08-15 | macsec: T4537: supply PID path via systemd service file to daemon | Christian Poessinger
    (cherry picked from commit 5e919d3f91bccaf64878a94756c21766896db132)
2022-08-15 | macsec: T4537: restart wpa_supplicant on error | Christian Poessinger
    (cherry picked from commit b2ff1407330e383a9fff688376377efc534bcfbc)
2022-08-15 | macsec: T2023: fixup systemd unit description | Christian Poessinger
    (cherry picked from commit bc70c1f502bc587627b1bd15f6803c6c09d20a66)
2022-08-15 | macsec: T4537: support online cipher and source-interface re-configuration | Christian Poessinger
    (cherry picked from commit 82d8494d349edd7707c3811a71ca0e9c0648204e)
2022-08-15 | macsec: T4537: allow 32-byte keys for gcm-aes-256 | Christian Poessinger
    (cherry picked from commit 393355f7feaa921eba46b83d4f15ad4a5c37adab)
2022-08-15 | Merge pull request #1467 from dmbaturin/macsec-fix | Christian Poessinger
    Fix missing dict_search import in interfaces-macsec.py
2022-08-13 | Fix missing dict_search import in interfaces-macsec.py | Daniil Baturin
2022-08-04 | Merge pull request #1453 from sever-sever/T4572-eq | Daniil Baturin
    mtu: T4572: Add DHCP-option MTU to get values from DHCP-server
2022-08-04 | Merge pull request #1450 from c-po/bridge-fixes-equuleus | Christian Poessinger
    bridge: bugfixes for equuleus
2022-08-01 | Merge pull request #1448 from initramfs/fix-t4582-equuleus | Christian Poessinger
    backport: router-advert: T4582: fix preferred cannot equal valid lifetime
2022-08-01 | mtu: T4572: Add DHCP-option MTU to get values from DHCP-server | Viacheslav Hletenko
    Ability to get MTU from DHCP-server and don't touch it per any interface change if interface 'dhcp-options mtu' is configured
    (cherry picked from commit 29b0ee30bf2622a40ca3d17e3f6b9e94e5b62072)
2022-08-01 | macsec: T3368: check key length for gcm-aes-128/gcm-aes-256 | Christian Poessinger
    (cherry picked from commit a09359828e38c5b51a4579af16b5ea263a98233f)