Age | Commit message (Collapse) | Author |
|
T5817: Fix for show openvpn server
|
|
In some cases we can get error:
```
Traceback (most recent call last):
File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 173, in <module>
data = get_status(args.mode, intf)
File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 130, in get_status
client["tunnel"] = get_vpn_tunnel_address(client['remote'], interface)
File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 66, in get_vpn_tunnel_address
tunnel_ip = lst[0].split(',')[0]
IndexError: list index out of range
```
|
|
wireguard: T5413: Blocked adding the peer with the router's public key
|
|
https: T5772: Move API key check to http-api.py
|
|
Signed-off-by: Daniil Baturin <daniil@baturin.org>
|
|
|
|
This reverts commit 57ba2fa91573ad2ecd03f0c2eb89507dfc397f1e.
|
|
T5714: op-cmd: Fix for "show log vpn ipsec/all"
|
|
https: T5772: remove the default API key
|
|
The new verification code prevents it from being used,
but it's not a reason to keep it
|
|
pppoe: T5630: make MRU default to MTU if unspecified (backport #2527)
|
|
T5763: fix imprecise check for remote file name (backport #2511)
|
|
(cherry picked from commit fe9b08665367b8e7d9b906a0760d44efc9b5cafb)
|
|
Disabled adding the peer with the same public key as the router has.
Backport from current
https://github.com/vyos/vyos-1x/pull/2122
|
|
smoketest: tftp: T4012: disable VRF based tests due to false positives
|
|
https api: T5772: check if keys are configured unless PAM auth is enabled for GraphQL (backport #2522)
|
|
TFTP VRF support is working on a live system but the smoketests tend to fail.
This commit removes the VRF based smoketests for TFTP server, to make
the equuleus Jenkins builds work again.
|
|
This fixes the implementation in e062a8c11 ("pppoe: T5630: allow to specify MRU
in addition to already configurable MTU") and restores the bahavior that MRU
defaults to MTU if MRU is not explicitly set.
This was the behavior in VyOS 1.3.3 and below before we added ability to define
the MRU value.
(cherry picked from commit ffd7339e2ea3eafdd97ac0763ca4a3913fe71bf3)
|
|
unless PAM auth is enabled for GraphQL
(cherry picked from commit 8c450ea7f538beb0b2cd21d35c05d18db49a1802)
|
|
PAM: T5577: Optimized RADIUS PAM config (backport from circinus)
|
|
- Added system `radius` group
- Added `mandatory` and `optional` modes for RADIUS
- Improved PAM config for RADIUS
New modes:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
T4940: new interfaces debugging command equuleus
|
|
|
|
No results shown for this command "show log vpn ipsec"
Changed to journalctl
|
|
scripts: T4269: node.def generator should automatically add default values (backport)
|
|
bridge: T5670: add missing constraint on "member interface" node
|
|
correct include filename extension
|
|
T5586: Disable by default SNMP for Keeplived VRRP service
|
|
bridge: T5670: add missing constraint on "member interface" node
|
|
One could specify a bridge member of VXLAN1 interface, but it is not possible
to create a VXLAN interface with the name of VXLAN1 - prohibited by VXLAN
interface name validator.
Add missing interface-name validator code
(cherry picked from commit 45dc149e4e3c0c294deac6fd541bb027d2280ea1)
(cherry picked from commit e619b23b8889543465b61eb00d5b0d3c8063ae95)
|
|
vxlan: T5669: unable to change port number
|
|
set interfaces vxlan vxlan23 address '100.64.10.2/24'
set interfaces vxlan vxlan23 remote '192.0.2.1'
set interfaces vxlan vxlan23 source-address '192.0.2.5'
set interfaces vxlan vxlan23 vni '23'
commit
set interfaces vxlan vxlan23 port '4789'
commit
vyos@r1# ip -d link show dev vxlan23
12: vxlan23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 22:6e:6d:33:c5:6b brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
vxlan id 23 remote 192.0.2.1 local 192.0.2.5 srcport 0 0 dstport 8472
Port remains at the default value of 8472
This has been fixed
|
|
T5213: Add accounting-interim-interval option for PPPoE-server
|
|
pppoe: T5630: allow to specify MRU in addition to already configurable MTU (backport #2335)
|
|
Since introducing the XML <defaultValue> node it was common, but redundant,
practice to also add a help string indicating which value would be used as
default if the node is unset.
This makes no sense b/c it's duplicated code/value/characters and prone to
error. The node.def scripts should be extended to automatically render the
appropriate default value into the CLI help string.
For e.g. SSH the current PoC renders:
$ cat templates-cfg/service/ssh/port/node.def
multi:
type: txt
help: Port for SSH service (default: 22)
val_help: u32:1-65535; Numeric IP port
...
Not all subsystems are already migrated to get_config_dict() and make use of
the defaults() call - those subsystems need to be migrated, first before the new
default is added to the CLI help.
(cherry picked from commit a68c9238111c6caee78bb28f8054b8f0cfa0e374)
|
|
(cherry picked from commit e357258e645cf85de0035d4ecfbf99db4dd90f7e)
|
|
Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send
packets of no more than n bytes. The value of n must be between 128 and 16384,
the default was always 1492 to match PPPoE MTU.
A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256
bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280.
CLI:
set interfaces pppoe pppoe0 mru 1280
(cherry picked from commit e062a8c11856f213983f5b41f50d4f9dbc0dde0f)
|
|
Add accounting-interim-interval option for PPPoE-server
set service pppoe-server authentication radius accounting-interim-interval '60'
|
|
AgentX does not work stable. From time to time we see the system
service crashing/degrading if something is wrong with SNMP from
util net-snmp.
We should disable it by default and enable it only if configured.
set high-availability vrrp snmp
|
|
T5594: vrrp: extend function is_ipv6_tentative
|
|
|
|
system: T5555: Fix time-zone migrator changing valid time-zones to UTC
|
|
|
|
T5533: Fix VRRP IPv6 FAULT state due to IPv6 tentative state
|
|
T5545: fix sflow configuration
|
|
Checks if an IPv6 address on a specific network interface is
in the tentative state. IPv6 tentative addresses are not fully configured
and are undergoing Duplicate Address Detection (DAD) to ensure they are
unique on the network.
inet6 2001:db8::3/125 scope global tentative
It tentative state the group enters in FAULT state. Fix it.
|
|
|
|
T5428: fix DHCP client running in VRF context
|
|
(cherry picked from commit 8daf7f95d832550cc31ab22a65aabe969ecae813)
|
|
|