summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-02-20ipsec: T3948: Add CLI site-to-site peer connection-type noneViacheslav Hletenko
set vpn ipsec site-to-site peer 192.0.2.14 connection-type none
2022-02-20macsec: T4261: add dhcp client supportChristian Poessinger
2022-02-20smoketest: dhcp: T4203: set missing interface options if presentChristian Poessinger
Commit 5d14a04b ("smoketest: dhcp: T4203: move testcase to base class") added global support in the test case framework for DHCP tests. Some interfaces (e.g. MACsec) require additional options to be passed before the test can be launched. In the MACsec case this includes a source interface, or encryption ciphers.
2022-02-20Merge branch 't4203-dhcp' into currentChristian Poessinger
* t4203-dhcp: smoketest: dhcp: T4203: move testcase to base class static: T4203: obey interface dhcp default route distance interface: T4203: prevent DHCP client restart if not necessary
2022-02-20Merge pull request #1226 from sever-sever/T4254Christian Poessinger
vpn: T4254: Add cisco_flexvpn and install_virtual_ip_on options
2022-02-20smoketest: dhcp: T4203: move testcase to base classChristian Poessinger
We do not only provide DHCP functionality to ethernet interfaces, it's a common feature so the testcase should be made available for multiple interface types.
2022-02-20static: T4203: obey interface dhcp default route distanceChristian Poessinger
Commit 05aa22dc ("protocols: static: T3680: do not delete DHCP received routes") added a bug whenever a static route is modified - the DHCP interface will always end up with metric 210 - if there was a default route over a DHCP interface.
2022-02-20interface: T4203: prevent DHCP client restart if not necessaryChristian Poessinger
In the past whenever a change happened to any interface and it was configured as a DHCP client, VyOS always had a breif outage as DHCP released the old lease and re-aquired a new one - bad! This commit changes the behavior that DHCP client is only restarted if any one of the possible options one can set for DHCP client under the "dhcp-options" node is altered.
2022-02-20Merge pull request #1229 from sever-sever/T4249Christian Poessinger
containers: T4249: Allow to connect host device to the container
2022-02-19containers: T4249: Allow to connect host device to the containerViacheslav Hletenko
Ability to attach host devices to the container It can be disk, USB device or any device from the directory /dev set container name alp01 device disk source '/dev/vdb1' set container name alp01 device disk destination '/dev/mydisk'
2022-02-19vpn: T4254: Add cisco_flexvpn and install_virtual_ip_on optionsViacheslav Hletenko
Ability to set Cisco FlexVPN vendor ID payload: charon.cisco_flexvpn charon.install_virtual_ip_on swanctl.connections.<conn>.vips = x.x.x.x, z.z.z.z set vpn ipsec options flexvpn set vpn ipsec options virtual-ip set vpn ipsec options interface tunX set vpn ipsec site-to-site peer x.x.x.x virtual-address x.x.x.x
2022-02-19smoketest: T4258: dhcp: bugfix failover portsChristian Poessinger
Commit 5fc9ef9e ("DHCP : T4258: Set correct port for dhcp-failover") changed how the failover port is rendered into the ISC DHCPd configuration - adjustment of the smoketests was missed out.
2022-02-19Merge pull request #1227 from chenxiaolong/T4245Christian Poessinger
pki: eapol: T4245: Add full CA and client cert chains to wpa_supplicant PEM files
2022-02-19Merge pull request #1228 from fett0/T4258Christian Poessinger
DHCP : T4258: Set correct port for dhcp-failover
2022-02-18DHCP : T4258: Set correct port for dhcp-failoverfett0
2022-02-17pki: eapol: T4245: Add full CA and client cert chains to wpa_supplicant PEM ↵Andrew Gunnerson
files This commit updates the eapol code so that it writes the full certificate chains for both the specified CA and the client certificate to `<iface>_ca.pem` and `<iface>_cert.pem`, respectively. The full CA chain is necessary for validating the incoming server certificate when it is signed by an intermediate CA and the intermediate CA cert is not included in the EAP-TLS ServerHello. In this scenario, wpa_supplicant needs to have both the intermediate CA and the root CA in its `ca_file`. Similarly, the full client certificate chain is needed when the ISP expects/requires that the client (wpa_supplicant) sends the client cert + the intermediate CA (or even + the root CA) as part of the EAP-TLS ClientHello. Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
2022-02-17vyos.configverify: T4255: fix unexpected print of dictionary instead of keyChristian Poessinger
2022-02-17openvpn: T4230: globally enable ip_nonlocal_bindChristian Poessinger
2022-02-17Merge pull request #1211 from sever-sever/T4230-curChristian Poessinger
openvpn: T4230: Delete checks if local-host address assigned
2022-02-17Merge pull request #1225 from jestabro/component-versionJohn Estabrook
T3474: move component version info to XML
2022-02-16xml: T3474: get component version dictionary from xml cache, not legacyJohn Estabrook
2022-02-16xml: T3474: add smoketest to check xml component versions are maintainedJohn Estabrook
Add smoketest to catch updates to a component version in legacy curver_DATA that is not present in xml syntaxVersion.
2022-02-16xml: T3474: add component version include filesJohn Estabrook
Add the include files containing the syntaxVersion element defining the version of the respective component; these files are included by the top level file 'xml-component-versions.xml.in'. Processing of these elements was previously added to the python xml lib in commit 40f5359d. This will replace the use of 'curver_DATA' in vyatta-cfg-system and other legacy packages.
2022-02-16policy: T2425: add completion helper script when referencing IP addressesChristian Poessinger
2022-02-16wireless: T4240: bugfix interface bridgingChristian Poessinger
VLAN isolation can not be "set" when interface is of type wifi.
2022-02-15Merge pull request #1223 from sever-sever/T4237-curChristian Poessinger
conntrack-sync: T4237: Fix checks for listen-address list to str
2022-02-15conntrack-sync: T4237: Fix checks for listen-address list to strViacheslav Hletenko
Verify section conntrack_sync.py funciton 'is_addr_assigned' should checks address as string not as list (cherry picked from commit c41c51e4ed7ceb293161014a73bdd350162c3300)
2022-02-15Merge pull request #1220 from chenxiaolong/T4244Christian Poessinger
pki: eapol: T4244: Fix KeyError when CA cert name differs from client cert name
2022-02-14pki: eapol: T4244: Fix KeyError when CA cert name differs from client cert nameAndrew Gunnerson
This commit fixes a small typo where the client cert name was being used to index the CA configuration dict. Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
2022-02-14tunnel: T4154: import cleanupChristian Poessinger
2022-02-14tunnel: T4154: verify() no more then one GRE tunnel is used w/o "ip key" per ↵Christian Poessinger
interface It is impossible for the OS kernel to distinguish multiple GRE tunnels when no "gre key" is configured when sourcing tunnels from the same interface.
2022-02-13ethernet: T4242: speed/duplex can never be switched back to auto/autoChristian Poessinger
2022-02-13vrf: T4191: bugfix for "ip rule" when VRFs are createdChristian Poessinger
We always mangled and worked on the "ip rule" singleton even when nothing needed to be changed. This resulted in a VRF hickup when the same VRF was added and removed multiple times. set interfaces ethernet eth1 vrf foo set vrf name foo table '1000' commit delete interfaces ethernet eth1 vrf delete vrf commit set interfaces ethernet eth1 vrf foo set vrf name foo table '1000' commit broke reachability on eth1 - a reboot was required. This change will now only alter the ip rule tables once when VRF instances are created for the first time and will not touch the Kernel "ip rule" representation afterwards.
2022-02-13vyos.util: T4191: add new sysctl() helper functionChristian Poessinger
2022-02-12policy: T2199: bugfix verify_rule() on negated groupsChristian Poessinger
Related to #1215
2022-02-11Merge pull request #1214 from sever-sever/T3686Christian Poessinger
openvpn: T3686: Fix for check local-address in script and tmpl
2022-02-11Merge pull request #1217 from sever-sever/T4236Christian Poessinger
openvpn: T4236: Add generator for ovpn configurations in op-mode
2022-02-11Merge pull request #1216 from sever-sever/T3872Christian Poessinger
smoketest: T3872: Fix token check for monitoring test
2022-02-10openvpn: T4236: Add generator for ovpn configurations in op-modeViacheslav Hletenko
This generator generates client .ovpn files with required initial configuration It gets information from interface vtun, pki ca and certificates
2022-02-10Merge pull request #1133 from zdc/T1925-sagittaDaniil Baturin
ipsec: T1925: Fixed `show vpn ipsec sa` output
2022-02-10smoketest: T3872: Fix token check for monitoring testViacheslav Hletenko
As INFLUX_TOKEN is present in override.conf.tmpl environment we expect variable "$INFLUX_TOKEN" in the telegraf template and config but not value of the token
2022-02-10Merge pull request #1213 from jestabro/config-diffChristian Poessinger
configtree: T4235: encapsulate config tree diff function
2022-02-09openvpn: T3686: Fix for check local-address in script and tmplViacheslav Hletenko
Local-address should be checked/executed only if it exists in the openvpn configuration, dictionary, jinja2 template
2022-02-09openvpn: T4230: Delete checks if local-host address assignedViacheslav Hletenko
OpenVPN can't start if it depends on VRRP virtual-address as virtual-address is not yet assigned by HA (openvpn and ha in one commit) as we have checks "if address assigned" It depends on commit priorities: 460 interfaces/openvpn 800 high-availability Replace check if local-host address assigned from raise ConfigError to print (just notification) Allow to bind OpenVPN service to nonlocal address
2022-02-08configtree: T4235: encapsulate config tree diff functionJohn Estabrook
2022-02-08Merge pull request #1208 from sever-sever/T3600Christian Poessinger
dhcp: T3600: Fix DHCP static table dhcp-interface route
2022-02-08Merge pull request #1209 from sever-sever/T3872Christian Poessinger
monitoring: T3872: Add input filter for firewall InfluxDB2
2022-02-08monitoring: T3872: Add input filter for firewall InfluxDB2Viacheslav Hletenko
Input filter for firewall allows to get bytes/counters from nftables in format, required for InfluxDB2
2022-02-07xml: ssh: T4233: sync regex for allow/deny usernames to "system login"Christian Poessinger
2022-02-07dhcp: T3600: Fix DHCP static table dhcp-interface routeViacheslav Hletenko
Static table dhcp-interface route required table in template Without table this route will be placed to table 'main' by default