summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-02-19Merge pull request #1227 from chenxiaolong/T4245Christian Poessinger
pki: eapol: T4245: Add full CA and client cert chains to wpa_supplicant PEM files
2022-02-19Merge pull request #1228 from fett0/T4258Christian Poessinger
DHCP : T4258: Set correct port for dhcp-failover
2022-02-18DHCP : T4258: Set correct port for dhcp-failoverfett0
2022-02-17pki: eapol: T4245: Add full CA and client cert chains to wpa_supplicant PEM ↵Andrew Gunnerson
files This commit updates the eapol code so that it writes the full certificate chains for both the specified CA and the client certificate to `<iface>_ca.pem` and `<iface>_cert.pem`, respectively. The full CA chain is necessary for validating the incoming server certificate when it is signed by an intermediate CA and the intermediate CA cert is not included in the EAP-TLS ServerHello. In this scenario, wpa_supplicant needs to have both the intermediate CA and the root CA in its `ca_file`. Similarly, the full client certificate chain is needed when the ISP expects/requires that the client (wpa_supplicant) sends the client cert + the intermediate CA (or even + the root CA) as part of the EAP-TLS ClientHello. Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
2022-02-17vyos.configverify: T4255: fix unexpected print of dictionary instead of keyChristian Poessinger
2022-02-17openvpn: T4230: globally enable ip_nonlocal_bindChristian Poessinger
2022-02-17Merge pull request #1211 from sever-sever/T4230-curChristian Poessinger
openvpn: T4230: Delete checks if local-host address assigned
2022-02-17Merge pull request #1225 from jestabro/component-versionJohn Estabrook
T3474: move component version info to XML
2022-02-16xml: T3474: get component version dictionary from xml cache, not legacyJohn Estabrook
2022-02-16xml: T3474: add smoketest to check xml component versions are maintainedJohn Estabrook
Add smoketest to catch updates to a component version in legacy curver_DATA that is not present in xml syntaxVersion.
2022-02-16xml: T3474: add component version include filesJohn Estabrook
Add the include files containing the syntaxVersion element defining the version of the respective component; these files are included by the top level file 'xml-component-versions.xml.in'. Processing of these elements was previously added to the python xml lib in commit 40f5359d. This will replace the use of 'curver_DATA' in vyatta-cfg-system and other legacy packages.
2022-02-16policy: T2425: add completion helper script when referencing IP addressesChristian Poessinger
2022-02-16wireless: T4240: bugfix interface bridgingChristian Poessinger
VLAN isolation can not be "set" when interface is of type wifi.
2022-02-15Merge pull request #1223 from sever-sever/T4237-curChristian Poessinger
conntrack-sync: T4237: Fix checks for listen-address list to str
2022-02-15conntrack-sync: T4237: Fix checks for listen-address list to strViacheslav Hletenko
Verify section conntrack_sync.py funciton 'is_addr_assigned' should checks address as string not as list (cherry picked from commit c41c51e4ed7ceb293161014a73bdd350162c3300)
2022-02-15Merge pull request #1220 from chenxiaolong/T4244Christian Poessinger
pki: eapol: T4244: Fix KeyError when CA cert name differs from client cert name
2022-02-14pki: eapol: T4244: Fix KeyError when CA cert name differs from client cert nameAndrew Gunnerson
This commit fixes a small typo where the client cert name was being used to index the CA configuration dict. Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
2022-02-14tunnel: T4154: import cleanupChristian Poessinger
2022-02-14tunnel: T4154: verify() no more then one GRE tunnel is used w/o "ip key" per ↵Christian Poessinger
interface It is impossible for the OS kernel to distinguish multiple GRE tunnels when no "gre key" is configured when sourcing tunnels from the same interface.
2022-02-13ethernet: T4242: speed/duplex can never be switched back to auto/autoChristian Poessinger
2022-02-13vrf: T4191: bugfix for "ip rule" when VRFs are createdChristian Poessinger
We always mangled and worked on the "ip rule" singleton even when nothing needed to be changed. This resulted in a VRF hickup when the same VRF was added and removed multiple times. set interfaces ethernet eth1 vrf foo set vrf name foo table '1000' commit delete interfaces ethernet eth1 vrf delete vrf commit set interfaces ethernet eth1 vrf foo set vrf name foo table '1000' commit broke reachability on eth1 - a reboot was required. This change will now only alter the ip rule tables once when VRF instances are created for the first time and will not touch the Kernel "ip rule" representation afterwards.
2022-02-13vyos.util: T4191: add new sysctl() helper functionChristian Poessinger
2022-02-12policy: T2199: bugfix verify_rule() on negated groupsChristian Poessinger
Related to #1215
2022-02-11Merge pull request #1214 from sever-sever/T3686Christian Poessinger
openvpn: T3686: Fix for check local-address in script and tmpl
2022-02-11Merge pull request #1217 from sever-sever/T4236Christian Poessinger
openvpn: T4236: Add generator for ovpn configurations in op-mode
2022-02-11Merge pull request #1216 from sever-sever/T3872Christian Poessinger
smoketest: T3872: Fix token check for monitoring test
2022-02-10openvpn: T4236: Add generator for ovpn configurations in op-modeViacheslav Hletenko
This generator generates client .ovpn files with required initial configuration It gets information from interface vtun, pki ca and certificates
2022-02-10Merge pull request #1133 from zdc/T1925-sagittaDaniil Baturin
ipsec: T1925: Fixed `show vpn ipsec sa` output
2022-02-10smoketest: T3872: Fix token check for monitoring testViacheslav Hletenko
As INFLUX_TOKEN is present in override.conf.tmpl environment we expect variable "$INFLUX_TOKEN" in the telegraf template and config but not value of the token
2022-02-10Merge pull request #1213 from jestabro/config-diffChristian Poessinger
configtree: T4235: encapsulate config tree diff function
2022-02-09openvpn: T3686: Fix for check local-address in script and tmplViacheslav Hletenko
Local-address should be checked/executed only if it exists in the openvpn configuration, dictionary, jinja2 template
2022-02-09openvpn: T4230: Delete checks if local-host address assignedViacheslav Hletenko
OpenVPN can't start if it depends on VRRP virtual-address as virtual-address is not yet assigned by HA (openvpn and ha in one commit) as we have checks "if address assigned" It depends on commit priorities: 460 interfaces/openvpn 800 high-availability Replace check if local-host address assigned from raise ConfigError to print (just notification) Allow to bind OpenVPN service to nonlocal address
2022-02-08configtree: T4235: encapsulate config tree diff functionJohn Estabrook
2022-02-08Merge pull request #1208 from sever-sever/T3600Christian Poessinger
dhcp: T3600: Fix DHCP static table dhcp-interface route
2022-02-08Merge pull request #1209 from sever-sever/T3872Christian Poessinger
monitoring: T3872: Add input filter for firewall InfluxDB2
2022-02-08monitoring: T3872: Add input filter for firewall InfluxDB2Viacheslav Hletenko
Input filter for firewall allows to get bytes/counters from nftables in format, required for InfluxDB2
2022-02-07xml: ssh: T4233: sync regex for allow/deny usernames to "system login"Christian Poessinger
2022-02-07dhcp: T3600: Fix DHCP static table dhcp-interface routeViacheslav Hletenko
Static table dhcp-interface route required table in template Without table this route will be placed to table 'main' by default
2022-02-06smoketest: bond: T4228: verify bond member is only used onceChristian Poessinger
2022-02-06config: T4228: is_member() must return all instances not only the last oneChristian Poessinger
2022-02-05vrrp: T4226: transition-script does not work for groups containing a hypen (-)Christian Poessinger
2022-02-05Merge pull request #1200 from sever-sever/T3872Christian Poessinger
monitoring: T3872: Fix template input plugin for running services
2022-02-05Merge pull request #1206 from sarthurdev/T4209Christian Poessinger
firewall: T4209: Fix support for rule `recent` matches
2022-02-05Merge pull request #1207 from sever-sever/T4151Christian Poessinger
policy: T4151: Delete unexpected print added in commit c501ae0f
2022-02-05Merge pull request #1205 from srividya0208/T4227Christian Poessinger
T4227:Bridge: Typo in completion help of hello-time option
2022-02-04policy: T4151: Delete unexpected print added in commit c501ae0fViacheslav Hletenko
2022-02-04firewall: T4209: Fix support for rule `recent` matchessarthurdev
2022-02-03T4227:Bridge: Typo in completion help of hello-time optionsrividya0208
There is spelling mistake in "advertisement" of hello-time option's completion help
2022-02-03Merge pull request #1201 from sarthurdev/T4178_2Christian Poessinger
firewall: T4178: Fix only inverse matching on tcp flags
2022-02-03firewall: T4178: Fix only inverse matching on tcp flagssarthurdev