Age | Commit message (Collapse) | Author |
|
files
This commit updates the eapol code so that it writes the full
certificate chains for both the specified CA and the client certificate
to `<iface>_ca.pem` and `<iface>_cert.pem`, respectively.
The full CA chain is necessary for validating the incoming server
certificate when it is signed by an intermediate CA and the
intermediate CA cert is not included in the EAP-TLS ServerHello. In this
scenario, wpa_supplicant needs to have both the intermediate CA and the
root CA in its `ca_file`.
Similarly, the full client certificate chain is needed when the ISP
expects/requires that the client (wpa_supplicant) sends the client cert
+ the intermediate CA (or even + the root CA) as part of the EAP-TLS
ClientHello.
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
|
|
|
|
|
|
openvpn: T4230: Delete checks if local-host address assigned
|
|
T3474: move component version info to XML
|
|
|
|
Add smoketest to catch updates to a component version in legacy
curver_DATA that is not present in xml syntaxVersion.
|
|
Add the include files containing the syntaxVersion element defining the
version of the respective component; these files are included by the top
level file 'xml-component-versions.xml.in'. Processing of these elements
was previously added to the python xml lib in commit 40f5359d. This will
replace the use of 'curver_DATA' in vyatta-cfg-system and other legacy
packages.
|
|
|
|
VLAN isolation can not be "set" when interface is of type wifi.
|
|
conntrack-sync: T4237: Fix checks for listen-address list to str
|
|
Verify section conntrack_sync.py funciton 'is_addr_assigned'
should checks address as string not as list
(cherry picked from commit c41c51e4ed7ceb293161014a73bdd350162c3300)
|
|
pki: eapol: T4244: Fix KeyError when CA cert name differs from client cert name
|
|
This commit fixes a small typo where the client cert name was being used
to index the CA configuration dict.
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
|
|
|
|
interface
It is impossible for the OS kernel to distinguish multiple GRE tunnels when no
"gre key" is configured when sourcing tunnels from the same interface.
|
|
|
|
We always mangled and worked on the "ip rule" singleton even when nothing
needed to be changed. This resulted in a VRF hickup when the same VRF was added
and removed multiple times.
set interfaces ethernet eth1 vrf foo
set vrf name foo table '1000'
commit
delete interfaces ethernet eth1 vrf
delete vrf
commit
set interfaces ethernet eth1 vrf foo
set vrf name foo table '1000'
commit
broke reachability on eth1 - a reboot was required.
This change will now only alter the ip rule tables once when VRF instances
are created for the first time and will not touch the Kernel "ip rule"
representation afterwards.
|
|
|
|
Related to #1215
|
|
openvpn: T3686: Fix for check local-address in script and tmpl
|
|
openvpn: T4236: Add generator for ovpn configurations in op-mode
|
|
smoketest: T3872: Fix token check for monitoring test
|
|
This generator generates client .ovpn files with required initial
configuration
It gets information from interface vtun, pki ca and certificates
|
|
ipsec: T1925: Fixed `show vpn ipsec sa` output
|
|
As INFLUX_TOKEN is present in override.conf.tmpl environment we expect
variable "$INFLUX_TOKEN" in the telegraf template and config but not
value of the token
|
|
configtree: T4235: encapsulate config tree diff function
|
|
Local-address should be checked/executed only if it exists in the
openvpn configuration, dictionary, jinja2 template
|
|
OpenVPN can't start if it depends on VRRP virtual-address as
virtual-address is not yet assigned by HA (openvpn and ha
in one commit) as we have checks "if address assigned"
It depends on commit priorities:
460 interfaces/openvpn
800 high-availability
Replace check if local-host address assigned from raise ConfigError
to print (just notification)
Allow to bind OpenVPN service to nonlocal address
|
|
|
|
dhcp: T3600: Fix DHCP static table dhcp-interface route
|
|
monitoring: T3872: Add input filter for firewall InfluxDB2
|
|
Input filter for firewall allows to get bytes/counters from
nftables in format, required for InfluxDB2
|
|
|
|
Static table dhcp-interface route required table in template
Without table this route will be placed to table 'main' by default
|
|
|
|
|
|
|
|
monitoring: T3872: Fix template input plugin for running services
|
|
firewall: T4209: Fix support for rule `recent` matches
|
|
policy: T4151: Delete unexpected print added in commit c501ae0f
|
|
T4227:Bridge: Typo in completion help of hello-time option
|
|
|
|
|
|
There is spelling mistake in "advertisement" of hello-time option's
completion help
|
|
firewall: T4178: Fix only inverse matching on tcp flags
|
|
|
|
Add required capability for input scripts which collect
statistics of running services
|
|
This reverts commit 78b247b724f74bdabab0706aaa7f5b00e5809bc1.
|
|
|