Age | Commit message (Collapse) | Author |
|
in firewall, to NAT
|
|
|
|
T5056: Fix IPoE server template for vlan-mon
|
|
After rewriting IPoE server for config.dict the ipoe.config.j2
template wasn't changed for 'vlan-mon' section
Fix it
|
|
Not all interfaces have valid entries in the speed file. PPPoE interfaces have
the appropriate speed file, but you can not read it:
cat: /sys/class/net/pppoe7/speed: Invalid argument
|
|
graphql: T5040: generate schema on installation, rather than dynamically
|
|
|
|
ipsec: T4916: Fixed migrations script
|
|
* removed unused `re` from imports
* replaced `return_value()` to `return_values()` for `remote-address`
because this is a multi-value configuration node
|
|
login: T5039: catch error on 'my_set' for auth plaintext-password
|
|
login: T5039: Support hashing rounds in `encrypted-password` values
|
|
|
|
Since glibc 2.7, the SHA-256 and SHA-512 implementations support
a user-supplied number of hashing rounds, defaulting to 5000. If
the "$id$" characters in the salt are followed by "rounds=xxx$",
where xxx is an integer, then the result has the form
$id$rounds=yyy$salt$encrypted
where yyy is the number of hashing rounds actually used. The
number of rounds actually used is 1000 if xxx is less than 1000,
999999999 if xxx is greater than 999999999, and is equal to xxx
otherwise.
|
|
|
|
Since 'key' field is no longer required, a missing key will register an
error in the resolver, instead of being rejected as bad request.
|
|
|
|
For type introspection of op-mode scripts, scripts are loaded as
modules. For generation of schema from type introspection, it is useful
to load scripts during package installation, hence to fail gracefully if
not on live system.
|
|
Schema had been dynamically generated, based on configuration setting
for authentication. Add nullable field 'key' for static generation of
schema regardless of key/token use.
|
|
policy: T5035: Add more actions to policy route rule
|
|
|
|
|
|
T5037: Firewall: Add queue action and options to firewall
|
|
T4967: Allow setting container hostname
|
|
Ability setting container hostname
This host name is used as /etc/hostname
set container name <tag> host-name 'mybox'
|
|
|
|
|
|
T4977: Add Babel routing protocol support
|
|
container: T4014: Add `command`, `arg` and `entrypoint` configuration options for containers
|
|
T5033: Ability to generate muliple keys from a file or link
|
|
openvpn: T4770: fix tabulate output in _format_openvpn
|
|
|
|
op-mode: T4952: use list_interfaces from vyos-utils
|
|
|
|
openconnect: T4955: Renamed function and changed error messages
|
|
Renamed local function to be identical to 1.3 ver
Changed error messages after commit to be identical to 1.3 ver
|
|
T4790: Added check of the sum of radius timeouts
|
|
We generate only one public key (string) from a file xxx.pub
op-mode with 'generate public-key-command user vyos lik_to_key_file'
Add ability to generate configuration (from op-mode) for multiple keys
As github keys don't use identifiers, generate uuid4 id for them
|
|
|
|
This commit adds a script to run user-defined hook scripts upon renewing
a DHCP lease. This can be used to, for example, dynamically define a
firewall address-group based on the dynamic IP address of an interface.
For an example of its use (as well as the use case I had in mind while
coding this), see https://vyos.dev/T2196#142394
Co-authored-by: br <git@ibeep.com>
|
|
|
|
Commit 54c36e43 (tunnel: T5034: migrate "multicast enable" CLI node to
enable-multicast) changed the syntax on the CLI. This commits changes the
testcase to make use of the new syntax.
|
|
Tunnel interface multicast settings can be "enabled or disabled". As we prefer
valueless nodes, and the linux kernel default is "disabled" we should add a
set interfaces tunnel tunXX enable-multicast
command
|
|
DeprecationWarning: 'crypt' is deprecated and slated for removal in Python 3.13
DeprecationWarning: 'spwd' is deprecated and slated for removal in Python 3.13
|
|
|
|
login: T4943: Fixed 2FA + RADIUS compatibility
|
|
MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS
module for PAM does not like it, which makes them incompatible.
This commit:
* disables KbdInteractiveAuthentication
* changes order for PAM modules - make it first, before `pam_unix` or
`pam_radius_auth`
* enables the `forward_pass` option for `pam_google_authenticator` to accept
both password and MFA in a single input
As a result, local, RADIUS, and MFA work together.
Important change: MFA should be entered together with a password.
Before:
```
vyos login: <USERNAME>
Password: <PASSWORD>
Verification code: <MFA>
```
Now:
```
vyos login: <USERNAME>
Password & verification code: <PASSWORD><MFA>
```
|
|
T5029: Change nginx default root directory
|
|
http-api: T5030: fix missing check on delete keys id tag or key value
|
|
T5029: Fix Regex for nginx to find a better match
|
|
|