Age | Commit message (Collapse) | Author |
|
RADIUS authentication can be handled by a variety of mechanisms,
including proxy for 2FA systems requiring user interaction with a
separate device, token acquisition, or other time-consuming action.
Given the delays required for certain 2FA implementations, a thirty
second timeout can range from onerous to untenable. Accomodate the
2FA time requirements by extending the hard-coded RADIUS time limit
from 30 seconds to 240.
Co-authored-by: RageLtMan <rageltman [at] sempervictus>
|
|
After hardning the regex validator to be preceeded with ^ and ending with $
it was no longer possible to have a comma separated list as SSH ciphers. The
migrations cript is altered to migrate the previous comma separated list
to individual multi node entries - cipher and key-exchange always had been
multinodes - so this just re-arranges some values and does not break CLI
compatibility
|
|
|
|
(cherry picked from commit 2fd5eea801bb524c12217c26d98c44a819b2086e)
|
|
|
|
|
|
|
|
Instead of hardcoding the default behavior inside the Jinaj2 template, all
defaults are required to be specified inside teh XML definition. This is
required to automatically render the appropriate CLI tab completion commands.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Since introducing the XML <defaultValue> node it was common, but redundant,
practice to also add a help string indicating which value would be used as
default if the node is unset.
This makes no sense b/c it's duplicated code/value/characters and prone to
error. The node.def scripts should be extended to automatically render the
appropriate default value into the CLI help string.
For e.g. SSH the current PoC renders:
$ cat templates-cfg/service/ssh/port/node.def
multi:
type: txt
help: Port for SSH service (default: 22)
val_help: u32:1-65535; Numeric IP port
...
Not all subsystems are already migrated to get_config_dict() and make use of
the defaults() call - those subsystems need to be migrated, first before the new
default is added to the CLI help.
|
|
|
|
|
|
When changing "general" parameters like:
- interface IP address
- MTU
- description
the interface is destroyed and recreated ... this should not happen!
|
|
If a valueLess node is added or removed from the CLI, a call to
leaf_node_changed() will not detect it.
If node is valueLess, on change old or new (depending on addition or deletion)
will be {} and is treated as None.
Add handler for this special case where old or new is an instance of a
dictionary but empty.
|
|
ipsec: T1856: Ability to set SA life bytes and packets
|
|
T2719: initial batch of standardized structure op mode scripts
|
|
T4115:Reboot:Options "in" and "at" are not working as expected
|
|
ipsec: T3948: Add CLI site-to-site peer connection-type none
|
|
vpn_ipsec: T3656: modified completion help for key-exchange
|
|
|
|
|
|
|
|
In latest releases, default IKE version is removed, which allows the
connection to be IKEv1 or IKEv2.
The completion help shows IKEv1 as default so removed it.
|
|
|
|
|
|
VXLAN does support using multiple remotes but VyOS does not. Add the ability
to set multiple remotes and add their flood lists using "bridge" command.
|
|
set vpn ipsec site-to-site peer 192.0.2.14 connection-type none
|
|
When reboot is executed with "in" option it only accepts minutes till 99 value
and does not accept greater values and "at" is also working same like in option
where as it should work with exact timings.
|
|
|
|
Commit 5d14a04b ("smoketest: dhcp: T4203: move testcase to base class") added
global support in the test case framework for DHCP tests. Some interfaces (e.g.
MACsec) require additional options to be passed before the test can be launched.
In the MACsec case this includes a source interface, or encryption ciphers.
|
|
set vpn ipsec esp-group grp-ESP life-bytes '100000'
set vpn ipsec esp-group grp-ESP life-packets '2000000'
|
|
* t4203-dhcp:
smoketest: dhcp: T4203: move testcase to base class
static: T4203: obey interface dhcp default route distance
interface: T4203: prevent DHCP client restart if not necessary
|
|
vpn: T4254: Add cisco_flexvpn and install_virtual_ip_on options
|
|
We do not only provide DHCP functionality to ethernet interfaces, it's a common
feature so the testcase should be made available for multiple interface types.
|
|
Commit 05aa22dc ("protocols: static: T3680: do not delete DHCP received routes")
added a bug whenever a static route is modified - the DHCP interface will
always end up with metric 210 - if there was a default route over a DHCP
interface.
|
|
In the past whenever a change happened to any interface and it was configured
as a DHCP client, VyOS always had a breif outage as DHCP released the old lease
and re-aquired a new one - bad!
This commit changes the behavior that DHCP client is only restarted if any one
of the possible options one can set for DHCP client under the "dhcp-options"
node is altered.
|
|
containers: T4249: Allow to connect host device to the container
|
|
Ability to attach host devices to the container
It can be disk, USB device or any device from the directory /dev
set container name alp01 device disk source '/dev/vdb1'
set container name alp01 device disk destination '/dev/mydisk'
|
|
Ability to set Cisco FlexVPN vendor ID payload:
charon.cisco_flexvpn
charon.install_virtual_ip_on
swanctl.connections.<conn>.vips = x.x.x.x, z.z.z.z
set vpn ipsec options flexvpn
set vpn ipsec options virtual-ip
set vpn ipsec options interface tunX
set vpn ipsec site-to-site peer x.x.x.x virtual-address x.x.x.x
|
|
Commit 5fc9ef9e ("DHCP : T4258: Set correct port for dhcp-failover") changed
how the failover port is rendered into the ISC DHCPd configuration - adjustment
of the smoketests was missed out.
|
|
pki: eapol: T4245: Add full CA and client cert chains to wpa_supplicant PEM files
|
|
DHCP : T4258: Set correct port for dhcp-failover
|
|
|
|
files
This commit updates the eapol code so that it writes the full
certificate chains for both the specified CA and the client certificate
to `<iface>_ca.pem` and `<iface>_cert.pem`, respectively.
The full CA chain is necessary for validating the incoming server
certificate when it is signed by an intermediate CA and the
intermediate CA cert is not included in the EAP-TLS ServerHello. In this
scenario, wpa_supplicant needs to have both the intermediate CA and the
root CA in its `ca_file`.
Similarly, the full client certificate chain is needed when the ISP
expects/requires that the client (wpa_supplicant) sends the client cert
+ the intermediate CA (or even + the root CA) as part of the EAP-TLS
ClientHello.
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
|
|
|