summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-02-28open-connect: T4274: extend RADIUS authentication timeoutRageLtMan
RADIUS authentication can be handled by a variety of mechanisms, including proxy for 2FA systems requiring user interaction with a separate device, token acquisition, or other time-consuming action. Given the delays required for certain 2FA implementations, a thirty second timeout can range from onerous to untenable. Accomodate the 2FA time requirements by extending the hard-coded RADIUS time limit from 30 seconds to 240. Co-authored-by: RageLtMan <rageltman [at] sempervictus>
2022-02-28ssh: T4273: bugfix cipher and key-exchange multi nodesChristian Poessinger
After hardning the regex validator to be preceeded with ^ and ending with $ it was no longer possible to have a comma separated list as SSH ciphers. The migrations cript is altered to migrate the previous comma separated list to individual multi node entries - cipher and key-exchange always had been multinodes - so this just re-arranges some values and does not break CLI compatibility
2022-02-26lldp: T4272: minor bugfix in Jinja2 template for locationChristian Poessinger
2022-02-26smoketest: lldp: add testcaseChristian Poessinger
(cherry picked from commit 2fd5eea801bb524c12217c26d98c44a819b2086e)
2022-02-26lldp: T4272: migrate to get_config_dict()Christian Poessinger
2022-02-25nat: T1083: use defaultValue from XML when handling translationsChristian Poessinger
2022-02-25smoketest: zone-policy: use setUpClass() over setUp()Christian Poessinger
2022-02-25zone-policy: T2199: bugfix defaultValue usageChristian Poessinger
Instead of hardcoding the default behavior inside the Jinaj2 template, all defaults are required to be specified inside teh XML definition. This is required to automatically render the appropriate CLI tab completion commands.
2022-02-25vpn: ipsec: T3093: add missing defaultValue entriesChristian Poessinger
2022-02-25monitoring: T3872: re-use "port" building block from port-number.xml.iChristian Poessinger
2022-02-25xml: webproxy: add comment about explicitly not set defaultValueChristian Poessinger
2022-02-25wireless: ifconfig: T2653: add missing defaultValue for mgmt-frame-protectionChristian Poessinger
2022-02-25smoketest: webproxy: use setUpClass() over setUp()Christian Poessinger
2022-02-25dhcp-relay: T3095: add missing max-size default valueChristian Poessinger
2022-02-24scripts: T4269: node.def generator should automatically add default valuesChristian Poessinger
Since introducing the XML <defaultValue> node it was common, but redundant, practice to also add a help string indicating which value would be used as default if the node is unset. This makes no sense b/c it's duplicated code/value/characters and prone to error. The node.def scripts should be extended to automatically render the appropriate default value into the CLI help string. For e.g. SSH the current PoC renders: $ cat templates-cfg/service/ssh/port/node.def multi: type: txt help: Port for SSH service (default: 22) val_help: u32:1-65535; Numeric IP port ... Not all subsystems are already migrated to get_config_dict() and make use of the defaults() call - those subsystems need to be migrated, first before the new default is added to the CLI help.
2022-02-23smoketest: tunnel: indention fixupChristian Poessinger
2022-02-23tunnel: T4267: "parameters ip key" on GRE not required for different remotesChristian Poessinger
2022-02-22vxlan: T4264: interface is destroyed and rebuild on description changeChristian Poessinger
When changing "general" parameters like: - interface IP address - MTU - description the interface is destroyed and recreated ... this should not happen!
2022-02-22vyos.configdict: T4263: leaf_node_changed() must also honor valueLess CLI nodesChristian Poessinger
If a valueLess node is added or removed from the CLI, a call to leaf_node_changed() will not detect it. If node is valueLess, on change old or new (depending on addition or deletion) will be {} and is treated as None. Add handler for this special case where old or new is an instance of a dictionary but empty.
2022-02-22Merge pull request #1230 from sever-sever/T1856Christian Poessinger
ipsec: T1856: Ability to set SA life bytes and packets
2022-02-21Merge pull request #1233 from dmbaturin/structured-op-modeJohn Estabrook
T2719: initial batch of standardized structure op mode scripts
2022-02-21Merge pull request #1232 from srividya0208/T4115John Estabrook
T4115:Reboot:Options "in" and "at" are not working as expected
2022-02-21Merge pull request #1231 from sever-sever/T3948Christian Poessinger
ipsec: T3948: Add CLI site-to-site peer connection-type none
2022-02-21Merge pull request #1234 from srividya0208/T3656Christian Poessinger
vpn_ipsec: T3656: modified completion help for key-exchange
2022-02-21smoketest: vxlan: T4120: verify support for multiple remote addressesChristian Poessinger
2022-02-21vxlan: T4120: code cleanup for multiple remotesChristian Poessinger
2022-02-21T2719: initial batch of standardized structure op mode scriptsDaniil Baturin
2022-02-21vpn_ipsec: T3656: modified completion help for key-exchangesrividya0208
In latest releases, default IKE version is removed, which allows the connection to be IKEv1 or IKEv2. The completion help shows IKEv1 as default so removed it.
2022-02-20bridge: remove unreferenced import -> leaf_node_changedChristian Poessinger
2022-02-20vxlan: T4120: rename tunnel-remotes.xml.i -> tunnel-remote-multi.xml.iChristian Poessinger
2022-02-20vxlan: T4120: add ability to set multiple remotes (PR #1127)Andreas
VXLAN does support using multiple remotes but VyOS does not. Add the ability to set multiple remotes and add their flood lists using "bridge" command.
2022-02-20ipsec: T3948: Add CLI site-to-site peer connection-type noneViacheslav Hletenko
set vpn ipsec site-to-site peer 192.0.2.14 connection-type none
2022-02-20T4115:Reboot:Options "in" and "at" are not workingsrividya0208
When reboot is executed with "in" option it only accepts minutes till 99 value and does not accept greater values and "at" is also working same like in option where as it should work with exact timings.
2022-02-20macsec: T4261: add dhcp client supportChristian Poessinger
2022-02-20smoketest: dhcp: T4203: set missing interface options if presentChristian Poessinger
Commit 5d14a04b ("smoketest: dhcp: T4203: move testcase to base class") added global support in the test case framework for DHCP tests. Some interfaces (e.g. MACsec) require additional options to be passed before the test can be launched. In the MACsec case this includes a source interface, or encryption ciphers.
2022-02-20ipsec: T1856: Ability to set SA life bytes and packetsViacheslav Hletenko
set vpn ipsec esp-group grp-ESP life-bytes '100000' set vpn ipsec esp-group grp-ESP life-packets '2000000'
2022-02-20Merge branch 't4203-dhcp' into currentChristian Poessinger
* t4203-dhcp: smoketest: dhcp: T4203: move testcase to base class static: T4203: obey interface dhcp default route distance interface: T4203: prevent DHCP client restart if not necessary
2022-02-20Merge pull request #1226 from sever-sever/T4254Christian Poessinger
vpn: T4254: Add cisco_flexvpn and install_virtual_ip_on options
2022-02-20smoketest: dhcp: T4203: move testcase to base classChristian Poessinger
We do not only provide DHCP functionality to ethernet interfaces, it's a common feature so the testcase should be made available for multiple interface types.
2022-02-20static: T4203: obey interface dhcp default route distanceChristian Poessinger
Commit 05aa22dc ("protocols: static: T3680: do not delete DHCP received routes") added a bug whenever a static route is modified - the DHCP interface will always end up with metric 210 - if there was a default route over a DHCP interface.
2022-02-20interface: T4203: prevent DHCP client restart if not necessaryChristian Poessinger
In the past whenever a change happened to any interface and it was configured as a DHCP client, VyOS always had a breif outage as DHCP released the old lease and re-aquired a new one - bad! This commit changes the behavior that DHCP client is only restarted if any one of the possible options one can set for DHCP client under the "dhcp-options" node is altered.
2022-02-20Merge pull request #1229 from sever-sever/T4249Christian Poessinger
containers: T4249: Allow to connect host device to the container
2022-02-19containers: T4249: Allow to connect host device to the containerViacheslav Hletenko
Ability to attach host devices to the container It can be disk, USB device or any device from the directory /dev set container name alp01 device disk source '/dev/vdb1' set container name alp01 device disk destination '/dev/mydisk'
2022-02-19vpn: T4254: Add cisco_flexvpn and install_virtual_ip_on optionsViacheslav Hletenko
Ability to set Cisco FlexVPN vendor ID payload: charon.cisco_flexvpn charon.install_virtual_ip_on swanctl.connections.<conn>.vips = x.x.x.x, z.z.z.z set vpn ipsec options flexvpn set vpn ipsec options virtual-ip set vpn ipsec options interface tunX set vpn ipsec site-to-site peer x.x.x.x virtual-address x.x.x.x
2022-02-19smoketest: T4258: dhcp: bugfix failover portsChristian Poessinger
Commit 5fc9ef9e ("DHCP : T4258: Set correct port for dhcp-failover") changed how the failover port is rendered into the ISC DHCPd configuration - adjustment of the smoketests was missed out.
2022-02-19Merge pull request #1227 from chenxiaolong/T4245Christian Poessinger
pki: eapol: T4245: Add full CA and client cert chains to wpa_supplicant PEM files
2022-02-19Merge pull request #1228 from fett0/T4258Christian Poessinger
DHCP : T4258: Set correct port for dhcp-failover
2022-02-18DHCP : T4258: Set correct port for dhcp-failoverfett0
2022-02-17pki: eapol: T4245: Add full CA and client cert chains to wpa_supplicant PEM ↵Andrew Gunnerson
files This commit updates the eapol code so that it writes the full certificate chains for both the specified CA and the client certificate to `<iface>_ca.pem` and `<iface>_cert.pem`, respectively. The full CA chain is necessary for validating the incoming server certificate when it is signed by an intermediate CA and the intermediate CA cert is not included in the EAP-TLS ServerHello. In this scenario, wpa_supplicant needs to have both the intermediate CA and the root CA in its `ca_file`. Similarly, the full client certificate chain is needed when the ISP expects/requires that the client (wpa_supplicant) sends the client cert + the intermediate CA (or even + the root CA) as part of the EAP-TLS ClientHello. Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
2022-02-17vyos.configverify: T4255: fix unexpected print of dictionary instead of keyChristian Poessinger