Age | Commit message (Collapse) | Author |
|
syslog: T1487: store all journald log files also in syslog (backport #2797)
|
|
T5919: firewall: fix <show firewall ipv6 ..> command (backport #2799)
|
|
T5915: firewall: re-add opmode command for zone based firewall (backport #2784)
|
|
This is useful to send the journal logs to external syslog servers
(cherry picked from commit 800c85a20a00278ab07bbcccd85b753b1ca31e21)
|
|
(cherry picked from commit 089280f82349cd7b77649eb71729be1e73714b52)
|
|
(cherry picked from commit 62f10e0ec8075634e1515d6cecc822d87053bccb)
|
|
T5688: Changed 'range' to multi in 'client-ip-pool' for accell-ppp (backport #2777)
|
|
dhcp: T5787: Prevent duplicate IP addresses on static mappings (backport)
|
|
interface: T5550: Interface source-validation priority over global value (backport)
|
|
image-tools: T5917: annotate image list with (running)/(default boot) (backport #2786)
|
|
(cherry picked from commit 17a1d31299e8960d9eba528e04c418b4c1007eb2)
|
|
|
|
T5918: Fix typo in verify vpn ipsec interface (backport #2791)
|
|
The correct CLI command is `interface` and not `interfaces`
```
set vpn ipsec interface xxx
```
(cherry picked from commit 8452d8f49216d224bc5d5751354414274982f5be)
|
|
bgp: T5913: allow peer-group support for ipv4|6-labeled-unicast SAFI (backport #2787)
|
|
Changed node 'range' to multi in 'client-ip-pool' for accell-ppp
services.
Added completionHelp to default-pool and next-pool.
Fixed verification in vpn l2tp config script.
(cherry picked from commit 4ffec67d04670192d9b722353cbaef04cb0ba129)
|
|
T5916: Added segment routing check for index size and SRGB size (backport #2780)
|
|
(cherry picked from commit f1411240c6b11ec400ac0f66eb71982259204317)
|
|
(cherry picked from commit cfb5b052c84ffba789d61a59350676b6b4a0a5f7)
|
|
T5530: isis: Adding loop free alternate feature (backport #2263)
|
|
https: T5902: remove virtual-host configuration (backport #2773)
|
|
(cherry picked from commit 7a2b70bd73c8579a885348b93b8addfb20fb006c)
|
|
This extends commit 86d1291ec5 ("[boot-config-loader] T1622: Add failsafe
and back trace") and adds missing groups to the vyos user. Without this
change the vyos user will only have operator (vyos@vyos>) privileges,
even if this level is discontinued.
One could hack himself up as the user has sudo rights, but rather place
the user in the right groups from the beginning.
NOTE: This user is only added if booted with "vyos-config-debug" and
an error when the configuration can not be loaded at all.
(cherry picked from commit 07e802a2d3f98cdf29928bf321cc8b89cb41766c)
|
|
hyphen (-)
When testing for changed PKI certificates using node_changed(), we should not
use key_mangling=('-', '_'), as this will make certificate updates with a hypen
not possible.
(cherry picked from commit fc6926fdf32a7bdf9f943c7818ee6ea4a8131fba)
|
|
We have not seen the adoption of the https virtual-host CLI option.
What it did?
* Create multiple webservers each listening on a different IP/port
(but in the same VRF)
* All webservers shared one common document root
* All webservers shared the same SSL certificates
* All webservers could have had individual allow-client configurations
* API could be enabled for a particular virtual-host but was always enabled on
the default host
This configuration tried to provide a full webserver via the CLI but VyOS is a
router and the Webserver is there for an API or to serve files for a local-ui.
Changes
Remove support for virtual-hosts as it's an incomplete and thus mostly useless
"thing". Migrate all allow-client statements to one top-level allow statement.
(cherry picked from commit d0d3071e99eb65edb888c26ef2fdc9e038438887)
|
|
pki: T5886: add support for ACME protocol (LetsEncrypt) (backport #2758)
|
|
(cherry picked from commit 2095eb75a2326b8f493944aef07f65b150cfbc60)
|
|
(cherry picked from commit 410458c00e6202dd9a5c52b3c5ac00a90db5bc53)
|
|
This fixes a priority inversion when doing initial certificate commits.
* pki subsystem is executed with priority 300
* vti uses priority 381
* ipsec uses priority 901
On commit pki.py will be executed first, detecting a change in dependencies
for vpn_ipsec.py which will be executed second. The VTI interface was yet not
created leading to ConfigError('VTI interface XX for site-to-site peer YY does
not exist!')
The issue is caused by this new line of code in commit b8db1a9d7ba ("pki:
T5886: add support for ACME protocol (LetsEncrypt)") file src/conf_mode/pki.py
line 139 which triggers the dependency update even if a key is newly added.
This commit changes the "detection" based on the cerbot configuration on disk.
(cherry picked from commit 9162631f12ade65392ea2fa53642ea4af39627c7)
|
|
(cherry picked from commit 9ab6665c80c30bf446d94620fc9d85b052d48072)
|
|
* show log certbot
* monitor log certbot
* renew certbot
(cherry picked from commit 9d02d32319f9328df618910a038ef580588e13c8)
|
|
The "idea" of this PR is to add new CLI nodes under the pki subsystem to
activate ACME for any given certificate.
vyos@vyos# set pki certificate NAME acme
Possible completions:
+ domain-name Domain Name
email Email address to associate with certificate
listen-address Local IPv4 addresses to listen on
rsa-key-size Size of the RSA key (default: 2048)
url Remote URL (default:
https://acme-v02.api.letsencrypt.org/directory)
Users choose if the CLI based custom certificates are used
set pki certificate EXAMPLE acme certificate <base64>
or if it should be generated via ACME.
The ACME server URL defaults to LetsEncrypt but can be changed to their staging
API for testing to not get blacklisted.
set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory
Certificate retrieval has a certbot --dry-run stage in verify() to see if it
can be generated.
After successful generation, the certificate is stored in under
/config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set
interfaces ethernet eth0 eapol certificate EXAMPLE) we call
vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the
base64 encoded certificate into the JSON data structure normally used when
using a certificate set by the CLI.
Using this "design" does not need any change to any other code referencing the
PKI system, as the base64 encoded certificate is already there.
certbot renewal will call the PKI python script to trigger dependency updates.
(cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a)
# Conflicts:
# debian/control
|
|
image: T5898: fix kernel-level partition rescan (backport #2760)
|
|
This fix moves from partprobe to partx to rescan the partition table on an affected disk.
(cherry picked from commit f883455d9a3081780c43426ab26de9d26f24c9aa)
|
|
T5896: firewall: backport interface validator for firewall rules.
|
|
|
|
smoketest: T5195: fix BasicInterfaceTest tearDown() timeout penalty (backport #2769)
|
|
Commit ad9bdfc24 ("T5195: add timeout argument to process_named_running()")
added a 2*10 seconds penalty for every interface test (dhcp and dhcpv6).
This leads to long runs of "make test" after an ISO build.
There is no need to wait 10 seconds for a test that checks for a process
not running. The timeout is there to give the process some time to startup.
(cherry picked from commit 041db49533d57cabfccd319492b85ee0bafdd40c)
|
|
T5195: add timeout argument to process_named_running() (backport #2764)
|
|
op-mode: T5904: add "show ipv6 route vrf <name> <prefix>" command (backport #2765)
|
|
Smoketests heavily rely on process_named_running() so in order to "relax"
system constraints during a test we will add a timeout of 10 seconds for
every testcase provided by base_interfaces_test.py
(cherry picked from commit ad9bdfc248cf47b3361bd0e5d7371d56131160a0)
|
|
We've always had a command to display discrete IPv6 routes/prefixes within the
global VRF. This commit also adds support for a discrete VRF.
vyos@vyos:~$ show ipv6 route vrf <name>
Possible completions:
<Enter> Execute the current command
<h:h:h:h:h:h:h:h> Show IPv6 routes of given address or prefix
<h:h:h:h:h:h:h:h/x>
(cherry picked from commit 119d94bdb05d0c88bfc452d903e64000b278c43e)
|
|
openvpn: T3214: fix server-ipv6 and nopool handling (backport #1637)
|
|
dns: T5900: fix smoketests for serve-stale-extension and exclude-throttle-address (backport #2761)
|
|
After commit 0ccbbca01b ("openvpn: T3214: specify nopool on --server line only
if needed") that removed the net30 option and nopool smoketests needed a fix.
(cherry picked from commit 455943cd7f759a5a3fc53d421b479044730d1f08)
|
|
The --server directive will already create a pool automatically.
For this reason noppol should be used only when an explicit
client-ip-pool was configured by the user.
If that's not the case, then the nopool flag should not be
specified and no manual pool should be configured.
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
(cherry picked from commit 0ccbbca01b22232b5cba63d64ab00eb54af7b068)
|
|
Currently OpenVPN does not allow having an IPv6 subnet if 'nopool'
was specified on the --server directive. For this eason warn if this
specific configuration is being hit.
This is probably something that should be fixed upstream, but for now
we can't allow this combination of parameters.
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
(cherry picked from commit 7a0e40ce8df386c0ea2de84bce8fb6c81a0353ce)
|
|
Starting with v2.5.0 OpenVPN allows configuring a server with
an IPv6 only tunnel.
For this reason there is no need to depend on the existence of an IPv4
subnet anymore.
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
(cherry picked from commit 3072e507eb1cdc18cfe5429fd0c03d223d2576fe)
|
|
exclude-throttle-address
This fixes commit 199ceb1f0a ("dns: T5900: add dont-throttle-netmasks and
serve-stale-extensions powerdns features") where after the latest review round
the Jinja2 template was inconsitently changed and smoketests were not re-run.
(cherry picked from commit 9baeafa890f7b1d3829df633322fb4288e9ea882)
|
|
T5900 dns forwarding: reliability improvements (backport #2757)
|