Age | Commit message | Author |
|
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates")
added support for multiple CA certificates which broke the OP mode command
to generate the IPSec profiles as it did not expect a list and was rather
working on a string.
Now multiple CAs can be rendered into the Apple iOS profile.
|
|
Inspired-By: Brandon Zhi <Huiyuze_Zhi@protonmail.com>
|
|
To prevent any possible races in the future the host-name and domain-name nodes
should be set with explicit priorities!
|
|
T6415: Allow repo-sync workflow to be triggered manually
|
|
Commit 74910564f ("T6406: rename cpus to cpu") did not import the function
from the Python module.
|
|
The code path to handle the CA certificate used for the frontend service
is removed, as there is no way on the CLI to define the CA certificate used
for the frontend service.
|
|
haproxy supports both ":::80 v4v6" and "[::]:80 v4v6" as listen statement,
where the latter one is more human readable. Both act in the same way.
|
|
|
list of ports/ranges exists
Before: Issuing the op mode command "show nat source rules" will throw an
exception if the user has configured NAT rules using a list of ports as a
comma-separated list (e.g. '!22,telnet,http,123,1001-1005'). Also there was
no handling for the "!" rule and so '!53' would display as '53'.
With this PR: Introduced iteration to capture all configured ports and append
to the appropriate string for display to the user as well as handling of '!' if
present in user's configuration.
|
|
T6415: Fix variables for repo sync
|
|
openvpn: T6374: only check TLS role for s2s if TLS is configured
|
|
T6349: Reuse repo sync
|
|
T6411: CGNAT fix sequences for external address ranges
|
|
ISIS: T6332: Fix isis not working only ipv6
|
|
openvpn: T6374: ensure that TLS role is configured for site-to-site with TLS
|
|
op_mode: T6389: Check architecture and flavor compatibility on upgrade attempts
|
|
T5786: Add set/show system image to /image endpoint
|
|
Fix the bug where address external allocation did not rely on sequences
of the external IP addresses (if set)
|
|
add ability to change logging level config for:
* VPN L2TP
* VPN PPTP
* VPN SSTP
* IPoE Server
* PPPoE Server
|
|
smoketest: T6395: check for VFIO options to be present
|
|
reverse-proxy: T6402: Fix invalid checks in validation script
|
|
op-mode: T6377: must call pki.py helper as root to work with ACME certificates
|
|
op-mode: T6400: pki: unable to generate fingerprint for ACME issued certificates
|
|
This fixes (for an ACME generated certificate)
vyos@vyos:~$ show pki certificate vyos fingerprint sha512
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 1081, in <module>
    show_certificate_fingerprint(args.certificate, args.fingerprint)
  File "/usr/libexec/vyos/op_mode/pki.py", line 934, in show_certificate_fingerprint
    print(get_certificate_fingerprint(cert, hash))
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 76, in get_certificate_fingerprint
    fp = cert.fingerprint(hash_algorithm)
         ^^^^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'fingerprint'
After the fix:
vyos@vyos# run show pki certificate vyos fingerprint sha256
10:2C:EF:2C:DA:7A:EE:C6:D7:8E:53:12:F0:F5:DE:B9:E9:D0:6C:B4:49:1C:8B:70:2B:D9:AF:FC:9B:75:A3:D2
|
|
This fixes the error:
vyos@vyos:~$ show pki certificate
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/vyos/config.py", line 111, in config_dict_mangle_acme
    tmp = read_file(f'{vyos_certbot_dir}/live/{name}/cert.pem')
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 44, in read_file
    raise e
  File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 38, in read_file
    with open(fname, 'r') as f:
         ^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/config/auth/letsencrypt/live/vyos/cert.pem'
|
|
Co-authored-by: Gregor Michels <hirnpfirsich@brainpeach.de>
|
|
suricata: T751: Initial support for suricata
|
|
reverse-proxy: T6370: Set custom HTTP headers in reverse-proxy responses
|
|
nat: T6345: source NAT port mapping "fully-random" is superfluous in Kernel >=5.0
|
|
nat66: T6365: remove warnings for negated interface selections by name
|