summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2024-05-30op-mode: ipsec: T6407: fix profile generationChristian Breunig
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates") added support for multiple CA certificates which broke the OP mode command to generate the IPSec profiles as it did not expect a list and was rather working on a string. Now multiple CAs can be rendered into the Apple IOS profile.
2024-05-30vyos.ifconfig: T6421: verify /etc/hostname exists before readingChristian Breunig
Inspired-By: Brandon Zhi <Huiyuze_Zhi@protonmail.com>
2024-05-30hostname: T6421: enforce explicit CLI priority for host-name and domain-nameChristian Breunig
To prevent any possible races in the future the host-name and domain-name nodes should be set with explicit priorities!
2024-05-30Merge pull request #3549 from sever-sever/T6415-dispatchVijayakumar A
T6415: Allow repo-sync workflow to be triggered manually
2024-05-30T6415: Enable repo-sync workflow to be triggered manuallyViacheslav Hletenko
2024-05-29container: T6406: fix NameError: name 'vyos' is not definedChristian Breunig
Commit 74910564f ("T6406: rename cpus to cpu") did not import the function from the Python module.
2024-05-29reverse-proxy: T6419: build full CA chain for frontend SSL certificateChristian Breunig
2024-05-29reverse-proxy: T6419: build full CA chain when verifying backend serverChristian Breunig
2024-05-29reverse-proxy: T5231: remove frontend ca-certificate code pathChristian Breunig
The code path to handle the ca certificate used for the frontend service is removed, as there is no way on the XLI to define the CA certificate used for the frontend service.
2024-05-29reverse-proxy: T5231: better mark v4v6 listen any addressChristian Breunig
haproxy supports both ":::80 v4v6" and "[::]:80 v4v6" as listen statement, where the later one is more humand readable. Both act in the same way.
2024-05-29op-mode: T5231: add command to restart reverse-proxyChristian Breunig
2024-05-29nat: T6371: fix op mode display of configured ports when comma separated ↵Ginko
list of ports/ranges exists Before: Issuing the op mode command "show nat source rules" will throw an exception if the user has configured NAT rules using a list of ports as a comma-separated list (e.g. '!22,telnet,http,123,1001-1005'). Also there was no handling for the "!" rule and so '!53' would display as '53'. With this PR: Introduced iteration to capture all configured ports and append to the appropriate string for display to the user as well as handling of '!' if present in user's configuration.
2024-05-29Merge pull request #3543 from sever-sever/T6415-fixChristian Breunig
T6415: Fix variables for repo sync
2024-05-29Merge pull request #3541 from dmbaturin/T6374-openvpn-s2s-tls-validation-fixChristian Breunig
openvpn: T6374: only check TLS role for s2s if TLS is configured
2024-05-29T6415: Fix variables for repo syncViacheslav Hletenko
2024-05-29openvpn: T6374: only check TLS role for s2s if TLS is configuredDaniil Baturin
2024-05-29Merge pull request #3540 from sever-sever/T6415-reuseDaniil Baturin
T6349: Reuse repo sync
2024-05-29T6349: Reuse repo syncViacheslav Hletenko
2024-05-29Merge pull request #3534 from sever-sever/T6411Daniil Baturin
T6411: CGNAT fix sequences for external address ranges
2024-05-29Merge pull request #3537 from fett0/T6332Christian Breunig
ISIS: T6332: Fix isis not working only ipv6
2024-05-29ISIS: T6332: Fix isis not working only ipv6fett0
2024-05-28Merge pull request #3528 from dmbaturin/T6374-openvpn-s2s-tls-validationChristian Breunig
openvpn: T6374: ensure that TLS role is configured for site-to-site with TLS
2024-05-28Merge pull request #3533 from natali-rs1985/T6389-currentJohn Estabrook
op_mode: T6389: Check architecture and flavor compatibility on upgrade attempts
2024-05-28Merge pull request #3529 from HollyGurza/T5786Christian Breunig
T5786: Add set/show system image to /image endpoint
2024-05-28container: T6406: add CLI option for cpu-quotaChristian Breunig
2024-05-28T6411: CGNAT fix sequences for external address rangesViacheslav Hletenko
Fix the bug where address external alocation was not rely on sequences of the external IP addresses (if set)
2024-05-28op mode: T6389: Check architecture and flavor compatibility on upgrade attemptsNataliia Solomko
2024-05-28T6406: rename cpus to cpuNicolas Vollmar
2024-05-28T6406: add container cpu limit optionNicolas Vollmar
2024-05-27reverse-proxy: T6409: Remove unused backend parametersAlex W
2024-05-27T6406: check for required kernel configNicolas Vollmar
2024-05-27T5786: Add set/show system image to /image endpointkhramshinr
2024-05-27openvpn: T6374: ensure that TLS role is configured for site-to-site with TLSDaniil Baturin
2024-05-27T4576: Accel-ppp logging level configurationkhramshinr
add ability to change logging level config for: * VPN L2TP * VPN PPTP * VPN SSTP * IPoE Server * PPPoE Serve
2024-05-27Merge pull request #3522 from c-po/smoketest-NOIOMMUChristian Breunig
smoketest: T6395: check for VFIO options to be present
2024-05-27Merge pull request #3523 from Embezzle/T6402Christian Breunig
reverse-proxy: T6402: Fix invalid checks in validation script
2024-05-26reverse-proxy: T6402: Fix invalid checks in validation scriptAlex W
2024-05-26smoketest: T6395: check for VFIO options to be presentChristian Breunig
2024-05-26Merge pull request #3517 from c-po/pki-t6377Christian Breunig
op-mode: T6377: must call pki.py helper as root to work with ACME certificates
2024-05-26Merge pull request #3518 from c-po/pki-t6400Christian Breunig
op-mode: T6400: pki: unable to generate fingerprint for ACME issued certificates
2024-05-25op-mode: T6400: pki: unable to generate fingerprint for ACME issued certificatesChristian Breunig
This fixes (for and ACME generated certificate) vyos@vyos:~$ show pki certificate vyos fingerprint sha512 Traceback (most recent call last): File "/usr/libexec/vyos/op_mode/pki.py", line 1081, in <module> show_certificate_fingerprint(args.certificate, args.fingerprint) File "/usr/libexec/vyos/op_mode/pki.py", line 934, in show_certificate_fingerprint print(get_certificate_fingerprint(cert, hash)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/vyos/pki.py", line 76, in get_certificate_fingerprint fp = cert.fingerprint(hash_algorithm) ^^^^^^^^^^^^^^^^ AttributeError: 'bool' object has no attribute 'fingerprint' After the fix: vyos@vyos# run show pki certificate vyos fingerprint sha256 10:2C:EF:2C:DA:7A:EE:C6:D7:8E:53:12:F0:F5:DE:B9:E9:D0:6C:B4:49:1C:8B:70:2B:D9:AF:FC:9B:75:A3:D2
2024-05-25op-mode: T6377: must call pki.py helper as root to work with ACME certificatesChristian Breunig
This fixes the error: vyos@vyos:~$ show pki certificate Traceback (most recent call last): File "/usr/lib/python3/dist-packages/vyos/config.py", line 111, in config_dict_mangle_acme tmp = read_file(f'{vyos_certbot_dir}/live/{name}/cert.pem') ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 44, in read_file raise e File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 38, in read_file with open(fname, 'r') as f: ^^^^^^^^^^^^^^^^ PermissionError: [Errno 13] Permission denied: '/config/auth/letsencrypt/live/vyos/cert.pem'
2024-05-24load-balancing haproxy: T6391: fix typo in timeout help (#3513)Gregor Michels
Co-authored-by: Gregor Michels <hirnpfirsich@brainpeach.de>
2024-05-23Merge pull request #3399 from 0xThiebaut/suricataChristian Breunig
suricata: T751: Initial support for suricata
2024-05-23suricata: T751: use key_mangling in get_config_dict()Christian Breunig
2024-05-23suricata: T751: remove implicit default dictionaryChristian Breunig
2024-05-23suricata: T751: move CLI from "service ids suricata" -> "service suricata"Christian Breunig
2024-05-23Merge pull request #3487 from Embezzle/T6370Christian Breunig
reverse-proxy: T6370: Set custom HTTP headers in reverse-proxy responses
2024-05-23Merge pull request #3507 from c-po/nat-T6345Daniil Baturin
nat: T6345: source NAT port mapping "fully-random" is superfluous in Kernel >=5.0
2024-05-23Merge pull request #3505 from c-po/nat66-T6365Daniil Baturin
nat66: T6365: remove warnings for negated interface selections by name