summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-12-16Merge pull request #2572 from fett0/T5796Christian Breunig
T5796:backport-add/fixed OCSERV HTTP security headers
2023-12-15 T5796:add command http-security-headersfett0
2023-12-12Merge pull request #2619 from sever-sever/T5817Daniil Baturin
T5817: Fix for show openvpn server
2023-12-12T5817: Fix for show openvpn serverViacheslav Hletenko
In some cases we can get error: ``` Traceback (most recent call last): File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 173, in <module> data = get_status(args.mode, intf) File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 130, in get_status client["tunnel"] = get_vpn_tunnel_address(client['remote'], interface) File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 66, in get_vpn_tunnel_address tunnel_ip = lst[0].split(',')[0] IndexError: list index out of range ```
2023-12-09Merge pull request #2540 from aapostoliuk/T5413-equuleusDaniil Baturin
wireguard: T5413: Blocked adding the peer with the router's public key
2023-12-04 T5796:add/fixed OCSERV HTTP security headersfett0
2023-12-04Merge pull request #2570 from dmbaturin/https-api-keys-fix1.3.5Daniil Baturin
https: T5772: Move API key check to http-api.py
2023-12-04https: T5772: return from verify if NoneJohn Estabrook
​ Signed-off-by: Daniil Baturin <daniil@baturin.org>
2023-12-04https: T5772: require that at least one valid API key is presentDaniil Baturin
2023-12-04Revert "https api: T5772: check if keys are configured"Daniil Baturin
This reverts commit 57ba2fa91573ad2ecd03f0c2eb89507dfc397f1e.
2023-12-02Merge pull request #2442 from srividya0208/T5714Daniil Baturin
T5714: op-cmd: Fix for "show log vpn ipsec/all"
2023-11-30Merge pull request #2553 from dmbaturin/T5772Daniil Baturin
https: T5772: remove the default API key
2023-11-30https: T5772: remove the default API keyDaniil Baturin
The new verification code prevents it from being used, but it's not a reason to keep it
2023-11-28Merge pull request #2536 from c-po/backport-pr-2527Christian Breunig
pppoe: T5630: make MRU default to MTU if unspecified (backport #2527)
2023-11-27Merge pull request #2548 from vyos/mergify/bp/equuleus/pr-2511Christian Breunig
T5763: fix imprecise check for remote file name (backport #2511)
2023-11-27T5763: fix imprecise check for remote file nameJohn Estabrook
(cherry picked from commit fe9b08665367b8e7d9b906a0760d44efc9b5cafb)
2023-11-24wireguard: T5413: Blocked adding the peer with the router's public keyaapostoliuk
Disabled adding the peer with the same public key as the router has. Backport from current https://github.com/vyos/vyos-1x/pull/2122
2023-11-23Merge pull request #2537 from c-po/tftp-no-vrf-smoketestDaniil Baturin
smoketest: tftp: T4012: disable VRF based tests due to false positives
2023-11-23Merge pull request #2531 from vyos/mergify/bp/equuleus/pr-2522Daniil Baturin
https api: T5772: check if keys are configured unless PAM auth is enabled for GraphQL (backport #2522)
2023-11-23smoketest: tftp: T4012: disable VRF based tests due to false positivesChristian Breunig
TFTP VRF support is working on a live system but the smoketests tend to fail. This commit removes the VRF based smoketests for TFTP server, to make the equuleus Jenkins builds work again.
2023-11-23pppoe: T5630: make MRU default to MTU if unspecifiedChristian Breunig
This fixes the implementation in e062a8c11 ("pppoe: T5630: allow to specify MRU in addition to already configurable MTU") and restores the bahavior that MRU defaults to MTU if MRU is not explicitly set. This was the behavior in VyOS 1.3.3 and below before we added ability to define the MRU value. (cherry picked from commit ffd7339e2ea3eafdd97ac0763ca4a3913fe71bf3)
2023-11-23https api: T5772: check if keys are configuredDaniil Baturin
unless PAM auth is enabled for GraphQL (cherry picked from commit 8c450ea7f538beb0b2cd21d35c05d18db49a1802)
2023-11-21Merge pull request #2513 from zdc/T5577-equuleusChristian Breunig
PAM: T5577: Optimized RADIUS PAM config (backport from circinus)
2023-11-20PAM: T5577: Optimized RADIUS PAM configzsdc
- Added system `radius` group - Added `mandatory` and `optional` modes for RADIUS - Improved PAM config for RADIUS New modes: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-11-16Merge pull request #2492 from mkorobeinikov/equuleusChristian Breunig
T4940: new interfaces debugging command equuleus
2023-11-16T4940: new interfaces debugging command equuleusmkorobeinikov
2023-11-08T5714: op-cmd: Fix for "show log vpn ipsec/all"srividya0208
No results shown for this command "show log vpn ipsec" Changed to journalctl
2023-11-06Merge pull request #2348 from c-po/t4269-cli-defaults-backportChristian Breunig
scripts: T4269: node.def generator should automatically add default values (backport)
2023-10-31Merge pull request #2420 from rebortg/patch-1Christian Breunig
bridge: T5670: add missing constraint on "member interface" node
2023-10-31bridge: T5670: add missing constraint on "member interface" nodeRobert Göhler
correct include filename extension
2023-10-31Merge pull request #2310 from sever-sever/T5586-eqDaniil Baturin
T5586: Disable by default SNMP for Keeplived VRRP service
2023-10-25Merge pull request #2402 from c-po/equuleus-t5670Daniil Baturin
bridge: T5670: add missing constraint on "member interface" node
2023-10-25bridge: T5670: add missing constraint on "member interface" nodeChristian Breunig
One could specify a bridge member of VXLAN1 interface, but it is not possible to create a VXLAN interface with the name of VXLAN1 - prohibited by VXLAN interface name validator. Add missing interface-name validator code (cherry picked from commit 45dc149e4e3c0c294deac6fd541bb027d2280ea1) (cherry picked from commit e619b23b8889543465b61eb00d5b0d3c8063ae95)
2023-10-19Merge pull request #2381 from c-po/vxlan-t5669Christian Breunig
vxlan: T5669: unable to change port number
2023-10-19vxlan: T5669: unable to change port numberChristian Breunig
set interfaces vxlan vxlan23 address '100.64.10.2/24' set interfaces vxlan vxlan23 remote '192.0.2.1' set interfaces vxlan vxlan23 source-address '192.0.2.5' set interfaces vxlan vxlan23 vni '23' commit set interfaces vxlan vxlan23 port '4789' commit vyos@r1# ip -d link show dev vxlan23 12: vxlan23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/ether 22:6e:6d:33:c5:6b brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 vxlan id 23 remote 192.0.2.1 local 192.0.2.5 srcport 0 0 dstport 8472 Port remains at the default value of 8472 This has been fixed
2023-10-08Merge pull request #2333 from sever-sever/T5213-eq1.3.4Daniil Baturin
T5213: Add accounting-interim-interval option for PPPoE-server
2023-10-08Merge pull request #2347 from c-po/equuleusDaniil Baturin
pppoe: T5630: allow to specify MRU in addition to already configurable MTU (backport #2335)
2023-10-08scripts: T4269: node.def generator should automatically add default valuesChristian Breunig
Since introducing the XML <defaultValue> node it was common, but redundant, practice to also add a help string indicating which value would be used as default if the node is unset. This makes no sense b/c it's duplicated code/value/characters and prone to error. The node.def scripts should be extended to automatically render the appropriate default value into the CLI help string. For e.g. SSH the current PoC renders: $ cat templates-cfg/service/ssh/port/node.def multi: type: txt help: Port for SSH service (default: 22) val_help: u32:1-65535; Numeric IP port ... Not all subsystems are already migrated to get_config_dict() and make use of the defaults() call - those subsystems need to be migrated, first before the new default is added to the CLI help. (cherry picked from commit a68c9238111c6caee78bb28f8054b8f0cfa0e374)
2023-10-08pppoe: T5630: verify MRU is less or equal then MTUChristian Breunig
(cherry picked from commit e357258e645cf85de0035d4ecfbf99db4dd90f7e)
2023-10-08pppoe: T5630: allow to specify MRU in addition to already configurable MTUChristian Breunig
Set the MRU (Maximum Receive Unit) value to n. PPPd will ask the peer to send packets of no more than n bytes. The value of n must be between 128 and 16384, the default was always 1492 to match PPPoE MTU. A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256 bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280. CLI: set interfaces pppoe pppoe0 mru 1280 (cherry picked from commit e062a8c11856f213983f5b41f50d4f9dbc0dde0f)
2023-10-03T5213: Add accounting-interim-interval option for PPPoE-serverViacheslav Hletenko
Add accounting-interim-interval option for PPPoE-server set service pppoe-server authentication radius accounting-interim-interval '60'
2023-09-26T5586: Disable by default SNMP for Keeplived VRRP serviceViacheslav Hletenko
AgentX does not work stable. From time to time we see the system service crashing/degrading if something is wrong with SNMP from util net-snmp. We should disable it by default and enable it only if configured. set high-availability vrrp snmp
2023-09-19Merge pull request #2282 from nicolas-fort/T5594-equuleusChristian Breunig
T5594: vrrp: extend function is_ipv6_tentative
2023-09-18T5594: vrrp: extend function is_ipv6_tentativeNicolas Fort
2023-09-07Merge pull request #2219 from sarthurdev/T5555_equuleusChristian Breunig
system: T5555: Fix time-zone migrator changing valid time-zones to UTC
2023-09-07system: T5555: Fix time-zone migrator changing valid time-zones to UTCsarthurdev
2023-09-05Merge pull request #2200 from sever-sever/T5533-eqDaniil Baturin
T5533: Fix VRRP IPv6 FAULT state due to IPv6 tentative state
2023-09-05Merge pull request #2198 from mlk-89/equuleusChristian Breunig
T5545: fix sflow configuration
2023-09-04T5533: Fix VRRP IPv6 FAULT state due to IPv6 tentative stateViacheslav Hletenko
Checks if an IPv6 address on a specific network interface is in the tentative state. IPv6 tentative addresses are not fully configured and are undergoing Duplicate Address Detection (DAD) to ensure they are unique on the network. inet6 2001:db8::3/125 scope global tentative It tentative state the group enters in FAULT state. Fix it.
2023-09-04T5545: fix sflow configurationMaxime.L