Age | Commit message (Collapse) | Author |
|
(cherry picked from commit c0b2693cebc3429e1974a9cec5946fa88ffc0205)
|
|
pki: T6464: sstpc interface not reloaded when updating SSL certificate(s) (backport #3613)
|
|
op-mode: T6424: ipsec: honor certificate CN and CA chain during profile generation (backport #3610)
|
|
generation
In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed
support for multiple CAs when dealing with the generation of Apple IOS profiles.
This commit extends support to properly include the common name of the server
certificate issuer and all it's paren't CAs. A list of parent CAs is
automatically generated from the "PKI" subsystem content and embedded into the
resulting profile.
(cherry picked from commit d65f43589612c30dfaa5ce30aca5b8b48bf73211)
|
|
The SSTPC client was not reloaded/restarted with the new SSL certificate(s)
after a change in the PKI subsystem.
This was due to missing dependencies.
(cherry picked from commit 42294ccd904773fa19a6af0f37cf9526321d87e4)
|
|
The haproxy reverse proxy was not reloaded/restarted with the new SSL
certificate(s) after a change in the PKI subsystem. This was due to missing
dependencies.
(cherry picked from commit 6ce8efdc8dafef67541bed89fc7dc7cd83335bf4)
|
|
(cherry picked from commit 60d7c0ecaff49ec62f4600a460f5fbe7b26a0d9c)
|
|
(cherry picked from commit 39004c453fb8f71171ba3433ee559b5ff745bebe)
|
|
(cherry picked from commit 3e5cc0b7fb8ae4a0f8b7c9270d9db0a0f252c448)
Co-authored-by: Alex W <embezzle.dev@proton.me>
|
|
add ability to change logging level config for:
* VPN L2TP
* VPN PPTP
* VPN SSTP
* IPoE Server
* PPPoE Serve
(cherry picked from commit 4d84f786f64d2b80046100ead5d0e8c1eef7418c)
|
|
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates")
added support for multiple CA certificates which broke the OP mode command
to generate the IPSec profiles as it did not expect a list and was rather
working on a string.
Now multiple CAs can be rendered into the Apple IOS profile.
(cherry picked from commit e6fe6e50a5c817e18c453e7bc42bb2e1c4b17671)
|
|
haproxy supports both ":::80 v4v6" and "[::]:80 v4v6" as listen statement,
where the later one is more humand readable. Both act in the same way.
(cherry picked from commit a2f0b25452c67528077f343d75de09d038e97fee)
|
|
(cherry picked from commit 03fd368ed263ca28c9b1b5e29f486217784d15ef)
|
|
(cherry picked from commit e1450096b4c667a4c33a3fcd8f67ebf6a39d441d)
|
|
Added the following commands:
show evpn
show evpn es
show evpn es <es-id>
show evpn es detail
show evpn es-evi
show evpn es-evi detail
show evpn es-evi vni <num>
show evpn vni
show evpn vni detail
show evpn vni <num>
Updated the following commands:
show evpn access-vlan
show evpn arp-cache
show evpn mac
show evpn next-hops
show evpn rmac
(cherry picked from commit c6be441c86bc8fe2e938e2bd3c85f99071cbfb49)
|
|
(cherry picked from commit 75d553932504c55e710265776e4865a238223e1f)
|
|
Remove `service upnp` as it never worked as expected, nft rules do
not integrated and custom patches do not seem like a suitable
solution for now.
Security:
UPnP has been historically associated with security risks due to its automatic
and potentially unauthenticated nature.
UPnP devices might be vulnerable to unauthorized access or exploitation.
(cherry picked from commit 7c438caa2c21101cbefc2eec21935ab55af19c46)
|
|
bridge: T6317: add dependency call for wireless interfaces (backport #3430)
|
|
(cherry picked from commit 32658e981babffb5b7149534bd50a64d11f7c74f)
|
|
(cherry picked from commit 431443ab3f663a6617008536d2d6d96407aebfcb)
|
|
(cherry picked from commit 92b468b9a0d5eee8484601568227f7c56e71b119)
|
|
(cherry picked from commit 963daf62d417a3fcccf33ed93904eddd21aa6a02)
|
|
The netns support currently available on the VyOS CLI is only a
proof-of-technology, we have no real support for any service behind it.
In order to not confuse anyone on the LTS branch we decided to remove the
netns option for interfaces until there is a proper usecase and implementation
available.
|
|
bgp: T6189: L3VPN connectivity is broken after re-enabling VRF (backport #3392)
|
|
When adding and removing VRF instances on the fly it was noticed that the vni
statement under the VRF instance in FRR vanishes. This was caused by a race
condition which was previously designed to fix another bug.
The wierd design of a Python helper below the VRF tree to only generate the
VNI configuration nodes is now gone and all is rendered in the proper place.
(cherry picked from commit e7bb65894f86372dc0f6e8fd39b1628e0a224c68)
|
|
(cherry picked from commit 107ee099e82397b31fca8cf1ac3860cbf76f0596)
|
|
(cherry picked from commit 0be0cdb932ca2d7399c026f1f601b56e179cc9c3)
|
|
(cherry picked from commit 9ff74d4370f0a5f66c303074796dab8b1ca5c4a5)
|
|
(cherry picked from commit 8602c84e1b7c0da4c4c57fc2d034ec18497303fd)
|
|
config
(cherry picked from commit 984c386d11ead8371b7ac381e6c0921473e557ed)
|
|
(cherry picked from commit 78ea623df20b44309cc6ac9848ed18e97fc4ed03)
|
|
(cherry picked from commit 050f24770aec7a74c1a07ba64cf2cb83afb72f1a)
|
|
(cherry picked from commit 785616393557c4e3f616287de81b61a68ba177ac)
|
|
server certificates
(cherry picked from commit aafe22d08bb38a579dd5075fd27a1b88beeca791)
|
|
pppoe-server: T6141: T5364: PPPoE-server add pado-delay without sessions fails (backport #3296)
|
|
fails (#3296)
(cherry picked from commit 6d8336f5ad2d9c4e0f12b54681db2924d6998d2d)
|
|
(cherry picked from commit ecc83562b4d756cc50910561a3f52ec260aeb478)
|
|
(cherry picked from commit 2eb7f96ca2038bf37dc1d274821ca6f619489b58)
|
|
<high-availability>. Also, add <mode> parameter in order to configure active-active or active-passive behavior for HA.
|
|
T6192: allow binding SSH to multiple VRF instances (backport #3229)
|
|
Currently VyOS only supports binding a service to one individual VRF. It might
become handy to have the services (initially it will be VRF, NTP and SNMP) be
bound to multiple VRFs.
Changed VRF from leafNode to multi leafNode with defaultValue: default - which
is the name of the default VRF.
(cherry picked from commit e5af1f0905991103b12302892e6f0070bbb7b770)
|
|
Fixed using 'route-map', 'as-set' and 'summary-only' together in
aggregation in BGP
(cherry picked from commit d8df8339d665db58afbf20cecaeb49ac9d1b617d)
|
|
(cherry picked from commit 010c4061a8884a3617368f3618a425dc517d0675)
|
|
After migrating from ISC DHCLIENT for IPv6 to wide-dhcp-client the logic which
was present to update /etc/resolv.conf with the DHCP specified nameservers and
also the search domain list was no longer present.
This commit adds a per interface rendered script to inform vyos-hostsd about
the received IPv6 nameservers and search domains.
(cherry picked from commit ece425f0191762638b7c967097accd8739e9103d)
|
|
Ability to set interface for `excluded-address`
The excluded-addresses are not listed in the VRRP packet (adverts packets).
We have this ability for `address`, add the same feature for the
excluded-address
```
set high-availability vrrp group GRP-01 excluded-address 192.0.2.202 interface 'dum2'
set high-availability vrrp group GRP-01 excluded-address 192.0.2.203 interface 'dum3'
```
(cherry picked from commit 0daf445abcd00446da21fe0220d41d5fdde95ebd)
|
|
(cherry picked from commit 679b78356cbda4de15f96a7f22d4a98037dbeea4)
|
|
(cherry picked from commit cd8ef21f280f726955f537132e3fab2bcb3c286f)
|
|
(cherry picked from commit f7834324d3d9edd7e161e7f2f3868452997c9c81)
|
|
The current op-mode script simply calls sudo systemctl restart "dhclient@$4.service"
with no additional information about a client interface at all.
This results in useless dhclient processes
root 47812 4.7 0.0 5848 3584 ? Ss 00:30 0:00 /sbin/dhclient -4 -d
root 48121 0.0 0.0 4188 3072 ? S 00:30 0:00 \_ /bin/sh /sbin/dhclient-script
root 48148 50.0 0.2 18776 11264 ? R 00:30 0:00 \_ python3 -
Which also assign client leases to all local interfaces, if we receive one
valid DHCPOFFER
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address MAC VRF MTU S/L Description
----------- ----------------- ----------------- ------- ----- ----- -------------
eth0 - 00:50:56:bf:c5:6d default 1500 u/u
eth0.10 172.16.33.102/24 00:50:56:bf:c5:6d default 1500 u/u
eth1 172.16.33.131/24 00:50:56:b3:38:c5 default 1500 u/u
172.16.33.102/24 and 172.16.33.131/24 are stray DHCP addresses.
This commit moved the renew command to the DHCP op-mode script to properly
validate if the interface we request a renew for, has actually a dhcp address
configured. In additional this exposes the renew feature to the API.
(cherry picked from commit 7dbaa25a199a781aaa9f269741547e576410cb11)
|
|
Add support for pref64 option, as defined in RFC8781. The prefix valid lifetime
must not be smaller than the "interface interval max" definition which defaults
to 600.
set service router-advert interface eth1 nat64prefix 64:ff9b::/96
(cherry picked from commit f1ead5c6a16aba00699b8a5b9c18ef6cffe8cc4d)
|