summaryrefslogtreecommitdiff
path: root/data
AgeCommit message (Collapse)Author
2024-06-22T5949: Add option to disable USB autosuspendkhramshinr
(cherry picked from commit c0b2693cebc3429e1974a9cec5946fa88ffc0205)
2024-06-10Merge pull request #3617 from vyos/mergify/bp/sagitta/pr-3613Christian Breunig
pki: T6464: sstpc interface not reloaded when updating SSL certificate(s) (backport #3613)
2024-06-10Merge pull request #3619 from vyos/mergify/bp/sagitta/pr-3610Christian Breunig
op-mode: T6424: ipsec: honor certificate CN and CA chain during profile generation (backport #3610)
2024-06-10op-mode: T6424: ipsec: honor certificate CN and CA chain during profile ↵Christian Breunig
generation In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed support for multiple CAs when dealing with the generation of Apple IOS profiles. This commit extends support to properly include the common name of the server certificate issuer and all it's paren't CAs. A list of parent CAs is automatically generated from the "PKI" subsystem content and embedded into the resulting profile. (cherry picked from commit d65f43589612c30dfaa5ce30aca5b8b48bf73211)
2024-06-10pki: T6464: sstpc interface not reloaded when updating SSL certificate(s)Christian Breunig
The SSTPC client was not reloaded/restarted with the new SSL certificate(s) after a change in the PKI subsystem. This was due to missing dependencies. (cherry picked from commit 42294ccd904773fa19a6af0f37cf9526321d87e4)
2024-06-10pki: T6463: reverse-proxy service not reloaded when updating SSL certificate(s)Christian Breunig
The haproxy reverse proxy was not reloaded/restarted with the new SSL certificate(s) after a change in the PKI subsystem. This was due to missing dependencies. (cherry picked from commit 6ce8efdc8dafef67541bed89fc7dc7cd83335bf4)
2024-06-09reverse-proxy: T6454: Set default value of http for haproxy modeAlex W
(cherry picked from commit 60d7c0ecaff49ec62f4600a460f5fbe7b26a0d9c)
2024-06-05isis: T6429: fix isis metric-style configuration missingfett0
(cherry picked from commit 39004c453fb8f71171ba3433ee559b5ff745bebe)
2024-06-03reverse-proxy: T6434: Support additional healthcheck options (#3574) (#3577)mergify[bot]
(cherry picked from commit 3e5cc0b7fb8ae4a0f8b7c9270d9db0a0f252c448) Co-authored-by: Alex W <embezzle.dev@proton.me>
2024-05-30T4576: Accel-ppp logging level configurationkhramshinr
add ability to change logging level config for: * VPN L2TP * VPN PPTP * VPN SSTP * IPoE Server * PPPoE Serve (cherry picked from commit 4d84f786f64d2b80046100ead5d0e8c1eef7418c)
2024-05-30op-mode: ipsec: T6407: fix profile generationChristian Breunig
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates") added support for multiple CA certificates which broke the OP mode command to generate the IPSec profiles as it did not expect a list and was rather working on a string. Now multiple CAs can be rendered into the Apple IOS profile. (cherry picked from commit e6fe6e50a5c817e18c453e7bc42bb2e1c4b17671)
2024-05-30reverse-proxy: T5231: better mark v4v6 listen any addressChristian Breunig
haproxy supports both ":::80 v4v6" and "[::]:80 v4v6" as listen statement, where the later one is more humand readable. Both act in the same way. (cherry picked from commit a2f0b25452c67528077f343d75de09d038e97fee)
2024-05-29ISIS: T6332: Fix isis not working only ipv6fett0
(cherry picked from commit 03fd368ed263ca28c9b1b5e29f486217784d15ef)
2024-05-23reverse-proxy: T6370: Set custom HTTP headers in reverse-proxy responsesAlex W
(cherry picked from commit e1450096b4c667a4c33a3fcd8f67ebf6a39d441d)
2024-05-16T6335: Add/Update EVPN op commandsl0crian1
Added the following commands: show evpn show evpn es show evpn es <es-id> show evpn es detail show evpn es-evi show evpn es-evi detail show evpn es-evi vni <num> show evpn vni show evpn vni detail show evpn vni <num> Updated the following commands: show evpn access-vlan show evpn arp-cache show evpn mac show evpn next-hops show evpn rmac (cherry picked from commit c6be441c86bc8fe2e938e2bd3c85f99071cbfb49)
2024-05-16T5756: L2TP RADIUS backup and weight settingskhramshinr
(cherry picked from commit 75d553932504c55e710265776e4865a238223e1f)
2024-05-14T3420: Remove service upnpViacheslav Hletenko
Remove `service upnp` as it never worked as expected, nft rules do not integrated and custom patches do not seem like a suitable solution for now. Security: UPnP has been historically associated with security risks due to its automatic and potentially unauthenticated nature. UPnP devices might be vulnerable to unauthorized access or exploitation. (cherry picked from commit 7c438caa2c21101cbefc2eec21935ab55af19c46)
2024-05-10Merge pull request #3440 from vyos/mergify/bp/sagitta/pr-3430Christian Breunig
bridge: T6317: add dependency call for wireless interfaces (backport #3430)
2024-05-10image-tools: T6327: drop boot console type ttyUSBJohn Estabrook
(cherry picked from commit 32658e981babffb5b7149534bd50a64d11f7c74f)
2024-05-10bridge: T6317: add dependency call for wireless interfacesChristian Breunig
(cherry picked from commit 431443ab3f663a6617008536d2d6d96407aebfcb)
2024-05-09sstp: T4393: Add support to configure host-name (SNI)Nataliia Solomko
(cherry picked from commit 92b468b9a0d5eee8484601568227f7c56e71b119)
2024-05-04T6291: Add bonding.py to op-mode-standardized.jsonl0crian1
(cherry picked from commit 963daf62d417a3fcccf33ed93904eddd21aa6a02)
2024-05-02netns: T6295: disable incomplete support in VyOS 1.4 sagittaChristian Breunig
The netns support currently available on the VyOS CLI is only a proof-of-technology, we have no real support for any service behind it. In order to not confuse anyone on the LTS branch we decided to remove the netns option for interfaces until there is a proper usecase and implementation available.
2024-05-02Merge pull request #3393 from vyos/mergify/bp/sagitta/pr-3392Daniil Baturin
bgp: T6189: L3VPN connectivity is broken after re-enabling VRF (backport #3392)
2024-05-01vrf: T6189: render FRR L3VNI configuration when creating VRF instanceChristian Breunig
When adding and removing VRF instances on the fly it was noticed that the vni statement under the VRF instance in FRR vanishes. This was caused by a race condition which was previously designed to fix another bug. The wierd design of a Python helper below the VRF tree to only generate the VNI configuration nodes is now gone and all is rendered in the proper place. (cherry picked from commit e7bb65894f86372dc0f6e8fd39b1628e0a224c68)
2024-05-01pppoe-server: T6234: PPPoE-server pado-delay refactoringNataliia Solomko
(cherry picked from commit 107ee099e82397b31fca8cf1ac3860cbf76f0596)
2024-05-01haproxy: T6179: fix rule generationNicolas Vollmar
(cherry picked from commit 0be0cdb932ca2d7399c026f1f601b56e179cc9c3)
2024-04-30openconnect: T4982: Support defining minimum TLS version in openconnect VPNAlex W
(cherry picked from commit 9ff74d4370f0a5f66c303074796dab8b1ca5c4a5)
2024-04-23T6255: static-routing: don't render whitespace from static table descriptionsAlex W
(cherry picked from commit 8602c84e1b7c0da4c4c57fc2d034ec18497303fd)
2024-04-23T6226: add HAPROXY tcp-request related block to load-balancing reverse proxy ↵Windom WU
config (cherry picked from commit 984c386d11ead8371b7ac381e6c0921473e557ed)
2024-04-22T6237: IPSec remote access VPN: ability to set EAP ID of clientsAlex W
(cherry picked from commit 78ea623df20b44309cc6ac9848ed18e97fc4ed03)
2024-04-21T6246: improve haproxy http check configurationNicolas Vollmar
(cherry picked from commit 050f24770aec7a74c1a07ba64cf2cb83afb72f1a)
2024-04-19T6246: adds basic haproxy http-check configurationNicolas Vollmar
(cherry picked from commit 785616393557c4e3f616287de81b61a68ba177ac)
2024-04-16T6242: load-balancing reverse-proxy: Ability for ssl backends to not verify ↵Alex W
server certificates (cherry picked from commit aafe22d08bb38a579dd5075fd27a1b88beeca791)
2024-04-12Merge pull request #3299 from vyos/mergify/bp/sagitta/pr-3296Christian Breunig
pppoe-server: T6141: T5364: PPPoE-server add pado-delay without sessions fails (backport #3296)
2024-04-12pppoe-server: T6141: T5364: PPPoE-server add pado-delay without sessions ↵Nataliia Solomko
fails (#3296) (cherry picked from commit 6d8336f5ad2d9c4e0f12b54681db2924d6998d2d)
2024-04-12T5871: ipsec remote access VPN: specify "cacerts" for client auth.Lucas Christian
(cherry picked from commit ecc83562b4d756cc50910561a3f52ec260aeb478)
2024-04-06conntrack-sync: T1244: add CLI support for StartupResyncNataliia Solomko
(cherry picked from commit 2eb7f96ca2038bf37dc1d274821ca6f619489b58)
2024-04-03T6068: T6171: change <fail-over> node from dhcp-server to ↵Nicolas Fort
<high-availability>. Also, add <mode> parameter in order to configure active-active or active-passive behavior for HA.
2024-04-03Merge pull request #3235 from vyos/mergify/bp/sagitta/pr-3229Daniil Baturin
T6192: allow binding SSH to multiple VRF instances (backport #3229)
2024-04-02ssh: T6192: allow binding to multiple VRF instancesChristian Breunig
Currently VyOS only supports binding a service to one individual VRF. It might become handy to have the services (initially it will be VRF, NTP and SNMP) be bound to multiple VRFs. Changed VRF from leafNode to multi leafNode with defaultValue: default - which is the name of the default VRF. (cherry picked from commit e5af1f0905991103b12302892e6f0070bbb7b770)
2024-04-02T6196: Fixed applying parameters for aggregation in BGPaapostoliuk
Fixed using 'route-map', 'as-set' and 'summary-only' together in aggregation in BGP (cherry picked from commit d8df8339d665db58afbf20cecaeb49ac9d1b617d)
2024-04-01bgp: T6010: Allow configuration of disable-ebgp-connected-route-checkfett0
(cherry picked from commit 010c4061a8884a3617368f3618a425dc517d0675)
2024-04-01dhcpv6-client: T2590: fix vyos-hostsd update for nameserver and search domainsChristian Breunig
After migrating from ISC DHCLIENT for IPv6 to wide-dhcp-client the logic which was present to update /etc/resolv.conf with the DHCP specified nameservers and also the search domain list was no longer present. This commit adds a per interface rendered script to inform vyos-hostsd about the received IPv6 nameservers and search domains. (cherry picked from commit ece425f0191762638b7c967097accd8739e9103d)
2024-03-28T5832: VRRP allow set interface for exluded-addressViacheslav Hletenko
Ability to set interface for `excluded-address` The excluded-addresses are not listed in the VRRP packet (adverts packets). We have this ability for `address`, add the same feature for the excluded-address ``` set high-availability vrrp group GRP-01 excluded-address 192.0.2.202 interface 'dum2' set high-availability vrrp group GRP-01 excluded-address 192.0.2.203 interface 'dum3' ``` (cherry picked from commit 0daf445abcd00446da21fe0220d41d5fdde95ebd)
2024-03-28T5872: re-write exit hook to always regenerate configLucas Christian
(cherry picked from commit 679b78356cbda4de15f96a7f22d4a98037dbeea4)
2024-03-28T5872: fix ipsec dhclient exit hookLucas Christian
(cherry picked from commit cd8ef21f280f726955f537132e3fab2bcb3c286f)
2024-03-28T5872: ipsec remote access VPN: support dhcp-interface.Lucas Christian
(cherry picked from commit f7834324d3d9edd7e161e7f2f3868452997c9c81)
2024-03-28op-mode: T6175: "renew dhcp interface <name>" does not check for DHCP interfaceChristian Breunig
The current op-mode script simply calls sudo systemctl restart "dhclient@$4.service" with no additional information about a client interface at all. This results in useless dhclient processes root 47812 4.7 0.0 5848 3584 ? Ss 00:30 0:00 /sbin/dhclient -4 -d root 48121 0.0 0.0 4188 3072 ? S 00:30 0:00 \_ /bin/sh /sbin/dhclient-script root 48148 50.0 0.2 18776 11264 ? R 00:30 0:00 \_ python3 - Which also assign client leases to all local interfaces, if we receive one valid DHCPOFFER vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address MAC VRF MTU S/L Description ----------- ----------------- ----------------- ------- ----- ----- ------------- eth0 - 00:50:56:bf:c5:6d default 1500 u/u eth0.10 172.16.33.102/24 00:50:56:bf:c5:6d default 1500 u/u eth1 172.16.33.131/24 00:50:56:b3:38:c5 default 1500 u/u 172.16.33.102/24 and 172.16.33.131/24 are stray DHCP addresses. This commit moved the renew command to the DHCP op-mode script to properly validate if the interface we request a renew for, has actually a dhcp address configured. In additional this exposes the renew feature to the API. (cherry picked from commit 7dbaa25a199a781aaa9f269741547e576410cb11)
2024-03-13radvd: T6118: add nat64prefix support RFC8781Christian Breunig
Add support for pref64 option, as defined in RFC8781. The prefix valid lifetime must not be smaller than the "interface interval max" definition which defaults to 600. set service router-advert interface eth1 nat64prefix 64:ff9b::/96 (cherry picked from commit f1ead5c6a16aba00699b8a5b9c18ef6cffe8cc4d)