Age | Commit message (Collapse) | Author |
|
We need to use a temporary variable when validating the tuple if address
is used. If not the else branch will always add the tuple to the list of
addresses used for listen-address.
(cherry picked from commit d13b91462487e090b32c0d1ecf9139a2271b4837)
|
|
(cherry picked from commit eceaa3a787929f5a514b9c45da52936c0d4d4a54)
|
|
Custom OpenVPN options moved back to the command line from a
configuration file. This should keep full compatibility with the
`crux` branch, and allows to avoid mistakes with parsing options
that contain `--` in the middle.
The only smart part of this - handling a `push` option. Because
of internal changes in OpenVPN, previously it did not require an
argument in the double-quotes, but after version update in
`equuleus` and `sagitta` old syntax became invalid. So, all the
`push` options are processed to add quotes. The solution is still
not complete, because if a single config line contains `push` with
other options, it will not work, but it is better than nothing.
(cherry picked from commit 3fd2ff423b6c6e992b2ed531c7ba99fb9e1a2123)
|
|
(cherry picked from commit 77eca49bffede005f546b7d9d3660bf2e32c7e8e)
|
|
(cherry picked from commit 3d00140453b3967370c77ddd9dac4af223a7ddce)
|
|
(cherry picked from commit 73be449b1cd09f3ca86400753630fb4804fbeca7)
|
|
(cherry picked from commit 889e16a77517549fb833a90d047455533be02f06)
|
|
(cherry picked from commit 5d39a113bdef82e201aa43f848217c30db2f6fd9)
|
|
|
|
error
(cherry picked from commit 17215846b512851e7df8cdfcfc06c18b1d27f763)
|
|
(cherry picked from commit f227987ccf41e01d4ddafb6db7b36ecf13148c78)
|
|
This prevents a failover from MASTER -> BACKUP when changing any MASTER related
configuration.
(cherry picked from commit 2c82c9acbde2ccca9c7bb5e646a45fd646463afe)
|
|
|
|
(cherry picked from commit 78cfb949cc6bceab744271cf23f269276b178182)
|
|
(cherry picked from commit 9c825a3457a88a4eebc6475f92332822e5102889)
|
|
|
|
(cherry picked from commit ead10909ba9104733930bb3f59c90610138bd047)
|
|
Different types of tunnels have different keys set in get_interface_config().
Thus it should be properly verified (by e.g. using dict_search()) that the key
in question esits to not raise KeyError.
(cherry picked from commit 5aadf673497b93e2d4ad304e567de1cd571f9e25)
|
|
|
|
|
|
Do not create rfc3768-compatibility interfaces by default because of wrong
Jinja2 syntax. Backporting the entire system makes it easier in the future to
additional bugfixes.
|
|
Commit 260f3832 ("vrrp: keepalived: T616: drop /etc/default/keepalived") dropped
the old daemon configuration but there was one line of code that tried to delete
the file which was no longer present.
This resulted in: KeyError: 'daemon'
|
|
This is a follow-up commit to 65398e5c8 ("vrrp: keepalived: T616: move
configuration to volatile /run directory") as it makes no sense to store a
static /etc/default/keepalived file marked as "Autogenerated by VyOS" that only
enabled the SNMP option to keepalived.
Better pass the --snmp switch via the systemd override file and drop all other
references/files.
|
|
Move keepalived configuration from /etc/keepalived to /run/keepalived.
(cherry picked from commit b243795eba1b36cadd81c3149e833bdf5c5bea70)
|
|
This is a successor to commit a2ac9fac16e ("vyos.template: T2720: always enable
Jinja2 trim_blocks feature"). It only shifts the whitespaces / indents inside
the keepalived configuration file.
(cherry picked from commit c1ac0630cfe0ee65569fbe435cc006ade20fed22)
|
|
This option is mandatory and must be user configurable as it needs to match
on both sides.
(cherry picked from commit 2985035bcb2f3732e15a41e3c2ee6c6c93a6836e)
|
|
(cherry picked from commit a8ccf72c222caad8cd7aaca9bca773be39e87f5c)
|
|
vyos@vyos# show service dhcp-server
shared-network-name LAN {
subnet 10.0.0.0/24 {
default-router 10.0.0.1
dns-server 194.145.150.1
lease 88
range 0 {
start 10.0.0.100
stop 10.0.0.200
}
static-route 192.168.10.0/24 {
next-hop 10.0.0.2
}
static-route 192.168.20.0/24 {
router 10.0.0.2
}
}
}
(cherry picked from commit a4440bd589db645eb99f343a8163e188a700774c)
|
|
Commit b8bb9f586 ("T3822: set the OpenVPN key file owner to openvpn:openvpn")
changed the permissions only for file present in the "fix_permissions" list.
The list did not contain all required certificates - this has been fixed.
|
|
|
|
T3275: conntrack: Backport XML/Python implementation of conntrack CLI
|
|
|
|
Move the two implementations to get the driver name of a NIC from ethernet.py
and ethtool.py to only ethtool.py.
|
|
(cherry picked from commit 2647edc30f1e02840cae62fde8b44345d35ac720)
|
|
(cherry picked from commit 84e912ab2f583864e637c2df137f62f3d4cbeb14)
|
|
This patch allows the use of `"` in ssh public-key options which
unlocks the ability to set the `from` option in a way that sshd will
accept to limit what hosts a user can connect from.
(cherry picked from commit 6b52387190f8213e7e02060e894c6ddd4fb7cb3d)
|
|
tunnel: T2920: Add checks tun with same source addr and keys
|
|
This commit also extends the smoketest to verify that the exception for this
error is raised.
(cherry picked from commit 84a429b41175b95634ec9492e0cf3a564a47abdd)
|
|
2 tunnels with the same local-address should has different keys
Check existing tunnels (source-address key) with new tunnel.
|
|
We have "set system name-server <ipv4|ipv6>" to specify a name-server IP
address we wan't to use. We also have "set system name-servers-dhcp <interface>"
which does the same, but the name-server in question is retrieved via DHCP.
Both CLI nodes are combined under "set system name-server <ipv4|ipv6|interface>"
to keep things as they are in real life - we need a name-server.
|
|
The root cause is that the ipsec-settings.py script is run _twice_:
first from "vpn ipsec options", then from the top level "vpn" node.
The case when it's not required is when:
* "vpn ipsec" configuration doesn't exist yet
* user configured it with "vpn ipsec options"
* the ipsec-settings.py script is run first time, from "vpn ipsec options"
Trying to restart charon at that stage leads to a deadlock.
|
|
Keys are not allowed with ipip and sit tunnels
(cherry picked from commit 7e84566dedfdc532ffe05b404005daa6f21df567)
|
|
nipsec: T3093: Delete temporarily generated code
|
|
This code was generated before to rewrite IPSec to XML style
And this was rewriten/fixed and used in the next 1.4 releases
So we realy don't need it in 1.3 as we use old nodes for it.
|
|
While migrating to get_config_dict() in commit e8a1c291b1 ("login: radius:
T3192: migrate to get_config_dict()") the user-name was not excluded
from mangling (no_tag_node_value_mangle=True).
This resulted in a username "vyos-user" from CLI to be actually created as
"vyos_user" on the system.
This commit also adds respective Smoketests to prevent this in the future.
(cherry picked from commit 658de9ea0fbe91e593f9cf0a8c434791282af100)
|
|
|
|
It makes no sense to have a parser for the ethtool values in ethtool.py
and ethernet.py - one instance ios more then enough!
(cherry picked from commit 0229645c8248decb5664056df8aa5cd5dff41802)
|
|
Only update the RX/TX ring-buffer settings if they are different from the ones
currently programmed to the hardware. There is no need to write the same value
to the hardware again - this could cause traffic disruption on some NICs.
(cherry picked from commit 29082959e0efc02462fba8560d6726096e8743e9)
|
|
Not all interface drivers have the ability to change the speed and duplex
settings. Known drivers with this limitation are vmxnet3, virtio_net and
xen_netfront. If this driver is detected, an error will be presented to the
user.
(cherry picked from commit cc742d48579e4f76e5d3230d87e22f71f76f9301)
|
|
Ethernet adapters have a discrete set of available speed and duplex settings.
Instead of passing every value down to ethtool and let it decide, we can do
this early in the VyOS verify() function for ethernet interfaces.
(cherry picked from commit 91892e431349ca0edb5e3e3023e4f340ab9b777f)
|