Age | Commit message (Collapse) | Author |
|
server certificates
(cherry picked from commit aafe22d08bb38a579dd5075fd27a1b88beeca791)
|
|
T5535: firewall: migrate command <set system ip disable-directed-broadcast> to firewall global-optinos (backport #3309)
|
|
(cherry picked from commit 9f9891a209957403dfa3ae9ec2cd56d8d9eedb86)
|
|
Check if DH is configured for OpenVPN but does not exist in the
PKI section
```
set pki dh dh-correct parameters 'xxxx'
set interfaces openvpn vtun10 tls dh-params 'dh-fake'
File "/usr/libexec/vyos/conf_mode/interfaces_openvpn.py", line 208, in verify_pki
pki_dh = pki['dh'][tls['dh_params']]
~~~~~~~~~^^^^^^^^^^^^^^^^^^
KeyError: 'dh-fake'
```
(cherry picked from commit 95cd743c24c6f7720af87450312fc111649db849)
|
|
to firewall global-optinos
(cherry picked from commit 76dcecafca977b640dd16d8e68c4a050ca1af4fb)
|
|
fails (#3296)
(cherry picked from commit 6d8336f5ad2d9c4e0f12b54681db2924d6998d2d)
|
|
(cherry picked from commit 6b5590ae3325320a2b6bbcb34086ddb178860160)
|
|
There are cloud environments available where the maximum supported ethernet
MTU is e.g. 1450 bytes, thus we clamp this to the adapters maximum MTU value
or 1500 bytes - whatever is lower.
(cherry picked from commit 8296cc727066e739c178918a91cfc11d20d26fe1)
|
|
Commit 1b364428f ("login: T5875: restore home directory permissions only when
needed") added logic to chown the users home directory if it's UID changes.
This might happen when a user account is deleted and re-added to the system.
Under rar e circumstances it was possible that the implementation triggered
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
KeyError: 'getpwuid(): uid not found: XXXX'
This has been fixed by re-arranging the code path with an additional try/except
if the PW database information could not be retrieved leading to an implicit
chown() of the home directory to the user beeing added.
(cherry picked from commit 1165bb497ec2d6d1b3b12d6c03435b0210efe9e5)
|
|
ipoe: T6205: error in migration script logic while renaming mac-address to mac node (backport #3263)
|
|
'upper'
Commit b30faa43c (container: T6208: rename "cap-add" CLI node to "capability")
added an AttributeError referencing an out of scope variable.
This has been fixed.
(cherry picked from commit 2463bd292f14e46fdb26116791a89ca2eb651d17)
|
|
Containers have the ability to add Linux system capabilities to them, this is
done using the "set container name <name> cap-add" command.
The CLI node sounds off and rather should be "set container name <name>
capability" instead as we use and pass a capability to a container and not
add/invent new ones.
(cherry picked from commit b30faa43c28b592febd83a7fd3a58247de6b27bc)
|
|
mac node
The problem was introduced in [1] but the config migrator part unfortunately
was added to the wrong version [2]. As IPoE config version 0 was only active
during the 1.3 development cycle and VyOS 1.3.0 was already released with config
version 1 we can safely drop the migrator 0-to-1 and move the code to 1-to-2 to
properly support upgrades from VyOS 1.3 -> 1.4 or newer.
1: https://github.com/vyos/vyos-1x/commit/05df2a5f021f0c7aab7c06db645d210858b6e98d#diff-08291bf77870abe3af8bbe3e8ce4bbf344fd0498b2c5c75a75aa7235d381c88eL168
2: https://github.com/vyos/vyos-1x/commit/05df2a5f021f0c7aab7c06db645d210858b6e98d#diff-b8bb58b75607d3653e74d82eff02442f9f3ab82698f160ba37858f7cdf6c79ccR44-R46
(cherry picked from commit a5ccc06c08d3a9696f1c03c8d0c7de78ce1fd3c5)
|
|
(cherry picked from commit 489e6fababa60d9c0fbfdb421305cbe563432499)
# Conflicts:
# src/migration-scripts/dhcp-server/9-to-10
# src/migration-scripts/dhcpv6-server/3-to-4
|
|
(cherry picked from commit d403117cdb5e7718c8590cfeb79a336cb5b67aac)
|
|
T6199: spring cleaning - drop unused Python imports (backport #3240)
|
|
found using "git ls-files *.py | xargs pylint | grep W0611"
(cherry picked from commit 274b2da242acd1f1f64ff1dee471e34295137c5f)
|
|
* Use interface_exists() outside of verify()
* Use verify_interface_exists() in verify() to drop common error message
(cherry picked from commit 4c7c168fe970b807750a05ceb66b70c0d8652535)
|
|
<high-availability>. Also, add <mode> parameter in order to configure active-active or active-passive behavior for HA.
|
|
T6192: allow binding SSH to multiple VRF instances (backport #3229)
|
|
The next evolutional step after adding get_config_dict(..., with_pki=True) is
to add a common verification function for the recurring task of validating SSL
certificate existance in e.g. EAPoL, OpenConnect, SSTP or HTTPS.
(cherry picked from commit 3b758d870449e92fece9e29c791b950b332e6e65)
|
|
Currently VyOS only supports binding a service to one individual VRF. It might
become handy to have the services (initially it will be VRF, NTP and SNMP) be
bound to multiple VRFs.
Changed VRF from leafNode to multi leafNode with defaultValue: default - which
is the name of the default VRF.
(cherry picked from commit e5af1f0905991103b12302892e6f0070bbb7b770)
|
|
(cherry picked from commit 5bb27f0c6220fd940b63cdd37a60c312c0ac3efd)
|
|
(cherry picked from commit 462ba67cf2e193883e33b4ce655b2b0cd1aab80f)
|
|
(cherry picked from commit f92ef7f3c86ca09775b536ca2bd9813f95cc7d3f)
|
|
(cherry picked from commit a33946630348371518247ff13ce918c208ef50d1)
|
|
(cherry picked from commit e257155aea09b906d8784cb6143d3ab27578c4a8)
|
|
(cherry picked from commit 09ac2851f89f2b7d94a21c3506e46f380e961fba)
|
|
(cherry picked from commit 6e0fdbcbba39691461f791c7a68a2c6c5091d2c1)
|
|
name-server option"
This fixes an invalid warning when using a DHCP VLAN interface to retrieve the
system nameserver to be used. VLAN CLI config is not properly expanded
leading to a false warning:
[ system name-server eth1.10 ]
WARNING: "eth1.10" is not a DHCP interface but uses DHCP name-server option!
(cherry picked from commit 61e70c5500ad5b0a9d25bdee28d982644bad6461)
|
|
(cherry picked from commit 320fe827b4842b0c0da1ec5fee3d41a5730334d5)
|
|
peer-group
changed exception condition
Improved route_reflector_client test
(cherry picked from commit 84f05b1dd41bea5de16d707aa77a467f8d499323)
|
|
dhcp-server: T4718: Listen-address is not commited if the IP address is on the interface with a VRF
|
|
T5872: ipsec remote access VPN: support dhcp-interface. (backport #2965)
|
|
This changes behaviour from fetching CA chain in PKI, to the user manually setting CA certificates.
Prevents unwanted parent CAs existing in PKI from being auto-included as may not be desired/intended.
(cherry picked from commit 952b1656f5164f6cfc601e040b48384859e7a222)
|
|
(cherry picked from commit 679b78356cbda4de15f96a7f22d4a98037dbeea4)
|
|
(cherry picked from commit f7834324d3d9edd7e161e7f2f3868452997c9c81)
|
|
interface with vrf
|
|
(cherry picked from commit 2ba435fa4bc8a5c9b2285fb9215ebc582bfb5fdf)
|
|
Users can not (FRR fails) commit the same network belonging to different OSPF
areas. Add verify() check to prevent this.
(cherry picked from commit c6d8d9c012da1a7566eec2dff70385457f073e64)
|
|
This is a leftover after commit 0e050cb35 (isis: T3417: drop artificial "domain"
node identifying the IS-IS process name). Drop all references to "process"
variable.
Specifying:
set protocols isis interface eth1
set protocols isis net '49.0001.1921.6825.5255.00'
set protocols isis redistribute ipv4 bgp
Triggered an exception
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 309, in <module>
verify(c)
File "/usr/libexec/vyos/conf_mode/protocols_isis.py", line 158, in verify
f'"protocols isis {process} redistribute {afi} {proto}"!')
^^^^^^^
NameError: name 'process' is not defined
(cherry picked from commit 78212414e085d6261a32015553eb3e407f77792f)
|
|
* Move global state-policy smoketest to it's own test, verify conntrack
(cherry picked from commit 62bda3b082a79c2f31483dba5bfeb19464f6dbe2)
|
|
(cherry picked from commit e2df1f4929774792c1d4bfb78c2dfa5bdf7f0825)
|
|
radvd: T6118: add nat64prefix support RFC8781 (backport #3125)
|
|
Add support for pref64 option, as defined in RFC8781. The prefix valid lifetime
must not be smaller than the "interface interval max" definition which defaults
to 600.
set service router-advert interface eth1 nat64prefix 64:ff9b::/96
(cherry picked from commit f1ead5c6a16aba00699b8a5b9c18ef6cffe8cc4d)
|
|
Lower available CPU C states to a minimum if this option set. This will set
Kernel commandline options "intel_idle.max_cstate=0 processor.max_cstate=1".
(cherry picked from commit 3a3e0dff4ff1f80835eca6b2362d792e3ecacc8e)
|
|
(cherry picked from commit 1fbda31623054ee944d063f738e4d1d4170341ef)
|
|
Added health-check to sync-group in CLI
Don't use instance health-check when instance in sync group member
Disallow wrong healtch-check configurations
New smoke test
|
|
firewall|nat rules.
(cherry picked from commit 3c0634e572ffdecaf24a9dac16678427f22761ab)
|
|
If we have any `vpn ipsec` and `protocol nhrp` configuration we
get the empty configuration file `/run/opennhrp/opennhrp.conf`
after rebooting the system.
Use config dependency instead of the old `resync_nhrp` function
fixes this issue
(cherry picked from commit 689fea253d9019df20d5c6ac7fa22d5e8454afab)
|