summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2024-06-20openconnect: T6500: add support for multiple ca-certificates (#3691)mergify[bot]
Add possibility to provide a full CA chain to the openconnect server. * Support multiple CA certificates * For every CA certificate specified, always determine the full certificate chain in the background and add the necessary SSL certificates (cherry picked from commit 973f06c00b902c43dfea34bdf01bdec7c599c452) Co-authored-by: Christian Breunig <christian@breunig.cc>
2024-06-19macsec: T5447: fix error message syntax - there is no tx and rx key, only keyChristian Breunig
(cherry picked from commit f29caa824c02c833a3978b9236391e4277c1a6ba)
2024-06-17pki: T6241: remove debug print statement about updated subsystems (#3672)mergify[bot]
Commit 9f9891a2099 ("pki: T6241: Fix dependency updates on PKI changes") added a print() statement which notified the users about the subsystems which got supplied with an updated certificate. Example: > PKI: Updating config: interfaces openvpn vtun0 tls certificate openvpn_vtun0 > PKI: Updating config: interfaces openvpn vtun0 tls ca_certificate openvpn_vtun0_1 This is an informational message which should maybe (if needed) be sent to syslog. But the main issue is that CLI paths are mangled (- to _) which makes the about print output wrong and could potentially confuse users. Statement has been commented to be re-enabled for debugging. (cherry picked from commit a4d49a96918c0f0dac3d17f9cf3a5b8f3a9505c0) Co-authored-by: Christian Breunig <christian@breunig.cc>
2024-06-17pki: T4026: Only emit private keys when available (#3669)mergify[bot]
* install_certificate() code path handles private_key=None & key_passphrase=None OK already * file and console output paths will error trying to encode None as a key * This is only an issue for a couple of the generate_*_sign() functions, where having a null private key is possible * Self-signing and CA creation always generate a private key * Certreqs will generate a private key if not already provided * Do not prompt for a private key passphrase if we aren't giving back a private key (cherry picked from commit d2cf8eeee9053d04f34c5e8a22373290d078ab37) Co-authored-by: Andrew Topp <andrewt@telekinetica.net>
2024-06-15openvpn: T5487: make migration script executableChristian Breunig
Migration script introduced in commit 0f669a226 ("openvpn: T5487: Remove eprecated option --cipher for server and client mode") lacked executable permission.
2024-06-14Merge pull request #3646 from c-po/pki-T6407Christian Breunig
op-mode: T6407: "generate pki" missed to mangle in ACME certificates when required
2024-06-14op-mode: T6407: "generate pki" missed to mangle in ACME certificates when ↵Christian Breunig
required If the requested certificate to generate an Apple IOS profile was based on an ACME certificate, we also need to mangle in the ACME certs content to retrieve the certificates issuer name.
2024-06-13Merge pull request #3639 from natali-rs1985/T5487-currentDaniil Baturin
openvpn: T5487: Remove deprecated option --cipher for server and client mode
2024-06-13Merge pull request #3601 from talmakion/bugfix/T6456Daniil Baturin
T6456: Convert "monitor traffic" to modern op-mode wrapper
2024-06-13Merge pull request #3590 from talmakion/feature/T6045Daniil Baturin
T6045: Recreate show lldp detail views & improve remote port selection
2024-06-12op_mode: T6227: Rewrite show conntrack-sync cache internal to use tabulate ↵Nataliia Solomko
output
2024-06-11openvpn: T5487: Remove eprecated option --cipher for server and client modeNataliia Solomko
2024-06-11T6456: Convert "monitor traffic" to modern op-mode wrapperAndrew Topp
The old "monitor traffic" definition had misaligned arguments under the verbose node and manually offered the same parameter keyword in multiple positions to emulate flexible parameters. I've wrapped tcpdump for op-mode and replicated the "varargs" style from mtr.py/mtr.xml.in to present a few more parameters in a more flexible manner. Changes to the Makefile were required for recursive varargs lookup.
2024-06-11T6045: Recreate show lldp detail views & improve remote port selectionAndrew Topp
If the remote device has explicitly sent the interface name as the portID, we should use that first as the interface name, before working through the previous priority order. I've brought back LLDP detail views directly calling lldpcli. This can be extended to render a template from op_mode/lldp.py, but lldpcli isn't bad at rendering readable info. Raw mode (including detailed raw) is still accessible for programmatic access.
2024-06-11Merge pull request #3632 from c-po/fixup-firewallChristian Breunig
firewall: T3900: fix migration and smoketests
2024-06-11firewall: T3900: fix migration and smoketestsChristian Breunig
Commit 770edf016838523 ("T3900: T6394: extend functionalities in firewall") changed the position in the CLI for conntrack timeout. This lead to failing smoketests because of a regression in the migrator.
2024-06-10Merge pull request #3621 from sever-sever/T6442Christian Breunig
T6442: CGNAT add log for address allocation
2024-06-10Merge pull request #3606 from c-po/utils-cpu-T5195Christian Breunig
vyos.utils: T5195: import vyos.cpu to this package
2024-06-10T6442: CGNAT add log for address allocationViacheslav Hletenko
Add the configuration command to log current CGNAT allocation set nat cgnat log-allocation
2024-06-10T6219: align with system sysctl and limit parameters to supportedNicolas Vollmar
2024-06-10container: T6219: Add support for container sysctl / kernel parametersBen Pilgrim
2024-06-10vyos.utils: T5195: import vyos.cpu to this packageChristian Breunig
The intention of vyos.utils package is to have a common ground for repeating actions/helpers. This is also true for number of CPUs and their respective core count. Move vyos.cpu to vyos.utils.cpu
2024-06-10Merge pull request #3610 from c-po/ipsec-profile-T6424Christian Breunig
op-mode: T6424: ipsec: honor certificate CN and CA chain during profile generation
2024-06-10Merge pull request #3612 from c-po/haproxy-pki-T6463Christian Breunig
pki: T6463: reverse-proxy service not reloaded when updating SSL certificate(s)
2024-06-10Merge pull request #3607 from c-po/firewall-unused-importChristian Breunig
firewall: T3900: T6394: remove unused import
2024-06-09op-mode: T6424: ipsec: filter out duplicate CA certificates in Apple IOS profileChristian Breunig
2024-06-09op-mode: T6424: ipsec: honor certificate CN and CA chain during profile ↵Christian Breunig
generation In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed support for multiple CAs when dealing with the generation of Apple IOS profiles. This commit extends support to properly include the common name of the server certificate issuer and all it's paren't CAs. A list of parent CAs is automatically generated from the "PKI" subsystem content and embedded into the resulting profile.
2024-06-09pki: T6463: reverse-proxy service not reloaded when updating SSL certificate(s)Christian Breunig
The haproxy reverse proxy was not reloaded/restarted with the new SSL certificate(s) after a change in the PKI subsystem. This was due to missing dependencies.
2024-06-09firewall: T3900: T6394: remove unused importChristian Breunig
With commit 770edf016838 ("T3900: T6394: extend functionalities in firewall; move netfilter sysctl timeout parameters defined in conntrack to firewall global-opton section.") the import of the glob module is no longer required. Found my running: make unused-imports
2024-06-07reverse-proxy: T6454: Set default value of http for haproxy modeAlex W
2024-06-06T6412: CGNAT fix allocation calcluation for verify (#3585)Viacheslav Hletenko
Fix external address/port allocation for CGN. It fixes some cases where external address/ports can be allocated again to another user.
2024-06-06Merge pull request #3578 from nicolas-fort/raw-hookDaniil Baturin
T3900: Add support for raw tables in firewall
2024-06-05migration: T6006: add activation script dir and helper functionJohn Estabrook
2024-06-05migration: T6006: update config.boot.default and move to vyos-1xJohn Estabrook
2024-06-04T3900: T6394: extend functionalities in firewall; move netfilter sysctl ↵Nicolas Fort
timeout parameters defined in conntrack to firewall global-opton section.
2024-06-03Merge pull request #3572 from talmakion/bugfix/T6403Daniil Baturin
nat64: T6403: validate source prefix for RFC compliance
2024-06-03bfd: T6440: BFD peer length typoHannes Tamme
2024-06-03reverse-proxy: T6434: Support additional healthcheck options (#3574)Alex W
2024-06-01nat64: T6403: validate source prefix for RFC complianceAndrew Topp
Simplest fix is to comply with RFC6052. The code change is just masking out the relevant bits and ensuring they're zeroed.
2024-05-31tunnel: T6157: fixing GRE tunnel uniqueness checksAndrew Topp
Unset params would mistakenly match when None and trigger a validation error even when used params were unique. Updated check to ensure unique source-addresses if not None, and that (source-interfaces, source-addresses) are unique together appropriately.
2024-05-31Merge pull request #3557 from haimgel/T6422/allow-multiple-ns-recordsChristian Breunig
dns: T6422: allow multiple redundant NS records
2024-05-31T5307: QoS - traffic-class-map services (#3492)Roman Khramshin
added new syntax to work with class match filters in QoS policy
2024-05-31op-mode: T683: remove superfluous debug print in snmpv3 display codeChristian Breunig
This was a leftover from the early days.
2024-05-30T6422: Smoke test for NS record configration in authoritative DNS, typo & ↵Haim Gelfenbeyn
style fixes
2024-05-30Merge pull request #3531 from Embezzle/T6409Christian Breunig
reverse-proxy: T6409: Remove unused backend parameters
2024-05-30reverse-proxy: T6409: unindent migration script code pathChristian Breunig
2024-05-30Merge pull request #3552 from c-po/ipsec-profileChristian Breunig
op-mode: ipsec: T6407: fix profile generation
2024-05-30dns: T6422: allow multiple redundant NS recordsHaim Gelfenbeyn
NS is unlike CNAME or PTR, multiple NS records are perfectly valid and is a common use case: multiple redundant DNS servers is a common configuration and should be supported.
2024-05-30Merge pull request #3546 from c-po/haproxyChristian Breunig
reverse-proxy: T6419: build full CA chain when verifying backend server
2024-05-30op-mode: ipsec: T6407: fix profile generationChristian Breunig
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates") added support for multiple CA certificates which broke the OP mode command to generate the IPSec profiles as it did not expect a list and was rather working on a string. Now multiple CAs can be rendered into the Apple IOS profile.