Commit log for path: root/src

Age | Commit message | Author
2024-07-03 | T6536: change wildcard character from + to * - extend fix to interfaces defined in zone policy. | Nicolas Fort
    (cherry picked from commit 66ec278393dbabe71f320c543816f27797d51140)

2024-07-03 | T6536: nat: add migration script that replaces wildcard character supported in 1.3 <+> with character supported in latest version <*> | Nicolas Fort
    (cherry picked from commit 148af29b68416a5b8d0e025a16aef252fdf31e67)
    # Conflicts:
    # src/migration-scripts/nat/6-to-7

2024-07-01 | Merge pull request #3735 from vyos/mergify/bp/sagitta/pr-3731 | Christian Breunig
    op-mode: T5633, T6465: fix error when op cmd interrupted, updates some system call syntax (backport #3731)

2024-07-01 | Merge pull request #3738 from vyos/mergify/bp/sagitta/pr-3720 | Christian Breunig
    T6477: Add telegraf loki output plugin (backport #3720)

2024-06-29 | op-mode: T6524: rewrite "release dhcp(v6) interface" to new op-mode format | Christian Breunig
    (cherry picked from commit 5ade35255b3d8438aa6082fe56ae459d50cdc0a5)

2024-06-28 | T6477: Add telegraf loki output plugin | Viacheslav Hletenko
    Add Loki plugin to telegraf
    set service monitoring telegraf loki url xxx
    (cherry picked from commit 3365eb7ab99fa9a259fe440eb51e82fc0a0a4dc6)

2024-06-28 | Fixes error generated when op cmd interrupted, updates show system calls to new cli syntax (#3731) | Ginko
    (cherry picked from commit a095a3c7b3dd4459dc8626f0e5adecda855580e0)

2024-06-26 | interfaces: T6519: harden config migration if ethernet interface is missing | Christian Breunig
    During a corner case where the configuration is migrated to a different system with fewer ethernet interfaces, migration will fail during an image upgrade. vyos.ethtool.Ethtool() is instantiated with an invalid interface, leading to an exception that kills the migrator.
    (cherry picked from commit e47d4fd385631236da6882233b09f6364cbb077b)

2024-06-24 | T3202: add single variable for Kernel dynamic debug settings | Christian Breunig
    (cherry picked from commit 9495f904fcc157521ca001ee21cf31be28a6b3a0)

2024-06-24 | T3202: Enable wireguard debug messages | Nataliia Solomko
    (cherry picked from commit d818788932e3c57d020cca9236df7275da452fce)

2024-06-24 | Merge pull request #3709 from vyos/mergify/bp/sagitta/pr-3677 | Christian Breunig
    T5949: Add option to disable USB autosuspend (backport #3677)

2024-06-24 | Merge pull request #3689 from vyos/mergify/bp/sagitta/pr-3682 | Christian Breunig
    openconnect: T6500: add support for multiple ca-certificates (backport #3682)

2024-06-24 | pki: T6241: remove debug print statement about updated subsystems (#3670) | mergify[bot]
    Commit 9f9891a2099 ("pki: T6241: Fix dependency updates on PKI changes") added a print() statement which notified the users about the subsystems which got supplied with an updated certificate. Example:
    > PKI: Updating config: interfaces openvpn vtun0 tls certificate openvpn_vtun0
    > PKI: Updating config: interfaces openvpn vtun0 tls ca_certificate openvpn_vtun0_1
    This is an informational message which should maybe (if needed) be sent to syslog. But the main issue is that CLI paths are mangled (- to _) which makes the above print output wrong and could potentially confuse users. Statement has been commented to be re-enabled for debugging.
    (cherry picked from commit a4d49a96918c0f0dac3d17f9cf3a5b8f3a9505c0)
    Co-authored-by: Christian Breunig <christian@breunig.cc>

2024-06-24 | pki: T4026: Only emit private keys when available (#3667) | mergify[bot]
    * install_certificate() code path handles private_key=None & key_passphrase=None OK already
    * file and console output paths will error trying to encode None as a key
    * This is only an issue for a couple of the generate_*_sign() functions, where having a null private key is possible
    * Self-signing and CA creation always generate a private key
    * Certreqs will generate a private key if not already provided
    * Do not prompt for a private key passphrase if we aren't giving back a private key
    (cherry picked from commit d2cf8eeee9053d04f34c5e8a22373290d078ab37)
    Co-authored-by: Andrew Topp <andrewt@telekinetica.net>

2024-06-22 | Merge pull request #3650 from vyos/mergify/bp/sagitta/pr-3646 | Christian Breunig
    op-mode: T6407: "generate pki" missed to mangle in ACME certificates when required (backport #3646)

2024-06-22 | T5949: Add option to disable USB autosuspend | khramshinr
    (cherry picked from commit c0b2693cebc3429e1974a9cec5946fa88ffc0205)

2024-06-22 | Merge pull request #3686 from vyos/mergify/bp/sagitta/pr-3685 | Daniil Baturin
    macsec: T5447: fix error message syntax - there is no tx and rx key, only key (backport #3685)

2024-06-21 | op-mode: T5514: Allow safe reboots to config defaults when config.boot is deleted | Andrew Topp
    * Added flag to vyos.config_mgmt.unsaved_commits() that will tolerate missing config.boot for specific circumstances
    * Shutdown/reboot uses this flag; config will regenerate from defaults after a reboot
    (cherry picked from commit 8281383a09f12da20a1c9b4864b38ac3f541b48f)

2024-06-20 | openconnect: T6500: add support for multiple ca-certificates | Christian Breunig
    Add possibility to provide a full CA chain to the openconnect server.
    * Support multiple CA certificates
    * For every CA certificate specified, always determine the full certificate chain in the background and add the necessary SSL certificates
    (cherry picked from commit 973f06c00b902c43dfea34bdf01bdec7c599c452)

2024-06-19 | macsec: T5447: fix error message syntax - there is no tx and rx key, only key | Christian Breunig
    (cherry picked from commit f29caa824c02c833a3978b9236391e4277c1a6ba)

2024-06-14 | op-mode: T6407: "generate pki" missed to mangle in ACME certificates when required | Christian Breunig
    If the requested certificate to generate an Apple IOS profile was based on an ACME certificate, we also need to mangle in the ACME certs content to retrieve the certificate's issuer name.
    (cherry picked from commit 1bc67d498c4d71da78aa46d1d2f9fe9752f59860)

2024-06-11 | T6219: Add support for container sysctl parameter (backport #3614) (#3629) | mergify[bot]
    * container: T6219: Add support for container sysctl / kernel parameters
      (cherry picked from commit 717ea64e4c54a8be619ffc29c16c6203b29319dd)
    * T6219: align with system sysctl and limit parameters to supported
      (cherry picked from commit f030464952168b553b5b3e29b461d437c2642a9b)
    ---------
    Co-authored-by: Ben Pilgrim <ben@pilgrim.me.uk>
    Co-authored-by: Nicolas Vollmar <nvollmar@gmail.com>

2024-06-10 | vyos.utils: T5195: import vyos.cpu to this package | Christian Breunig
    The intention of the vyos.utils package is to have a common ground for repeating actions/helpers. This is also true for the number of CPUs and their respective core count. Move vyos.cpu to vyos.utils.cpu.
    (cherry picked from commit e318eb33446de47835480d4b8f1646b39fb5c388)

2024-06-10 | Merge pull request #3619 from vyos/mergify/bp/sagitta/pr-3610 | Christian Breunig
    op-mode: T6424: ipsec: honor certificate CN and CA chain during profile generation (backport #3610)

2024-06-10 | op-mode: T6424: ipsec: filter out duplicate CA certificates in Apple IOS profile | Christian Breunig
    (cherry picked from commit 4e51569013b3f78abea9c18e5a6ecb9ff5ae4687)

2024-06-10 | op-mode: T6424: ipsec: honor certificate CN and CA chain during profile generation | Christian Breunig
    In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed support for multiple CAs when dealing with the generation of Apple IOS profiles. This commit extends support to properly include the common name of the server certificate issuer and all its parent CAs. A list of parent CAs is automatically generated from the "PKI" subsystem content and embedded into the resulting profile.
    (cherry picked from commit d65f43589612c30dfaa5ce30aca5b8b48bf73211)

2024-06-10 | pki: T6463: reverse-proxy service not reloaded when updating SSL certificate(s) | Christian Breunig
    The haproxy reverse proxy was not reloaded/restarted with the new SSL certificate(s) after a change in the PKI subsystem. This was due to missing dependencies.
    (cherry picked from commit 6ce8efdc8dafef67541bed89fc7dc7cd83335bf4)

2024-06-09 | Merge pull request #3605 from vyos/mergify/bp/sagitta/pr-3598 | Christian Breunig
    reverse-proxy: T6454: Set default value of http for haproxy mode (backport #3598)

2024-06-09 | reverse-proxy: T6454: Set default value of http for haproxy mode | Alex W
    (cherry picked from commit 60d7c0ecaff49ec62f4600a460f5fbe7b26a0d9c)

2024-06-09 | T6460: fixes duid formatting | Nicolas Vollmar

2024-06-03 | bfd: T6440: BFD peer length typo | Hannes Tamme
    (cherry picked from commit 5490c76f9b9f53751fc527f455090f0a3820e8fe)

2024-06-03 | reverse-proxy: T6434: Support additional healthcheck options (#3574) (#3577) | mergify[bot]
    (cherry picked from commit 3e5cc0b7fb8ae4a0f8b7c9270d9db0a0f252c448)
    Co-authored-by: Alex W <embezzle.dev@proton.me>

2024-05-31 | T6422: Smoke test for NS record configuration in authoritative DNS, typo & style fixes | Haim Gelfenbeyn
    (cherry picked from commit f2d0701f50061374b5a4f55d33201629b3293248)

2024-05-31 | dns: T6422: allow multiple redundant NS records | Haim Gelfenbeyn
    NS is unlike CNAME or PTR: multiple NS records are perfectly valid and a common use case. Multiple redundant DNS servers is a common configuration and should be supported.
    (cherry picked from commit 19d8415512dcf87dc3a87feabf128652ffc74594)

2024-05-31 | op-mode: T683: remove superfluous debug print in snmpv3 display code | Christian Breunig
    This was a leftover from the early days.
    (cherry picked from commit d5271e084cca8af54f425816916a821b0eab1a5a)

2024-05-30 | reverse-proxy: T6409: unindent migration script code path | Christian Breunig
    (cherry picked from commit dd2516904527c74e01e0ced5166afe72a479ee00)

2024-05-30 | reverse-proxy: T6409: Remove unused backend parameters | Alex W
    (cherry picked from commit fb6602f431f5595b97ea3726467ec782fa50ceb8)

2024-05-30 | op-mode: ipsec: T6407: fix profile generation | Christian Breunig
    Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates") added support for multiple CA certificates, which broke the OP mode command to generate the IPSec profiles as it did not expect a list and was rather working on a string. Now multiple CAs can be rendered into the Apple IOS profile.
    (cherry picked from commit e6fe6e50a5c817e18c453e7bc42bb2e1c4b17671)

2024-05-30 | Merge pull request #3555 from vyos/mergify/bp/sagitta/pr-3546 | Christian Breunig
    reverse-proxy: T6419: build full CA chain when verifying backend server (backport #3546)

2024-05-30 | reverse-proxy: T6419: build full CA chain for frontend SSL certificate | Christian Breunig
    (cherry picked from commit 4b189a76c0a9a28504aab6715658840b929fc243)

2024-05-30 | reverse-proxy: T6419: build full CA chain when verifying backend server | Christian Breunig
    (cherry picked from commit d83a6e5c5dc7e97e773f08bec7ba377530baafc9)

2024-05-30 | reverse-proxy: T5231: remove frontend ca-certificate code path | Christian Breunig
    The code path to handle the CA certificate used for the frontend service is removed, as there is no way on the CLI to define the CA certificate used for the frontend service.
    (cherry picked from commit 6000c47f068503522b0ccfe57c51f34ad9892e87)

2024-05-30 | container: T6406: fix NameError: name 'vyos' is not defined | Christian Breunig
    Commit 74910564f ("T6406: rename cpus to cpu") did not import the function from the Python module.
    (cherry picked from commit 8439f8a43e93c0560f1abfc2aa60990f521b4d4d)

2024-05-29 | nat: T6371: fix op mode display of configured ports when comma separated list of ports/ranges exists | Ginko
    Before: Issuing the op mode command "show nat source rules" will throw an exception if the user has configured NAT rules using a list of ports as a comma-separated list (e.g. '!22,telnet,http,123,1001-1005'). Also there was no handling for the "!" rule, and so '!53' would display as '53'.
    With this PR: Introduced iteration to capture all configured ports and append to the appropriate string for display to the user, as well as handling of '!' if present in the user's configuration.
    (cherry picked from commit b7595ee9d328778105c70e3d4399ac45f555b304)

2024-05-29 | openvpn: T6374: only check TLS role for s2s if TLS is configured | Daniil Baturin
    (cherry picked from commit f4069582273e1ee9916dea7de1e6ec176db81bc6)

2024-05-28 | openvpn: T6374: ensure that TLS role is configured for site-to-site with TLS | Daniil Baturin
    (cherry picked from commit 380e998b10341b6dd42bb94d00a9d7a462ada27a)

2024-05-28 | T6406: rename cpus to cpu | Nicolas Vollmar
    (cherry picked from commit 74910564f82e2837cd7eb35ea21f07601e5f8f0d)

2024-05-28 | T6406: add container cpu limit option | Nicolas Vollmar
    (cherry picked from commit 81dea053e7178b8fea836a85aacde2a38ffb9e09)

2024-05-27 | reverse-proxy: T6402: Fix invalid checks in validation script | Alex W
    (cherry picked from commit d4d70929a81b2ee1f66a9412a3545911b3874a62)

2024-05-26 | op-mode: T6400: pki: unable to generate fingerprint for ACME issued certificates | Christian Breunig
    This fixes (for an ACME generated certificate):
    vyos@vyos:~$ show pki certificate vyos fingerprint sha512
    Traceback (most recent call last):
      File "/usr/libexec/vyos/op_mode/pki.py", line 1081, in <module>
        show_certificate_fingerprint(args.certificate, args.fingerprint)
      File "/usr/libexec/vyos/op_mode/pki.py", line 934, in show_certificate_fingerprint
        print(get_certificate_fingerprint(cert, hash))
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/vyos/pki.py", line 76, in get_certificate_fingerprint
        fp = cert.fingerprint(hash_algorithm)
             ^^^^^^^^^^^^^^^^
    AttributeError: 'bool' object has no attribute 'fingerprint'
    After the fix:
    vyos@vyos# run show pki certificate vyos fingerprint sha256
    10:2C:EF:2C:DA:7A:EE:C6:D7:8E:53:12:F0:F5:DE:B9:E9:D0:6C:B4:49:1C:8B:70:2B:D9:AF:FC:9B:75:A3:D2
    (cherry picked from commit b6ee07c7efbb818787deba20116f4289853fb5c9)