| Age | Commit message (Collapse) | Author |
|---|
|
Unset params would mistakenly match when None and trigger a validation error even when used params were unique.
Updated check to ensure unique source-addresses if not None, and that (source-interfaces, source-addresses) are
unique together appropriately.
|
|
dns: T6422: allow multiple redundant NS records
|
|
added new syntax to work with class match filters in QoS policy
|
|
This was a leftover from the early days.
|
|
style fixes
|
|
reverse-proxy: T6409: Remove unused backend parameters
|
|
|
|
op-mode: ipsec: T6407: fix profile generation
|
|
NS is unlike CNAME or PTR, multiple NS records are perfectly valid and is a common use case: multiple redundant DNS servers is a common configuration and should be supported.
|
|
reverse-proxy: T6419: build full CA chain when verifying backend server
|
|
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates")
added support for multiple CA certificates which broke the OP mode command
to generate the IPSec profiles as it did not expect a list and was rather
working on a string.
Now multiple CAs can be rendered into the Apple IOS profile.
|
|
Commit 74910564f ("T6406: rename cpus to cpu") did not import the function
from the Python module.
|
|
|
|
|
|
The code path to handle the ca certificate used for the frontend service
is removed, as there is no way on the XLI to define the CA certificate used
for the frontend service.
|
|
list of ports/ranges exists
Before: Issuing the op mode command "show nat source rules" will throw an
exception if the user has configured NAT rules using a list of ports as a
comma-separated list (e.g. '!22,telnet,http,123,1001-1005'). Also there was
no handling for the "!" rule and so '!53' would display as '53'.
With this PR: Introduced iteration to capture all configured ports and append
to the appropriate string for display to the user as well as handling of '!' if
present in user's configuration.
|
|
|
|
T6411: CGNAT fix sequences for external address ranges
|
|
openvpn: T6374: ensure that TLS role is configured for site-to-site with TLS
|
|
op_mode: T6389: Check architecture and flavor compatibility on upgrade attempts
|
|
T5786: Add set/show system image to /image endpoint
|
|
Fix the bug where address external alocation was not rely on sequences
of the external IP addresses (if set)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This fixes (for and ACME generated certificate)
vyos@vyos:~$ show pki certificate vyos fingerprint sha512
Traceback (most recent call last):
File "/usr/libexec/vyos/op_mode/pki.py", line 1081, in <module>
show_certificate_fingerprint(args.certificate, args.fingerprint)
File "/usr/libexec/vyos/op_mode/pki.py", line 934, in show_certificate_fingerprint
print(get_certificate_fingerprint(cert, hash))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/vyos/pki.py", line 76, in get_certificate_fingerprint
fp = cert.fingerprint(hash_algorithm)
^^^^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'fingerprint'
After the fix:
vyos@vyos# run show pki certificate vyos fingerprint sha256
10:2C:EF:2C:DA:7A:EE:C6:D7:8E:53:12:F0:F5:DE:B9:E9:D0:6C:B4:49:1C:8B:70:2B:D9:AF:FC:9B:75:A3:D2
|
|
suricata: T751: Initial support for suricata
|
|
|
|
|
|
|
|
reverse-proxy: T6370: Set custom HTTP headers in reverse-proxy responses
|
|
nat: T6345: source NAT port mapping "fully-random" is superfluous in Kernel >=5.0
|
|
nat66: T6365: remove warnings for negated interface selections by name
|
|
current (#3508)
|
|
>=5.0
random - In kernel 5.0 and newer this is the same as fully-random. In earlier
kernels the port mapping will be randomized using a seeded MD5 hash mix using
source and destination address and destination port.
https://git.netfilter.org/nftables/commit/?id=fbe27464dee4588d906492749251454
|
|
|
|
nat: T6365: remove warnings for negated interface selections by name
|
|
|
|
|
|
|
|
|
|
Add the ability to show port allocation per external or internal address
With huge entries, it is necessary to filter it by specific
external/internal IP address
|
|
T6364: CGNAT drop hard limit that allows only one translation rule
|
|
|
|
Allow to set multiple CGNAT internal pools
```
set nat cgnat pool internal int-01 range '100.64.0.0/28'
set nat cgnat pool internal int-01 range '100.64.222.11-100.64.222.14'
```
|
|
As PoC for CGNAT had a hard limit of using only one translation
rule for one internal pool.
Drop this limit and extend the usage number of the rules.
```
set nat cgnat rule 100 source pool 'int-01'
set nat cgnat rule 100 translation pool 'ext-01'
set nat cgnat rule 120 source pool 'vyos-int-02'
set nat cgnat rule 120 translation pool 'vyos-ext-02'
```
|
