Age | Commit message (Collapse) | Author |
|
* container: T6219: Add support for container sysctl / kernel parameters
(cherry picked from commit 717ea64e4c54a8be619ffc29c16c6203b29319dd)
* T6219: align with system sysctl and limit parameters to supported
(cherry picked from commit f030464952168b553b5b3e29b461d437c2642a9b)
---------
Co-authored-by: Ben Pilgrim <ben@pilgrim.me.uk>
Co-authored-by: Nicolas Vollmar <nvollmar@gmail.com>
|
|
The intention of vyos.utils package is to have a common ground for repeating
actions/helpers. This is also true for number of CPUs and their respective
core count.
Move vyos.cpu to vyos.utils.cpu
(cherry picked from commit e318eb33446de47835480d4b8f1646b39fb5c388)
|
|
op-mode: T6424: ipsec: honor certificate CN and CA chain during profile generation (backport #3610)
|
|
(cherry picked from commit 4e51569013b3f78abea9c18e5a6ecb9ff5ae4687)
|
|
generation
In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed
support for multiple CAs when dealing with the generation of Apple IOS profiles.
This commit extends support to properly include the common name of the server
certificate issuer and all it's paren't CAs. A list of parent CAs is
automatically generated from the "PKI" subsystem content and embedded into the
resulting profile.
(cherry picked from commit d65f43589612c30dfaa5ce30aca5b8b48bf73211)
|
|
The haproxy reverse proxy was not reloaded/restarted with the new SSL
certificate(s) after a change in the PKI subsystem. This was due to missing
dependencies.
(cherry picked from commit 6ce8efdc8dafef67541bed89fc7dc7cd83335bf4)
|
|
reverse-proxy: T6454: Set default value of http for haproxy mode (backport #3598)
|
|
(cherry picked from commit 60d7c0ecaff49ec62f4600a460f5fbe7b26a0d9c)
|
|
|
|
(cherry picked from commit 5490c76f9b9f53751fc527f455090f0a3820e8fe)
|
|
(cherry picked from commit 3e5cc0b7fb8ae4a0f8b7c9270d9db0a0f252c448)
Co-authored-by: Alex W <embezzle.dev@proton.me>
|
|
style fixes
(cherry picked from commit f2d0701f50061374b5a4f55d33201629b3293248)
|
|
NS is unlike CNAME or PTR, multiple NS records are perfectly valid and is a common use case: multiple redundant DNS servers is a common configuration and should be supported.
(cherry picked from commit 19d8415512dcf87dc3a87feabf128652ffc74594)
|
|
This was a leftover from the early days.
(cherry picked from commit d5271e084cca8af54f425816916a821b0eab1a5a)
|
|
(cherry picked from commit dd2516904527c74e01e0ced5166afe72a479ee00)
|
|
(cherry picked from commit fb6602f431f5595b97ea3726467ec782fa50ceb8)
|
|
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates")
added support for multiple CA certificates which broke the OP mode command
to generate the IPSec profiles as it did not expect a list and was rather
working on a string.
Now multiple CAs can be rendered into the Apple IOS profile.
(cherry picked from commit e6fe6e50a5c817e18c453e7bc42bb2e1c4b17671)
|
|
reverse-proxy: T6419: build full CA chain when verifying backend server (backport #3546)
|
|
(cherry picked from commit 4b189a76c0a9a28504aab6715658840b929fc243)
|
|
(cherry picked from commit d83a6e5c5dc7e97e773f08bec7ba377530baafc9)
|
|
The code path to handle the ca certificate used for the frontend service
is removed, as there is no way on the XLI to define the CA certificate used
for the frontend service.
(cherry picked from commit 6000c47f068503522b0ccfe57c51f34ad9892e87)
|
|
Commit 74910564f ("T6406: rename cpus to cpu") did not import the function
from the Python module.
(cherry picked from commit 8439f8a43e93c0560f1abfc2aa60990f521b4d4d)
|
|
list of ports/ranges exists
Before: Issuing the op mode command "show nat source rules" will throw an
exception if the user has configured NAT rules using a list of ports as a
comma-separated list (e.g. '!22,telnet,http,123,1001-1005'). Also there was
no handling for the "!" rule and so '!53' would display as '53'.
With this PR: Introduced iteration to capture all configured ports and append
to the appropriate string for display to the user as well as handling of '!' if
present in user's configuration.
(cherry picked from commit b7595ee9d328778105c70e3d4399ac45f555b304)
|
|
(cherry picked from commit f4069582273e1ee9916dea7de1e6ec176db81bc6)
|
|
(cherry picked from commit 380e998b10341b6dd42bb94d00a9d7a462ada27a)
|
|
(cherry picked from commit 74910564f82e2837cd7eb35ea21f07601e5f8f0d)
|
|
(cherry picked from commit 81dea053e7178b8fea836a85aacde2a38ffb9e09)
|
|
(cherry picked from commit d4d70929a81b2ee1f66a9412a3545911b3874a62)
|
|
This fixes (for and ACME generated certificate)
vyos@vyos:~$ show pki certificate vyos fingerprint sha512
Traceback (most recent call last):
File "/usr/libexec/vyos/op_mode/pki.py", line 1081, in <module>
show_certificate_fingerprint(args.certificate, args.fingerprint)
File "/usr/libexec/vyos/op_mode/pki.py", line 934, in show_certificate_fingerprint
print(get_certificate_fingerprint(cert, hash))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/vyos/pki.py", line 76, in get_certificate_fingerprint
fp = cert.fingerprint(hash_algorithm)
^^^^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'fingerprint'
After the fix:
vyos@vyos# run show pki certificate vyos fingerprint sha256
10:2C:EF:2C:DA:7A:EE:C6:D7:8E:53:12:F0:F5:DE:B9:E9:D0:6C:B4:49:1C:8B:70:2B:D9:AF:FC:9B:75:A3:D2
(cherry picked from commit b6ee07c7efbb818787deba20116f4289853fb5c9)
|
|
address
ISC DHCP server expects a string: "prefix6 2001:db8:290:: 2001:db8:29f:: /64;"
where the IPv6 prefix/range must be :: terminaated with a delegated prefix
length at the end.
This commit changes the validator that the IPv6 address defined on the CLI must
always end with ::. In addition a verify() step is added to check that the
stop address is greater than start address.
|
|
This reverts the prefix start/stop address must be inside network part from
commit 4cde0b8ce778d269d3fe1d4f33ba5b2caf424181.
|
|
$ touch /tmp/vyos.smoketest.debug
will enable dynamic debugging of the smoketests - showing the appropriate CLI
commands on stdout
(cherry picked from commit 0cb4294fdfe5ae0e0e8fd06436f38b67f16413a2)
|
|
(cherry picked from commit e1450096b4c667a4c33a3fcd8f67ebf6a39d441d)
|
|
>=5.0
random - In kernel 5.0 and newer this is the same as fully-random. In earlier
kernels the port mapping will be randomized using a seeded MD5 hash mix using
source and destination address and destination port.
https://git.netfilter.org/nftables/commit/?id=fbe27464dee4588d906492749251454
(cherry picked from commit 7fe568ca1672f1dfbd2b56ee3ef7a6ab48b03070)
|
|
(cherry picked from commit 59781ff365a5e1b15ef6c4c2481f3d3815548b9d)
|
|
(cherry picked from commit 645c43ba60d29ca676a4323ccc5ca16c6bd8127a)
|
|
(cherry picked from commit 3870247517741ce23e2fcee8aaa1d194f0ad621b)
|
|
(cherry picked from commit 03eae30b27433055ddc10f09fc134b83e9bd6cec)
|
|
ConfigError messages
|
|
op mode: T6348: SNAT op-mode fails with flowtable offload entries (backport #3471)
|
|
(cherry picked from commit 1cba74f91a67348bc8e8ad3e2ef4325dc9f9d6e0)
|
|
(cherry picked from commit f5051de4fc034bd95677ef142423e59eae47cd2f)
|
|
(cherry picked from commit 240f199cdfadbc12ce713dae74c8db3af44a398c)
|
|
Converted completion helpers from python to bash for performance
Previous commit:
Added the following commands:
show evpn
show evpn es
show evpn es <es-id>
show evpn es detail
show evpn es-evi
show evpn es-evi detail
show evpn es-evi vni <num>
show evpn vni
show evpn vni detail
show evpn vni <num>
Updated the following commands:
show evpn access-vlan
show evpn arp-cache
show evpn mac
show evpn next-hops
show evpn rmac
(cherry picked from commit 3917e3e9f985063ab7419c903f6019116224f640)
|
|
Added the following commands:
show evpn
show evpn es
show evpn es <es-id>
show evpn es detail
show evpn es-evi
show evpn es-evi detail
show evpn es-evi vni <num>
show evpn vni
show evpn vni detail
show evpn vni <num>
Updated the following commands:
show evpn access-vlan
show evpn arp-cache
show evpn mac
show evpn next-hops
show evpn rmac
(cherry picked from commit c6be441c86bc8fe2e938e2bd3c85f99071cbfb49)
|
|
op mode: T4519: Show DUID instead of IAID_DUID
|
|
|
|
(cherry picked from commit cc0573a78aac4d6ac4479fdf951d151a36b88cbc)
|
|
Remove `service upnp` as it never worked as expected, nft rules do
not integrated and custom patches do not seem like a suitable
solution for now.
Security:
UPnP has been historically associated with security risks due to its automatic
and potentially unauthenticated nature.
UPnP devices might be vulnerable to unauthorized access or exploitation.
(cherry picked from commit 7c438caa2c21101cbefc2eec21935ab55af19c46)
|
|
When all the underlay links go down the PE no longer has access to the VxLAN
+overlay.
To prevent blackholing of traffic the server/ES links are protodowned on the PE.
A link can be setup for uplink tracking via the following configuration:
set interfaces ethernet eth0 evpn uplink
(cherry picked from commit 5565f27d15c5e7378e94aae8db8a894a12e25d7b)
|