Age | Commit message | Author | |
---|---|---|---|
2024-05-30 | T6422: Smoke test for NS record configuration in authoritative DNS, typo & ↵ | Haim Gelfenbeyn | |
style fixes | |||
2024-05-30 | Merge pull request #3531 from Embezzle/T6409 | Christian Breunig | |
reverse-proxy: T6409: Remove unused backend parameters | |||
2024-05-30 | reverse-proxy: T6409: unindent migration script code path | Christian Breunig | |
2024-05-30 | Merge pull request #3552 from c-po/ipsec-profile | Christian Breunig | |
op-mode: ipsec: T6407: fix profile generation | |||
2024-05-30 | dns: T6422: allow multiple redundant NS records | Haim Gelfenbeyn | |
NS is unlike CNAME or PTR: multiple NS records are perfectly valid and are a common use case; multiple redundant DNS servers are a common configuration and should be supported. | |||
2024-05-30 | Merge pull request #3546 from c-po/haproxy | Christian Breunig | |
reverse-proxy: T6419: build full CA chain when verifying backend server | |||
2024-05-30 | op-mode: ipsec: T6407: fix profile generation | Christian Breunig | |
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates") added support for multiple CA certificates, which broke the OP mode command to generate the IPSec profiles as it did not expect a list and was rather working on a string. Now multiple CAs can be rendered into the Apple iOS profile. | |||
2024-05-29 | container: T6406: fix NameError: name 'vyos' is not defined | Christian Breunig | |
Commit 74910564f ("T6406: rename cpus to cpu") did not import the function from the Python module. | |||
2024-05-29 | reverse-proxy: T6419: build full CA chain for frontend SSL certificate | Christian Breunig | |
2024-05-29 | reverse-proxy: T6419: build full CA chain when verifying backend server | Christian Breunig | |
2024-05-29 | reverse-proxy: T5231: remove frontend ca-certificate code path | Christian Breunig | |
The code path to handle the CA certificate used for the frontend service is removed, as there is no way on the CLI to define the CA certificate used for the frontend service. | |||
2024-05-29 | nat: T6371: fix op mode display of configured ports when comma separated ↵ | Ginko | |
list of ports/ranges exists Before: Issuing the op mode command "show nat source rules" will throw an exception if the user has configured NAT rules using a list of ports as a comma-separated list (e.g. '!22,telnet,http,123,1001-1005'). Also there was no handling for the "!" rule and so '!53' would display as '53'. With this PR: Introduced iteration to capture all configured ports and append to the appropriate string for display to the user as well as handling of '!' if present in user's configuration. | |||
2024-05-29 | openvpn: T6374: only check TLS role for s2s if TLS is configured | Daniil Baturin | |
2024-05-29 | Merge pull request #3534 from sever-sever/T6411 | Daniil Baturin | |
T6411: CGNAT fix sequences for external address ranges | |||
2024-05-28 | Merge pull request #3528 from dmbaturin/T6374-openvpn-s2s-tls-validation | Christian Breunig | |
openvpn: T6374: ensure that TLS role is configured for site-to-site with TLS | |||
2024-05-28 | Merge pull request #3533 from natali-rs1985/T6389-current | John Estabrook | |
op_mode: T6389: Check architecture and flavor compatibility on upgrade attempts | |||
2024-05-28 | Merge pull request #3529 from HollyGurza/T5786 | Christian Breunig | |
T5786: Add set/show system image to /image endpoint | |||
2024-05-28 | T6411: CGNAT fix sequences for external address ranges | Viacheslav Hletenko | |
Fix the bug where address external allocation did not rely on sequences of the external IP addresses (if set) | |||
2024-05-28 | op mode: T6389: Check architecture and flavor compatibility on upgrade attempts | Nataliia Solomko | |
2024-05-28 | T6406: rename cpus to cpu | Nicolas Vollmar | |
2024-05-28 | T6406: add container cpu limit option | Nicolas Vollmar | |
2024-05-27 | reverse-proxy: T6409: Remove unused backend parameters | Alex W | |
2024-05-27 | T5786: Add set/show system image to /image endpoint | khramshinr | |
2024-05-27 | openvpn: T6374: ensure that TLS role is configured for site-to-site with TLS | Daniil Baturin | |
2024-05-26 | reverse-proxy: T6402: Fix invalid checks in validation script | Alex W | |
2024-05-25 | op-mode: T6400: pki: unable to generate fingerprint for ACME issued certificates | Christian Breunig | |
This fixes (for an ACME generated certificate) vyos@vyos:~$ show pki certificate vyos fingerprint sha512 Traceback (most recent call last): File "/usr/libexec/vyos/op_mode/pki.py", line 1081, in <module> show_certificate_fingerprint(args.certificate, args.fingerprint) File "/usr/libexec/vyos/op_mode/pki.py", line 934, in show_certificate_fingerprint print(get_certificate_fingerprint(cert, hash)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/vyos/pki.py", line 76, in get_certificate_fingerprint fp = cert.fingerprint(hash_algorithm) ^^^^^^^^^^^^^^^^ AttributeError: 'bool' object has no attribute 'fingerprint' After the fix: vyos@vyos# run show pki certificate vyos fingerprint sha256 10:2C:EF:2C:DA:7A:EE:C6:D7:8E:53:12:F0:F5:DE:B9:E9:D0:6C:B4:49:1C:8B:70:2B:D9:AF:FC:9B:75:A3:D2 | |||
2024-05-23 | Merge pull request #3399 from 0xThiebaut/suricata | Christian Breunig | |
suricata: T751: Initial support for suricata | |||
2024-05-23 | suricata: T751: use key_mangling in get_config_dict() | Christian Breunig | |
2024-05-23 | suricata: T751: remove implicit default dictionary | Christian Breunig | |
2024-05-23 | suricata: T751: move CLI from "service ids suricata" -> "service suricata" | Christian Breunig | |
2024-05-23 | Merge pull request #3487 from Embezzle/T6370 | Christian Breunig | |
reverse-proxy: T6370: Set custom HTTP headers in reverse-proxy responses | |||
2024-05-23 | Merge pull request #3507 from c-po/nat-T6345 | Daniil Baturin | |
nat: T6345: source NAT port mapping "fully-random" is superfluous in Kernel >=5.0 | |||
2024-05-23 | Merge pull request #3505 from c-po/nat66-T6365 | Daniil Baturin | |
nat66: T6365: remove warnings for negated interface selections by name | |||
2024-05-23 | dhcpv6-server: T6381: fix typos in select ConfigError messages in VyOS ↵ | Ginko | |
current (#3508) | |||
2024-05-22 | nat: T6345: source NAT port mapping "fully-random" is superfluous in Kernel ↵ | Christian Breunig | |
>=5.0 random - In kernel 5.0 and newer this is the same as fully-random. In earlier kernels the port mapping will be randomized using a seeded MD5 hash mix using source and destination address and destination port. https://git.netfilter.org/nftables/commit/?id=fbe27464dee4588d906492749251454 | |||
2024-05-22 | nat66: T6365: remove warnings for negated interface selections by name | Christian Breunig | |
2024-05-22 | Merge pull request #3482 from alryaz/patch-1 | Christian Breunig | |
nat: T6365: remove warnings for negated interface selections by name | |||
2024-05-22 | nat: T6365: use interface_exists() over netifaces.interfaces() | Christian Breunig | |
2024-05-22 | nat: T6365: use string startswith() over [0] index access | Christian Breunig | |
2024-05-22 | nat: T6365: remove warnings for negated interface selections by name | Ryazanov Alexander Mihailovich | |
2024-05-21 | reverse-proxy: T6370: Set custom HTTP headers in reverse-proxy responses | Alex W | |
2024-05-21 | T6366: CGNAT add ability to get external and internal allocations | Viacheslav Hletenko | |
Add the ability to show port allocation per external or internal address. With huge entries, it is necessary to filter it by specific external/internal IP address. | |||
2024-05-19 | Merge pull request #3483 from sever-sever/T6364 | Daniil Baturin | |
T6364: CGNAT drop hard limit that allows only one translation rule | |||
2024-05-18 | T6349: updated pr-labels workflow permission (#3485) | Vijayakumar A | |
2024-05-18 | T5169: Allow to set CGNAT multiple internal pools | Viacheslav Hletenko | |
Allow to set multiple CGNAT internal pools ``` set nat cgnat pool internal int-01 range '100.64.0.0/28' set nat cgnat pool internal int-01 range '100.64.222.11-100.64.222.14' ``` | |||
2024-05-18 | T6364: CGNAT drop hard limit that allows only one translation rule | Viacheslav Hletenko | |
The PoC for CGNAT had a hard limit of using only one translation rule for one internal pool. Drop this limit and extend the usage number of the rules. ``` set nat cgnat rule 100 source pool 'int-01' set nat cgnat rule 100 translation pool 'ext-01' set nat cgnat rule 120 source pool 'vyos-int-02' set nat cgnat rule 120 translation pool 'vyos-ext-02' ``` | |||
2024-05-17 | Merge pull request #3471 from natali-rs1985/T6348-current | Christian Breunig | |
op mode: T6348: SNAT op-mode fails with flowtable offload entries | |||
2024-05-17 | Merge pull request #3472 from nvollmar/T6358 | Christian Breunig | |
T6358: Container config option to enable host pid | |||
2024-05-17 | T6358: Add config option for host process namespace | Nicolas Vollmar | |
2024-05-17 | T6358: Remove duplicate host name handling | Nicolas Vollmar | |