| Age | Commit message (Collapse) | Author |
|---|
|
Udev rules have moved from /etc/udev to /lib/udev on Debian Squeeze
|
|
Other udev scripts may have configured the device name before
the Vyatta script runs. Use the convention followed by the
standard persistent network name script; only applly name rules
if interface does not already have name assigned.
|
|
* second udev invocation now has ACTION "change" in squeeze.
* DRIVERS no longer available from squeeze udev.
|
|
* as discussed, remove the wireless rule that causes warning
|
|
|
|
For serviceablity put core files in /var/core.
But core file will still not be created unless process is running
with permission to write there, and has ulimit permission.
|
|
Unionfs should copyup the xattr automatically, but it doesn't
so use touch to force a copyup before setting attributes.
|
|
|
|
Not using auditing for command logging.
|
|
Ping is already setuid root.
|
|
|
|
This sets file capability attributes during package
installation (and build) to allow better security models.
|
|
Instead of white-listing special system users, just go with the
Debian policy that all users with uid < 1000 are system accounts
|
|
The problem is that IPV6 module is not loaded when sysctl's
are interpreted during boot, and we want to allow marking IPV6
disabled.
|
|
1. Move vyatta-sysctl.conf from rl-system.init to procps
This makes configuration happen early (before networking)
2. Do IPV6 configuration for address_flush in rl-system.init
(after IPV6 is loaded)
3. Cleanup shell code for ipv6_params:
* no sudo needed in startup scripts
* use cleaner iteration
|
|
Bug 3696
This adds parameter to keep Vyatta IPV6 behavior
|
|
This is a resolution of Bug 5031
Set default to 1 - reply only if the target IP address is local address
configured on the incoming interface. This makes Vyatta behaves
like interface base address model.
|
|
If second wlan device is created (for multiple ssid), then udev
rules don't know how to handle it. For now, just accept what kernel
gives us.
|
|
|
|
|
|
1. Complete migration of protected-users from hardcoded in User.pm
to /opt/vyatta/etc/protected-user
2. Put mapping from level to group in file.
|
|
|
|
Causes pam-auth-update to barf
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 620, <CURRENT> line 19.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 628, <CURRENT> line 19.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 650, <CURRENT> line 19.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 650, <CURRENT> line 19.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 650, <CURRENT> line 19.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 650, <CURRENT> line 19.
|
|
Use a reasonable suffix for file type
|
|
|
|
This keeps radius from fighting with tacacs+
|
|
Handle cases where IPv6 kernel module is not loaded more gracefully.
|
|
Don't rename wireless devices to be ethX.
|
|
replaced with Debian branding during full-upgrade to Jenner
(cherry picked from commit cbdcd18b2e5328d24a9dfe04dfa015f8375b50ac)
|
|
Bug 4591
Consolidate check for telnet login
Don't remove /etc/securetty edit it
(cherry picked from commit c6c477f2ffb0f2fd4cf12882f22c2c44ab57cc46)
|
|
|
|
Only put comments in about features that are used.
|
|
|
|
So when CLI updates ntp.conf, the file stays same format
|
|
There are options (like restrict) that should be ntp.conf
This would reduce security exposure of the router (see recent CVE).
Also, this avoid restarting ntp server on boot when using the default
vyatta ntp server.
|
|
Default fallback code was broken
Change to blocked out region for Vyatta config.
|
|
Do most of the work in the rewritten vyatta_update_syslog code.
Handle multiple facilities for same target without causing duplicate
log messages.
Never restart syslog daemon, just reload it and only if the configuration
has changed.
|
|
Bug 4205
Duplicate messages in syslog for quagga notice and above messages.
|
|
modified via the CLI - (modify ARP table size)
* added cli to configure [arp (ipv4)] and [neighbor (ipv6)] table-size
* set default value for arp_announce so as to avoid local addresses that are
not in the target's subnet for the interface
|
|
|
|
firewall
|
|
fail within the webgui.
|
|
Correct value is 'kernel.panic' not 'sys.kernel.panic'
|
|
Faster way to make empty files.
Load snmp stats in background
Move all sysctl settings to one place
|
|
|
|
Bugfix 3567
The command templates for managing the syslog are awkward and brittle
and really can't deal with multiple targets or full config format,
so just go back to something simple and fix later in a better redesign.
|
|
The TCP MD5 code is fixed to handle SACK correctly.
|
|
|
|
For sucessful sudo, just log it at info level.
Capture any security failures/changes into /var/log/auth.log
but skip normal CLI commands
Turn off the builtin sync after each write to /var/log/messages
by putting - before file name; the sync causes a disk write
each time and therefore can be a performance hit during boot.
|
|
This is a workaround for bug 3313. The problem is that MD5
uses up what little space there for TCP options in header.
|
