| Age | Commit message (Collapse) | Author |
|
|
|
According to [1] rijndael-cbc@lysator.liu.se is an alias for aes256-cbc which
was standardized in RFC4253 (2006).
This changes the migrator implementation to not only delete the old
"rijndael-cbc@lysator.liu.se" cipher from the CLI and set the new, standardized
aes256-cbc SSH cipher.
1: https://github.com/openssh/openssh-portable/commit/03e93c753d7c223063a
|
|
|
|
T8103: add root to those allowed to call op-run commands directly
|
|
ssh: T8090: T8098: add support for config test mode (sshd -t)
|
|
|
|
T8100: Update pull_request_target branch filters for GitHub Actions policy change
|
|
|
|
|
|
|
|
Follow VyOS CLI best practices for using singular whenever possible to build a
CLI node. As we introduce a new migration 2 -> 3 for SSH we can correct this
minor detail.
|
|
According to an Arch Linux forum discussion, the cipher
rijndael-cbc@lysator.liu.se was removed in OpenSSH 6.7.
References:
- https://bbs.archlinux.org/viewtopic.php?id=188613
- https://www.openssh.org/txt/release-6.7
- https://github.com/openssh/openssh-portable/commit/03e93c753d7c223063a
|
|
Add a safety-net for development to check if the rendered sshd(8) configuration
can be applied at all. If it can't be applied - throw an error.
From https://linux.die.net/man/8/sshd:
-t Test mode. Only check the validity of the configuration file and sanity
of the keys. This is useful for updating sshd reliably as configuration
options may change.
Explicitly forcing a broken config now results in:
vyos@vyos# commit
[ service ssh ]
Unexpected error with SSH configuration! /run/sshd/sshd_config line 21:
X11DisplayOffset integer value invalid.
[[service ssh]] failed
Commit failed
|
|
isis: T8094: bugfix config migration from 1.3.0-rc1 -> 1.4
|
|
dmbaturin/T8096-fix-capital-letter-op-mode-commands
op-mode: T8096: fix command names that contain capital letters
|
|
While producing all configtest assert files for VyOS 1.4 it was noted that
the the isis-small testcase from fails. This config fragment is not properly
migrated when updating from VyOS 1.3.0-rc1 -> 1.4 and using IS-IS.
protocols {
isis FOO {
interface eth1 {
bfd
}
net 49.0001.1921.6800.1002.00
redistribute {
ipv4 {
connected {
level-2 {
route-map EXPORT-ISIS
}
}
}
}
}
}
and results in loosing IS-IS connectivity. This is due the fact that
config.rename() does not work when only using the base tagNode.
|
|
|
|
firewall: T8089: "geoip country-code" should get a completion helper
|
|
smoketest: T8087: reorganize folderstructure for embedded configttests
|
|
|
|
vpp: T7972: Make `nat44 no-forwarding` feature automatically configurable
|
|
T8078: dhcpv6: allow lease renew for pd & parameters
|
|
There is a CLI constraint for lowercase country codes, but user's do not
see this.
|
|
Configuration files for config tests gathered from lab installations, customers
or our own networks were placed in multiple directories - all related to
the same thing.
We have had config-tests, configs and config.no-load. This commit re-arranges
all the files and places a proper README for the users.
|
|
vpp: T7819: do not override driver if it is already done
|
|
The upstream VPP code already writes the ena device ID to new_id
So we can remove `ena` from `override_driver()`
The kernel does not provide a reliable way to check whether an ID has already been
registered, so we simply attempt the write and ignore the FileExistsError.
Any other failure is treated as a warning.
Fixes this case:
Traceback (most recent call last):
File "/usr/libexec/vyos/services/vyos-configd", line 156, in run_script
script.apply(c)
File "/usr/libexec/vyos/conf_mode/vpp.py", line 613, in apply
control_host.override_driver(
File "/usr/lib/python3/dist-packages/vyos/vpp/control_host.py", line 138, in override_driver
Path('/sys/module/vfio_pci/drivers/pci:vfio-pci/new_id').write_text(
File "/usr/lib/python3.11/pathlib.py", line 1079, in write_text
with self.open(mode='w', encoding=encoding, errors=errors, newline=newline) as f:
FileExistsError: [Errno 17] File exists
|
|
The renew command will refuse to restart the dhcp6c process for an
interface unless it is configured to request an address, but the
client may also be running to manage parameters and/or prefix
delegations.
|
|
T8011: VPP fix log duplication in systemd journal
|
|
tech-support: T7134: add topology snapshot generation using `hwloc` package
|
|
This enhances diagnostic capabilities by providing hardware topology
visuals within support archives.
|
|
salt: T8056: add a deprecation warning
|
|
op-mode: T7810: fix broken 'reset connection' command
|
|
vyos-op-run: T7901: skip permission checks if the user is root
|
|
T7982: container: generate run arguments once
|
|
ipsec: T8001: Commit fails removing VTI interface in IPsec config
|
|
ipsec: T7594: Rename `respond` connection-type in IPSec peer settings to `trap`
|
|
syslog: T8059: migrate host:port node names to the new syntax with a dedicated port option
|
|
The previous 'connection-type respond' option in IPsec site-to-site peers
was misleading - instead of passively waiting for peer initiation, it would
initiate negotiation when matching traffic appeared, potentially causing
SA duplication and renegotiation loops.
|
|
If any dynamic rule is configured forwarding should be disabled because each
packet must be processed through the NAT session table to apply proper
translations
|
|
|
|
|
|
openvpn: T7738: avoid duplicate certs during 1.3 -> 1.4 migration
|
|
|
|
with a dedicated port option
|
|
T8032: add analogue of cli-shell-api sessionUnsaved
|
|
This adds necessary embedded certificates to validate the migration logic added
in commit 63cc76fa236 ("openvpn: T7738: avoid duplicate certs during 1.3 -> 1.4
migration").
The CA used was generated using EasyRSA as described in our documentation:
https://docs.vyos.io/en/1.3/configuration/interfaces/openvpn.html#generate-x-509-certificate-and-keys
|
|
|
|
T8030: VPP: Check support for changed driver too
|
|
interfaces: T8054: use --is-valid-intf-address for validating interface addresses
|
|
When migrating from VyOS 1.3 to 1.4, OpenVPN interfaces sharing the same
certificate (chain) end up getting duplicated certificate entries, one per
interface — instead of reusing a single cert if applicable.
This change makes the migration logic detect shared certificates and reuse a
single CA and server certificate objects, preventing redundant certificate
entries in the config.
|