summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2021-07-03pki: T3642: Add support for signing and revoking subordinate CAssarthurdev
2021-07-02conntrack: T3535: add support for multiple failsave linksChristian Poessinger
2021-07-02conntrack: T3660: make peer port configurableChristian Poessinger
2021-07-02conntrack: T3535: add missing valueHelp/constraint for peer CLI nodeChristian Poessinger
2021-07-02smoketest: ipam: add site2site x509 auth testcaseChristian Poessinger
2021-07-02smoketest: ipsec: place peer local-address into variableChristian Poessinger
2021-07-02smoketest: ipsec: IKE and ESP settings can be done one time in setUp()Christian Poessinger
2021-07-02Merge pull request #903 from sarthurdev/T3659_T3656Christian Poessinger
ipsec: T3656: T3659: Fix passthrough with ipv6. Fix op-mode ipsec commands. Remove python3-crypto dependency.
2021-07-02ipsec: T3656: T3659: Fix pass-through with ipv6. Fix op-mode ipsec commands. ↵sarthurdev
Remove python3-crypto dependency.
2021-07-01vyos.util: remove no longer needed copy_file helper methodChristian Poessinger
The IPSec ceritifcate handling is now done by storing the CA key inside the running configuration.
2021-07-01Merge branch 'pki_ipsec' of https://github.com/sarthurdev/vyos-1x into pki-cliChristian Poessinger
* 'pki_ipsec' of https://github.com/sarthurdev/vyos-1x: pki: ipsec: T3642: Update migration script to account for file permission issues pki: ipsec: T3642: Migrate IPSec to use PKI configuration pki: T3642: New PKI config and management
2021-07-01ipsec: T3643: bugfix on wrong destination file path for x509 key fileChristian Poessinger
Commit a6b526fd982 ("ipsec: T3643: us vyos.util.copy_file() over raw UNIX cp command") used a new helper to copy the x509 certificate files, but it also added a bug where the certificate key file was copied to the wrong location. This has been fixed and the corect path is used again.
2021-07-01vyos.util: fix IsADirectoryError and SameFileError for copy_fileChristian Poessinger
Commit 5303ec39 ("vyos.util: add new helper copy_file()") added a new helper function to copy a file from A -> B and create the destination directory if required. It did also throw an excpetion if the destination file already existed and consisted of the same file - this is now ignored and we always copy the source to the destination.
2021-07-01pki: ipsec: T3642: Update migration script to account for file permission issuessarthurdev
2021-06-30smoketest: ipsec: add more re-usable variable definitions throughout the testChristian Poessinger
2021-06-30Merge pull request #902 from bstepler/T3658Christian Poessinger
dhcpdv6: T3658: add support for dhcpdv6 fixed-prefix6
2021-06-30dhcpdv6: T3658: add support for dhcpdv6 fixed-prefix6Brandon Stepler
2021-06-29Debian: T3641: remove absolut path to tcpdump which now resides in /usr/binChristian Poessinger
2021-06-29pki: ipsec: T3642: Migrate IPSec to use PKI configurationsarthurdev
2021-06-29pppoe-server: T3405: Add interface cache featureDmitriyEshenko
2021-06-29smoketest: bgp: T3657: test ipv6 link-local peeringChristian Poessinger
2021-06-29pki: T3642: New PKI config and managementsarthurdev
2021-06-28ipsec: T1441: switch from vti to xfrm interfacesChristian Poessinger
XFRM interfaces are similar to VTI devices in their basic functionality but offer several advantages: * No tunnel endpoint addresses have to be configured on the interfaces. Compared to VTIs, which are layer 3 tunnel devices with mandatory endpoints, this resolves issues with wildcard addresses (only one VTI with wildcard endpoints is supported), avoids a 1:1 mapping between SAs and interfaces, and easily allows SAs with multiple peers to share the same interface. * Because there are no endpoint addresses, IPv4 and IPv6 SAs are supported on the same interface (VTI devices only support one address family). * IPsec modes other than tunnel are supported (VTI devices only support tunnel mode). * No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier (XFRM interface ID) links policies and SAs with XFRM interfaces.
2021-06-28bgp: T3657: fix remote-as validator for IPv6 link-local peeringChristian Poessinger
The "v6only" CLI tree was not taken into account during validation. vyos@vyos:~$ show configuration commands | grep bgp set protocols bgp local-as '200' set protocols bgp neighbor eth0.204 address-family ipv6-unicast set protocols bgp neighbor eth0.204 interface v6only remote-as '100' vyos@vyos:~$ show bgp ipv6 sum IPv6 Unicast Summary: BGP router identifier 172.18.254.201, local AS number 200 vrf-id 0 BGP table version 0 RIB entries 0, using 0 bytes of memory Peers 1, using 21 KiB of memory Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt eth0.204 4 100 99 99 0 0 0 01:35:07 0 0 Total number of neighbors 1
2021-06-27op-mode: bond: T2546: implement "show interface bond * slaves" commandChristian Poessinger
Add implementation with XML and Python.
2021-06-26Debian: disable systemd salt-minion configuration - all handled in vyos-buildChristian Poessinger
2021-06-26Debian: ensure path for vyos-postconfig-bootup.script existsChristian Poessinger
2021-06-26Debian: drop ipsec key removal from postinst script - done on every system bootChristian Poessinger
2021-06-26Import vyos-postconfig-bootup.script from vyatta-cfg-systemChristian Poessinger
2021-06-26Import configuration files from vyatta-cfg-systemChristian Poessinger
2021-06-26Debian: no need to disable salt-minion in postinst scriptChristian Poessinger
This is already done in systemd service disable hook from vyos-build.
2021-06-26Import sudoers configuration from vyatta-cfg-systemChristian Poessinger
2021-06-26banner: T2135: adjust to raw strings from vyatta-cfg repoChristian Poessinger
2021-06-26nat: T1083: fix Jinja2 templating errorChristian Poessinger
Commit 166d44b3 ("nat: T1083: add translation options for persistent/random mapping of address and port") added support for persistent IP address and port mappings for NAT. Unfortunately one if clause got lost in translation.
2021-06-26nat: T1083: add translation options for persistent/random mapping of address ↵Igor Melnyk
and port Tested using: set destination rule 100 inbound-interface 'eth0' set destination rule 100 translation address '19.13.23.42' set destination rule 100 translation options address-mapping 'random' set destination rule 100 translation options port-mapping 'none' set source rule 1000 outbound-interface 'eth0' set source rule 1000 translation address '122.233.231.12' set source rule 1000 translation options address-mapping 'persistent' set source rule 1000 translation options port-mapping 'fully-random'
2021-06-26openvpn: T3641: adjust deprecated "openvpn --genkey" commandChristian Poessinger
WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secret filename instead.
2021-06-26ipsec: T3643: us vyos.util.copy_file() over raw UNIX cp commandChristian Poessinger
2021-06-26vyos.util: add new helper copy_file()Christian Poessinger
Copy a file from A -> B but also support adjusting Bs file permissions and creation of Bs base directory if required.
2021-06-26ipsec: T3643: use variable for path namesChristian Poessinger
2021-06-26Revert "ipsec: T3643: move swanctl.conf to /run"Christian Poessinger
This reverts commit 95bbbb8bed92a60a320ff255c8b8656145f3c540.
2021-06-25Merge pull request #899 from jack9603301/T3648Christian Poessinger
nat: nat66: T3648: Fix script logic errors and missing logic handling
2021-06-26nat: nat66: T3648: Fix script logic errors and missing logic handlingjack9603301
2021-06-25smoketest: ospf: sometimes the passive-interface-test fails - add debug codeChristian Poessinger
2021-06-25openvpn: T1704: drop deprecated disable-ncp optionChristian Poessinger
2021-06-25smoketest: bonding: T3649: fix typo in testcase nameChristian Poessinger
2021-06-25Merge pull request #898 from DmitriyEshenko/1x25062021Christian Poessinger
T3649: bonding: Add additional hash policies
2021-06-25T3649: bonding: Add additional hash policiesDmitriyEshenko
2021-06-24openvpn: T1512: T3641: drop deprecated "compat-names" optionChristian Poessinger
2021-06-24openvpn: T3641: remove deprecated iproute optionChristian Poessinger
Executing iproute2 commands as unprivileged member of the openvpn group is now handled via a sudoers file.
2021-06-24ipsec: T3643: move swanctl.conf to /runChristian Poessinger
This is the completion of commit 50a742b5 ("IPSec: T3643: Fix path for swanctl.conf file") that moves the generated swanctl file from non-volatile to a volatile (tmpfs backed) storage like we do for all out configuration files. Thus it is ensured after a reboot or service deprecation there are no accidential leftovers from previous configurations stored on the system.