set pki openssh rpki private key ...
set pki openssh rpki public key ...
set pki openssh rpki public type 'ssh-rsa'
|
|
rpki: T6004: add missing startup priority
|
|
xml: T5738: improve PKI building blocks for CLI
|
|
T6028: Fix QoS policy shaper wrong class_id_max and default_minor_id
|
|
The `class_id_max` is wrong due to `tmp.sort` of Strings.
If we have class 5 and class 10, we get a sorted max value of 5; expected 10.
```
>>> tmp = ['5', '10']
>>> tmp.sort()
>>> tmp
['10', '5']
>>>
>>> hex(5+1)
'0x6'
>>>
>>> hex(10+1)
'0xb'
>>>
```
This way we get the wrong default maximum class value:
```
tc qdisc replace dev eth1 root handle 1: htb r2q 444 default 6
```
Expect:
```
tc qdisc replace dev eth1 root handle 1: htb r2q 444 default b
```
Fix this by converting Strings to Integers and getting the max value.
|
|
T5703: Fix reapply QoS for connection-oriented interfaces
|
|
After `disconnect` and `connect` connection-oriented interfaces
like PPPoE, QoS policy has to be reapplied
|
|
https: T5902: fix migration of virtual-host port
|
|
CLI source node is port and not listen-port.
|
|
rpki: T6023: add support for CLI knobs expire-interval and retry-interval
|
|
T5685: Keepalived VRRP prefix is not necessary for the virtual address
|
|
T5960: Rewritten authentication node in PPTP to a single view
|
|
T6026: QoS hide attempts to delete qdisc from devices
|
|
op-mode: T4038: Python rewrite of image tools
|
|
Hide unexpected output from attempts to delete `qdisc` from
interfaces:
```
[ qos ]
Error: Cannot find specified qdisc on specified device.
Error: Cannot delete qdisc with handle of zero.
```
|
|
vrf: T5973: module is now statically compiled into the kernel
|
|
bgp: T6024: add additional missing FRR features
|
|
init: T2044: only start rpki if cache is configured
|
|
xml: T302: replace references to Quagga with FRRouting
|
|
This extends commit 9199c87cf ("init: T2044: always start/stop rpki during
system boot") to check the bootup configuration if an RPKI cache is defined.
Only start RPKI if this is the case.
|
|
vpn: T3843: l2tp configuration not cleared after delete
|
|
* set protocols bgp parameters labeled-unicast <explicit-null | ipv4-explicit-null | ipv6-explicit-null>
* set protocols bgp parameters allow-martian-nexthop
* set protocols bgp parameters no-hard-administrative-reset
|
|
T6021: Fix QoS shaper r2q calculation
|
|
Rewritten authentication node in accel-ppp services
to a single view. In particular - PPTP authentication.
|
|
Always enable VRF strict_mode
|
|
The current `r2q` calculation is wrong as it uses `Floor division`
where `division` is expected.
This way `math.ceil` calculates a wrong value, as we expect it to
round a number upward to its nearest integer.
For example, for a speed of 710 mbits the expected value is `444` but we get `443`:
```
>>> from math import ceil
>>> MAXQUANTUM = 200000
>>> speed = 710000000
>>> speed_bps = int(speed) // 8
>>> speed_bps // MAXQUANTUM
443
>>> speed_bps / MAXQUANTUM
443.75
>>> ceil(speed_bps // MAXQUANTUM)
443
>>> ceil(speed_bps / MAXQUANTUM)
444
```
|
|
image-tools: T6016: wait for umount in cleanup function
|
|
T5921: Fix OpenConnect verify for local users
|
|
Fix verify error for the VPN OpenConnect configuration with
local authentication and without any user:
```
  File "/usr/libexec/vyos/conf_mode/vpn_openconnect.py", line 94, in verify
    if not ocserv["authentication"]["local_users"]:
KeyError: 'local_users'
```
|
|
vpn: T5926: IPSEC does not apply after l2tp configuration was changed
added dependency between l2tp and ipsec conf
added test for apply config to swanctl
|
|
op-mode:T6015:Fix for charon file generated by ipsec debug script (backport #2942)
|
|
(cherry picked from commit 0c9c496961dc88110da53943a14dd88086ea920d)
|
|
rpki: T6011: known-hosts-file is no longer supported by FRR
|
|
init: T2044: always start/stop rpki during system boot
|
|
T6018: adjust smoketest for update to FastAPI web framework
|
|
ipsec: T5998: add replay-windows setting
|
|
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node
to explicitly change this.
* set vpn ipsec site-to-site peer <name> replay-window <0-2040>
|
|
configdict: T5894: preserve old behavior when dealing with PKI
|
|
Commit b152b5202 ("configdict: T5894: add get_config_dict() flag with_pki")
added the generic PKI flag but if there was no PKI subsystem available
in the configuration, no pki dict key ever manifested in the resulting
dictionary requested by the caller.
This is different from the old behavior (with each caller implementing the call
itself) where there always was a pki key present - even if it was empty.
This triggered a bug in the IPSec script:
```
Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 600, in <module>
    verify(ipsec)
  File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 372, in verify
    verify_pki_rsa(ipsec['pki'], rsa)
                   ~~~~~^^^^^^^
KeyError: 'pki'
```
As it wanted to verify keys, but there was no pki dictionary key available.
This commit restores the previous behavior.
|
|
qos: T5848: Add triple-isolate option to CAKE policy config
|