Age | Commit message (Collapse) | Author |
|
|
|
This commit adds a script to run user-defined hook scripts upon renewing
a DHCP lease. This can be used to, for example, dynamically define a
firewall address-group based on the dynamic IP address of an interface.
For an example of its use (as well as the use case I had in mind while
coding this), see https://vyos.dev/T2196#142394
Co-authored-by: br <git@ibeep.com>
|
|
Commit 54c36e43 (tunnel: T5034: migrate "multicast enable" CLI node to
enable-multicast) changed the syntax on the CLI. This commits changes the
testcase to make use of the new syntax.
|
|
Tunnel interface multicast settings can be "enabled or disabled". As we prefer
valueless nodes, and the linux kernel default is "disabled" we should add a
set interfaces tunnel tunXX enable-multicast
command
|
|
DeprecationWarning: 'crypt' is deprecated and slated for removal in Python 3.13
DeprecationWarning: 'spwd' is deprecated and slated for removal in Python 3.13
|
|
|
|
login: T4943: Fixed 2FA + RADIUS compatibility
|
|
MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS
module for PAM does not like it, which makes them incompatible.
This commit:
* disables KbdInteractiveAuthentication
* changes order for PAM modules - make it first, before `pam_unix` or
`pam_radius_auth`
* enables the `forward_pass` option for `pam_google_authenticator` to accept
both password and MFA in a single input
As a result, local, RADIUS, and MFA work together.
Important change: MFA should be entered together with a password.
Before:
```
vyos login: <USERNAME>
Password: <PASSWORD>
Verification code: <MFA>
```
Now:
```
vyos login: <USERNAME>
Password & verification code: <PASSWORD><MFA>
```
|
|
T5029: Change nginx default root directory
|
|
http-api: T5030: fix missing check on delete keys id tag or key value
|
|
T5029: Fix Regex for nginx to find a better match
|
|
|
|
|
|
|
|
ipsec: T4985: Changed 'reset vpn ipsec-peer' to use vici library
|
|
1. Changed reset IPSEC, IKE SAs to use vici library.
2. Created package vyos.ipsec to communicate with vici library.
|
|
T5027: Enable legacy provider to support current ciphers
|
|
T5013: Extend accelppp op-mode script to get statistic
|
|
T5017: Add interface ifbX to constraint interface-name
|
|
|
|
|
|
|
|
* We will need to remove insecure ciphers as a long-term solution (BF-CBC, DES...)
|
|
|
|
|
|
|
|
T5025: Fix timezones and validator use timedatectl
|
|
Fix timezones completion help and validotor
Use 'timedatectl' insted of find zoneinfo
|
|
openconnect: T5023: Conf script missing optional config parameter
|
|
|
|
ipsec: T4593: Remove references to deleted variables
|
|
|
|
T5020: Extend openvpn op-mode to get list of configured clients
|
|
T5007: Fix multicast implementation for the tunnel interfaces
|
|
T4978: Default values of port rewrite default container values
|
|
As we have the same variable name 'default_values' for container
name, port and volume, it rewrites default container parameters
with default port parameters
Fix it
|
|
Extend openvpn.py op-mode script to get list of configured clients
for the '--raw' output
|
|
Multicast has not been implemented for the tunnel interfaces.
We have only configuration CLI commands that do anything.
Fix it.
ip link set dev <tag> multicast on
ip link set dev <tag> multicast off
|
|
T4886: allow connection-mark 0 value, which is acceptable
|
|
|
|
T5011: Set default values for min_mtu max_mtu
|
|
Some interface drivers don't support/provide min_mtu and max_mtu values
For example VyOS in docker container with 'veth' driver on some
platforms
As a workarund add default values for min/max MTU for calculations
and pass function "verify_mtu(config)"
|
|
Change op-mode raw statistics for accel_ppp.py
dict key 'cpu' to 'cpu_load_percentage' and value to integer
|
|
Extend accelppp.py op-mode script to get
subnet/start/stop/gateway/client_ip_pool/ etc
info from the configuration
|
|
qos: classes: helptext: T5015: Escape % in printf
|
|
|
|
macsec: T5008: Changed length of CKN to (2..64 hex-digits)
|
|
T5005: PPPoE server allow any login with option noauth
|
|
Disabling authentication is useful in emergency situations
(e.g. RADIUS server is down) or testing purposes.
Clients can connect with any login and username.
set service pppoe-server authentication mode 'noauth'
|
|
Based on wpa_supplicant documentation.
mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit)
hex-string (2..64 hex-digits)
Changed allowable length of CKN from strong 64 hex-digits
to the range (2..64 hex-digits)
|