Age | Commit message | Author
2023-04-09 | Merge pull request #1944 from chenxiaolong/eapol_tls_1.0_regression | Christian Breunig
eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLS
2023-04-09 | eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLS | Andrew Gunnerson
The Debian 12 upgrade in T5003 caused a regression for connecting to legacy networks that only support TLSv1.0/1.1 for EAP-TLS. Debian allows this by default in their wpa_supplicant package, but their `allow-tlsv1.patch` patch does not work properly with VyOS' newer wpa_supplicant package, which is based on the latest code in git. As a result, wpa_supplicant always respects the system-wide openssl crypto policy, disallowing TLSv1. The commit uses the documented way of allowing TLSv1, which takes precedence over the system crypto policy.
Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
2023-04-07 | openvpn: T5149: do not raise error in case of disabled interface | John Estabrook
2023-04-06 | container: T5147: ensure container network exists before VRF operation | Christian Breunig
Networks are started only as soon as there is a consumer. If only a network is created in the first place, no need to assign it to a VRF as there's no consumer, yet.
2023-04-04 | Merge pull request #1937 from aapostoliuk/T5135-sagitta | Christian Breunig
opennhrp: T5135: Rewritten opennhrp script using vyos.ipsec
2023-04-04 | Merge pull request #1938 from sever-sever/T5142 | Christian Breunig
T5142: Add audit tool to monitor security-relevant events
2023-04-04 | Merge pull request #1939 from sever-sever/T5145 | Christian Breunig
T5145: Add maximum number of all logins on system
2023-04-04 | T5145: Add maximum number of all logins on system | Viacheslav Hletenko
maxsyslogins maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is greater than specified number (this limit does not apply to user with uid=0)
set system login max-login-session 2
2023-04-04 | T5142: Add audit tool to monitor security-relevant events | Viacheslav Hletenko
2023-04-04 | opennhrp: T5135: Rewritten opennhrp script using vyos.ipsec | aapostoliuk
Rewritten opennhrp script using vyos.ipsec library
2023-04-03 | Merge pull request #1932 from sever-sever/T5125 | Christian Breunig
T5125: Sflow op-mode add event_samples_suppressed option
2023-04-03 | Merge pull request #1934 from sever-sever/T5141 | Christian Breunig
T5141: Add numbers for dhclient-exit-hooks.d to enforce order
2023-04-03 | Merge pull request #1933 from sever-sever/T5139 | Christian Breunig
T5139: IPSec add IKE lifetime 0 for no rekeying
2023-04-03 | T5141: Add numbers for dhclient-exit-hooks.d to enforce order | Viacheslav Hletenko
Add numbers for all dhclient-exit-hooks.d to enforce script order execution
Also, move '99-run-user-hooks' to '98-run-user-hooks' due to vyatta-dhclient-hook bug and exit with 'exit 1'; it is described in https://vyos.dev/T4856, so we should move this hook to the end.
Rename 'vyatta-dhclient-hook' to '99-vyatta-dhclient-hook'
2023-04-03 | T5139: IPSec add IKE lifetime 0 for no rekeying | Viacheslav Hletenko
IKE lifetime should start from 0 for disabling rekeying
2023-04-03 | T5125: Sflow op-mode add event_samples_suppressed option | Viacheslav Hletenko
Add "Packet drops suppressed" option
Rename "Samples drop events sent" to "Packet drops sent"
2023-04-02 | container: T5134: support binding container network to specific VRF | Christian Breunig
Container networks now can be bound to a specific VRF instance.
set vrf name <foo> table <xxx>
set container network <name> vrf <foo>
2023-04-02 | xml: re-use generic-description.xml.i building block whenever possible | Christian Breunig
Remove redundant XML CLI node definitions for the common description node by referencing the common building block.
2023-04-01 | Merge pull request #1929 from sever-sever/T5125 | Christian Breunig
T5125: Extend op-mode show sflow add new metric
2023-04-01 | T5125: Extend op-mode show sflow add new metric | Viacheslav Hletenko
Add new metric, the number of packet-drop-events sent
2023-04-01 | container: T4959: bugfix credential validation on registries | Christian Breunig
Commit fe82d86d ("container: T4959: add registry authentication option") looked up the wrong config dict level when validating that both username and password need to be specified when registries are in use.
2023-04-01 | container: T5082: switch to netavark network stack | Christian Breunig
We now support assigning discrete IPv6 addresses to a container.
2023-04-01 | container: T5047: bugfix TypeError: argument of type 'NoneType' is not iterable | Christian Breunig
Commit 52e51ffb ("container: T5047: restart only containers that changed") started to iterate over a NoneType which is invalid. This happened when a network description was changed but no container was due for restart.
2023-04-01 | xml: include building block file name should end with .i and not .in | Christian Breunig
2023-04-01 | isis: op-mode: T5132: bugfix VRF commands for route and neighbor | Christian Breunig
show isis vrf <name> neighbor|route did not call the vtysh wrapper but instead always called the commands for the default routing table.
2023-04-01 | Merge pull request #1926 from aapostoliuk/T5093-sagitta | Christian Breunig
ipsec: T5093: Fixed 'reset vpn ipsec profile' command
2023-04-01 | xml: T5128: streamline help string for interface CLI node building blocks | Christian Breunig
2023-04-01 | xml: allow-client: T5126: re-use new building block also for NTP service | Christian Breunig
2023-03-31 | Merge pull request #1920 from jestabro/https-allow-client | Viacheslav Hletenko
http-api: T5126: allow restricting client IP address
2023-03-31 | http-api: T5126: allow restricting client IP address | John Estabrook
2023-03-31 | Merge pull request #1922 from nicolas-fort/T5128 | Christian Breunig
T5128: Policy Route: allow wildcard on interface
2023-03-31 | Merge pull request #1927 from sever-sever/T5125 | Christian Breunig
T5125: Add op-mode for sFlow based on hsflowd
2023-03-31 | T5125: Add op-mode for sFlow based on hsflowd | Viacheslav Hletenko
Add op-mode for sFlow based on hsflowd "show sflow"
Add machine readable format '--raw' and formatted output
2023-03-31 | T5128: Add constraint for firewall interface. Also update smoketest to include at least one wildcarded interface | Nicolas Fort
2023-03-31 | T5128: Policy Route: allow wildcard on interface | Nicolas Fort
2023-03-31 | Merge pull request #1925 from sever-sever/T4173-smoketest | Viacheslav Hletenko
T4173: Fix smoketest for load-balancing wan
2023-03-31 | Merge pull request #1924 from fett0/T5131 | Christian Breunig
T5131: fix op-mode show isis segment-routing prefix-sids
2023-03-30 | T5131: fix op-mode show isis segment-routing prefix-sids | fett0
2023-03-30 | Merge pull request #1923 from jestabro/fix-template | Christian Breunig
interfaces: T5130: remove show_interfaces.py reference and script
2023-03-30 | interfaces: T5130: remove obsoleted show_interfaces.py | John Estabrook
2023-03-30 | interfaces: T5130: show/interfaces/node.def defined in vyos-1x | John Estabrook
2023-03-30 | ipsec: T5093: Fixed 'reset vpn ipsec profile' command | aapostoliuk
Fixed 'reset vpn ipsec profile' command using vici library and new op-mode style. Added ability to use 'reset vpn ipsec profile' command with 'remote-host' option.
2023-03-30 | T4173: Fix smoketest for load-balancing wan | Viacheslav Hletenko
Counter jump WANLOADBALANCE was deleted in the commit https://github.com/vyos/vyos-1x/commit/27ca5b9d6d699e201f88ffff41b0a651166b65eb
I guess it was done to pass the smoketest even if it broke the load-balance wan feature
Fix it
2023-03-29 | Merge pull request #1900 from jestabro/diff-test | Christian Breunig
configdiff: T5089: add unit test of config_diff
2023-03-29 | ntp: T3008: start daemon with extended privileges but then drop to _chrony | Christian Breunig
2023-03-29 | configdiff: T5089: add unit test | John Estabrook
2023-03-29 | configdiff: T5089: add optional arg ordered_values for unit tests | John Estabrook
2023-03-29 | configdiff: T5089: add union of configtrees for unit test | John Estabrook
2023-03-29 | configtree: T5089: sorting of nodes is now implemented on parsing config | John Estabrook
2023-03-29 | Merge pull request #1918 from sever-sever/T5110 | Christian Breunig
T5110: Fix op-mode FRR vtysh_pam account validation