| Age | Commit message (Collapse) | Author |
|---|
|
T4916: Rewrite IPsec peer authentication and psk migration
|
|
Some older VyOS 1.3 installations seem to use zero-length description fields.
Do not break them!
|
|
|
|
T4958: ocserv: openconnect: Add RADIUS accounting support
|
|
configtree: T4961: improve error reporting of function copy
|
|
Removes port key from accounting server merged config dictionary.
|
|
|
|
Adds CLI configuration options to configure RADIUS accounting for OpenConnect VPN sessions. This functionality cannot be used outside of the RADIUS OpenConnect VPN authentication mode
|
|
|
|
openconnect: T4955: Removed wrong authserver in radiusclient.conf
|
|
sysctl: T4928: remove outdated conntrack_helper
|
|
This sysctl has been removed from kernel 6.0.X onwards but its removal was skipped when upgrading the kernel.
See: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter?id=b118509076b39cc5e616c0680312b5caaca535fe
|
|
vyos.ethtool: T4963: improve driver name detection
|
|
The previous solution did not work for drivers that were no modules.
e.g compiled with a kernel config set to CONFIG_VIRTIO_NET=y
|
|
|
|
|
|
config.copy does not recursively create nodes of the path. On install
image, the path ['service'] is not present in config.boot.default, so
must be created before config.copy['service', 'ntp'].
|
|
After merging config dictionary with default values, radius port
the default value was merged not in a proper way.
It is added as a server.
After creating radiusclient.conf added and the illegal authserver
equal 'port'.
|
|
Rewrite strongswan IPsec authentication to reflect structure
from swanctl.conf
The most important change is that more than one local/remote ID in the
same auth entry should be allowed
replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
=> 'ipsec authentication psk <tag> secret xxx'
set vpn ipsec authentication psk <tag> id '192.0.2.1'
set vpn ipsec authentication psk <tag> id '192.0.2.2'
set vpn ipsec authentication psk <tag> secret 'xxx'
set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'
Add template filter for Jinja2 'generate_uuid4'
|
|
T4956: fix 'show hardware cpu' issue on arm64
|
|
|
|
|
|
Traceback (most recent call last):
File "/usr/libexec/vyos/op_mode/cpu.py", line 76, in <module>
res = vyos.opmode.run(sys.modules[__name__])
File "/usr/lib/python3/dist-packages/vyos/opmode.py", line 200, in run
res = func(**args)
File "/usr/libexec/vyos/op_mode/cpu.py", line 58, in show
cpu_data = _get_raw_data()
File "/usr/libexec/vyos/op_mode/cpu.py", line 40, in _get_raw_data
return vyos.cpu.get_cpus()
File "/usr/lib/python3/dist-packages/vyos/cpu.py", line 83, in get_cpus
cpus_dict = _find_physical_cpus()
File "/usr/lib/python3/dist-packages/vyos/cpu.py", line 76, in _find_physical_cpus
phys_cpus[num] = cpu[num]
NameError: name 'cpu' is not defined
Co-authored By: MartB <contact@martb.dev>
|
|
opmode: T4950: add set to the list of op mode functions
|
|
T1297: VRRP: add garp options to vrrp
|
|
T4940: make the file .py Executable
|
|
|
|
make the file (generate_interfaces_debug_archive.py
) executable
|
|
Commit b5e90197 ("op mode: T4951: add InsufficientResources error") missed out
a comma when extending the op_mode_err_msg dictionary.
|
|
Commit a0fc8b80 ("T4940: new interfaces debugging command") introduced a new
tree under the op-mode "generate" function. The new "interface" node had no
help string available making the build fail:
> There are empty node.def files! Check your interface definitions.
|
|
igmp-proxy: T4912: Rewrite show IGMP proxy commands in the new op-mode format
|
|
T4940: new interfaces debugging command
|
|
op mode: T4951: add InsufficientResources error
|
|
CLI expects ipv4net/ipv6net but the help strings only suggested it should be
ipv4/ipv6. This has been corrected.
|
|
|
|
|
|
|
|
|
|
There are currently two ways to generate the interface name completion helper
list (we use openvpn in this example)
- <script> ${vyos_completion_dir}/list_interfaces.py --type openvpn</script>
- <path>interfaces openvpn</path>
The first one using <script> tends to be rather slow as there is a Python
interpreter startup involved (expensive). The latter simply calls a C program
which is executed rather fast and gives the same result.
We can simply replace the first call with the second one to make the CLI
feel faster.
|
|
T4944: disallow bare literals in raw op mode outputs
|
|
|
|
|
|
|
|
The script completion helper will only show SSTP client interfaces already
created and beeing active in the Kernel. The path completion helper shows the
real CLI deal.
|
|
The script completion helper will only show MACsec interfaces already created
and beeing active in the Kernel. The path completion helper shows the real
CLI deal.
|
|
Some ISPs seem to use the host-uniq flag to authenticate client equipment.
Add CLI option in VyOS to allow specification of the host-uniq flag.
set interfaces pppoe pppoeN host-uniq <value>
|
|
One can not always ensure that "interface" is of type list, add safeguard.
E.G. Juniper Networks, Inc. ex2300-c-12t only has a dict, not a list of dicts
So this is actually an upstream lldpd bug where the output depends on the amount
of data transmitted.
|
|
Whenever a container is used and a folder is mounted, this happenes as
read-write which is the default in Docker/Podman - so is the default in VyOS.
A new option is added "set container name foo volume mode <ro|rw>" to specify
explicitly if rw (default) or ro should be used for this mounted folder.
|
|
|
|
One can not always ensure that "capability" is of type list, add a safeguard.
E.G. Unify US-24-250W only has a dict, not a list of dicts.
|
