(cherry picked from commit dd2516904527c74e01e0ced5166afe72a479ee00)
|
|
(cherry picked from commit fb6602f431f5595b97ea3726467ec782fa50ceb8)
|
|
op-mode: ipsec: T6407: fix profile generation (backport #3552)
|
|
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates")
added support for multiple CA certificates which broke the OP mode command
to generate the IPSec profiles as it did not expect a list and was rather
working on a string.
Now multiple CAs can be rendered into the Apple IOS profile.
(cherry picked from commit e6fe6e50a5c817e18c453e7bc42bb2e1c4b17671)
|
|
reverse-proxy: T6419: build full CA chain when verifying backend server (backport #3546)
|
|
container: T6406: fix NameError: name 'vyos' is not defined (backport #3547)
|
|
hostname: T6421: enforce explicit CLI priority for host-name and domain-name (backport #3551)
|
|
(cherry picked from commit 4b189a76c0a9a28504aab6715658840b929fc243)
|
|
(cherry picked from commit d83a6e5c5dc7e97e773f08bec7ba377530baafc9)
|
|
The code path to handle the ca certificate used for the frontend service
is removed, as there is no way on the CLI to define the CA certificate used
for the frontend service.
(cherry picked from commit 6000c47f068503522b0ccfe57c51f34ad9892e87)
|
|
haproxy supports both ":::80 v4v6" and "[::]:80 v4v6" as listen statement,
where the latter one is more human readable. Both act in the same way.
(cherry picked from commit a2f0b25452c67528077f343d75de09d038e97fee)
|
|
(cherry picked from commit 2980eb0ad527f0ef0f1527c0ea97842ca2a8ede5)
|
|
Commit 74910564f ("T6406: rename cpus to cpu") did not import the function
from the Python module.
(cherry picked from commit 8439f8a43e93c0560f1abfc2aa60990f521b4d4d)
|
|
Inspired-By: Brandon Zhi <Huiyuze_Zhi@protonmail.com>
(cherry picked from commit cf07a55d183be1f4d28b8b50a0784513d91d6fe2)
|
|
To prevent any possible races in the future the host-name and domain-name nodes
should be set with explicit priorities!
(cherry picked from commit 96d0e23a32a0e1b990ce022546ed7225956a0494)
|
|
T6420: updated contributor doc link
|
|
|
|
NAT: T6371: fix NAT op mode when list of ports/ranges configured (backport #3532)
|
|
list of ports/ranges exists
Before: Issuing the op mode command "show nat source rules" will throw an
exception if the user has configured NAT rules using a list of ports as a
comma-separated list (e.g. '!22,telnet,http,123,1001-1005'). Also there was
no handling for the "!" rule and so '!53' would display as '53'.
With this PR: Introduced iteration to capture all configured ports and append
to the appropriate string for display to the user as well as handling of '!' if
present in user's configuration.
(cherry picked from commit b7595ee9d328778105c70e3d4399ac45f555b304)
|
|
openvpn: T6374: only check TLS role for s2s if TLS is configured (backport #3541)
|
|
(cherry picked from commit f4069582273e1ee9916dea7de1e6ec176db81bc6)
|
|
ISIS: T6332: Fix isis not working only ipv6 (backport #3537)
|
|
(cherry picked from commit 03fd368ed263ca28c9b1b5e29f486217784d15ef)
|
|
openvpn: T6374: ensure that TLS role is configured for site-to-site with TLS (backport #3528)
|
|
(cherry picked from commit 380e998b10341b6dd42bb94d00a9d7a462ada27a)
|
|
T6406: Container CPU limits (backport #3530)
|
|
(cherry picked from commit 74910564f82e2837cd7eb35ea21f07601e5f8f0d)
|
|
(cherry picked from commit 81dea053e7178b8fea836a85aacde2a38ffb9e09)
|
|
(cherry picked from commit 5146cb23fff56e5a84db8c84120b836ceeae47f2)
|
|
(cherry picked from commit 6bcb201a0e7ee9fea5874b963bd3e727ecec578f)
|
|
smoketest: T6395: check for VFIO options to be present (backport #3522)
|
|
(cherry picked from commit f7b0bc68b7950a6c6e68b9e6708ef8a4b7b9b423)
|
|
dhcpv6-server: T3493: add constraintGroup for prefix-delegation start/stop address
|
|
reverse-proxy: T6402: Fix invalid checks in validation script (backport #3523)
|
|
(cherry picked from commit d4d70929a81b2ee1f66a9412a3545911b3874a62)
|
|
address
In addition to testing that the supplied IPv6 address ends with ::, we also
verify that it's a proper IPv6 address, just in case.
|
|
op-mode: T6400: pki: unable to generate fingerprint for ACME issued certificates (backport #3518)
|
|
op-mode: T6377: must call pki.py helper as root to work with ACME certificates (backport #3517)
|
|
This fixes (for an ACME generated certificate)
vyos@vyos:~$ show pki certificate vyos fingerprint sha512
Traceback (most recent call last):
File "/usr/libexec/vyos/op_mode/pki.py", line 1081, in <module>
show_certificate_fingerprint(args.certificate, args.fingerprint)
File "/usr/libexec/vyos/op_mode/pki.py", line 934, in show_certificate_fingerprint
print(get_certificate_fingerprint(cert, hash))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/vyos/pki.py", line 76, in get_certificate_fingerprint
fp = cert.fingerprint(hash_algorithm)
^^^^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'fingerprint'
After the fix:
vyos@vyos# run show pki certificate vyos fingerprint sha256
10:2C:EF:2C:DA:7A:EE:C6:D7:8E:53:12:F0:F5:DE:B9:E9:D0:6C:B4:49:1C:8B:70:2B:D9:AF:FC:9B:75:A3:D2
(cherry picked from commit b6ee07c7efbb818787deba20116f4289853fb5c9)
|
|
This fixes the error:
vyos@vyos:~$ show pki certificate
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/vyos/config.py", line 111, in config_dict_mangle_acme
tmp = read_file(f'{vyos_certbot_dir}/live/{name}/cert.pem')
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 44, in read_file
raise e
File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 38, in read_file
with open(fname, 'r') as f:
^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/config/auth/letsencrypt/live/vyos/cert.pem'
(cherry picked from commit 65fba1cd27af67c543e120effc12882bd0191f03)
|
|
T3493: dhcpv6-server does not have prefix range validation
|
|
address
ISC DHCP server expects a string: "prefix6 2001:db8:290:: 2001:db8:29f:: /64;"
where the IPv6 prefix/range must be :: terminated with a delegated prefix
length at the end.
This commit changes the validator so that the IPv6 address defined on the CLI must
always end with ::. In addition a verify() step is added to check that the
stop address is greater than start address.
|
|
This reverts the prefix start/stop address must be inside network part from
commit 4cde0b8ce778d269d3fe1d4f33ba5b2caf424181.
|
|
$ touch /tmp/vyos.smoketest.debug
will enable dynamic debugging of the smoketests - showing the appropriate CLI
commands on stdout
(cherry picked from commit 0cb4294fdfe5ae0e0e8fd06436f38b67f16413a2)
|
|
|
|
Co-authored-by: Gregor Michels <hirnpfirsich@brainpeach.de>
(cherry picked from commit 609563d6acfeafbed46b1ac5e6bd497ce097e3bc)
Co-authored-by: Gregor Michels <gregor.michels@web.de>
|
|
reverse-proxy: T6370: Set custom HTTP headers in reverse-proxy responses (backport #3487)
|
|
(cherry picked from commit e1450096b4c667a4c33a3fcd8f67ebf6a39d441d)
|
|
nat: T6345: source NAT port mapping "fully-random" is superfluous in Kernel >=5.0 (backport #3507)
|
|
>=5.0
random - In kernel 5.0 and newer this is the same as fully-random. In earlier
kernels the port mapping will be randomized using a seeded MD5 hash mix using
source and destination address and destination port.
https://git.netfilter.org/nftables/commit/?id=fbe27464dee4588d906492749251454
(cherry picked from commit 7fe568ca1672f1dfbd2b56ee3ef7a6ab48b03070)
|