Strongswan does not initiate a session after termination via vici.
Added a CHILD SAs initialization on the initiator side
of the tunnel.
(#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
  fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
  before, making sure the new includes (match-ipsec-in/out.xml.i) are
  used appropriately. There were a handful of spots where match-ipsec.xml.i
  had snuck back in for output hooked chains already
  (the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
  * I needed to check for ipsec-in matches no matter how deeply nested
    under an output-hook chain (via jump-target) - this always generates
    an error.
  * Ended up retrofitting the jump-targets validator from root chains
    and for named custom chains. It checks for recursive loops and improper
    IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
  smoketests
interface: T6592: remove interface from conntrack ct_iface_map on deletion
deletion
Now that interfaces are deleted from ct_iface_map during deletion it's time to
also add a smoketest ensuring there is no entry in the ct_iface_map once an
interface was deleted from the CLI.
We always have had stale interface entries in the ct_iface_map of nftables/
conntrack for any interface that once belonged to a VRF.
This commit will always clean the nftables interface map when the interface
is deleted from the system.
wireless: T6597: improve hostapd startup and corresponding smoketests
To reproduce:
```
set vrf name mgmt table '150'
set vrf name no-mgmt table '151'
set interfaces ethernet eth2 vrf 'mgmt'
commit
set interfaces ethernet eth2 vrf no-mgmt
commit
```
This resulted in an error while interacting with nftables:
```
[Errno 1] failed to run command: nft add element inet vrf_zones ct_iface_map { "eth2" : 151 }
```
The reason is that the old mapping entry still exists and was not removed.
This commit adds a new utility function get_vrf_tableid() and compares the
current and new VRF table IDs assigned to an interface. If the IDs do not
match, the nftables ct_iface_map entry is removed before the new entry is added.
as opposed to entire subsystems
An empty component version string will trigger a full migration;
however, the case of component_version being None was missed in a utility
function. Fix comment formatting.
Sometimes we need a reliable way to lock an execution until some other operation
is done.
This commit introduces a locking util, which can be used as a common lock, even
between different processes.
Usage example:
```python
from vyos.utils.locking import Lock

# Create a lock identified by a shared name so other processes can use the same lock
lock = Lock('my_lock_id')
# Block until the lock is acquired, giving up after 10 seconds
lock.acquire(timeout=10)
print(f'Lock acquired: {lock.is_locked}')
lock.release()
```
During a corner case where the configuration is migrated to a different system
with fewer ethernet interfaces, migration will fail during an image upgrade.
vyos.ethtool.Ethtool() is instantiated with an invalid interface, leading to an
exception that kills the migrator.
op-mode: T6514: rework the "show system storage" code to handle live CD systems correctly
to handle live CD systems correctly
and allow reusing the functions from other scripts
configd: T6504: send sudo_user on session init and set env variable
op mode: T6501: add "run show kernel modules"
get_current_user()
op mode: T6498: move uptime helpers to vyos.utils.system
to be able to call them from the new tech-support script
op-mode: T5514: Allow safe reboots to config defaults when config.boot is deleted
deleted
* Added flag to vyos.config_mgmt.unsaved_commits() that will tolerate missing config.boot for specific circumstances
* Shutdown/reboot uses this flag; config will regenerate from defaults after a reboot
filesystem
The intention of the vyos.utils package is to have a common ground for repeating
actions/helpers. This is also true for the number of CPUs and their respective
core count.
Move vyos.cpu to vyos.utils.cpu
generation
In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed
support for multiple CAs when dealing with the generation of Apple iOS profiles.
This commit extends support to properly include the common name of the server
certificate issuer and all its parent CAs. A list of parent CAs is
automatically generated from the "PKI" subsystem content and embedded into the
resulting profile.
To parse variables with `=` a variable name should be limited by alphanumerical
characters only.