| Age | Commit message | Author |
As we now await the call to commit-confirm, do not run
commit-confirm-notify from a subshell.
T7591: remove copyright years from source files
T7589: Add no-split-gso and ack-filter for CAKE
dmbaturin/T7580-op-cache-generator-standalone-virtual
build: T7580: add support for standalone and virtual tag nodes to the op mode cache generator
vrf: T7544: Ensure correct quoting for VRF ifnames in nftables
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.
Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g'
In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
to ensure that the JSON cache is usable for command lookup
* For VRF create/delete:
* Simple dquoting, as before, was parsed away by the shell
* Just escaping the double quotes could cause issues with the shell mangling
VRF names (however unlikely)
* Wrapping original quotes in shell-escaped single quotes is a quick & easy
way to guard against both improper shell parsing and string names being
taken as nft keywords.
* Firewall configuration:
* Firewall "interface name" rules support VRF ifnames and used them unquoted,
fixed for nft_rule template tags (parse_rule)
* Went through and quoted all iif/oifname usage by zones and interface
groups. VRF ifnames weren't available for all cases, but there is
no harm in completeness.
* For this, also created a simple quoted_join template filter to replace
any use of |join(',')
* PBR calls nft but doesn't mind the "vni" name - table IDs used instead
I may have missed some niche nft use-cases that would be exposed to this problem.
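The quoting rule the T7544 message describes can be checked offline with Python's own POSIX-shell tokenizer. This is an added example, not vyos-1x code: `nft_quote`, `quoted_join`, `shell_wrap` and the rule builders are this example's own names, the rule bodies are constructed, and "vni" is used as a constructed VRF name that nft would otherwise read as a keyword. `shlex.split` follows the same quoting rules as a POSIX shell, so `token_after` shows exactly which argument nft receives after the shell has done its parsing.

```python
"""Shell-safe quoting of VRF/interface names in nft rules.

Added example (not VyOS code): nft only treats a double-quoted token as a
string, but a command line that passes through a shell has those double
quotes stripped, so the nft literal must itself be wrapped in shell single
quotes.  "vni" is a constructed VRF name that collides with an nft keyword.
"""
import shlex


def nft_quote(name: str) -> str:
    """Render name as an nft string literal ("name")."""
    if '"' in name or "\n" in name:
        # neither character is legal in a Linux interface name anyway
        raise ValueError(f"unsupported character in interface name: {name!r}")
    return f'"{name}"'


def quoted_join(names, sep: str = ",") -> str:
    """Jinja-style replacement for |join(','): every element nft-quoted."""
    return sep.join(nft_quote(n) for n in names)


def shell_wrap(nft_literal: str) -> str:
    """Single-quote the nft literal so a POSIX shell passes it through verbatim."""
    return shlex.quote(nft_literal)


def naive_command(ifname: str) -> str:
    """Pre-fix form: double quotes only, which the shell parses away."""
    return f"nft add rule inet filter forward iifname {nft_quote(ifname)} accept"


def fixed_command(ifname: str) -> str:
    """Fixed form: the double quotes wrapped in shell-escaped single quotes."""
    return f"nft add rule inet filter forward iifname {shell_wrap(nft_quote(ifname))} accept"


def set_command(ifnames) -> str:
    """Anonymous set of names rendered with quoted_join and wrapped once."""
    literal = "{ " + quoted_join(ifnames, ", ") + " }"
    return f"nft add rule inet filter forward iifname {shell_wrap(literal)} accept"


def token_after(cmd: str, key: str) -> str:
    """The argv element nft receives right after `key` once a POSIX shell
    has split cmd (shlex.split applies the same quoting rules)."""
    argv = shlex.split(cmd)
    return argv[argv.index(key) + 1]


if __name__ == "__main__":
    for label, cmd in (("naive", naive_command("vni")),
                       ("fixed", fixed_command("vni")),
                       ("set", set_command(["eth0", "vni"]))):
        print(f"{label:6} {cmd}")
        print(f"       nft sees iifname {token_after(cmd, 'iifname')!r}")
```

With the naive form nft receives the bare token `vni`, which it parses as a keyword; with the fixed form it receives `"vni"` and treats it as a string. Using `shlex.quote` rather than a hand-written `'"..."'` wrapper also survives names containing a single quote, which the commit message flags as unlikely but possible shell mangling.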
mode cache generator
T7561: simplify op-mode-definitions XML cache generation
pki: T7574: add optional force argument to renew certbot-issued certificates
Certbot renewal command in op-mode "renew certbot" only works if any of the
certificates is up for renewal. There is no CLI option to forcefully renew a
certificate. This is about adding a force option to the CLI and with this
addition move the entire certbot renew handling to new-style op-mode commands.
vyos@vyos:~$ renew certbot force
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /config/auth/letsencrypt/renewal/vyos.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for vyos.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
/config/auth/letsencrypt/live/vyos/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'post-hook' ran with output:
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
The original implementation of the op-mode XML cache generation resulted
in a structure that was difficult to use, for example, in documentation
generation. The source of complication is that, unlike the XML of
interface-definitions, path names are not unique: the same path may
occur as both a regular node and as a tag node. Here we simplify the
underlying structure by enriching path names with type information, thus
disambiguating paths. An interface to the cache is provided by explicit
generator and lookup functions.
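The ambiguity the T7561 message describes, and the typed-path fix, can be seen on a small definition where `show interfaces ethernet` exists both as a node and as a tagNode. This is an added example and not the vyos-1x cache generator: the XML fragment is constructed (command bodies elided), and the key encoding (plain name for nodes, name plus ` <tag>` for tag nodes) together with `generate_cache` and `lookup` are this example's own choices, not the encoding the project settled on.

```python
"""Op-mode XML cache keyed by typed paths.

Added example, not the vyos-1x generator: shows why keying the cache on the
bare command path loses entries, and how carrying the node type in the path
keeps a node and a tagNode of the same name apart.
"""
import xml.etree.ElementTree as ET

# Constructed op-mode definition fragment (command bodies elided).
SAMPLE_XML = """<interfaceDefinition>
  <node name="show">
    <children>
      <node name="interfaces">
        <properties><help>Show network interface information</help></properties>
        <children>
          <node name="ethernet">
            <properties><help>Show Ethernet interface information</help></properties>
          </node>
          <tagNode name="ethernet">
            <properties><help>Show specified Ethernet interface information</help></properties>
          </tagNode>
        </children>
      </node>
    </children>
  </node>
</interfaceDefinition>"""

NODE_TAGS = ("node", "tagNode", "leafNode")


def _entry(elem):
    help_text = elem.findtext("properties/help")
    return {"type": elem.tag, "help": help_text.strip() if help_text else ""}


def generate_cache(root, typed=True):
    """Walk the definition and return {path_key: entry}.

    typed=False reproduces the original problem: node and tagNode collapse
    onto one key and whichever comes last silently overwrites the other.
    """
    cache = {}

    def walk(elem, path):
        for child in elem:
            if child.tag not in NODE_TAGS:
                continue
            name = child.get("name")
            # this example's encoding: tag nodes get a " <tag>" suffix
            component = name + " <tag>" if (typed and child.tag == "tagNode") else name
            key = " ".join(path + [component])
            cache[key] = _entry(child)
            children = child.find("children")
            if children is not None:
                walk(children, path + [component])

    walk(root, [])
    return cache


def lookup(cache, path, tag=False):
    """Look up a command path; tag=True selects the tagNode variant."""
    path = list(path)
    if tag:
        path[-1] += " <tag>"
    return cache.get(" ".join(path))


def build_from_string(xml_text, typed=True):
    return generate_cache(ET.fromstring(xml_text), typed)


if __name__ == "__main__":
    for key, entry in build_from_string(SAMPLE_XML).items():
        print(f"{key:32} {entry['type']:8} {entry['help']}")
```

Because the type is part of the key, the suffix propagates into the paths of any children below a tag node, so two subtrees that share a name stay separate all the way down rather than only at the level where they diverge.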
T7554: fix wireguard fwmark parsing
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
firewalls should always accept
T7488: add utility for automatic rollback of section on apply stage error
T7432: RPKI VRF Support
http-api: T3955: add commit-confirm to endpoints /configure /config-file
T6013: Add support for AuthorizedPrincipalsFile to trusted_user_ca_key
config-mgmt: T7500: fix typo preventing commit-confirm hard rollback
http-api: T7498: allow passing config string in body of 'load' or 'merge' request
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate
from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.
This commit changes the behavior to support native certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migration script is used.
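What an ssh-keygen certificate carries, and what `AuthorizedPrincipalsFile` actually decides on, is easiest to see by decoding one. The following is an added example and not VyOS or OpenSSH code: it builds a constructed `ssh-ed25519-cert-v01@openssh.com` blob with dummy key and signature bytes, decodes the public fields in the order the certificate format defines them, and applies the principals-file rule (the login is allowed when any principal embedded in the certificate equals a line of the file, the certificate is a user certificate, and the current time lies in its validity window). Signature verification against the trusted CA key is deliberately out of scope, and per-line options in the principals file are not handled.

```python
"""Principal matching for OpenSSH user certificates (added example, not
VyOS or OpenSSH code).  The certificate is constructed with dummy key and
signature bytes; signature checking is out of scope here."""
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1          # 2 would be a host certificate


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_demo_cert(principals, key_id="alice@example", serial=7, valid_after=0,
                    valid_before=2**64 - 1, cert_type=SSH_CERT_TYPE_USER):
    """Constructed certificate line in the id_*-cert.pub layout."""
    body = (
        _string(CERT_TYPE.encode())
        + _string(b"\x00" * 32)                      # nonce
        + _string(b"\x11" * 32)                      # user public key (dummy)
        + struct.pack(">QI", serial, cert_type)
        + _string(key_id.encode())
        + _string(b"".join(_string(p.encode()) for p in principals))
        + struct.pack(">QQ", valid_after, valid_before)
        + _string(b"") + _string(b"") + _string(b"")  # critical opts, extensions, reserved
        + _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32))  # CA key (dummy)
        + _string(_string(b"ssh-ed25519") + _string(b"\x33" * 64))  # signature (dummy)
    )
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} {key_id}"


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def uint(self, fmt: str) -> int:
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v


def parse_cert(line: str) -> dict:
    """Decode the fields sshd consults before it even checks the signature."""
    r = _Reader(base64.b64decode(line.split()[1]))
    if r.string().decode() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    r.string(); r.string()                           # nonce, public key
    serial, cert_type = r.uint(">Q"), r.uint(">I")
    key_id = r.string().decode()
    pr, principals = _Reader(r.string()), []
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    return {"serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals,
            "valid_after": r.uint(">Q"), "valid_before": r.uint(">Q")}


def parse_principals_file(text: str):
    """Bare principal names, one per line; blank lines and '#' comments ignored."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}


def authorize(cert_line: str, principals_file: str, now: int) -> bool:
    cert = parse_cert(cert_line)
    if cert["type"] != SSH_CERT_TYPE_USER:
        return False                                 # host certificates never log in
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False
    allowed = parse_principals_file(principals_file)
    return any(p in allowed for p in cert["principals"])


if __name__ == "__main__":
    cert = build_demo_cert(["alice", "netops"])
    print(parse_cert(cert))
    print(authorize(cert, "# router admins\nnetops\n", now=1_700_000_000))
```

The point for the CLI addition above: the trusted CA key alone lets any certificate that CA signed log in as any user; the principals file is what narrows that to the named roles embedded in the certificate, which is why an X.509 certificate from `set pki ca` could never have worked here, as it carries no OpenSSH principals at all.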