| Age | Commit message | Author |
|
T7554: fix wireguard fwmark parsing
|
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
|
T7488: add utility for automatic rollback of section on apply stage error
|
T7432: RPKI VRF Support
|
http-api: T3955: add commit-confirm to endpoints /configure /config-file
|
T6013: Add support for AuthorizedPrincipalsFile to trusted_user_ca_key
|
config-mgmt: T7500: fix typo preventing commit-confirm hard rollback
|
http-api: T7498: allow passing config string in body of 'load' or 'merge' request
|
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate
from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.
This commit changes the behavior to support native certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migration script is used.
|
flowtable: T7350: Prevent interface deletion if referenced on flowtable
|
Bridge: T7430: Add BPDU Guard and Root Guard support
|
We maintain compatibility with the legacy commit lock file until all
other references are resolved; this requires a POSIX-type lock instead
of the BSD-type lock of vyos.utils.locking.
|
In the absence of Cstore, the env var remains as the sole indication of
config mode for the legacy CLI, and its emulation here.
|
The environment variable _OFR_CONFIGURE is used by bash completion to
setup the config mode environment. We check this setting to coordinate
vyconf config mode and CLI config mode, independent of the legacy
backend Cstore check.
|
ipoe_server: T6997: Do not require creating a client ip pool when dhcp-relay is used
|
T7348: Add config CPU thread-count for accel-ppp services
|
wireguard: T7387: Optimise wireguard peer handling
|
If we use several ports for the `conntrack ignore`, nftables requires
curly braces:
Incorrect format: dport 500,4500
Correct format: dport { 500, 4500 }
|
Accel-ppp services should not use all CPU cores to process requests.
At the moment accel-ppp services use all available CPU cores
to process requests from the subscribers (establish/update session/etc).
During mass connection of sessions, this can lead to it utilizing all
CPU, so that other services like FRR do not have enough CPU time for
their own stable work.
services:
- L2TP
- SSTP
- PPPoE
- IPoE
- PPtP
Make this option configurable and use all cores if not set:
```
set service pppoe-server thread-count < all | half | x >
```
The defaultValue is `all`
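As an added example (not code from this commit or from vyos-1x) of how the `< all | half | x >` value could be resolved before it is written out for accel-ppp. The helper names `resolve_thread_count` and `render_core_section` are hypothetical; the `[core] thread-count=` option name is taken from accel-ppp's own configuration file but is an assumption here, as is the choice to never let `half` drop below one thread.

```python
"""Resolve the CLI thread-count setting to a thread count for accel-ppp."""
import os

KEYWORDS = ("all", "half")


def resolve_thread_count(setting, cpu_count=None) -> int:
    """Map 'all' | 'half' | '<n>' (or None = not set) to a thread count.

    cpu_count may be passed explicitly (tests, offline use); otherwise the
    host's CPU count is used.  'half' never drops below one thread, and a
    numeric value must be a positive integer.  Not set behaves like 'all',
    matching the CLI default.
    """
    cores = cpu_count if cpu_count is not None else (os.cpu_count() or 1)
    if setting is None or setting == "all":
        return cores
    if setting == "half":
        return max(1, cores // 2)
    try:
        threads = int(setting)
    except (TypeError, ValueError):
        raise ValueError(
            f"thread-count must be one of {KEYWORDS} or a positive integer, "
            f"got {setting!r}"
        ) from None
    if threads < 1:
        raise ValueError("thread-count must be at least 1")
    return threads


def render_core_section(setting, cpu_count=None) -> str:
    """Render the accel-ppp [core] section (option name assumed)."""
    return f"[core]\nthread-count={resolve_thread_count(setting, cpu_count)}\n"


if __name__ == "__main__":
    # Constructed sample: an 8-core box with the three CLI forms.
    for value in ("all", "half", "3", None):
        print(value, "->", resolve_thread_count(value, cpu_count=8))
```

Passing `cpu_count` explicitly keeps the function deterministic in tests and lets a config validator report what `half` will mean on the target hardware.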
|
T7386: firewall: Allow IPv6 member in firewall remote-groups
|
utils: T7095: make `vrf` and `netns` arguments aware of the shell
|
frr: T7431: missing logging options after rewrite to frrender class
|
In src/etc/systemd/system/frr.service.d/override.conf#L6-L11 the log entry is
added on restart - but not during normal operation of frrender.py.
Logging should be added persistently when rendering the FRR configuration
using the FRRender class.
|
This will add support for BPDU Guard and Root Guard to the bridge interface.
Verification will come from:
show log spanning-tree
|
When both the CLI PKI node for an ACME-issued certificate and HAProxy are
configured during initial setup, the certbot challenge cannot be served via the
reverse proxy because HAProxy has not yet been configured at all.
This commit introduces a special case to handle this bootstrap scenario,
ensuring that the certbot challenge can still be served correctly in standalone
mode on port 80 despite initial config dependencies/priorities between PKI
and HAProxy.
|
This will wrap the messages at 72 characters in the same way as Warning() and
DeprecationWarning() would do. We now have simple wrappers for it!
Example:
vyos@vyos# commit
[ pki ]
Updating configuration: "load-balancing haproxy service frontend ssl
certificate LE_cloud"
Add/replace automatically imported CA certificate for "LE_cloud"
|
Add a new category of Jinja2 operands. We already have filters and tests, but
sometimes we would like to call a Python function without any data "|" piped
to it - that's what they call a clever-function.
{{ get_default_port(NAME) }} can be used to retrieve the value from
vyos.defaults.internal_ports[NAME] within Jinja2. We no longer need to extend
the dictionary with arbitrary data retrieved from vyos.defaults, we can now
simply register another clever-function to the Jinja2 backend.
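As an added example (not code from this commit or from vyos-1x) of the three kinds of Jinja2 extension the commit contrasts: a filter receives piped data, a test is used in a boolean position, and a global (the commit's "clever-function") is simply called with arguments. `INTERNAL_PORTS` is a constructed stand-in for `vyos.defaults.internal_ports` with made-up names and numbers, and `make_env`, `render`, the `quote` filter and the `internal_port` test are hypothetical names for illustration.

```python
"""Filters, tests and globals in a Jinja2 environment."""
from jinja2 import Environment, StrictUndefined

# Constructed stand-in for vyos.defaults.internal_ports (assumption: names and
# port numbers below are made up for this example).
INTERNAL_PORTS = {
    "sample_http": 8080,
    "sample_metrics": 9100,
}


def get_default_port(name: str) -> int:
    """Callable registered as a Jinja2 global; no data is piped into it."""
    try:
        return INTERNAL_PORTS[name]
    except KeyError:
        # Fail loudly at render time rather than emitting an empty port.
        raise KeyError(f"no internal port registered for {name!r}") from None


def make_env() -> Environment:
    env = Environment(undefined=StrictUndefined, trim_blocks=True, lstrip_blocks=True)
    # Filter: receives the piped value ("{{ value | quote }}").
    env.filters["quote"] = lambda value: f'"{value}"'
    # Test: used in boolean position ("{% if name is internal_port %}").
    env.tests["internal_port"] = lambda name: name in INTERNAL_PORTS
    # Global: called like a function with no piped data.
    env.globals["get_default_port"] = get_default_port
    return env


def render(template_src: str, **data) -> str:
    return make_env().from_string(template_src).render(**data)


TEMPLATE = """\
{% if name is internal_port %}
listen {{ name | quote }} on 127.0.0.1:{{ get_default_port(name) }}
{% else %}
# no internal port for {{ name | quote }}
{% endif %}
"""

if __name__ == "__main__":
    print(render(TEMPLATE, name="sample_http"), end="")
    print(render(TEMPLATE, name="unknown"), end="")
```

`StrictUndefined` makes a typo in a variable name a render error instead of silently producing an empty string, which matters when the rendered text is a listener address or a port number.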
|
If we detect that an ACME issued certificate is consumed by the haproxy service,
we will move the certbot webserver to localhost and a high port, to proxy the
request via haproxy which is already using port 80.
|