Age | Commit message | Author |
|
firewall: T4345: Fix incorrect firewall rule limit rate format
|
|
interface in VRF
|
|
In order to test for proper system authentication and security setup a new
testcase is added which performs an SSH login and command execution with a
predefined user. The result (output of uname -a) must match the output if the
command is run natively.
We also try to log in as an invalid user - this is not allowed to work.
|
|
This is actually no longer required in FRR 8.2.2
|
|
Commit f8b3d8999c ("ipv6: T4319: do not configure IPv6 related settings if it's
disabled") moved the MTU configuration part under the code path which is only
run if IPv6 is enabled on the system.
This prevented MTU changes on IPv6 disabled systems.
|
|
T4319: bugfixes for disabled IPv6 (current)
|
|
Add new bgp parameter 'no-suppress-duplicates'
set protocols bgp parameters no-suppress-duplicates
|
|
According to a wrong bug [1] there is no longer a vrf suffix available for
interfaces. This got changed in [2] which no longer prints the vrf name for
interface config when using vrf-lite.
1: https://github.com/FRRouting/frr/issues/10805
2: https://github.com/FRRouting/frr/pull/10411
|
|
This reverts commit 534f677d36285863decb2cdff179687b4fd690cb.
Revert while investigating failure in vyos-configtest.
|
|
It should be possible to send the gathered data via a VRF bound interface to
the collector. This is somehow related to T3981 but it's the opposite side of
the netflow process.
set system flow-accounting vrf <name>
|
|
After hardening the regex validator to be preceded with ^ and ending with $
it was no longer possible to have a comma separated list as SSH ciphers. The
migration script is altered to migrate the previous comma separated list
to individual multi node entries - cipher and key-exchange always had been
multinodes - so this just re-arranges some values and does not break CLI
compatibility.
|
|
(cherry picked from commit 2fd5eea801bb524c12217c26d98c44a819b2086e)
|
|
ipsec: T1856: Ability to set SA life bytes and packets
|
|
ipsec: T3948: Add CLI site-to-site peer connection-type none
|
|
VXLAN does support using multiple remotes but VyOS does not. Add the ability
to set multiple remotes and add their flood lists using "bridge" command.
|
|
set vpn ipsec site-to-site peer 192.0.2.14 connection-type none
|
|
Commit 5d14a04b ("smoketest: dhcp: T4203: move testcase to base class") added
global support in the test case framework for DHCP tests. Some interfaces (e.g.
MACsec) require additional options to be passed before the test can be launched.
In the MACsec case this includes a source interface, or encryption ciphers.
|
|
set vpn ipsec esp-group grp-ESP life-bytes '100000'
set vpn ipsec esp-group grp-ESP life-packets '2000000'
|
|
* t4203-dhcp:
smoketest: dhcp: T4203: move testcase to base class
static: T4203: obey interface dhcp default route distance
interface: T4203: prevent DHCP client restart if not necessary
|
|
vpn: T4254: Add cisco_flexvpn and install_virtual_ip_on options
|
|
We do not only provide DHCP functionality to ethernet interfaces, it's a common
feature so the testcase should be made available for multiple interface types.
|
|
Ability to set Cisco FlexVPN vendor ID payload:
charon.cisco_flexvpn
charon.install_virtual_ip_on
swanctl.connections.<conn>.vips = x.x.x.x, z.z.z.z
set vpn ipsec options flexvpn
set vpn ipsec options virtual-ip
set vpn ipsec options interface tunX
set vpn ipsec site-to-site peer x.x.x.x virtual-address x.x.x.x
|
|
Commit 5fc9ef9e ("DHCP : T4258: Set correct port for dhcp-failover") changed
how the failover port is rendered into the ISC DHCPd configuration - adjustment
of the smoketests was missed out.
|
|
files
This commit updates the eapol code so that it writes the full
certificate chains for both the specified CA and the client certificate
to `<iface>_ca.pem` and `<iface>_cert.pem`, respectively.
The full CA chain is necessary for validating the incoming server
certificate when it is signed by an intermediate CA and the
intermediate CA cert is not included in the EAP-TLS ServerHello. In this
scenario, wpa_supplicant needs to have both the intermediate CA and the
root CA in its `ca_file`.
Similarly, the full client certificate chain is needed when the ISP
expects/requires that the client (wpa_supplicant) sends the client cert
+ the intermediate CA (or even + the root CA) as part of the EAP-TLS
ClientHello.
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
|