| Age | Commit message (Collapse) | Author |
|---|
|
Ability to attach host devices to the container
It can be disk, USB device or any device from the directory /dev
set container name alp01 device disk source '/dev/vdb1'
set container name alp01 device disk destination '/dev/mydisk'
|
|
files
This commit updates the eapol code so that it writes the full
certificate chains for both the specified CA and the client certificate
to `<iface>_ca.pem` and `<iface>_cert.pem`, respectively.
The full CA chain is necessary for validating the incoming server
certificate when it is signed by an intermediate CA and the
intermediate CA cert is not included in the EAP-TLS ServerHello. In this
scenario, wpa_supplicant needs to have both the intermediate CA and the
root CA in its `ca_file`.
Similarly, the full client certificate chain is needed when the ISP
expects/requires that the client (wpa_supplicant) sends the client cert
+ the intermediate CA (or even + the root CA) as part of the EAP-TLS
ClientHello.
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
|
|
|
|
openvpn: T4230: Delete checks if local-host address assigned
|
|
Verify section conntrack_sync.py funciton 'is_addr_assigned'
should checks address as string not as list
(cherry picked from commit c41c51e4ed7ceb293161014a73bdd350162c3300)
|
|
This commit fixes a small typo where the client cert name was being used
to index the CA configuration dict.
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
|
|
|
|
interface
It is impossible for the OS kernel to distinguish multiple GRE tunnels when no
"gre key" is configured when sourcing tunnels from the same interface.
|
|
We always mangled and worked on the "ip rule" singleton even when nothing
needed to be changed. This resulted in a VRF hickup when the same VRF was added
and removed multiple times.
set interfaces ethernet eth1 vrf foo
set vrf name foo table '1000'
commit
delete interfaces ethernet eth1 vrf
delete vrf
commit
set interfaces ethernet eth1 vrf foo
set vrf name foo table '1000'
commit
broke reachability on eth1 - a reboot was required.
This change will now only alter the ip rule tables once when VRF instances
are created for the first time and will not touch the Kernel "ip rule"
representation afterwards.
|
|
Related to #1215
|
|
Local-address should be checked/executed only if it exists in the
openvpn configuration, dictionary, jinja2 template
|
|
OpenVPN can't start if it depends on VRRP virtual-address as
virtual-address is not yet assigned by HA (openvpn and ha
in one commit) as we have checks "if address assigned"
It depends on commit priorities:
460 interfaces/openvpn
800 high-availability
Replace check if local-host address assigned from raise ConfigError
to print (just notification)
Allow to bind OpenVPN service to nonlocal address
|
|
firewall: T4209: Fix support for rule `recent` matches
|
|
|
|
|
|
|
|
policy: T4219: add local-route(6) inbound-interface support
|
|
|
|
|
|
|
|
|
|
|
|
policy: T4151: bugfix multiple commits and smoketest
|
|
upnpd: T3420: Support UPNP protocol
|
|
|
|
policy: T4213: Fix rule creation/deletion for IPv6 policy routes
|
|
|
|
Prefix-list should not be duplicatied as FRR doesn't accept it
One option when it can be duplicated when it uses "le" or "ge"
|
|
firewall: T4130: T4186: ICMP/v6 updates, ipv6 state policy check fix
|
|
|
|
|
|
|
|
policy: T4151: Add policy ipv6-local-route
|
|
|
|
|
|
firewall: T4178: T3873: tcp flags syntax refactor, intra-zone-filtering fix
|
|
* Add support for ECN and CWR flags
|
|
firewall: T4178: Use lowercase for TCP flags and add an validator
|
|
|
|
Adds support for `ip -6 rule` policy based routing.
Also, extends the existing ipv4 implemenation with a
`destination` key, which is translated as
`ip rule add to x.x.x.x/x` rules.
https://phabricator.vyos.net/T4151
|
|
Telegraf ethtool input filter expected ethX interfaces and not
other interfaces like vlans/tunnels/dummy
Add "interface_include" option to telegraf template.
|
|
* Migrates all policy route references from `ipv6-route` to `route6`
* Update test config `dialup-router-medium-vpn` to test migration of `ipv6-route` to `route6`
|
|
|
|
is changed
|
|
file for group definitions.
|
|
In order to have a consistent looking CLI we should rename this CLI node.
There is:
* access-list and access-list6 (policy)
* prefix-list and prefix-list6 (policy)
* route and route6 (static routes)
|
|
The bug was partially fixed with this commit:
https://github.com/vyos/vyos-1x/commit/358f0b481d8620cad4954e3fe418054b9a8c3ecd
The earlier commit introduced a startup retry (up to 10 times) to allow the OS
to settle before the container is started. However, it only applies if
host networking is NOT used. This change applies the same for containers
where host networking is employed.
Since the retry portion of the code (written in the earlier commit) is now
referenced twice, it has been moved to its own function.
|
|
Before installing a new conntrack policy into the OS Kernel, the new policy
should be verified by nftables if it can be loaded at all or if it will fail
to load. There is no need to load a "bad" configuration if we can pre-test it.
|
|
Before installing a new conntrack policy into the OS Kernel, the new policy
should be verified by nftables if it can be loaded at all or if it will fail
to load. There is no need to load a "bad" configuration if we can pre-test it.
|
|
|
