Age | Commit message (Collapse) | Author |
|
Commit bb76e8d7f1635 ("nat: T2199: dry-run newly generated config before
install") added support to verify the generated nftables ruleset. Unfortunately
if the verify failed - a Python exception was triggered:
NameError: name 'nftables_ct_file' is not defined
This was due to bad copy/pasting.
|
|
ocserv: T4231: Added OTP support for Openconnect 2FA
|
|
|
|
Shared network name should not be handled by tag node mangling
I.e. should not replace underscores with dashed
set service dhcp-server shared-network-name NET_01
shared-network NET_01 {
authoritative;
...
on commit {
set shared-networkname = "NET_01";
}
}
|
|
Commit 5dafe255d ("policy: T4194: Add prefix-list duplication checks") added
first support for FRR prefix-list duplication checks. FRR does not allow to
specify the same profix list rule multiple times.
vyos(config)# ip prefix-list foo seq 10 permit 192.0.2.0/24
vyos(config)# ip prefix-list foo seq 20 permit 192.0.2.0/24
% Configuration failed.
Error type: validation
Error description: duplicated prefix list value: 192.0.2.0/24
There is a VyOS verify() function which simply probed for the prefix, action,
le and ge settings - but as Python has excellent support when comparing data,
this can be as simple as a dictionary comparison using "==".
|
|
|
|
|
|
"set traffic-policy" now becomes "set qos policy"
"set interface ethernet eth0 traffic-policy" now bvecomes "set qos interface eth0"
|
|
|
|
firewall: T4345: Fix incorrect firewall rule limit rate format
|
|
|
|
|
|
Commit 2ecf7a9f9c ('name-server: T3804: merge "system name-servers-dhcp" into
"system name-server"') missed out an old dictionary key "system_name_server_dhcp"
and thus system nameservers configured via DHCP did not get used for the DNS
forwar recursor.
|
|
|
|
|
|
Changing the WWAN interface description will trigger an interface reconnect.
Reconnects should only be triggered in changes to the connection parameters
like bond interfaces.
|
|
ipoe: T2580: Add pools and gateway options
|
|
Add new feature to allow to use named pools
Can be used also with Radius attribute 'Framed-Pool'
set service ipoe-server client-ip-pool name POOL1 gateway-address '192.0.2.1'
set service ipoe-server client-ip-pool name POOL1 subnet '192.0.2.0/24'
|
|
|
|
add/removal
|
|
|
|
|
|
|
|
This reverts commit 1cbcbf40b7721849f9696c05fac65db010a66b7c.
|
|
|
|
|
|
|
|
|
|
|
|
bgp: T4290: Add verify source-interface for none ip neighbor
|
|
|
|
|
|
|
|
|
|
|
|
In verify function for arp-monitor option was used by mistake an extra
conversion for incoming data before comparing items. This commit removed
these unnecessary conversions and makes the option operable.
|
|
When we use neighbor as interface we must not use option
'source-interface'
for example:
neighbor eth0 source-interface eth0
Such option can be used for IP/IPv6 neighbors
|
|
* Removed `/var/log/auth.log` and `/var/log/messages` from
`/etc/logrotate.d/rsyslog`, because they conflict with VyOS-controlled
items what leads to service error.
* Removed generation config file for `/var/log/messages` from
`system-syslog.py` - this should be done from `syslom logs` now.
* Generate each logfile from `system syslog file` to a dedicated
logrotate config file.
* Fixed logrotate config file names in
`/etc/rsyslog.d/vyos-rsyslog.conf`.
* Added default logrotate settins for `/var/log/messages`
|
|
|
|
It should be possible to send the gathered data via a VRF bound interface to
the collector. This is somehow related to T3981 but it's the opposite side of
the netflow process.
set system flow-accounting vrf <name>
|
|
|
|
Instead of hardcoding the default behavior inside the Jinaj2 template, all
defaults are required to be specified inside teh XML definition. This is
required to automatically render the appropriate CLI tab completion commands.
|
|
|
|
When changing "general" parameters like:
- interface IP address
- MTU
- description
the interface is destroyed and recreated ... this should not happen!
|
|
|
|
|
|
VXLAN does support using multiple remotes but VyOS does not. Add the ability
to set multiple remotes and add their flood lists using "bridge" command.
|
|
Ability to attach host devices to the container
It can be disk, USB device or any device from the directory /dev
set container name alp01 device disk source '/dev/vdb1'
set container name alp01 device disk destination '/dev/mydisk'
|
|
files
This commit updates the eapol code so that it writes the full
certificate chains for both the specified CA and the client certificate
to `<iface>_ca.pem` and `<iface>_cert.pem`, respectively.
The full CA chain is necessary for validating the incoming server
certificate when it is signed by an intermediate CA and the
intermediate CA cert is not included in the EAP-TLS ServerHello. In this
scenario, wpa_supplicant needs to have both the intermediate CA and the
root CA in its `ca_file`.
Similarly, the full client certificate chain is needed when the ISP
expects/requires that the client (wpa_supplicant) sends the client cert
+ the intermediate CA (or even + the root CA) as part of the EAP-TLS
ClientHello.
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
|
|
|