Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
In verify function for arp-monitor option was used by mistake an extra
conversion for incoming data before comparing items. This commit removed
these unnecessary conversions and makes the option operable.
|
|
Firewall: T4286: Correct ipv6-range validator
|
|
|
|
This reverts commit 534f677d36285863decb2cdff179687b4fd690cb.
Revert while investigating failure in vyos-configtest.
|
|
This reverts commit c4d389488970c8510200cac96a67182e9333b891.
Revert while investigating failure in vyos-configtest.
|
|
This reverts commit 2a4b45ba7fa4dabf7e592f499cfb06a7ae38cdea.
Revert while investigating failure in vyos-configtest.
|
|
|
|
|
|
|
|
* Removed `/var/log/auth.log` and `/var/log/messages` from
`/etc/logrotate.d/rsyslog`, because they conflict with VyOS-controlled
items what leads to service error.
* Removed generation config file for `/var/log/messages` from
`system-syslog.py` - this should be done from `syslom logs` now.
* Generate each logfile from `system syslog file` to a dedicated
logrotate config file.
* Fixed logrotate config file names in
`/etc/rsyslog.d/vyos-rsyslog.conf`.
* Added default logrotate settins for `/var/log/messages`
|
|
|
|
|
|
|
|
|
|
It should be possible to send the gathered data via a VRF bound interface to
the collector. This is somehow related to T3981 but it's the opposite side of
the netflow process.
set system flow-accounting vrf <name>
|
|
After hardning the regex validator to be preceeded with ^ and ending with $
it was no longer possible to have a comma separated list as SSH ciphers. The
migrations cript is altered to migrate the previous comma separated list
to individual multi node entries - cipher and key-exchange always had been
multinodes - so this just re-arranges some values and does not break CLI
compatibility
|
|
|
|
Instead of hardcoding the default behavior inside the Jinaj2 template, all
defaults are required to be specified inside teh XML definition. This is
required to automatically render the appropriate CLI tab completion commands.
|
|
|
|
When changing "general" parameters like:
- interface IP address
- MTU
- description
the interface is destroyed and recreated ... this should not happen!
|
|
T2719: initial batch of standardized structure op mode scripts
|
|
T4115:Reboot:Options "in" and "at" are not working as expected
|
|
|
|
|
|
|
|
VXLAN does support using multiple remotes but VyOS does not. Add the ability
to set multiple remotes and add their flood lists using "bridge" command.
|
|
When reboot is executed with "in" option it only accepts minutes till 99 value
and does not accept greater values and "at" is also working same like in option
where as it should work with exact timings.
|
|
Ability to attach host devices to the container
It can be disk, USB device or any device from the directory /dev
set container name alp01 device disk source '/dev/vdb1'
set container name alp01 device disk destination '/dev/mydisk'
|
|
files
This commit updates the eapol code so that it writes the full
certificate chains for both the specified CA and the client certificate
to `<iface>_ca.pem` and `<iface>_cert.pem`, respectively.
The full CA chain is necessary for validating the incoming server
certificate when it is signed by an intermediate CA and the
intermediate CA cert is not included in the EAP-TLS ServerHello. In this
scenario, wpa_supplicant needs to have both the intermediate CA and the
root CA in its `ca_file`.
Similarly, the full client certificate chain is needed when the ISP
expects/requires that the client (wpa_supplicant) sends the client cert
+ the intermediate CA (or even + the root CA) as part of the EAP-TLS
ClientHello.
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
|
|
|
|
openvpn: T4230: Delete checks if local-host address assigned
|
|
|
|
Verify section conntrack_sync.py funciton 'is_addr_assigned'
should checks address as string not as list
(cherry picked from commit c41c51e4ed7ceb293161014a73bdd350162c3300)
|
|
This commit fixes a small typo where the client cert name was being used
to index the CA configuration dict.
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
|
|
|
|
interface
It is impossible for the OS kernel to distinguish multiple GRE tunnels when no
"gre key" is configured when sourcing tunnels from the same interface.
|
|
We always mangled and worked on the "ip rule" singleton even when nothing
needed to be changed. This resulted in a VRF hickup when the same VRF was added
and removed multiple times.
set interfaces ethernet eth1 vrf foo
set vrf name foo table '1000'
commit
delete interfaces ethernet eth1 vrf
delete vrf
commit
set interfaces ethernet eth1 vrf foo
set vrf name foo table '1000'
commit
broke reachability on eth1 - a reboot was required.
This change will now only alter the ip rule tables once when VRF instances
are created for the first time and will not touch the Kernel "ip rule"
representation afterwards.
|
|
Related to #1215
|
|
openvpn: T3686: Fix for check local-address in script and tmpl
|
|
This generator generates client .ovpn files with required initial
configuration
It gets information from interface vtun, pki ca and certificates
|
|
ipsec: T1925: Fixed `show vpn ipsec sa` output
|
|
Local-address should be checked/executed only if it exists in the
openvpn configuration, dictionary, jinja2 template
|
|
OpenVPN can't start if it depends on VRRP virtual-address as
virtual-address is not yet assigned by HA (openvpn and ha
in one commit) as we have checks "if address assigned"
It depends on commit priorities:
460 interfaces/openvpn
800 high-availability
Replace check if local-host address assigned from raise ConfigError
to print (just notification)
Allow to bind OpenVPN service to nonlocal address
|
|
Input filter for firewall allows to get bytes/counters from
nftables in format, required for InfluxDB2
|
|
|
|
firewall: T4209: Fix support for rule `recent` matches
|
|
|