| Age | Commit message (Collapse) | Author |
|
T7122: pki: unable to switch from custom cert to ACME when HAProxy service is running with 'redirect-http-to-https' option
|
|
This will add support for BPDU Guard and Root Guard to the bridge interface.
Verification will come from:
show log spanning-tree
|
|
Migration from 1.3.x may not contain table entries, later required.
The migration script should not fail with error, leaving enforcement to
config scripts.
|
|
The migration script assumed the existence of path
['vrf', 'name', tag-val-name, 'protocols', 'static', 'route']
ignoring sole entries for [..., 'route6'].
Check existence of each path before calling set_tag.
|
|
When instructing certbot to listen on a given address, check if the address is
free to use. Also take this into account when spawning certbot behind HAProxy.
If the address is not (yet) bound - the request must be done in standalone mode
and not via the reverse-proxy.
|
|
When both the CLI PKI node for an ACME-issued certificate and HAProxy are
configured during initial setup, the certbot challenge cannot be served via the
reverse proxy because HAProxy has not yet been configured at all.
This commit introduces a special case to handle this bootstrap scenario,
ensuring that the certbot challenge can still be served correctly in standalone
mode on port 80 despite initial config dependencies/priorities between PKI
and HAProxy.
|
|
Some VyOS CLI nodes support defining multiple certificates. The previous check
when removing a certificate from the CLI only performed a string comparison,
which failed in cases where the underlying data was a list (CLI <multi/> node).
This update extends the check to handle both cases:
- If the datum is a string, perform a string comparison.
- If the datum is a list, check whether the target certificate is part of the
list.
This ensures proper removal behavior regardless of the data type used in the
CLI node.
|
|
This will wrap the messages at 72 characters in the same way as Warning() and
DeprecationWarning() would do. We now have simple wrappers for it!
Example:
vyos@vyos# commit
[ pki ]
Updating configuration: "load-balancing haproxy service frontend ssl
certificate LE_cloud"
Add/replace automatically imported CA certificate for "LE_cloud"
|
|
Revert "vyos-router: T7356: unset ANSI bold control character during boot"
|
|
bgp: T7157: Fixed error with the unknown key in the verification
|
|
This reverts commit ddca20df57008bd85b1363e089152e0ebf014f73.
|
|
Always enable the ACL entry to reverse-proxy requests to the path
"/.well-known/acme-challenge/" when "redirect-http-to-https" is configured for
a given HAProxy frontend service.
This is an intentional design decision to simplify the implementation and reduce
overall code complexity. It poses no risk: a missing path returns a 404, and an
unavailable backend yields an error 503.
This approach avoids a chicken-and-egg problem where certbot might try to
request a certificate via reverse-proxy before the proxy config is actually
generated and active.
By always routing through HAProxy, we also eliminate downtime as port 80 does
not need to be freed for certbot's standalone mode.
|
|
Add a new category if Jinja2 operands. We already have filters and tests, but
sometimes we would like to call a Python function without and data "|" piped
to it - that's what they call a clever-function.
{{ get_default_port(NAME) }} can be used to retrieve the value from
vyos.defaults.internal_ports[NAME] within Jinja2. We no longer need to extend
the dictionary with arbitrary data retrieved from vyos.defaults, we can now
simply register another clever-function to the Jinja2 backend.
|
|
T7412: Allow privileged containers
|
|
CLI:
```
set vpp nat cgnat interface outside <interface> # multi
set vpp nat cgnat interface inside <interface> # multi
set vpp nat cgnat rule <rule> outside-prefix <prefix>
set vpp nat cgnat rule <rule> inside-prefix <prefix>
set vpp nat cgnat timeout udp <sec> # default 300
set vpp nat cgnat timeout tcp-established <sec> # default 7440
set vpp nat cgnat timeout tcp-transitory <sec> # default 240
set vpp nat cgnat timeout icmp <sec> # default 60
```
OP mode:
```
show vpp nat cgnat interfaces
show vpp nat cgnat mappings
show vpp nat cgnat sessions
clear vpp cgnat inside-address <address> port <port> external-address <address> port <port>
```
|
|
installer: T7420: pass image download credentials in environment variables
|
|
T7364: Fixing Route reflector client check not working for peer-group
|
|
rather than in the command line
|
|
Fixed error with the unknown key in the verification
|
|
The apply stage calls systemctl reload-or-restart on the https server,
however, some settings require a restart or will silently fail, since
nginx drops privileges after start up.
Add flag when restart may be needed and check in apply stage.
|
|
Add CLI config node for "group" when configuring NAT66 source
Ensure there is only one group in NAT66 source rule config
Add smoketest to cover new group usage in source NAT66 rules
|
|
tech-support: T7410: handle possible errors when executing lsusb
|
|
Commiting suggestions from dmbaturin
Co-authored-by: Daniil Baturin <daniil@baturin.org>
|
|
T7397: add "system kernel option quiet" to suppress boot messages
|
|
|
|
Automatically render HaProxy rules to reverse-proxy ACME challanges when the
requested certificate was issued using ACME.
|
|
|
|
If we detect that an ACME issued certificate is consumed by haproxy service,
we will move the certbot webserver to localhost and a highport, to proxy the
request via haproxy which is already using port 80.
|
|
changed_keys had the same content as the values inside the sync_translate
dictionary. Infact they were both used together do defined changed CLI keys.
The list for changed_keys is a list of all unique values inside the
sync_translate dict.
|
|
Commit 4523e9c897b3 ("wireguard: T3763: Added check for listening port
availability") added a function to check if a port is free to use or already
occupied by a different running service. This has been done by trying to bind a
socket to said given port.
Unfortunately there is no support for IPv6 address-fdamily in both
socketserver.TCPServer or socketserver.UDPServer. This must be done manually by
deriving TCPServer and setting self.address_family for IPv6.
The new implementation gets rid of both TCPServer and UDPServer and replaces it
with a simple socket binding to a given IPv4/IPv6 address or any interface/
address if unspecified.
In addition build time tests are added for the function to check for proper
behavior during build time of vyos-1x.
|
|
because it exits with a non-zero code on machines
without USB controllers
|
|
Add option to limit the number of messages that are displayed on the console
during the boot process and to persist this setting with image upgrades.
set system option kernel quiet
|
|
'NoneType' is not iterable" (#4471)
Co-authored-by: canoziia <canoziia@qq.com>
|
|
|
|
|
|
firewall: T7358: add offload option to global state policy
|
|
New CLI for static and dynamic NAT:
```
set vpp nat44 interface outside <interface> # multi
set vpp nat44 interface inside <interface> # multi
set vpp nat44 address-pool translation interface <interface> # multi
set vpp nat44 address-pool translation address <address> # multi
set vpp nat44 address-pool twice-nat interface <interface> # multi
set vpp nat44 address-pool twice-nat address <address> # multi
set vpp nat44 static rule <rule> external address <address>
set vpp nat44 static rule <rule> external port <port>
set vpp nat44 static rule <rule> local address <address>
set vpp nat44 static rule <rule> local port <port>
set vpp nat44 static rule <rule> protocol <protocol>
set vpp nat44 static rule <rule> options twice-nat
set vpp nat44 static rule <rule> options self-twice-nat
set vpp nat44 static rule <rule> options out-to-in-only
set vpp nat44 static rule <rule> options twice-nat-address <address>
set vpp nat44 exclude rule <rule> protocol <protocol>
set vpp nat44 exclude rule <rule> local-port <port>
set vpp nat44 exclude rule <rule> local-address <address>
set vpp nat44 exclude rule <rule> external-interface <interface>
```
Settings:
```
set vpp settings nat44 session-limit <limit> # default 64512
set vpp settings nat44 timeout udp <sec> # default 300
set vpp settings nat44 timeout tcp-established <sec> # default 7440
set vpp settings nat44 timeout tcp-transitory <sec> # default 240
set vpp settings nat44 timeout icmp <sec> # default 60
set vpp settings nat44 workers <list>
set vpp settings nat44 no-forwarding
```
|
|
'NoneType' is not iterable"
|
|
T7282: op-mode: show firewall group filtering and tab completion update
|
|
T7316: Add MTU validation for interfaces with MTU less then 1200
|
|
dhclient: T6253: Respect `no-default-route`
|
|
syslog: T7367: ensure rsyslog is registered as default systemd syslog service
|
|
interface: T7375: cleanup SLAAC assigned address and default route after removing SLAAC CLI configuration
|
|
geoip: T5636: Add geoip for policy route/route6
|
|
|
|
|
|
|
|
|
|
lo address was an edge case and needed to be handled.
|
|
Created op-mode script per request
Commands added:
show interfaces kernel
show interfaces kernel detail
show interfaces kernel json
show interfaces kernel <interface>
show interfaces kernel <interface> detail
show interfaces kernel <interface> json
|