summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2024-06-09op-mode: T6424: ipsec: honor certificate CN and CA chain during profile ↵Christian Breunig
generation In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed support for multiple CAs when dealing with the generation of Apple IOS profiles. This commit extends support to properly include the common name of the server certificate issuer and all it's paren't CAs. A list of parent CAs is automatically generated from the "PKI" subsystem content and embedded into the resulting profile.
2024-06-07reverse-proxy: T6454: Set default value of http for haproxy modeAlex W
2024-06-06T6412: CGNAT fix allocation calcluation for verify (#3585)Viacheslav Hletenko
Fix external address/port allocation for CGN. It fixes some cases where external address/ports can be allocated again to another user.
2024-06-06Merge pull request #3578 from nicolas-fort/raw-hookDaniil Baturin
T3900: Add support for raw tables in firewall
2024-06-05migration: T6006: add activation script dir and helper functionJohn Estabrook
2024-06-05migration: T6006: update config.boot.default and move to vyos-1xJohn Estabrook
2024-06-04T3900: T6394: extend functionalities in firewall; move netfilter sysctl ↵Nicolas Fort
timeout parameters defined in conntrack to firewall global-opton section.
2024-06-03Merge pull request #3572 from talmakion/bugfix/T6403Daniil Baturin
nat64: T6403: validate source prefix for RFC compliance
2024-06-03bfd: T6440: BFD peer length typoHannes Tamme
2024-06-03reverse-proxy: T6434: Support additional healthcheck options (#3574)Alex W
2024-06-01nat64: T6403: validate source prefix for RFC complianceAndrew Topp
Simplest fix is to comply with RFC6052. The code change is just masking out the relevant bits and ensuring they're zeroed.
2024-05-31tunnel: T6157: fixing GRE tunnel uniqueness checksAndrew Topp
Unset params would mistakenly match when None and trigger a validation error even when used params were unique. Updated check to ensure unique source-addresses if not None, and that (source-interfaces, source-addresses) are unique together appropriately.
2024-05-31Merge pull request #3557 from haimgel/T6422/allow-multiple-ns-recordsChristian Breunig
dns: T6422: allow multiple redundant NS records
2024-05-31T5307: QoS - traffic-class-map services (#3492)Roman Khramshin
added new syntax to work with class match filters in QoS policy
2024-05-31op-mode: T683: remove superfluous debug print in snmpv3 display codeChristian Breunig
This was a leftover from the early days.
2024-05-30T6422: Smoke test for NS record configration in authoritative DNS, typo & ↵Haim Gelfenbeyn
style fixes
2024-05-30Merge pull request #3531 from Embezzle/T6409Christian Breunig
reverse-proxy: T6409: Remove unused backend parameters
2024-05-30reverse-proxy: T6409: unindent migration script code pathChristian Breunig
2024-05-30Merge pull request #3552 from c-po/ipsec-profileChristian Breunig
op-mode: ipsec: T6407: fix profile generation
2024-05-30dns: T6422: allow multiple redundant NS recordsHaim Gelfenbeyn
NS is unlike CNAME or PTR, multiple NS records are perfectly valid and is a common use case: multiple redundant DNS servers is a common configuration and should be supported.
2024-05-30Merge pull request #3546 from c-po/haproxyChristian Breunig
reverse-proxy: T6419: build full CA chain when verifying backend server
2024-05-30op-mode: ipsec: T6407: fix profile generationChristian Breunig
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates") added support for multiple CA certificates which broke the OP mode command to generate the IPSec profiles as it did not expect a list and was rather working on a string. Now multiple CAs can be rendered into the Apple IOS profile.
2024-05-29container: T6406: fix NameError: name 'vyos' is not definedChristian Breunig
Commit 74910564f ("T6406: rename cpus to cpu") did not import the function from the Python module.
2024-05-29reverse-proxy: T6419: build full CA chain for frontend SSL certificateChristian Breunig
2024-05-29reverse-proxy: T6419: build full CA chain when verifying backend serverChristian Breunig
2024-05-29reverse-proxy: T5231: remove frontend ca-certificate code pathChristian Breunig
The code path to handle the ca certificate used for the frontend service is removed, as there is no way on the XLI to define the CA certificate used for the frontend service.
2024-05-29nat: T6371: fix op mode display of configured ports when comma separated ↵Ginko
list of ports/ranges exists Before: Issuing the op mode command "show nat source rules" will throw an exception if the user has configured NAT rules using a list of ports as a comma-separated list (e.g. '!22,telnet,http,123,1001-1005'). Also there was no handling for the "!" rule and so '!53' would display as '53'. With this PR: Introduced iteration to capture all configured ports and append to the appropriate string for display to the user as well as handling of '!' if present in user's configuration.
2024-05-29openvpn: T6374: only check TLS role for s2s if TLS is configuredDaniil Baturin
2024-05-29Merge pull request #3534 from sever-sever/T6411Daniil Baturin
T6411: CGNAT fix sequences for external address ranges
2024-05-28Merge pull request #3528 from dmbaturin/T6374-openvpn-s2s-tls-validationChristian Breunig
openvpn: T6374: ensure that TLS role is configured for site-to-site with TLS
2024-05-28Merge pull request #3533 from natali-rs1985/T6389-currentJohn Estabrook
op_mode: T6389: Check architecture and flavor compatibility on upgrade attempts
2024-05-28Merge pull request #3529 from HollyGurza/T5786Christian Breunig
T5786: Add set/show system image to /image endpoint
2024-05-28T6411: CGNAT fix sequences for external address rangesViacheslav Hletenko
Fix the bug where address external alocation was not rely on sequences of the external IP addresses (if set)
2024-05-28op mode: T6389: Check architecture and flavor compatibility on upgrade attemptsNataliia Solomko
2024-05-28T6406: rename cpus to cpuNicolas Vollmar
2024-05-28T6406: add container cpu limit optionNicolas Vollmar
2024-05-27reverse-proxy: T6409: Remove unused backend parametersAlex W
2024-05-27T5786: Add set/show system image to /image endpointkhramshinr
2024-05-27openvpn: T6374: ensure that TLS role is configured for site-to-site with TLSDaniil Baturin
2024-05-26reverse-proxy: T6402: Fix invalid checks in validation scriptAlex W
2024-05-25op-mode: T6400: pki: unable to generate fingerprint for ACME issued certificatesChristian Breunig
This fixes (for and ACME generated certificate) vyos@vyos:~$ show pki certificate vyos fingerprint sha512 Traceback (most recent call last): File "/usr/libexec/vyos/op_mode/pki.py", line 1081, in <module> show_certificate_fingerprint(args.certificate, args.fingerprint) File "/usr/libexec/vyos/op_mode/pki.py", line 934, in show_certificate_fingerprint print(get_certificate_fingerprint(cert, hash)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/vyos/pki.py", line 76, in get_certificate_fingerprint fp = cert.fingerprint(hash_algorithm) ^^^^^^^^^^^^^^^^ AttributeError: 'bool' object has no attribute 'fingerprint' After the fix: vyos@vyos# run show pki certificate vyos fingerprint sha256 10:2C:EF:2C:DA:7A:EE:C6:D7:8E:53:12:F0:F5:DE:B9:E9:D0:6C:B4:49:1C:8B:70:2B:D9:AF:FC:9B:75:A3:D2
2024-05-23Merge pull request #3399 from 0xThiebaut/suricataChristian Breunig
suricata: T751: Initial support for suricata
2024-05-23suricata: T751: use key_mangling in get_config_dict()Christian Breunig
2024-05-23suricata: T751: remove implicit default dictionaryChristian Breunig
2024-05-23suricata: T751: move CLI from "service ids suricata" -> "service suricata"Christian Breunig
2024-05-23Merge pull request #3487 from Embezzle/T6370Christian Breunig
reverse-proxy: T6370: Set custom HTTP headers in reverse-proxy responses
2024-05-23Merge pull request #3507 from c-po/nat-T6345Daniil Baturin
nat: T6345: source NAT port mapping "fully-random" is superfluous in Kernel >=5.0
2024-05-23Merge pull request #3505 from c-po/nat66-T6365Daniil Baturin
nat66: T6365: remove warnings for negated interface selections by name
2024-05-23dhcpv6-server: T6381: fix typos in select ConfigError messages in VyOS ↵Ginko
current (#3508)
2024-05-22nat: T6345: source NAT port mapping "fully-random" is superfluous in Kernel ↵Christian Breunig
>=5.0 random - In kernel 5.0 and newer this is the same as fully-random. In earlier kernels the port mapping will be randomized using a seeded MD5 hash mix using source and destination address and destination port. https://git.netfilter.org/nftables/commit/?id=fbe27464dee4588d906492749251454
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-05 19:38:27 +0000