Age | Commit message (Collapse) | Author |
|
|
|
Migration for "remote-id" where peer is IPv4 or IPv6 address
was missed
It was only migration if peer starts with "@"
It cause that you must manualy set 'remote-id' to get it working
correctly
replace 'vpn ipsec site-to-site peer 192.0.2.2'
=> 'vpn ipsec site-to-site peer peer_192-0-2-2 authentication remote-id 192.0.2.2'
|
|
|
|
As the script itself (vpn_ipsec.py) is already invoked using sudo, there is no
further need to also call sudo inside the script again.
|
|
|
|
As the API daemon has the proper permissions and also the CLI op-mode calls the
script already with "sudo", there is no need to call "sudo" inside this script,
again.
|
|
The implementation of is_node_changed() is less error prone and should always
be favoured.
|
|
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
|
|
login: T4751: 2FA OTP key generator in VyOS CLI
|
|
1. Added in script update webproxy blacklists generation of all DBs
2. Fixed: if the blacklist category does not have generated db,
the template generates an empty dest category
in squidGuard.conf and a Warning message.
3. Added template generation for local's categories
in the rule section.
4. Changed syntax in the generation dest section for blacklist's
categories
4. Fixed generation dest local sections in squidGuard.conf
5. Fixed bug in syntax. The word 'allow' changed to the word 'any'
in acl squidGuard.conf
|
|
routing: T1237: Add new feature failover route
|
|
There was a mistake in a config level that caused triggering the
`shutdown_required` flag, even if there were no new interfaces added to a
bonding.
This commit sets the proper config level to avoid the problem.
|
|
Failover route allows to install static routes to the kernel routing
table only if required target or gateway is alive
When target or gateway doesn't respond for ICMP/ARP checks this route
deleted from the routing table
Routes are marked as protocol 'failover' (rt_protos)
cat /etc/iproute2/rt_protos.d/failover.conf
111 failover
ip route add 203.0.113.1 metric 2 via 192.0.2.1 dev eth0 proto failover
$ sudo ip route show proto failover
203.0.113.1 via 192.0.2.1 dev eth0 metric 1
So we can safely flush such routes
|
|
|
|
validators: T4798: replace python file-exists validator with file-path
|
|
|
|
|
|
openvpn: T4770: rewrite op-mode show/reset to use vyos.opmode
|
|
|
|
|
|
vyos@vyos# show interfaces sstpc
sstpc sstpc10 {
authentication {
password vyos
user vyos
}
server sstp.vyos.net
ssl {
ca-certificate VyOS-CA
}
}
|
|
|
|
|
|
L2TP 'ppp-options ipv6 x' can work without declaring IPv6 pool
As we can get addresses via RADIUS attributes:
- Framed-IPv6-Prefix
- Delegated-IPv6-Prefix
|
|
Fix l2tp dae server template and python config dict for correctlly
handling Dynamic Authorization Extension server configuration
|
|
Every change in openconnect restarts the ocserv.service
Replace "restart" to "reload-or-restart" to avoid disconnect
clients during change configs
|
|
T4860: Verify if mode in openconnect ocserv dict
|
|
openconnect authentication mode must be set
check dict that 'mode' exists in openconnect authentication
|
|
ocserv template expects list of routes but gets str "default"
it cause wrong routes like:
route = d
route = e
route = f
route = a
route = u
route = l
route = t
Fix it
|
|
firewall: T478: Fix firewall group circular dependency check
|
|
|
|
T4805: Restart pppoe-server if client pool was changed
|
|
T4825: Verify if you are trying to add a new vethX to exists pair
|
|
|
|
Verify if you are trying to add a new vethX to exists pair:
set int virtual-ethernet veth0 peer-name 'veth1'
set int virtual-ethernet veth1 peer-name 'veth0'
set int virtual-ethernet veth12 peer-name 'veth0'
Verify veth-name and peer-name cannot be the same:
set interfaces virtual-ethernet veth0 peer-name veth0
|
|
Some changes for 'service pppoe-server' require 'restart' the
accel-ppp@pppoe.service
But we use option 'reload-or-restart' that doesn't work correctly
with 'accel-ppp'
Restart pppoe-server if client pool was changed
|
|
It's easier and more obvious if the script is called with sudo itself and not
spawning a sudo sessionf or each individual command.
|
|
T4767: Rewrite generate ipsec archive to python
|
|
|
|
|
|
|
|
|
|
Squidguard:
Set DB directory rigths 755 in the update blacklist
webproxy script
|
|
Prevent to delete interface "vethX" which used for another
interface as "vethY peer-name vethX"
set interfaces virtual-ethernet veth0 peer-name 'veth1'
set interfaces virtual-ethernet veth1 peer-name 'veth0'
commit
delete interfaces virtual-ethernet veth0
commit
|
|
|
|
* 'T4825' of https://github.com/sever-sever/vyos-1x:
T4825: Add basic smoketest for veth interfaces
T4825: Add interface type veth
|
|
Add interface type veth (Virtual ethernet)
One of the usecases it's interconnect different vrf's and
default vrf via bridge
set interfaces virtual-ethernet veth0 peer-name 'veth1010'
set interfaces virtual-ethernet veth1010 address '10.0.0.10/24'
set interfaces virtual-ethernet veth1010 peer-name 'veth0'
set interfaces virtual-ethernet veth1010 vrf 'foo'
set interfaces bridge br0 address '10.0.0.1/24'
set interfaces bridge br0 member interface veth0
|
|
|
|
Catch expiration error and return error-specific message instead of
general 'not authenticated'.
|
|
A misreading of the makefun docs seemed to indicate Optional was not
supported; it is.
|