Fix the IPsec log level option processing
set vpn ipsec log level '2'
Render Jinja2 template to generate correct log for IPsec for
the file /etc/strongswan.d/charon-systemd.conf
login: T7159: limit the "not a production version" to dev builds
installer: T7301: remove support for GnuPG signatures
(as in, display it only if the build_type version data field is not "release")
pki: T7299: race condition for acme requested certificates / CA chain
When using the VyOS internal PKI subsystem to request a certificate using ACME,
the issuer CA is not automatically imported in the PKI subsystem on the first
run due to a race condition.
Issue is fixed by adding all newly requested and granted ACME certificates to
the list of ACME certificates "on disk" which are used to extract the issuing
CA certificate.
The service certbot expects symbolic links for
/config/auth/letsencrypt/live/<cert_name>/*.pem
however, the default behavior of copytree copies the linked files during
image upgrade. Set copytree argument to preserve symlinks.
T7278: Remove cracklib hack from postconfig script template
firewall: T5493: Implement remote-group
T7138: Fix show qos
wireguard: T7246: verify Base64 encoded 32-byte boundary on keys
Not 31 bytes or 33 bytes, but exactly 32. This matters, because 32 does not
divide evenly by .75, so there's a padding character and the penultimate
character does not include the whole base64 alphabet.
Extend the base64 validator with an optional argument to define the length
to match of the decrypted Base64 encoded string.
Source: https://lists.zx2c4.com/pipermail/wireguard/2020-December/006222.html
T7121: Set up communication vyconfd to vyos-commitd
pki: T7249: fix shebang to support CLI backend
* bgp: T7157: Allow using route-maps for VRF route leaking in BGP
Added the possibility of using route-map in route leaking.
* Improve the constraint error message
---------
Co-authored-by: Daniil Baturin <daniil@baturin.org>
Fixes an error:
interpreter/vyatta-cfg-run: line 162: `vyatta_config_commit-confirm': not a valid identifier
which prevented renewing the certificates. This will only fix renewing of the
certificates. Nothing changed in how daemons will be restarted if a certificate
is updated.
This change corrects a behavior witnessed in T7138. If a policy name had a `-` in it, the command would fail, returning nothing.
vyos-commitd exchanges messages with vyconfd, to replace the shim
redirection of legacy commands to vyos-configd.
T7219: Add check for remote and group command to verify
T7092: Add Container Registry Mirror
T6948: Keep DHCP server leases in sync with hostd records
wireguard: T7166: Call vxlan dependency if interface exists
policy: T7116: Remove unsupported use of BGP community "internet"
* wlb: T7196: Migrate interface wildcards to nftables format
* wlb: T7196: Fix exclude/interface verify check
* wlb: T7196: Extra sanity check on ipv4 address function
This has been split into a separate commit in case this is overkill for
the fix. 1.2 and 1.3 installs predate the change to FRR that removed support,
but "internet" is already broken on 1.4.
* snmp: T7180: Fixed verification of engineid in snmpv3
EngineID must be configured if snmpv3 user is configured.
Fixed engineid help string.
lldp: T7165: add support to enable only rx/tx on specific interfaces
T7171: Add dstport option to GENEVE tunnels
LLDP is a stateless protocol which does not necessitate sending to receive
advertisements. There are multiple scenarios such as provider peering links in
which it is advantageous to receive LLDP but not disclose internal information
to the provider.
Add new CLI command:
* set service lldp interface <name> mode [disable|rx-tx|rx|tx]
The default is unchanged and will be rx-tx.
Furthermore, if an interface has an explicit LLDP disable configured under
"set service lldp interface <name> disable", this will be migrated to
"set service lldp interface <name> mode disable".
bond: T7191: fix error message when member interface is used multiple times
bridge: T7192: do not allow a member interface to be used multiple times
When configuring
set interfaces bridge br10 member interface eth1
set interfaces bridge br20 member interface eth1
commit
Checking the interface assignment afterwards shows
242: br20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 62:34:3a:8a:fe:49 brd ff:ff:ff:ff:ff:ff
[edit]
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br20 state UP mode DEFAULT group default qlen 1000
link/ether 00:50:56:b3:cd:ba brd ff:ff:ff:ff:ff:ff
altname enp0s19
altname ens19
The later addition wins and the CLI reports eth1 is assigned to br20 "master
br20". A member interface can not be used multiple times.
Sharing the same physical interface among multiple bond interfaces causes
information to be lost within the error message
set interfaces bonding bond10 member interface eth1
set interfaces bonding bond10 member interface eth2
set interfaces bonding bond20 member interface eth1
set interfaces bonding bond20 member interface eth2
commit
Results in:
[ interfaces bonding bond10 ]
Can not add interface "eth1" to bond, it is already a member of bond
"b"!
[[interfaces bonding bond10]] failed
[ interfaces bonding bond20 ]
Can not add interface "eth1" to bond, it is already a member of bond
"b"!
It should in fact output the full name of the bond interface.