Age | Commit message (Collapse) | Author |
|
- Update the base (rebase)
- Move include/nat64-protocol.xml.i => include/nat64/protocol.xml.i
- Delete unwanted `write_json`, use `write_file` instead
- Remove unnecessary deleting of default values for tagNodes T2665
- Add smoketest
Example:
```
set interfaces ethernet eth0 address '192.168.122.14/24'
set interfaces ethernet eth0 address '192.168.122.10/24'
set interfaces ethernet eth2 address '2001:db8::1/64'
set nat64 source rule 100 source prefix '64:ff9b::/96'
set nat64 source rule 100 translation pool 10 address '192.168.122.10'
set nat64 source rule 100 translation pool 10 port '1-65535'
```
(cherry picked from commit 336bb5a071b59264679be4f4f9bedbdecdbe2834)
|
|
Signed-off-by: Joe Groocock <me@frebib.net>
(cherry picked from commit 7d49f7079f1129c2fadc7f38ceb230804d89e177)
# Conflicts:
# debian/control
|
|
vti: T5769: restore interface settings on down -> up event (backport #2566)
|
|
On VTI interface link down the link-local IPv6 address is removed. As soon as
the IPSec tunnel is online again, vti-up-down helper is called which only places
the interface in up state using iproute2 command
sudo ip link set vti0 up
This does not restore the IPv6 LL address. Instead use vyos.ifconfig to properly
re-initialize the VTI interface using the generic update() method.
(cherry picked from commit d90ca4415bed8ce99c854243dca3036e76497270)
|
|
T5796:add/fixed OCSERV HTTP security headers (backport #2564)
|
|
(cherry picked from commit db51546edd653d3637cb26d6957ce5222d44d395)
|
|
mdns: T5793: Cleanup avahi-daemon configuration in `/etc` [followup] (backport #2562)
|
|
`/etc/avahi` technically can be deleted since we operate with
avahi-daemon configuration in `/run/avahi-daemon`.
But we still need to keep `/etc/avahi/services` because avahi-daemon
`chroot` to that location at startup. This is setup at build time via
`AVAHI_CONFIG_DIR` and there is no way to change it at runtime.
(cherry picked from commit 2b57ca6c3f9ff98cd6d4dd2a101a8b72ed2d94f4)
|
|
http-api: T5782: simplifications for config mode http-api
|
|
mdns: T5793: Cleanup avahi-daemon configuration in `/etc` (backport #2559)
|
|
|
|
|
|
`/etc/avahi` can be deleted since we operate with avahi-daemon
configuration in `/run/avahi-daemon`.
(cherry picked from commit 33c96654f485a13fe3475bb89dec3ad26107058e)
|
|
T5727: Use native URL validator instead of regex-based validator (backport #2467)
|
|
policy: T4704: Allowed to set metric (MED) to (+/-)rtt (backport #2547)
|
|
Allowed to set metric (MED) to (+/-)rtt in the route-map.
(cherry picked from commit 5d98e806ef4edb4439620eff60215aaf30b5a592)
|
|
ddclient: T5573,T5574,T5612,T5708: Backport ddclient related changes
|
|
mdns: T5723: Always reload systemd daemon before applying changes (backport #2459)
|
|
Replace regex-based URL validator with native validator from vyos-utils.
Also, move `include/url.xml.i` to `include/url-http-https.xml.i` to
reflect the fact that it is used only for HTTP(S) URLs.
(cherry picked from commit 64322b19d6968195a6dc7c82e7e22126072377f5)
|
|
Additionally, templatize system service override and move it to the
runtime path.
(cherry picked from commit eb906739047187c322b6ce9efe7c9479bed9a024)
|
|
Ensure that the random VRF table name is 4 digits long, not 5 and stays
within the the range of 100 - 65535.
|
|
Add additional smoketests for web-options validation.
Also, format error messages to optionally include protocol name.
|
|
Fix execution bit for migration script
|
|
- Migrate to ddclient 3.11.1 and enforce debian/control dependency
- Add dual stack support for additional protocols
- Restrict usage of `porkbun` protocol, VyOS configuration structure
isn't compatible with porkbun yet
- Improve and cleanup error messages
|
|
`web-options` is only applicable when using HTTP(S) web request to
obtain the IP address. Apply guard for that.
|
|
Migration to 3.11.1 follow-up: This should make `ddclient.conf` parsing
more resilient to edge cases (particularly when `password` isn't the
last option right before the host parameter).
ddclient config parser applies special treatment to the password field
and would unwrap the quotes automatically.
Also, switch from now deprecated `use=no` to `use=disabled`.
|
|
Time interval in seconds to wait between DNS updates would be a bit
more intuitive as `interval` than `timeout`.
|
|
Add support for per-service cache management for ddclient providers
via `wait-time` and `expiry-time` options. This allows for finer-grained
control over how often a service is updated and how long the hostname
will be cached before being marked expired in ddclient's cache.
More specifically, `wait-time` controls how often ddclient will attempt
to check for a change in the hostname's IP address, and `expiry-time`
controls how often ddclient to a forced update of the hostname's IP
address.
These options intentionally don't have any default values because they
are provider-specific. They get treated similar to the other provider-
specific options in that they are only used if defined.
|
|
Additional cleanup and refactoring for ddclient scripts including the
smotektests.
|
|
Adjust the validator and completion for ddclient to remove unsupported
or superfluous protocols.
Specifically,
- remove 'nsupdate' protocol from the list because there is a separate
config path for that protocol (rfc2136)
- remove 'cloudns' protocol from the list because it has non standard
configuration and is not supported by our configurator at this time
|
|
Refactor zone configuration to use shared XML snippet for all cases.
|
|
dyndns2 protocol in ddclient honors dual stack for selective servers
because of the way it is implemented in ddclient.
We formalize the well known servers that support dual stack in a list
and check against it when validating the configuration.
|
|
Adjust the jinja template to avoid generating incorrect ddclient.conf in
some cases. The template is reformatted to guarantee whitespacing and
empty line separation.
|
|
Some porvides (like 'namecheap') allow to use '@' or '*' as hostname
prefix for apex and wildcard records. This commit relaxes the hostname
validation to allow these prefixes.
|
|
Enable TTL support for web-service based protocols in addition to
RFC2136 based (nsupdate) protocol.
Since TTL is not supported by all protocols, and thus cannot have a
configuration default, the existing XML snippet `include/dns/time-to-live.xml.i`
does not have common `<defaultValue>300</defaultValue>` anymore and is
instead added explicitly whenever necessary.
|
|
Fix VRF support interface definition and configuration mode for ddclient
to actually capture the VRF name and pass it to the template.
|
|
|
|
Now that the caching fixes are in place, we can update the config to
remove legacy treatment of ipv4 related properties.
|
|
vxlan: T5759: change default MTU from 1450 -> 1500 bytes (backport #2503)
|
|
vyos.utils: T5749: fix get_vrf_members() call to iproute2 (backport #2546)
|
|
The iproute2 master argument is used for both a VRF and a bridge device. Using
this in the VRF context would retrieve and report back the wrong interfaces:
Old implementation:
===================
>>> from vyos.utils.network import get_vrf_members
>>> get_vrf_members('br1')
['eth1', 'eth2', 'vxlan1']
>>> get_vrf_members('black')
['br1.3002', 'br1.4000', 'pim6reg10200']
The new implementation:
=======================
>>> from vyos.utils.network import get_vrf_members
>>> get_vrf_members('br1')
[]
>>> get_vrf_members('black')
['br1.3002', 'br1.4000', 'pim6reg10200']
(cherry picked from commit e02546655adefe1a6fb3660402e697f872d3ffe7)
|
|
smoketest: T5783: check for any abnormal daemon termination (backport #2544)
|
|
We need to ensure when stressing FRR with the smoketests that no unexpected
crash happens. We simply verify the PID of the individual FRR daemons.
(cherry picked from commit 080e117884196136cd63e5d312ff43fba15f7182)
|
|
https api: T5772: check if keys are configured unless PAM auth is enabled for GraphQL (backport #2522)
|
|
unless PAM auth is enabled for GraphQL
(cherry picked from commit 8c450ea7f538beb0b2cd21d35c05d18db49a1802)
|
|
pppoe: T5630: make MRU default to MTU if unspecified (backport #2527)
|
|
This fixes the implementation in e062a8c11 ("pppoe: T5630: allow to specify MRU
in addition to already configurable MTU") and restores the bahavior that MRU
defaults to MTU if MRU is not explicitly set.
This was the behavior in VyOS 1.3.3 and below before we added ability to define
the MRU value.
(cherry picked from commit ffd7339e2ea3eafdd97ac0763ca4a3913fe71bf3)
|
|
Found an odd behavior on Linux and the VyOS CLI implementation. If adding VXLAN
interfaces using iproute2 the MTU differs depending on the creation syntax:
ip -4 link add vxlan100 type vxlan dstport 4789 external df unset tos inherit \
ttl 16 nolearning vnifilter local 172.16.33.201
ip -4 link add vxlan200 type vxlan id 200 dstport 4789 local 172.16.33.201 dev eth0
ip -6 link add vxlan300 type vxlan id 300 dstport 4789 local 2001:db8:1::1 dev eth0
132: vxlan300: <BROADCAST,MULTICAST> mtu 1430 qdisc noop state DOWN group default qlen 1000
link/ether 4e:fb:e3:f5:d9:59 brd ff:ff:ff:ff:ff:ff
133: vxlan200: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
link/ether 0e:4e:f4:76:59:3f brd ff:ff:ff:ff:ff:ff
134: vxlan100: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether ba:b6:b7:0c:b1:37 brd ff:ff:ff:ff:ff:ff
VyOS always sets a default MTU of 1450 bytes which is correct for IPv4 p2p links
or multicast, but invalid for IPv6 p2p. Also this will break EVPN deployments
as ethernet bridges with MTU < 1500 bytes are less fun.
Increase default MTU to 1500 bytes. Migrate old configurations to use 1450
bytes if not specified otherwise on the CLI.
(cherry picked from commit 4a163b016333e58fee9d6ec6b53a09e0160b3213)
|
|
vxlan: T5753: add support for VNI filtering (backport #2499)
|
|
In a service provider network a service provider typically supports multiple
bridge domains with overlapping vlans. One bridge domain per customer. Vlans in
each bridge domain are mapped to globally unique VXLAN VNI ranges assigned to
each customer.
Without the ability of VNI filtering, we can not provide VXLAN tunnels
with multiple tenants all requiring e.g. VLAN 10.
To Test:
set interfaces vxlan vxlan987 parameters external
set interfaces vxlan vxlan987 source-interface eth0
set interfaces vxlan vxlan987 parameters vni-filter
set interfaces vxlan vxlan987 vlan-to-vni 50 vni 10050
set interfaces vxlan vxlan987 vlan-to-vni 51 vni 10051
set interfaces vxlan vxlan987 vlan-to-vni 52 vni 10052
set interfaces vxlan vxlan987 vlan-to-vni 53 vni 10053
set interfaces vxlan vxlan987 vlan-to-vni 54 vni 10054
set interfaces vxlan vxlan987 vlan-to-vni 60 vni 10060
set interfaces vxlan vxlan987 vlan-to-vni 69 vni 10069
set interfaces bridge br0 member interface vxlan987
Add new op-mode command: show bridge vni
Interface VNI
----------- -----------
vxlan987 10050-10054
vxlan987 10060
vxlan987 10069
(cherry picked from commit 35f6033d21053fa420e837f157cd9377a4ccd26a)
|