dmbaturin/T5271-openvpn-peer-fingerprint-restrictions
T5271: allow OpenVPN peer-fingerprint to be used instead of a CA in site-to-site mode
|
|
There are two hooks called for bridge, ethernet and bond interfaces if the
link-state changes up -> down or down -> up.
The helpers are:
* /etc/netplug/linkdown.d/dhclient
* /etc/netplug/linkup.d/dhclient
As those helpers use Linux actions to start/restart the dhclient process in
Perl it's time to rewrite it. First goal is to get rid of all Perl code and the
second is that we now have a Proper Python library. Instead of checking if the
process is running and then restarting it without even systemd noticing
(yeah we might get two processes being alive) we should:
* Add a Python helper that can be used for both up and down (see man 8 netplugd
FILES section)
* Query the VyOS CLI config if the interface in question has DHCP(v6)
configured and is not disabled
* Add IPv6 DHCPv6 support
MAN page: https://linux.die.net/man/8/netplugd
|
|
in OpenVPN site-to-site mode
|
|
The condition is useless since OpenVPN simply switches to ECDH in all modes
when the classic DH prime is not specified
|
|
Testcases after the bugfix in commit 011697508 ("T5467: removing ospf(v3) or
isis interface in VRF context did not clear FRR config").
For ISIS change in the tests - do not run self_commit() in a for loop if not
really necessary, this will slow down the tests.
|
|
This fixes the smoketest after the change in commit e7d7bd20b ("openvpn: T5270:
do not require classic DH params in any mode. Generate 'dh none' instead and let
OpenVPN use ECDH")
... as there is no exception raised
05:47:26 DEBUG - ======================================================================
05:47:26 DEBUG - FAIL: test_openvpn_server_verify (__main__.TestInterfacesOpenVPN.test_openvpn_server_verify)
05:47:26 DEBUG - ----------------------------------------------------------------------
05:47:26 DEBUG - Traceback (most recent call last):
05:47:26 DEBUG - File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py", line 342, in test_openvpn_server_verify
05:47:26 DEBUG - with self.assertRaises(ConfigSessionError):
05:47:26 DEBUG - AssertionError: ConfigSessionError not raised
|
|
utils: T5410: Extended supported types in `convert_data()`
|
|
config
To reproduce:
set vrf name red table 2000
set vrf name red protocols ospf interface eth1 area 0
set vrf name red protocols ospf parameters router-id 1.1.1.1
set interfaces ethernet eth1 vrf red
commit
FRR now has an interface config
vyos@vyos# vtysh -c "show run" no-header | sed -n "/^interface eth1/,/!/p"
interface eth1
ip ospf area 0
ip ospf dead-interval 40
exit
Now delete the interface from the OSPF(v3) or ISIS process
delete vrf name red protocols ospf interface
commit
It's still there
vyos@vyos# vtysh -c "show run" no-header | sed -n "/^interface eth1/,/!/p"
interface eth1
ip ospf area 0
ip ospf dead-interval 40
exit
!
Issue was caused in the FRR vtysh representation of an interface. It used to
have a "vrf <name>" marker in earlier versions but FRR 8.5 and later no longer
have the marker. So "interface eth1 vrf red" became "interface eth1" in vtysh,
but our regex expected the "vrf" identifier when modifying FRR config.
|
|
setting
|
|
This is only a cosmetic change so that the default value is properly retrieved
from the defaultValue XML node.
|
|
T5160: Firewall refactor
|
|
T5448: Move zabbix-agent to node monitoring
|
|
Q-in-Q interface
When migrating from 1.3 to 1.4 and a user had the following configured:
options {
    interface eth0.10 {
        adjust-mss 1452
        adjust-mss6 1432
    }
}
The configuration was wrongly migrated to:
interfaces {
    ethernet eth0.10 {
        ipv6 {
            adjust-mss "1432"
        }
        ip {
            adjust-mss "1452"
        }
    }
}
Instead of
interfaces {
    ethernet eth0 {
        vif 10 {
            ipv6 {
                adjust-mss "1432"
            }
            ip {
                adjust-mss "1452"
            }
        }
    }
}
|
|
Using variable ${vyos_rootfs_dir} instead of wildcard for both restore_if_missing_preconfig
and restore_if_missing_postconfig.
|
|
with common matcher for ipv4 and ipv6, and use include on all chains for all this common matchers
|
|
<drop> to <accept> if default-action is not specified in base chains
|
|
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
|
|
that contains fqdn and/or geo-ip in base chains. Fix mig script
|
|
firewall smoketest
|
|
show_firewall_group.
|
|
accidentally removed. Update smoketest: remove zone test and fix test_sysfs test
|
|
smoketest
|
|
scripts and src firewall
|
|
Move 'service zabbix-agent'
=> 'service monitoring zabbix-agent'
|
|
T5434: remove remaining calls to incorrect defaults
|
|
openvpn: T5270: do not require classic DH params in any mode
|
|
T5448: Add service zabbix-agent
|
|
Generate 'dh none' instead and let OpenVPN use ECDH
|
|
openvpn: T5271: add peer certificate fingerprint option
|