Age | Commit message (Collapse) | Author |
|
This improves commit 3c990f49e ("login: T5875: restore home directory
permissions when re-adding user account") in a way that the home directory
owner is only altered if it differs from the expected owner.
Without this change on every boot we would alter the owner which could increase
the boot time if the home of a user is cluttered.
(cherry picked from commit 1b364428f79b7e4588a000fca40582ef968fc7fd)
|
|
(cherry picked from commit 9f66b9ccfa25f56c209d90a0ad5ad779f3963bee)
|
|
A tunnel interface can not properly be sourced from a pppoe0 interface when
such interface is not (yet) connected to the BRAS. It might work on a running
system, but subsequent reboots will fail as the source-interface most likely
does not yet exist.
(cherry picked from commit 66ce19058b7b8597536ddf63bbca027add2ca8a1)
|
|
interfaces
Interfaces matching the following regex (ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+ can
not be used as source-interface for e.g. a tunnel.
The main reason is that these are dynamic interfaces which come and go from a
kernel point of view, thus it's not possible to bind an interface to them.
(cherry picked from commit 5062f5d313548d6ebb9c07fee6b6d6be25b8f8f0)
|
|
T5474: establish common file name pattern for XML conf mode commands (backport #2729)
|
|
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.
Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in
(cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465)
|
|
firewall: T5834: Rename 'enable-default-log' to 'default-log' (backport #2651)
|
|
T5870: ipsec remote access VPN: add x509 ("pubkey") authentication. (backport #2707)
|
|
(cherry picked from commit 656934e85cee799dba5b495d143f6be445ac22d5)
|
|
`include/firewall/rule-log-options.xml.i` is now more aptly renamed to
`include/firewall/log-options.xml.i`.
(cherry picked from commit 53a48f499ae9bcc2f657136bb7779b38aad1c242)
|
|
This file is a left over from previous refactoring and no longer
referenced anywhere in the interface definitions.
(cherry picked from commit f8f382b2195da8db8b730f107ffba16e67dac822)
|
|
One can now do `set policy route foo default-log` which will add log
to the policy route chain.
(cherry picked from commit 6278ce9b7cb2060c8226a60ccbdb580a0d8a3fb5)
|
|
(cherry picked from commit 7c40b70af9def9242b30d1fc949288d9da2bd027)
|
|
Rename chain level defaults log option from `enable-default-log` to
`default-log` for consistency.
(cherry picked from commit 245e758aa2ea8779186d0c92d79d33170d036992)
|
|
ipsec: T1210: add smoketest for remote-access (road-warrior) users (backport #2722)
|
|
This extends commit f9207ed4a ("ipsec: T1210: add smoketest for remote-access
(road-warrior) users") in a way that also the IPv4 pool and its DNS servers get
validated. There is no separate IPv6 test, as both address families behave
the same way when configuring these.
(cherry picked from commit 1e46cd606d9d87226fe0400bf3a53bda360808d8)
|
|
(cherry picked from commit 1a84c4d0e6ff88b650bcfc8ba81827af7fc079f3)
|
|
vyos.template: T5869: first_host_address() does not honor RFC4291 section 2.6.1 (backport #2704)
|
|
tacacs: T141: Wrap string in double quotes to allow expansion (backport #2715)
|
|
system: T5877: Shorten system domain-search config path (backport #2718)
|
|
login: T5875: restore home directory permissions when re-adding user account (backport #2716)
|
|
After deleting a user account and working with a newly added account, we see
that after rebooting in the previously saved configuration, the user is
re-added but it's home directory might have an old UID set on the filesystem.
This is due to the fact that vyos config does not store UIDs. When adding a
user account to the system we now check if the home directory already exists
and adjust the ownership to the new UID.
(cherry picked from commit 3c990f49e2bf9347bd2cc478995baa995ee822fd)
|
|
In addition to testing for shortening the domain-search path, add and
improve tests for other resolv.conf entries.
(cherry picked from commit 584c63f4473373a377db802c173f6252c8085fa3)
|
|
Shorten and simplify `system domain-search` config path from:
```
set system domain-search domain <domain1>
```
to:
```
set system domain-search <domain1>
```
This will shorten the path and also make consistent with `domain-search`
config in other places (like `dhcp-server`).
(cherry picked from commit f77bf573c608b6c09182e1bad4312c4dd1e5195e)
|
|
(cherry picked from commit a95ee3fd38f3c1d54ea359088d0eb1a4d4582b6b)
|
|
We have had duplicated test cases in test_jinja_filters.py and test_template.py,
They have been consolidated into test_template.py.
(cherry picked from commit 80e2e80b5504d1da643a0d5c9772a1f9dee0aa99)
|
|
The subnet router anycast address is predefined. Its format is as follows:
| n bits | 128-n bits |
+------------------------------------------------+----------------+
| subnet prefix | 00000000000000 |
+------------------------------------------------+----------------+
The "subnet prefix" in an anycast address is the prefix that identifies a
specific link. This anycast address is syntactically the same as a unicast
address for an interface on the link with the interface identifier set to zero.
Packets sent to the Subnet-Router anycast address will be delivered to one
router on the subnet. All routers are required to support the Subnet-Router
anycast addresses for the subnets to which they have interfaces.
The Subnet-Router anycast address is intended to be used for applications where
a node needs to communicate with any one of the set of routers.
Our code as of now returns the subnet router anycast address as the
first_host_address().
(cherry picked from commit cc4ce81ece57faca8ce111b8f3748389ecb40202)
|
|
nat: T5681: relax wording on non existing interface Warning message (backport #2709)
|
|
Remove the word "error" from a Warning only message to not irritate the user.
(cherry picked from commit 9f863a50f1ac6c81782df6c43f7df816d9e11b16)
|
|
smoketest: T5867: extend container tests for IPv4 and IPv6 networks (backport #2710)
|
|
(cherry picked from commit 503e0d1836aa99e34542031fb6c401eb6877eff7)
|
|
ddclient: T5852: add missing priority (backport #2703)
|
|
Running ddclient on a VLAN interface will fail during reboot as there is no
discrete priority to tell that the dynamic DNS service needs to be started
after the interfaces.
(cherry picked from commit ef237a7555843226e9bf48e552ed5feb5df581f4)
|
|
container: T5829: verify container network used supports the given AFI (backport)
|
|
accel-ppp: T5688: Standardized pool configuration in accel-ppp (backport #2501)
|
|
container: T5867: disable healthchecks due to upstream issue (backport #2699)
|
|
op-mode: T5866: Add command to restart IPv6 RA daemon (backport #2698)
|
|
conmon 402de34b31388b5a2e1c <error>: Unable to send container stderr message to parent Broken pipe
https://github.com/containers/conmon/issues/438
(cherry picked from commit 6c84ff41b92d7c2e0b239dca59955e8a247fecdb)
|
|
vyos@vyos:~$ restart router-advert
(cherry picked from commit 9d15c7d3fb21648a52b9c06bdc0a5055f8099119)
|
|
Fixed format of ipv4 pool range from 'x.x.x.x-x.x.x.y'
to 'x.x.x.x-y'
(cherry picked from commit 714a6b1dd5e4de6c85911fa64f4b5f37b44979cf)
|
|
Fixed migration script for pppoe-server
(cherry picked from commit 17722f3ee1151d2e4ccf23655f7079615bf61e24)
|
|
Standardized pool configuration for all accel-ppp services.
1. Only named pools are used now.
2. Allows all services to use range in x.x.x.x/mask
and x.x.x.x-x.x.x.y format
3. next-pool can be used in all services
2. Allows to use in ipoe gw-ip-address without pool configuration
which allows to use Fraimed-IP-Address attribute by radius.
3. Default pool name should be explicidly configured
with default-pool.
4. In ipoe netmask and range subnet can be different.
(cherry picked from commit 422eb463d413da812eabc28706e507a9910d7b53)
|
|
(cherry picked from commit 405cc66041d8035500f7b7116301983c48464a9b)
|
|
(cherry picked from commit e70ca62c474b4e2cc135851a6e5cceee037bf378)
|
|
ddclient: T5144,T5791: Consolidated backport for dynamic dns updates and fixes
|
|
We always enable HTTPS in ddclient configuration, however
`http://checkip.dyndns.org` is HTTP only and does not support HTTPS.
Warn the user if they are using this service.
Also, make `url` in `web-options` mandatory.
|
|
Legacy ddclient allowed arbitrary URLs in web-options, but the new
has stricter validations. Apply migration to the old URLs.
Also migrate checkip.dyndns.org to https://domains.google.com/checkip
for better TLS support.
|
|
When migrating from `service dns dynamic interface <interface> ...` to
`service dns dynamic address <address> ...`, the config name can
potentially have a conflict when `address == 'web'`.
Although the `/run/ddclient/ddclient.conf` that was generated earlier
was incorrect, one could still potentially have misconfigured VyOS
config without realizing it.
We now append the old <interface> name to the config name to avoid
conflict.
|
|
Since `service dns dynamic address <address> service <service> ...`
changed to `service dns dynamic name <service> address <address> ...`,
the resulting service and address config flip can result in conflicting
`service` name.
Additionally, since dynamic DNS service name now have name constraint,
we need to normalize the service name to conform with the constraint.
We now migrate the service name to (service|rfc2136)-<service>-<address>
to avoid the conflict and optionally append an index if there is still a
name conflict after normalization.
|
|
Enforce constraint on Dynamic DNS service name to be alphanumeric
(including hyphens and underscores).
|