Age | Commit message (Collapse) | Author |
|
We have not seen the adoption of the https virtual-host CLI option.
What it did?
* Create multiple webservers each listening on a different IP/port
(but in the same VRF)
* All webservers shared one common document root
* All webservers shared the same SSL certificates
* All webservers could have had individual allow-client configurations
* API could be enabled for a particular virtual-host but was always enabled on
the default host
This configuration tried to provide a full webserver via the CLI but VyOS is a
router and the Webserver is there for an API or to serve files for a local-ui.
Changes
Remove support for virtual-hosts as it's an incomplete and thus mostly useless
"thing". Migrate all allow-client statements to one top-level allow statement.
|
|
|
|
The "idea" of this PR is to add new CLI nodes under the pki subsystem to
activate ACME for any given certificate.
vyos@vyos# set pki certificate NAME acme
Possible completions:
+ domain-name Domain Name
email Email address to associate with certificate
listen-address Local IPv4 addresses to listen on
rsa-key-size Size of the RSA key (default: 2048)
url Remote URL (default:
https://acme-v02.api.letsencrypt.org/directory)
Users choose if the CLI based custom certificates are used
set pki certificate EXAMPLE acme certificate <base64>
or if it should be generated via ACME.
The ACME server URL defaults to LetsEncrypt but can be changed to their staging
API for testing to not get blacklisted.
set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory
Certificate retrieval has a certbot --dry-run stage in verify() to see if it
can be generated.
After successful generation, the certificate is stored in under
/config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set
interfaces ethernet eth0 eapol certificate EXAMPLE) we call
vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the
base64 encoded certificate into the JSON data structure normally used when
using a certificate set by the CLI.
Using this "design" does not need any change to any other code referencing the
PKI system, as the base64 encoded certificate is already there.
certbot renewal will call the PKI python script to trigger dependency updates.
|
|
underscore and dot
|
|
interfaces
Interfaces matching the following regex (ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+ can
not be used as source-interface for e.g. a tunnel.
The main reason is that these are dynamic interfaces which come and go from a
kernel point of view, thus it's not possible to bind an interface to them.
|
|
Shorten and simplify `system domain-search` config path from:
```
set system domain-search domain <domain1>
```
to:
```
set system domain-search <domain1>
```
This will shorten the path and also make consistent with `domain-search`
config in other places (like `dhcp-server`).
|
|
T5801: Rewritten L2TP to get_config_dict
|
|
dhcp: T3316: Support hostname, DUID and MAC address in reservation
|
|
`include/firewall/rule-log-options.xml.i` is now more aptly renamed to
`include/firewall/log-options.xml.i`.
|
|
This file is a left over from previous refactoring and no longer
referenced anywhere in the interface definitions.
|
|
|
|
Rename chain level defaults log option from `enable-default-log` to
`default-log` for consistency.
|
|
|
|
|
|
T2898: add ndp-proxy service
|
|
The DUID regex was missing a lower bound, which could cause it not to
match when it should.
We have to specify the lower bound explicitly as 0 to keep the regex
behavior similar to that in Python (in Python, omitting the lower bound
is equivalent to specifying 0).
|
|
|
|
Refactor DUID XML definition in conf-mode to be reusable. Additionally, remove
explicit call to a separate validator `ipv6-duid` and inline the regex into the
XML definition.
|
|
VyOS CLI command
set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static'
Will generate the following NDP proxy configuration
$ cat /run/ndppd/ndppd.conf
# autogenerated by service_ndp-proxy.py
# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route
route-ttl 30000
# This sets up a listener, that will listen for any Neighbor Solicitation
# messages, and respond to them according to a set of rules
proxy eth0 {
# Turn on or off the router flag for Neighbor Advertisements
router no
# Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds)
timeout 500
# Control how long a valid or invalid entry remains in the cache (milliseconds)
ttl 30000
# This is a rule that the target address is to match against. If no netmask
# is provided, /128 is assumed. You may have several rule sections, and the
# addresses may or may not overlap.
rule 2001:db8::/64 {
static
}
}
|
|
Rewritten L2TP to get_config_dict
Rewritten L2TP xml to accel-ppp patterns
Migrated 'idle' to 'ppp-options.lcp-echo-timeout'
Migrated 'authentication.mppe' to 'ppp-options.mppe'
Migrated 'authentication.radius.dae-server' to
'authentication.radius.dynamic-author'
Migrated 'authentication.require' to 'authentication.protocol'
Added 'authentication.radius.acct-interim-jitter'
Added 'authentication.radius.preallocate-vif'
Added 'authentication.radius.server.<IP>.acct-port'
Added 'ppp-options.ipv4'
Added smoke-tests
Fixed 'preallocate-vif' in SSTP
|
|
|
|
T4163: Add BGP Monitoring Protocol BMP feature
|
|
T5798: load-balancing revese-proxy add multiple SSL certificates
|
|
Add BMP feature.
BMP (BGP Monitoring Protocol, RFC 7854) is used to send monitoring
data from BGP routers to network management entities
https://docs.frrouting.org/en/latest/bmp.html
Example:
set system frr bmp
commit
run restart bgp
set protocols bgp system-as '65001'
set protocols bgp neighbor 192.0.2.11 address-family ipv4-unicast
set protocols bgp neighbor 192.0.2.11 remote-as '65001'
set protocols bgp bmp mirror-buffer-limit '256000000'
set protocols bgp bmp target foo address '127.0.0.1'
set protocols bgp bmp target foo port '5000'
set protocols bgp bmp target foo min-retry '1000'
set protocols bgp bmp target foo max-retry '2000'
set protocols bgp bmp target foo mirror
set protocols bgp bmp target foo monitor ipv4-unicast post-policy
set protocols bgp bmp target foo monitor ipv4-unicast pre-policy
set protocols bgp bmp target foo monitor ipv6-unicast post-policy
set protocols bgp bmp target foo monitor ipv6-unicast pre-policy
|
|
set protocols bgp sid vpn per-vrf export '99'
set protocols bgp srv6 locator 'foo'
set protocols bgp system-as '100'
Will generate in FRR config
router bgp 100
no bgp ebgp-requires-policy
no bgp default ipv4-unicast
no bgp network import-check
!
segment-routing srv6
locator foo
exit
sid vpn per-vrf export 99
exit
|
|
dhcp: T3316: Migrate dhcp/dhcpv6 server to Kea
|
|
Apply baseline defaults for `.gitattributes` and `.vscode/settings.json`
for improved developer experience.
The `.gitattrbutes` settings are based on:
Git documentation (https://git-scm.com/docs/gitattributes#_effects)
GitHub documentation (https://docs.github.com/en/get-started/getting-started-with-git/configuring-git-to-handle-line-endings)
Community templates (https://github.com/gitattributes/gitattributes)
Since editor-agnostic line-ending specific settings are applied to
`.gitattributes`, they can be removed from `.vscode/settings.json`.
The global VSCode defaults have also been removed to avoid duplication.
|
|
Add ability to configure multiple SSL certificates for
frontend/service
set load-balancing reverse-proxy service web mode http
set load-balancing reverse-proxy service web port 443
set load-balancing reverse-proxy service web ssl certificate cert1
set load-balancing reverse-proxy service web ssl certificate cert2
|
|
|
|
|
|
T5775: firewall: re-add state-policy to firewall. These commands are …
|
|
- Update the base (rebase)
- Move include/nat64-protocol.xml.i => include/nat64/protocol.xml.i
- Delete unwanted `write_json`, use `write_file` instead
- Remove unnecessary deleting of default values for tagNodes T2665
- Add smoketest
Example:
```
set interfaces ethernet eth0 address '192.168.122.14/24'
set interfaces ethernet eth0 address '192.168.122.10/24'
set interfaces ethernet eth2 address '2001:db8::1/64'
set nat64 source rule 100 source prefix '64:ff9b::/96'
set nat64 source rule 100 translation pool 10 address '192.168.122.10'
set nat64 source rule 100 translation pool 10 port '1-65535'
```
|
|
Signed-off-by: Joe Groocock <me@frebib.net>
|
|
T5779: conntrack: Apply fixes to <set system conntrack timeout custom>
|
|
Remove what was not working on 1.3, migrate what was working to new syntax and extend feature for ipv6.
|
|
accel-ppp: T5688: Standardized pool configuration in accel-ppp
|
|
Standardized pool configuration for all accel-ppp services.
1. Only named pools are used now.
2. Allows all services to use range in x.x.x.x/mask
and x.x.x.x-x.x.x.y format
3. next-pool can be used in all services
2. Allows to use in ipoe gw-ip-address without pool configuration
which allows to use Fraimed-IP-Address attribute by radius.
3. Default pool name should be explicidly configured
with default-pool.
4. In ipoe netmask and range subnet can be different.
|
|
|
|
As followup to interface definition change, remove XML snippets that
aren't used anymore. They were there because they were 'include'-ed
multiple times in the interface definition `dynamic-dns.xml.in`. Since
that's not the case anymore, they can be removed.
|
|
included in <set firewall global-options state-policy> node.
|
|
T5637: firewall: extend rule for default-action to firewall bridge
|
|
to be able to catch logs using separte rule for default-action
|
|
http: T5762: api: make API socket backend communication the one and only default
|
|
Why: Smoketests fail as they can not establish IPv6 connection to uvicorn
backend server.
https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests.
While debugging those failing, it was uncovered, that uvicorn only listens on
IPv4 connections
vyos@vyos# netstat -tulnp | grep 8080
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
As the CLI already has an option to move the API communication from an IP to a
UNIX domain socket, the best idea is to make this the default way of
communication, as we never directly talk to the API server but rather use the
NGINX reverse proxy.
|
|
Example:
set interfaces ethernet eth0 dhcp-options user-class VyOS
or
set interfaces ethernet eth0 dhcp-options user-class 56:79:4f:53
|
|
The string data type specifies either an NVT ASCII string enclosed in double
quotes, or a series of octets specified in hexadecimal, separated by colons.
For example:
set interfaces ethernet eth0 dhcp-options client-id CLIENT-FOO
or
set interfaces ethernet eth0 dhcp-options client-id 43:4c:49:45:54:2d:46:4f:4f
As of now there was no input validation performed.
|
|
|
|
pim(6): T5733: add missing FRR related features
|
|
|
|
|