Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
T2486: DNS, vyos-hostsd fixes
|
|
... to ensure the service is started very late.
|
|
|
|
|
|
A user can define a port under the SSH node per device. WHen connecting to that
port and authenticating using regular credentials we will immediately drop to
the serial console. This is the same as executing "connect serial-proxy <name>".
|
|
For more examples on the new get_config_dict() approach migrate this
implementation as it is not yet in production use. Also this serves as proof of
concept code for further migrations.
|
|
|
|
|
|
|
|
Using "ls" is much faster compared to "find ... -exec basename"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Add new nodes for 'service dns forwarding domain':
'addnta': adds addNTA to lua-config-file
'recursion-desired': sets '+' before the zone in forward-zones-file
The migrator sets both options for all configured domains. This is
usually the desired config.
|
|
The previous implementation only supported disabling DHCP nameservers for
all interfaces, and was implemented improperly so it didn't work anyway.
This migrates it to name-servers-dhcp <interface>, which allows us to enable
just the interfaces we want to use for system DNS, identical in syntax to
'service dns forwarding dhcp <interface>'.
The migrator searches through all interfaces that have address 'dhcp(v6)?'
and adds them to the name-servers-dhcp list if disable-dhcp-nameservers is
not set, else it does nothing.
|
|
|
|
During testing it was discovered that there is a well known problem (we had for
ethernet interfaces) also in the serial port world. They will be enumerated and
mapped to /dev/ttyUSBxxx differently from boot to boot. This is especially
painful on my development APU4 board which also has a Sierra Wireless MC7710
LTE module installed.
The serial port will toggle between ttyUSB2 and ttyUSB5 depending on the
amount of serial port extenders attached (FT4232H).
The shipped udev rule (/usr/lib/udev/rules.d/60-serial.rules) partly solves
this by enumerating the devices into /dev/serial/by-id folder with their name
and serial number - it's a very good idea but I've found that not all of the
FT4232H dongles have a serial number programmed - this leads to the situation
that when you plug in two cables with both having serial number 0 - only one
device symlink will appear - the previous one is always overwritten by the
latter one.
Derive /usr/lib/udev/rules.d/60-serial.rules and create a /dev/serial/by-bus
directory and group devices by attached USB root port.
|
|
Migrate the serial console subsystem to XML and Python.
|
|
|
|
Commit 1c7d7cbd39 ("wwan: T2529: migrate device from ttyUSB to usbXbY.YpZ.Z")
added a new completion helper path for USB based serial interfaces. If no USB
based serial port was available on the system this produced the following
error: "ls: cannot access '/dev/serial/by-bus': No such file or directory"
Only list USB based serial interfaces if there is at least one connected to
the system.
|
|
During testing it was discovered that there is a well known problem (we had for
ethernet interfaces) also in the serial port world. They will be enumerated and
mapped to /dev/ttyUSBxxx differently from boot to boot. This is especially
painful on my development APU4 board which also has a Sierra Wireless MC7710
LTE module installed.
The serial port will toggle between ttyUSB2 and ttyUSB5 depending on the
amount of serial port extenders attached (FT4232H).
The shipped udev rule (/usr/lib/udev/rules.d/60-serial.rules) partly solves
this by enumerating the devices into /dev/serial/by-id folder with their name
and serial number - it's a very good idea but I've found that not all of the
FT4232H dongles have a serial number programmed - this leads to the situation
that when you plug in two cables with both having serial number 0 - only one
device symlink will appear - the previous one is always overwritten by the
latter one.
Derive /usr/lib/udev/rules.d/60-serial.rules and create a /dev/serial/by-bus
directory and group devices by attached USB root port.
vyos@vyos:~$ find /dev/serial/by-bus/ -name usb* -exec basename {} \; | sort
usb0b1.3p1.0
usb0b1.3p1.2
usb0b1.3p1.3
usb0b2.4p1.0
usb0b2.4p1.1
usb0b2.4p1.2
usb0b2.4p1.3
So we have USB root 0 with bus 1.3 and port 1.0. The enumeration is constant
accross reboots.
|
|
|
|
openvpn: T2550: fix for IPv4 remote-host addresses
|
|
Commit bb9f998 added IPv6 support for OpenVPN, but IPv4 only
configurations stopped working (Address family for hostname not supported)
Commit fc467519 fixed some scenarios by using IPv4 protocols
if 'local-host' is IPv4 address, but the client mode is using
'remote-host' instead and was still broken.
This commit in addition to 'local-host' also checks all the
'remote-host' addresses.
|
|
When migrating all single instances of the IP address XML definition to the
reusable include file an error was ported, too. This allowed an interface be
assigned an IPv4/IPv6 network address es e.g. 192.0.2.0/24 which is invalid.
The validator has been fixed to only allow IPv4/IPv6 host addresses instead.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rename the CLI nodes for prefix delegation from "dhcpv6-options delegate
<interface>" to "dhcpv6-options prefix-delegation interface <interface>".
The change is required to add the possibility to request for specific prefix
sized via the CLI. That option was not possible with the old configuration
tree.
|
|
|
|
|
|
|
|
|
|
|
|
MACsec always talks about MKA (MACsec Key Agreement protocol) thus the node
should reflect that.
|
|
|
|
This is best suited as a key is required, too.
|
|
Cipher type gcm-aes-256 is supported by Linux 4.19 but it is not available in
iproute2 4.19. We could backport it of course but the plan is to Upgrade to a
more recent 5.x series kernel anyway once all out-of-tree module issues are
resolved, mainly Intel QAT.
gcm-aes-256 support was added to iproute2 package with commit b16f5253233 ("Add
support for configuring MACsec gcm-aes-256 cipher type.") which made it into
the 5.2 release of iproute2.
|
|
By default MACsec only authenticates traffic but has support for optional
encryption. Encryption can now be enabled using:
set interfaces macsec <interface> encrypt
|
|
|