Age | Commit message (Collapse) | Author |
|
interfaces
Interfaces matching the following regex (ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+ can
not be used as source-interface for e.g. a tunnel.
The main reason is that these are dynamic interfaces which come and go from a
kernel point of view, thus it's not possible to bind an interface to them.
(cherry picked from commit 5062f5d313548d6ebb9c07fee6b6d6be25b8f8f0)
|
|
Standardized pool configuration for all accel-ppp services.
1. Only named pools are used now.
2. Allows all services to use range in x.x.x.x/mask
and x.x.x.x-x.x.x.y format
3. next-pool can be used in all services
2. Allows to use in ipoe gw-ip-address without pool configuration
which allows to use Framed-IP-Address attribute by radius.
3. Default pool name should be explicitly configured
with default-pool.
4. In ipoe netmask and range subnet can be different.
(cherry picked from commit 422eb463d413da812eabc28706e507a9910d7b53)
|
|
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process
* T5195: use read_file and write_file implementation from vyos.utils.file
Changed code automatically using:
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} +
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} +
* T5195: move chmod* helpers to vyos.utils.permission
* T5195: use colon_separated_to_dict from vyos.utils.dict
* T5195: move is_systemd_service_* to vyos.utils.process
* T5195: fix boot issues with missing imports
* T5195: move dict_search_* helpers to vyos.utils.dict
* T5195: move network helpers to vyos.utils.network
* T5195: move commit_* helpers to vyos.utils.commit
* T5195: move user I/O helpers to vyos.utils.io
|
|
The original implementation of defaults, and workaround required, would
leave an entry {'dhcpv6_options': {'pd': {}}} in the interface_dict.
|
|
Some interface drivers don't support/provide min_mtu and max_mtu values
For example VyOS in docker container with 'veth' driver on some
platforms
As a workaround add default values for min/max MTU for calculations
and pass function "verify_mtu(config)"
|
|
If 'client_ip_pool' does not exist in config we cannot search it
in the dictionary
dict_search_recursive(config, 'gateway_address', ['client_ip_pool', 'name'])
Add check
|
|
sstp-client
|
|
Add a new feature to allow to use named pools
Also it can be used with RADIUS attribute 'Framed-Pool'
set service pppoe-server client-ip-pool name POOL1 gateway-address '192.0.2.1'
set service pppoe-server client-ip-pool name POOL1 subnet '192.0.2.0/24'
|
|
We check if local_users is None
Check also an empty dict
{'access_concentrator': 'vyos-ac',
'authentication': {'local_users': {},
|
|
In addition to the rewrite to make use of get_config_dict() the CLI is
slightly adjusted as specified in T4703.
* Rename vlan-id and vlan-range to simply vlan
* Rename network-mode to simply mode
* Re-use existing common Jinja2 template for Accel-PPP which are shared
with PPPoE and SSTP server.
* Retrieve default values via defaultValue XML node
|
|
A macsec interface requires a dedicated source interface, it can not be
shared with another macsec or a pseudo-ethernet interface.
set interfaces macsec macsec10 address '192.168.2.1/30'
set interfaces macsec macsec10 security cipher 'gcm-aes-256'
set interfaces macsec macsec10 security encrypt
set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
set interfaces macsec macsec10 source-interface 'eth1'
commit
set interfaces pseudo-ethernet peth0 source-interface eth1
commit
Results in
FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private
returned:
exit code: 2
noteworthy:
cmd 'ip link add peth0 link eth1 type macvlan mode private'
returned (out):
returned (err):
RTNETLINK answers: Device or resource busy
[[interfaces pseudo-ethernet peth0]] failed
Commit failed
|
|
on error
|
|
We should not print the entire dictionary - we only need the bridge interface
name:
Bug:
Cannot assign address to interface "eth1" as it is a member of bridge
"{'br0': {'allowed_vlan': ['5-50', '101'], 'native_vlan': '101'}}"!
Fixed:
Cannot assign address to interface "eth1" as it is a member of bridge
"br0"!
|
|
Fix logic for verify traffic-policy in def verify_mirror_redirect
It checks just "traffic_policy.in" and should also check if
'mirror' or 'redirect' exists in config
|
|
This commit fixes a small typo where the client cert name was being used
to index the CA configuration dict.
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
|
|
(cherry picked from commit c1015d8ce0013719eb898b60b14ffec192b8141c)
|
|
This commit also extends the smoketest to verify that the exception for this
error is raised.
|
|
VyOS will automatically append the subsystem name (pppoe-server or sstp) when
something goes wrong. No need to hardcode this into the error string a second
time.
|
|
A validator is missing checking that if authentication is used on a PPPoE
interface, both username and password are set.
(cherry picked from commit 0361c3ac449f183476f7aee31439417d9f7f8012)
|
|
The introduction of key_mangling=('-', '_') when working with get_config_dict()
caused more harm than good. This commit extends common helpers and adds new
helpers when verifying the existence of route-maps, access-lists or prefix-lists.
|
|
We can leak routes back to the default VRF, thus the check added by commit
9184dfb5 ("static: vrf: T3344: add target vrf verify()") must have a "bail out"
option when one wants to leak routes into the default VRF.
|
|
Streamline the CLI configuration where we try to use remote on other interfaces
like vxlan, geneve.
|
|
Streamline the CLI configuration where we try to use source-address when
creating connections which are especially sourced from a discrete address.
|
|
The following list shows the mapping of VyOS tunnel encapsulation modes to the
corresponding Linux modes.
VyOS        Linux
gre         gre
gre-bridge  gretap
ipip        ipip
ipip6       ipip6
ip6ip6      ip6ip6
ip6gre      ip6gre
sit         sit
Besides gre-bridge this is pretty consistent. As bridge interfaces are also
called tap interfaces gre-bridge will be renamed to gretap to make the
post-processing much easier.
This means (in detail) that there are no more child classes of _Tunnel and
there will be now one generic TunnelIf class handling all sorts of encapsulation.
|
|
Interface.get_config() was always a pure helper which exposed a "per interface
type" dictionary which was then fed by the caller to create interfaces by
iproute2 which required additional options during creation time.
Such interfaces had been:
* tunnel
* vxlan
* geneve
* macsec
* wifi
* macvlan / pseudo-ethernet
The code was always duplicated to convert from the VyOS CLI based get_config_dict()
to a dict which can be used to feed iproute2.
This path has been removed and we now always feed in the entire dictionary
retrieved by get_config_dict() or in the interfaces case, its high-level wrapper
get_interface_dict() to the interface we want to create.
This also adds the - personally long awaited - possibility to get rid of the
derived tunnel classes for e.g. GRE, IPIP, IPIP6 and so on.
|
|
tunnel: T3030: Add erspan protocol support
|
|
In the past it was possible to configure a vif-s interface and a vif interface
both with the same VLAN ID. VyOS 1.2 reported a Kernel error:
RTNETLINK answers: File exists
Error creating VLAN device eth1.100
so this should not be possible at all in VyOS 1.3
|
|
package type automatic detection)
|
|
A hyphen in a route-map name will be converted to _, take care about this
effect during validation.
|
|
configured SLA-IDs
"data/templates/dhcp-client/ipv6.tmpl" handles the auto-assigning of SLA-IDs on
lines 39, 46, and 52.
|
|
"data/templates/dhcp-client/ipv6.tmpl" handles the auto-assigning of SLA-IDs on
lines 39, 46, and 52.
|
|
VLAN interfaces contain periods, which make them incompatible with
dict_search().
|
|