Age | Commit message (Collapse) | Author |
|
A macsec interface requires a dedicated source interface, it can not be
shared with another macsec or a pseudo-ethernet interface.
set interfaces macsec macsec10 address '192.168.2.1/30'
set interfaces macsec macsec10 security cipher 'gcm-aes-256'
set interfaces macsec macsec10 security encrypt
set interfaces macsec macsec10 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec10 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
set interfaces macsec macsec10 source-interface 'eth1'
commit
set interfaces pseudo-ethernet peth0 source-interface eth1
commit
Reuslts in
FileNotFoundError: [Errno 2] failed to run command: ip link add peth0 link eth1 type macvlan mode private
returned:
exit code: 2
noteworthy:
cmd 'ip link add peth0 link eth1 type macvlan mode private'
returned (out):
returned (err):
RTNETLINK answers: Device or resource busy
[[interfaces pseudo-ethernet peth0]] failed
Commit failed
|
|
on error
|
|
We should not print the entire dictionary - we only need the bridge interface
name:
Bug:
Cannot assign address to interface "eth1" as it is a member of bridge
"{'br0': {'allowed_vlan': ['5-50', '101'], 'native_vlan': '101'}}"!
Fixed:
Cannot assign address to interface "eth1" as it is a member of bridge
"br0"!
|
|
|
|
Fix logic for verify traffic-policy in def verify_mirror_redirect
It checks just "traffic_policy.in" and should also checks if
'mirror' or 'redirect' exists in config
|
|
|
|
|
|
|
|
|
|
|
|
This commit fixes a small typo where the client cert name was being used
to index the CA configuration dict.
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
|
|
(cherry picked from commit c1015d8ce0013719eb898b60b14ffec192b8141c)
|
|
|
|
This commit also extends the smoketest to verify that the exception for this
error is raised.
|
|
|
|
VyOS will automatically append the subsystem name (pppoe-server or sstp) when
something goes wrong. No need to hardcode this into the error string a second
time.
|
|
|
|
A validator is missing checking that if authentication is used on a PPPoE
interface, both username and password are set.
(cherry picked from commit 0361c3ac449f183476f7aee31439417d9f7f8012)
|
|
|
|
|
|
The introduction of key_mangling=('-', '_') when working with get_config_dict()
caused more harm then good. This commit extends common helpers and adds new
helpers when verifying the existence of route-maps, access-lists or prefix-lists.
|
|
We can leak routes back to the default VRF, thus the check added by commit
9184dfb5 ("static: vrf: T3344: add target vrf verify()") must have a "bail out"
option when one want's to leak routes into the default VRF.
|
|
|
|
Streamline the CLI configuration where we try to use remote on other interfaces
like vxlan, geneve.
|
|
Streamline the CLI configuration where we try to use source-address when
creating connections which are especially sourced from a discrete address.
|
|
The following list shows the mapping of VyOS tunnel encapsulation modes to the
corresponding Linux modes.
VyOS Linux
gre gre
gre-bridge gretap
ipip ipip
ipip6 ipip6
ip6ip6 ip6ip6
ip6gre ip6gre
sit sit
Besides gre-bridge this is pretty consistent. As bridge interfaces are also
called tap interfaces gre-bridge will be renamed to gretap to make the
post-processing much easier.
This means (in detail) that there are no more child classes of _Tunnel and
there will be now one geneirc TunnelIf class handling all sorts of encapsulation.
|
|
Interface.get_config() was always a pure helper which exposed a "per interface
type" dictionary which was then fed by the caller to create interfaces by
iproute2 which required additional options during creation time.
Such interfaces had been:
* tunnel
* vxlan
* geneve
* macsec
* wifi
* macvlan / pseudo-ethernet
The code was always duplicated to convert from the VyOS CLI based get_config_dict()
to a dict which can be used to feed iproute2.
This path has been removed and we now always feed in the entire dictionary
retrieved by get_config_dict() or in the interfaces case, it's high-level wrapper
get_interface_dict() to the interface we wan't to create.
This also adds the - personally long awaited - possibility to get rid of the
derived tunnel classes for e.g. GRE, IPIP, IPIP6 and so on.
|
|
tunnel: T3030: Add erspan protocol support
|
|
In the past it was possible to configure a vif-s interface and a vif interface
both with the same VLAN ID. VyOS 1.2 reported a Kernel error:
RTNETLINK answers: File exists
Error creating VLAN device eth1.100
so this should not be possible at all in VyOS 1.3
|
|
package type automatic detection)
|
|
|
|
A hyphen in a route-map name will be converted to _, take care about this
effect during validation.
|
|
|
|
|
|
configured SLA-IDs
"data/templates/dhcp-client/ipv6.tmpl" handles the auto-assigning of SLA-IDs on
lines 39, 46, and 52.
|
|
"data/templates/dhcp-client/ipv6.tmpl" handles the auto-assigning of SLA-IDs on
lines 39, 46, and 52.
|
|
VLAN interfaces contain periods, which make them incompatible with
dict_search().
|
|
|
|
|
|
|
|
We had two places were the is_ip, is_ipv4 and is_ipv6 helpers had been defined.
All places now have been converged into vyos.template as they are used both
in the Jinja2 templates and also in our scripts.
|
|
|
|
|
|
Renamed using snippet below:
----------------------------
for file in $(find . -name "*.py")
do
sed -i "s/vyos_dict_search/dict_search/" $file
done
|
|
Commit 5db3d631 ("ifconfig: mtu: disallow MTU < 1280 bytes when IPv6 is enabled
on the interface") checked the "mtu" key for it's value and the test only passed
if mtu was larger then the required 1280 bytes when IPv6 address have
been configured on the link.
wireless (WiFi) interfaces have no MTU node - thus this always resulted in a
Python KeyError.
|
|
|
|
Using an MTU less then the required 1280 bytes (as per RFC) on an interface
where IPv6 is not explicitly disabled by:
- set interfaces ethernet eth1 ipv6 address no-default-link-local
- not having any other IPv6 address configured
Will now trigger a commit error via verify() instead of raising
FileNotFoundError!
|
|
Currently the MTU size of an interface is only checked when entered via CLI but
if the interface supportes the configured MTU at all is not verified at all.
New helper functions get_min_mtu(), get_max_mtu() and verify_mtu() have been
added to provide a central API for validation.
|
|
When configuring DHCPv6-PD it is mandatory to also specify at least one
interface where the newly delegated prefix will be used. Without this setting
DHCPv6-PD makes no sense at all.
|
|
As we already check that a bond/bridge member interface is not a member of any
other bridge or bond, the check must be extended. We also need to ensure that
the bond member interface is not used as a source-interface to pppoe, macsec,
tunnel, pseudo-ethernet, vxlan interfaces.
|