Age | Commit message (Collapse) | Author |
|
wireguard: T3763: Added check for listening port availability
|
|
We need to copy the configuration before this is done in super().update() as we
utilize self.set_dhcpv6() before this is done by the base class.
|
|
`print` was removed or replaced to `ValueError`, where possible.
|
|
Each wireguard interface requires a unique port for in and out
connections. This commit adds the new `vyos.util` function -
`check_port_availability`, and uses it to be sure that a port
that is planned to be used for wireguard interface is truly
available and not used by any other services (not only other
wireguard interfaces).
|
|
... there was a type setting ecp512 instead of ecp521.
|
|
When the interface name was stripped down from "eth0.201" to "eth" to determine
the appropriate interface section, VRRP interfaces got left out on the call
to rstrip().
VRRP interfaces now show up in "show interfaces" as they did in VyOS 1.2.
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
dum0 172.18.254.201/32 u/u
eth0 - u/u
eth0.10 172.16.33.8/24 u/u
eth0.201 172.18.201.10/24 u/u
eth1 10.1.1.2/24 u/u
eth1v10 10.1.1.1/24 u/u
eth2 - u/u
lo 127.0.0.1/8 u/u
::1/128
|
|
|
|
vyos@vyos# show interfaces pppoe
pppoe pppoe10 {
+ access-concentrator asdfg
authentication {
password bar
user foo
}
default-route force
no-peer-dns
source-interface eth0.202
}
vyos@vyos# python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44)
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from vyos.config import Config
>>> from vyos.configdict import get_interface_dict
>>> from vyos.configdict import leaf_node_changed
>>> conf = Config()
>>> base = ['interfaces', 'pppoe']
>>> tmp = get_interface_dict(conf, base, 'pppoe10')
>>> leaf_node_changed(conf, ['access-concentrator'])
>>> ['']
|
|
Now that MSS clamping is done on the "per-interface" level the entire PPPoE
stuff would have needed to get a full copy in GNU BASH for this or, participate
in the common library.
Add a new PPP ip-up script named 99-vyos-pppoe-callback which will call the
vyos.ifconfig.PPPoEIf.update() function to configure everything as done with
all other interfaces. This removes duplicated code for VRF assignment and route
installation when a PPPoE interface is brought up or down.
|
|
WireGuard, Tunnel and also PPPoE all need a ways to calculate a synthetic MAC
address used for the EUI64 link-local addresses. Instead of copying the code
from Tunnel to WireGuard to PPPoE, use a generic implementation.
|
|
|
|
|
|
level
Getting rid of "set firewall options" and move it from:
set firewall options interface ethX adjust-mss 1400
set firewall options interface ethX adjust-mss6 1400
to:
set interfaces ethernet ethX ip adjust-mss 1400
set interfaces ethernet ethX ipv6 adjust-mss 1400
In addition add an extra option called clamp-mss-to-pmtu instead of a value.
|
|
|
|
|
|
This reverts commit 29e438755c8bd2b9598a2016a3c42891f0cbfa1d.
|
|
|
|
commit_in_progress()
|
|
Inspired by the comments of https://unix.stackexchange.com/a/435317 use a more
robust approach. A service can be "active" but not "running" (e.g. restarting
with a configuration error). We can now test if a systemd unit is "activated"
and if it is "running" at all.
>>> from vyos.util import is_systemd_service_active
>>> from vyos.util import is_systemd_service_running
>>> is_systemd_service_active('ssh')
True
>>> is_systemd_service_running('sshd')
False
>>> is_systemd_service_running('ssh')
True
|
|
|
|
VyOS will automatically append the subsystem name (pppoe-server or sstp) when
something goes wrong. No need to hardcode this into the error string a second
time.
|
|
|
|
|
|
This reverts commit a2b959c50c96698da173b9c4720369a51442cc5c.
|
|
|
|
|
|
|
|
|
|
|
|
The class ConfigTreeActiveQuery uses configtree to access tag node
values; note that this will only report saved configuration data.
|
|
In some cases, we need to wait until local address is assigned.
And only then l2tpv3 tunnel can be configured.
For example when ipv6 address is in "tentative" state
or we wait for some routing daemon/route for a remote address.
|
|
Commit f520182b ("vyos.util: add is_systemd_service_running() helper function")
added a new helper function that can be used to check if a systemd service is
running.
Drop all custom implementations in favor of this library call.
|
|
Test is a specified systemd service is actually running.
Returns True if service is running, false otherwise.
|
|
|
|
generate ipsec mac-ios-profile <connection> remote <ip|fqdn>
will generate a matching IPSec profile which can be loaded on an iOS device.
|
|
|
|
Also renames peer pubkey to public-key for consistency
|
|
VRF: T3655: proper connection tracking for VRFs
|
|
Currently, all VRFs share the same connection tracking table, which can
lead to problems:
- traffic leaks to a wrong VRF
- improper NAT rules handling when multiple VRFs contain the same IP
networks
- stateful firewall rules issues
The commit implements connection tracking zones support. Each VRF
utilizes its own zone, so connections will never mix up.
It also adds some restrictions to VRF names and assigned table numbers,
because of nftables and conntrack requirements:
- VRF name should always start from a letter (interfaces that start from
numbers are not supported in nftables rules)
- table number must be in the 100-65535 range because conntrack supports
only 65535 zones
|
|
|
|
|
|
|
|
When waiting for processes that don't take long,
we need add an inotify watcher _before_ starting that process.
The pre-hook arguments allows the user to pass a () -> () anonymous function
to be called before adding a watch.
|
|
|
|
Also adds check for the charon socket instead of an arbitrary sleep()
|
|
vyos.util method `dict_search_args` to allow for dot characters in keys.
|
|
|
|
pki: T3642: Add standard extensions to generated certificates
|
|
|
|
Keep the vyos.util function clean and not pull in the rest of the world
when importing it.
|