Age | Commit message (Collapse) | Author |
|
When any configured peer is set to `disable` while the WireGuard tunnel is up
and running, it does not get actively revoked and removed. This poses a security
risk as connections keep being alive.
Whenever any parameter of a peer changes, we actively remove the peer and fully
recreate it on the fly.
(cherry picked from commit a4feb96af9ac45aff41ded1744cf302b5c5a9e7e)
|
|
(cherry picked from commit 81e0f4a8dece85da7169ba05448e870206aaf57b)
|
|
(cherry picked from commit ea4c72ed0dbcee3f7e8f9693c5310190833651d8)
|
|
(cherry picked from commit 452a9c504f472dcaee8c93947a889dab4f8259ce)
|
|
When individual peers that had been removed were determined, they were
added to the config dict as a list instead of a string, which broke the system
plumbing commands as they cannot handle a Python list.
|
|
Using an MTU less than the required 1280 bytes (as per RFC) on an interface
where IPv6 is not explicitly disabled by:
- set interfaces ethernet eth1 ipv6 address no-default-link-local
- not having any other IPv6 address configured
will now trigger a commit error via verify() instead of raising
FileNotFoundError!
|
|
Migrating files on the storage should be done once by a migration script
instead of every time the configuration changes. Moving this to an older
migration script is fine as it has been around for a long time and all rolling
releases are already up to date. It only affects updates from the VyOS 1.2 series.
|
|
The current VyOS CLI parser code written in Python contains a ton of duplicates,
which I can also hold myself accountable for (or maybe mainly me, depending on
the angle of judgement).
|
|
l2tpv3, wireguard, wirelessmodem and nat all require additional kernel modules
to be present on the system. Each and every interface implemented its own
way of loading a module, by copying code.
Use a generic function, vyos.util.check_kmod(), to load any arbitrary kernel
module passed as a string or list.
|
|
It was not possible to configure two WG peers which both utilized a pre-shared
key. This has been corrected.
A WG PSK can only be read from a file when starting the interface. The code for
creating this temporary file has been moved into the ifconfig.WireGuardIf()
class.
Tested with:
============
set interfaces wireguard wg0 address '192.0.2.0/31'
set interfaces wireguard wg0 peer one allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer one preshared-key 'e+SIIUcrnrSDHhbTtpjwKhSlSdUALA5ZvoCjfQXcvmA='
set interfaces wireguard wg0 peer one pubkey '/qQGAQ2HfLSZBSCpdgps04r9wRlK7bSFraCH9+MScmw='
set interfaces wireguard wg0 peer two allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer two pubkey '/qQGAQ2HfLSZBSCpdgfooor9wRlK7bSFraCH9+MScmw='
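Added example (not VyOS code) covering this commit and the peer `disable` commit at the top of the log: a reconciler that emits the `wg set` commands for a peer set. Any peer that changed, was deleted or is now disabled is removed with `wg set <if> peer <pubkey> remove` before anything is re-added, so the kernel drops its live session instead of keeping it alive; a preshared key is handed to wg through a mode-0600 temporary file, never on the command line, because argv is readable by every local user through /proc/<pid>/cmdline. The peer dict layout is an assumption, not VyOS's real config structure.

```python
# Added example, not VyOS code: reconcile WireGuard peers the way the two
# commits describe.  Any peer that changed, was deleted or is now disabled
# is removed with "wg set <if> peer <pubkey> remove" first, so the kernel
# drops its live session; a preshared key is passed to wg via a mode-0600
# temporary file, never on the command line.  The peer dict layout used here
# is an assumption, not VyOS's real config structure.
import os
import tempfile


def write_psk_file(psk: str) -> str:
    """Write the PSK into a private temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="wg-psk-")
    os.fchmod(fd, 0o600)                 # mkstemp already uses 0600; be explicit
    with os.fdopen(fd, "w") as f:
        f.write(psk + "\n")
    return path


def psk_file_is_private(path: str) -> bool:
    """True when only the owner can read the file (mode 0600)."""
    return (os.stat(path).st_mode & 0o777) == 0o600


def remove_psk_file(path: str) -> None:
    """Delete the temp file as soon as wg has consumed it."""
    os.remove(path)


def _endpoint(peer: dict) -> str:
    """wg(8) syntax: IPv6 literals need brackets, 'host:port' otherwise."""
    addr, port = peer["address"], peer["port"]
    if ":" in addr:
        return f"[{addr}]:{port}"
    return f"{addr}:{port}"


def peer_commands(ifname: str, old: dict, new: dict, psk_writer=write_psk_file) -> list:
    """Return the wg argv lists that move interface ``ifname`` from ``old`` to ``new``.

    ``old``/``new`` map peer name -> {'pubkey', 'allowed_ips', 'disable',
    'preshared_key', 'address', 'port'} (assumed layout).  ``psk_writer`` is
    injectable so the logic can be tested without touching the filesystem.
    """
    cmds = []
    # 1. tear down every peer that changed, disappeared or got disabled
    for name, peer in old.items():
        changed = new.get(name) != peer
        gone = name not in new or new[name].get("disable", False)
        if changed or gone:
            cmds.append(["wg", "set", ifname, "peer", peer["pubkey"], "remove"])
    # 2. (re)create the peers that should exist
    for name, peer in new.items():
        if peer.get("disable", False):
            continue                      # a disabled peer is never programmed
        if old.get(name) == peer:
            continue                      # unchanged: leave its session alone
        argv = ["wg", "set", ifname, "peer", peer["pubkey"],
                "allowed-ips", ",".join(peer["allowed_ips"])]
        if peer.get("address") and peer.get("port"):
            argv += ["endpoint", _endpoint(peer)]
        if peer.get("preshared_key"):
            argv += ["preshared-key", psk_writer(peer["preshared_key"])]
        cmds.append(argv)
    return cmds
```

The caller runs each argv list (without a shell) and calls remove_psk_file() on every path it passed as preshared-key once wg has returned; the key should live in the temp file only for the duration of that one call.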
|
|
airbag must now be explicitly installed.
The patch also allows fully disabling the installation of the logging
code at setup (and not just installing it and doing nothing).
|
|
|
|
- make error output more user friendly
- replace .format with f-strings
- split into lines less than ~80 characters long
|
|
Previously, set_vrf was always called, which uses the same master and nomaster
commands as bridge, so it removed the interface from the bridge.
- add checks to make VRF and bridge membership mutually exclusive
|
|
Bridge members should not have any addresses assigned.
|
|
|
- rewrite the function to support both bridge and bonding interface types:
  if the type is passed it searches only that type, otherwise it searches
  both
- move is_member check out of the deleted condition
- move is_member check to intf_from_dict for interfaces that use it
|
|
other
|
|
os.system does print the output of the command, run() does not.
A new function called call() does the printing and returns the error code.
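Added example (not VyOS code, and not the real vyos.util helpers) of the three call styles the commit contrasts, built on subprocess with argv lists so nothing is interpreted by a shell: run() captures and returns stdout, call() lets the child print and returns its exit code, cmd() raises on a non-zero exit. link_up_argv() shows why the argv form matters once an argument comes from configuration; its interface-name rule is an assumption made here, and python_argv() only exists to make the demo portable.

```python
# Added example, not VyOS code: the three call styles the commit contrasts,
# built on subprocess with argv lists so nothing is interpreted by a shell.
# run() captures and returns stdout, call() lets the child print and returns
# its exit code, cmd() raises on a non-zero exit.  link_up_argv() shows why
# the argv form matters once an argument comes from configuration.
import re
import subprocess
import sys

_IFNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")   # Linux IFNAMSIZ - 1 (assumed rule)


def run(argv: list) -> str:
    """Run quietly; return stripped stdout, ignore the exit code."""
    res = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return res.stdout.strip()


def call(argv: list) -> int:
    """Let the child write to our stdout/stderr; return its exit code."""
    return subprocess.run(argv).returncode


def cmd(argv: list) -> str:
    """Like run(), but a non-zero exit raises OSError carrying stderr."""
    res = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    if res.returncode != 0:
        raise OSError(f"{' '.join(argv)!r} exited {res.returncode}: {res.stderr.strip()}")
    return res.stdout.strip()


def link_up_argv(ifname: str) -> list:
    """argv for 'ip link set <ifname> up'.

    With os.system("ip link set " + ifname + " up") a name such as
    'eth0; id' would run a second command; as a list element it can only
    ever be one argument, and the name is validated on top of that.
    """
    if not _IFNAME_RE.match(ifname):
        raise ValueError(f"invalid interface name: {ifname!r}")
    return ["ip", "link", "set", ifname, "up"]


def python_argv(code: str) -> list:
    """argv running a snippet in the current interpreter; portable for demos/tests."""
    return [sys.executable, "-c", code]
```

Typical use is `call(link_up_argv(name))` where the user should see what ip(8) complains about, and `cmd([...])` where a failure must abort the commit instead of being silently ignored.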
|
|
... to make it clear that directories can also be chown(-ed)
|
|
Accessing a list of dictionaries and parsing/manipulating the content can and
should be done in the way other interface implementations do it. Just to name a
few:
- Ethernet
- L2TPv3
- WWAN (WirelessModem)
|
|
Interfaces enslaved to a bridge are not allowed to be deleted. If an interface
is deleted from the config but is still enslaved to a bridge, this will cause a
configuration error on the subsequent boot.
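Added example (not VyOS code) gathering the verify() rules from several commits in this log into one place: the MTU below 1280 vs. IPv6 check, no addresses on a bridge member, VRF and bridge membership being mutually exclusive, and refusing to delete an interface that is still enslaved to a bridge or bond (with an is_member() that searches bridge, bonding or both). The config dict layout mirrors the CLI paths but is an assumption, as is the ConfigError class name.

```python
# Added example, not VyOS code: one verify() stage gathering the rules from
# the commits above (MTU < 1280 vs. IPv6, address on a bridge member, VRF vs.
# bridge membership, deletion of an interface still enslaved to a bridge or
# bond).  The config dict layout mirrors the CLI paths but is an assumption.
class ConfigError(Exception):
    pass


def is_member(config: dict, interface: str, kind: str = None) -> str:
    """'bridge:<name>' or 'bonding:<name>' if ``interface`` is enslaved, else ''.

    Searches only ``kind`` when given, otherwise both bridge and bonding.
    Members are expected under interfaces/<kind>/<name>/member/interface.
    """
    kinds = [kind] if kind else ["bridge", "bonding"]
    for k in kinds:
        for name, node in config.get("interfaces", {}).get(k, {}).items():
            if interface in node.get("member", {}).get("interface", []):
                return f"{k}:{name}"
    return ""


def ipv6_disabled(intf: dict) -> bool:
    """IPv6 counts as disabled only without a link-local and without any v6 address."""
    no_link_local = intf.get("ipv6", {}).get("address", {}).get("no_default_link_local", False)
    has_v6 = any(a == "dhcpv6" or ":" in a for a in intf.get("address", []))
    return bool(no_link_local) and not has_v6


def verify(config: dict, kind: str, name: str) -> None:
    """Raise ConfigError for interfaces/<kind>/<name>; return None when it is fine."""
    intf = config.get("interfaces", {}).get(kind, {}).get(name)
    member_of = is_member(config, name)          # checked for deleted and live interfaces alike
    if intf is None:                             # interface removed from the config
        if member_of:
            raise ConfigError(f"{name}: still enslaved to {member_of}, remove it there first")
        return
    mtu = int(intf.get("mtu", 1500))
    if mtu < 1280 and not ipv6_disabled(intf):
        raise ConfigError(f"{name}: MTU {mtu} is below 1280, disable IPv6 on the interface first")
    bridge = is_member(config, name, "bridge")
    if bridge and intf.get("address"):
        raise ConfigError(f"{name}: member of {bridge}, it must not carry addresses")
    if bridge and intf.get("vrf"):
        raise ConfigError(f"{name}: cannot be both in VRF {intf['vrf']} and member of {bridge}")


def check(config: dict, kind: str, name: str) -> str:
    """verify() as a string: the error message, or '' when the config is acceptable."""
    try:
        verify(config, kind, name)
    except ConfigError as e:
        return str(e)
    return ""
```

is_member() is deliberately called before the deleted check, so a removed interface is caught while the bridge or bond still references it, rather than surfacing as a configuration error on the next boot.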
|
|
|
WireGuard has been the only subsystem combining a remote IP address and a
remote port number into a single node. This is bad as there is no possibility
for the XML based input validation of IP addresses and port numbers.
That's the reason the peer endpoint node gets migrated into a peer address
and a peer port node, utilizing the embedded syntax node checking for IP
addresses and port ranges.
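Added example (not VyOS code, not the project's real migration script) of the split the commit describes: the combined endpoint value becomes separate address and port values that can each be validated on their own. wg(8) prints IPv6 endpoints as `[2001:db8::1]:51820`, so the split has to honour the brackets instead of cutting at the last colon; the port must fall into 1-65535 and the host must be an IP literal or a plausible DNS name. The hostname rule and the peer dict layout are assumptions made here.

```python
# Added example, not VyOS code: migrate the combined "endpoint" node into
# separate "address" and "port" nodes so each can be validated on its own.
# wg(8) prints IPv6 endpoints as "[2001:db8::1]:51820", so the split must
# honour the brackets instead of cutting at the last colon; ports must fall
# into 1-65535 and the host must be an IP literal or a sane DNS name.
import ipaddress
import re

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def valid_host(host: str) -> bool:
    """IPv4/IPv6 literal (no brackets) or RFC 1123 style hostname (assumed rule)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return len(host) <= 253 and _HOSTNAME_RE.match(host) is not None


def split_endpoint(endpoint: str) -> tuple:
    """Return (host, port) for 'host:port' or '[v6]:port'; ValueError otherwise."""
    endpoint = endpoint.strip()
    if endpoint.startswith("["):
        host, sep, port = endpoint[1:].partition("]:")
        if not sep or not host:
            raise ValueError(f"malformed bracketed endpoint: {endpoint!r}")
        try:
            ipaddress.IPv6Address(host)       # brackets are for IPv6 literals only
        except ValueError:
            raise ValueError(f"brackets are only valid around an IPv6 literal: {endpoint!r}")
    else:
        host, sep, port = endpoint.rpartition(":")
        if ":" in host:                       # bare v6 literal: which colon is the port?
            raise ValueError(f"IPv6 endpoint needs brackets: {endpoint!r}")
        if not sep or not host or not valid_host(host):
            raise ValueError(f"malformed endpoint: {endpoint!r}")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range in endpoint: {endpoint!r}")
    return host, int(port)


def migrate_peer(peer: dict) -> dict:
    """Rewrite one peer node: drop 'endpoint', add 'address' and 'port'."""
    peer = dict(peer)
    endpoint = peer.pop("endpoint", None)
    if endpoint is not None:
        peer["address"], peer["port"] = split_endpoint(endpoint)
    return peer
```

A migration that raises on a malformed endpoint is preferable to one that guesses: the old single node never validated its content, so this is the first point where a bad value can be reported instead of silently carried forward.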
|
|
The Interface get_state/set_state functions were not clear about
whether they edited the admin or operational state.
The functions now use admin_state and oper_state
for clarity.
|
|
os.environ['VYOS_TAGNODE_VALUE']
This has only been a theoretical problem, but when the error condition was
triggered only an error was printed instead of raising an Exception.
|
|
renamed: interface-bonding.py -> interfaces-bonding.py
renamed: interface-bridge.py -> interfaces-bridge.py
renamed: interface-dummy.py -> interfaces-dummy.py
renamed: interface-ethernet.py -> interfaces-ethernet.py
renamed: interface-loopback.py -> interfaces-loopback.py
renamed: interface-openvpn.py -> interfaces-openvpn.py
renamed: interface-vxlan.py -> interfaces-vxlan.py
renamed: interface-wireguard.py -> interfaces-wireguard.py
|