Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
|
|
Netmasks (both IPv4 and IPv6) that are allowed to use the server. The default
allows access only from RFC 1918 private IP addresses. Due to the aggressive
nature of the internet these days, it is highly recommended to not open up the
recursor for the entire internet. Questions from IP addresses not listed here
are ignored and do not get an answer.
https://docs.powerdns.com/recursor/settings.html#allow-from
Imagine an ISP network with non RFC1918 IP adresses - they can't make
use of PowerDNS recursor.
As of now VyOS hat allow-from set to 0.0.0.0/0 and ::/0 which created an open
resolver. If there is no allow-from statement a config-migrator will add
the appropriate nodes to the configuration, resulting in:
service {
dns {
forwarding {
allow-from 0.0.0.0/0
allow-from ::/0
cache-size 0
ignore-hosts-file
listen-address 192.0.2.1
}
}
}
(cherry picked from commit dc0f641956d002fa8588ef8d1213791cf36e92f2)
|
|
(cherry picked from commit 3945b2259aaa64eb9f4d61334126235f2d641293)
|
|
configuration line
In the past we used the PowerDNS cofniguration option forward-zones and
forward-zones-recurse, but only the latter one sets the recursion bit in
the DNS query.
Thus all recursions have been moved to this config statement.
(cherry picked from commit 5886dd27cbc65f8cda04752bbd39a960b0887523)
|
|
when a non-unique subnet is found.
|
|
|
|
script.
|
|
|
|
from DHCP.
|
|
|
|
|
|
return_effective_values output.
|
|
[pdns-recursor] T1469 - replace forward-zones with forward-zones-recurse
|
|
of CLI mode.
|
|
|
|
forward-zones-recurse behaves identically to dnsmasq server option
in legacy vyos 1.1.8, while forward-zones option disallow recursive
name resolving, which leads to dns lookup failure
|
|
... to have the same pattern as the DHCPDv6 lease file
(cherry picked from commit adaa9b78e2fb0c7da58ca6c09934b3e3cff44795)
|
|
A wrong lease file caused the show command to fail:
vyos@vyos:~$ show dhcpv6 server leases
Traceback (most recent call last):
File "/usr/libexec/vyos/op_mode/show_dhcpv6.py", line 81, in <module>
leases = get_leases(lease_file, state='active')
File "/usr/libexec/vyos/op_mode/show_dhcpv6.py", line 44, in get_leases
leases = IscDhcpLeases(lease_file).get()
File "/usr/lib/python3/dist-packages/isc_dhcp_leases/iscdhcpleases.py", line 110, in get
with open(self.filename) as lease_file:
FileNotFoundError: [Errno 2] No such file or directory: '/config/dhcpdv6.leases'
(cherry picked from commit 3b9bfe322fd4a7d652b25b28cbcd4825fee0ea4b)
|
|
(cherry picked from commit 690ae8bf526b6d45997bedf5e856f858ad251658)
|
|
[ firewall options interface wg01 ]
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/firewall_options.py", line 139, in <module>
apply(c)
File "/usr/libexec/vyos/conf_mode/firewall_options.py", line 97, in apply
if tcp['new_chain4']:
TypeError: 'NoneType' object is not subscriptable
delete [ firewall options ] failed
delete [ firewall ] failed
Commit failed
(cherry picked from commit efb1a1c88f436a3704c4ca6e15b65aeded4b9654)
|
|
|
|
Conflicts:
src/conf_mode/host_name.py
|
|
|
|
- rsyslog appears now to be started via systemd automatically,
checking for the pid to avoid restart race condition between systemd
vyos conf script
|
|
|
|
|
|
|
|
|
|
Conflicts:
src/tests/test_host_name.py
|
|
Conflicts:
src/conf_mode/host_name.py
|
|
|
|
(cherry picked from commit 31ad6b67e3bc22bc340ba5b4f95cf3dd548e31b9)
|
|
* clamp MSS IPv4
set firewall options interface pppoe0 adjust-mss '1452'
* clamp MSS IPv6
set firewall options interface pppoe0 adjust-mss6 '1452'
* disable entire rule
set firewall options interface pppoe0 disable
Output
------
$ sudo iptables-save -t mangle
# Generated by iptables-save v1.4.21 on Sun Apr 21 12:56:25 2019
*mangle
:PREROUTING ACCEPT [1217:439885]
:INPUT ACCEPT [290:52459]
:FORWARD ACCEPT [920:375774]
:OUTPUT ACCEPT [301:100053]
:POSTROUTING ACCEPT [1221:475827]
:VYOS_FW_OPTIONS - [0:0]
-A FORWARD -j VYOS_FW_OPTIONS
-A VYOS_FW_OPTIONS -o pppoe0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452
COMMIT
Completed on Sun Apr 21 12:56:25 2019
|
|
|
|
WPAD url could be configured by CLI but the generated config was not
understood by ISC dhcp - caused by infalid if {} statement resulting in
a missing option wpad-url block.
(cherry picked from commit bfa9d55e9f1c3a091cff2fc214f2587d9b049cdb)
|
|
Same cause as with commit c6988bb4110541478dad74d0b892fd4643ed530a
(cherry picked from commit 40c342f3a84a75acc9f41c83cb735e966da7c47e)
|
|
Add support for relaying a DHCPv6 packet to multiple servers on one upstream
interface.
(cherry picked from commit d5b113923aaa776f89749c820d6283b593e80c3a)
|
|
When generation the configuration for multiple upstream interfaces a whitespace
was missing in the generated configuration:
OPTIONS="-6 -l 2001:db8::ffff%eth1 -u 2001:db8:1:ffff%eth2-u 2001:db8:2:ffff%eth3"
^---
This caused an error when starting up the DHCPv6 relay service
(cherry picked from commit c6988bb4110541478dad74d0b892fd4643ed530a)
|
|
parameter in /etc/resolv.conf"
This reverts commit 1a384ed21f1777faaef653f9d1e3d9c05542fdc8.
|
|
/etc/resolv.conf
|
|
using fully-qualified domain name
|
|
(cherry picked from commit 0fefe3c3b9250ad2ba841287a94036119728c708)
|
|
|
|
disable' to disable single peers
Conflicts:
debian/changelog
|
|
|
|
in unicast mode (patch by Johan Fredin).
|
|
(cherry picked from commit f0084de554d71d0f011c7fd2c6009f1864bd9d77)
|