Age | Commit message (Collapse) | Author |
|
Adopt RADIUS configuration and harmonize it with the rest of VyOS. Move the
following configuration block:
security {
    wpa {
        cipher CCMP
        mode wpa2
        radius-server 172.16.100.10 {
            port 1812
            secret secretkey
        }
        radius-server 172.16.100.11 {
            port 1812
            secret secretkey
        }
    }
}
to the harmonized version of:
security {
    wpa {
        cipher CCMP
        mode wpa2
        radius {
            server 172.16.100.10 {
                port 1812
                secret secretkey
            }
            server 172.16.100.11 {
                port 1812
                secret secretkey
            }
        }
    }
}
And add the new "set interfaces wireless wlan0 security wpa radius
source-address" CLI command to specify the origin of any RADIUS query on
systems having multiple IP addresses.
|
|
convert all nodes to lowercase
|
|
Working:
- Wireless modes b, g, n, ac
- WPA/WPA2 psk and RADIUS (tested using Microsoft NPS)
|
|
[OpenVPN]: T1704: Changed config structure for OpenVPN encryption to support ncp-ciphers.
[OpenVPN]: T1704: Added migration scripts for interface 2-to-3
|
|
The SNMPv3 TSM is very complex and I know 0 users of it. Also this is untested
and I know of no way it could be tested. Instead of carrying on dead and
unused code we should favour dropping it using a proper config migration
script.
|
|
As per the SNMP specification, an SNMP engine ID should be unique per device.
To not make it more complicated for users, only use the global SNMP engine ID.
|
|
|
As in the past, during the priority race of the bash scripts, invalid configuration
could appear in the CLI that was de-synced from the kernel state, e.g. some
bonding modes do not support arp_interval.
This is no longer allowed and has been added to the migration script so that the config
again represents the truth.
|
|
The node 'interfaces ethernet eth0 bond-group' has been changed and
de-nested. Bond members are now configured in the bond interface itself.
set interfaces bonding bond0 member interface eth0
|
|
Netmasks (both IPv4 and IPv6) that are allowed to use the server. The default
allows access only from RFC 1918 private IP addresses. Due to the aggressive
nature of the internet these days, it is highly recommended to not open up the
recursor for the entire internet. Questions from IP addresses not listed here
are ignored and do not get an answer.
https://docs.powerdns.com/recursor/settings.html#allow-from
Imagine an ISP network with non-RFC1918 IP addresses - they can't make
use of the PowerDNS recursor.
As of now VyOS has allow-from set to 0.0.0.0/0 and ::/0, which created an open
resolver. If there is no allow-from statement a config-migrator will add
the appropriate nodes to the configuration, resulting in:
service {
    dns {
        forwarding {
            allow-from 0.0.0.0/0
            allow-from ::/0
            cache-size 0
            ignore-hosts-file
            listen-address 192.0.2.1
        }
    }
}
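The open-resolver point above is easy to check mechanically. The following is an added example (not VyOS or PowerDNS code) that pulls the allow-from prefixes out of a VyOS `service dns forwarding` block, flags the 0.0.0.0/0 and ::/0 entries that the old migration produced, and emits the CLI commands that replace them with private source ranges. The two sample configs, the PRIVATE_DEFAULTS ranges and all function names are the example's own assumptions; the regex matches both the brace-style `show` output and `set service dns forwarding allow-from ...` command lines.

```python
"""Audit a VyOS 'service dns forwarding' block for open-resolver exposure.

Added example, not VyOS code. Only the allow-from values matter, so a
regular expression over the config text is enough; it matches the
brace-style 'show' output and 'set ... allow-from <prefix>' lines alike.
"""
import ipaddress
import re

ALLOW_FROM = re.compile(r"allow-from\s+(\S+)")

# Assumed replacement for a wide-open allow-from: RFC 1918 plus IPv6 ULA.
# An ISP serving public customer space would list those prefixes instead.
PRIVATE_DEFAULTS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")

# Constructed sample: the post-migration config quoted in the commit message.
OPEN_CONFIG = """\
service {
    dns {
        forwarding {
            allow-from 0.0.0.0/0
            allow-from ::/0
            cache-size 0
            ignore-hosts-file
            listen-address 192.0.2.1
        }
    }
}
"""

# Constructed sample: the same block restricted to private ranges plus one
# (made-up) public customer prefix, as an ISP deployment might look.
HARDENED_CONFIG = """\
service {
    dns {
        forwarding {
            allow-from 10.0.0.0/8
            allow-from 172.16.0.0/12
            allow-from 192.168.0.0/16
            allow-from fc00::/7
            allow-from 185.12.64.0/22
            listen-address 192.0.2.1
        }
    }
}
"""


def classify_prefix(prefix):
    """Return 'open-resolver', 'private', 'public' or 'invalid' for one value."""
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return "invalid"
    if net.prefixlen == 0:          # 0.0.0.0/0 or ::/0: answers the whole internet
        return "open-resolver"
    if net.is_private or net.is_loopback or net.is_link_local:
        return "private"
    return "public"                 # legitimate for an ISP, but worth a second look


def audit_allow_from(config_text):
    """Return [(prefix, classification), ...] in config order."""
    return [(p, classify_prefix(p)) for p in ALLOW_FROM.findall(config_text)]


def is_open_resolver(config_text):
    """True if any allow-from entry admits every source address."""
    return any(kind == "open-resolver" for _, kind in audit_allow_from(config_text))


def hardening_commands(config_text):
    """VyOS delete/set commands that close an open resolver.

    Removes every catch-all prefix and adds PRIVATE_DEFAULTS in its place;
    returns an empty list when nothing needs to change.
    """
    cmds = [f"delete service dns forwarding allow-from {prefix}"
            for prefix, kind in audit_allow_from(config_text)
            if kind == "open-resolver"]
    if cmds:
        cmds += [f"set service dns forwarding allow-from {p}" for p in PRIVATE_DEFAULTS]
    return cmds


if __name__ == "__main__":
    for prefix, kind in audit_allow_from(OPEN_CONFIG):
        print(f"{prefix:<16} {kind}")
    print("\n".join(hardening_commands(OPEN_CONFIG)))
```

PowerDNS drops queries from sources not in allow-from, so the commands above fail closed: a source range you forget to add loses resolution rather than turning the box into an amplifier. Verify from outside the listed ranges (a query should time out) after committing.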
|
|
Fixes:
Traceback (most recent call last):
File "/opt/vyatta/etc/config-migrate/migrate/interfaces/0-to-1", line 27, in <module>
for br in config.list_nodes(base):
File "/usr/lib/python3/dist-packages/vyos/configtree.py", line 255, in list_nodes
raise ConfigTreeError("Path [{}] doesn't exist".format(path_str))
vyos.configtree.ConfigTreeError: Path [b'interfaces bridge'] doesn't exist
|
|
This is the new syntax
bridge br0 {
    member {
        interface eth0 {
            cost 10
        }
        interface eth1 {
            cost 11
        }
    }
}
|
|
This reverts commit 685b1e0d050c7883303733d710327161fe046b60.
|
|
To have a consistent IPv4/IPv6 CLI a lot of BGP neighbor nodes have been
migrated. The IPv4 peer-group has been forgotten, leaving an inconsistent CLI.
Previously:
-----------
neighbor 2001:DB8:FFFF::1 {
    address-family {
        ipv6-unicast {
            peer-group iBGP
        }
    }
    peer-group iBGP
}
Now:
----
neighbor 2001:DB8:FFFF::1 {
    address-family {
        ipv6-unicast {
            peer-group iBGP
        }
    }
    address-family {
        ipv4-unicast {
            peer-group iBGP
        }
    }
}
|
|
Rewrite vyatta-config-migrate/migrate/system/6-to-7 in the canonical
style and add to vyos-1x migration-scripts. This completes the
collection of scripts needed to drop compatibility with Vyatta Core
older than 6.5.
|
|
radius-source-address was backported to VyOS 1.2.2 so also migrate this node.
|
|
This reverts commit 05c539ea5595790b297904569cbe13089ce79e18.
|
|
Debian/Systemd provides hostnamectl which disallows setting a FQDN when
there is a trailing (.) in the provided hostname. Extend the regex when setting
"system domain-name" so that there can't be a trailing (.).
Provide a migration script for current installations to remove the dot.
|
|
Commit 9d35610c173 ("T1060: add missing version file for webproxy")
assumed that there is a webproxy config version of 0 but we already have 1.
This led to duplicate files detected by apt.
|
|
change to 'mode local|radius'
|
|
Increase NTP config version from 0 to 1. For more information see [1].
ntpd: Warning: the "dynamic" keyword has been obsoleted and will
be removed in the next release
[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553976
|
|
In other words, remove top level tag nodes from radius-server and introduce
a regular "radius" node, thus we can add additional features, too. A migration
script is provided in vyos-1x which takes care of this config migration.
Change VyOS CLI from:
vyos@vyos# show vpn pptp
remote-access {
    authentication {
        mode radius
        radius-server 172.16.100.10 {
            key barbarbar
        }
        radius-server 172.16.100.20 {
            key foofoofoo
        }
    }
To:
vyos@vyos# show vpn l2tp
remote-access {
    authentication {
        mode radius
        radius {
            server 172.16.100.10 {
                key barbarbar
            }
            server 172.16.100.20 {
                key foofoofoo
            }
        }
    }
|
|
In other words, remove top level tag nodes from radius-server and introduce
a regular "radius" node, thus we can add additional features, too. A migration
script is provided in vyos-1x which takes care of this config migration.
Change VyOS CLI from:
vyos@vyos# show vpn l2tp
remote-access {
    authentication {
        mode radius
        radius-server 172.16.100.10 {
            key barbarbar
        }
        radius-server 172.16.100.20 {
            key foofoofoo
        }
        radius-source-address 172.16.254.100
    }
To:
vyos@vyos# show vpn l2tp
remote-access {
    authentication {
        mode radius
        radius {
            server 172.16.100.10 {
                key barbarbar
            }
            server 172.16.100.20 {
                key foofoofoo
            }
            source-address 172.16.254.100
        }
    }
|
|
This commit changes in addition the DHCP server config syntax as defined
in "T782: Cleanup dhcp-server configuration".
Replace the boolean parameter from the following nodes and make it valueless.
This requires a migration script which is tracked with this task
* set service dhcp-server shared-network-name <xyz> subnet 172.31.0.0/24 ip-forwarding enable (true|false)
* set service dhcp-server shared-network-name <xyz> authoritative (true|false)
* set service dhcp-server disabled (true|false)
* set service dhcp-server dynamic-dns-update enable (true|false)
* set service dhcp-server hostfile-update (enable|disable)
Replace the nested start/stop ip address from "subnet 172.31.0.0/24 start
172.31.0.101 stop 172.31.0.149" to "subnet 172.31.0.0/24 range <foo> start" and
"subnet 172.31.0.0/24 range <foo> stop" where foo can be any character or number.
In addition the vyatta-cfg-dhcp-server package used its own init/config file
for service startup. This has been migrated to the vanilla Debian files.
Copy 'on-dhcp-event.sh' from the vyatta-cfg-dhcp-server package, commit 4749e648bca6.
|
|
"protocols static route 0.0.0.0".
Code-wise that option was in vyatta-cfg-quagga, but the syntax is inside "system", so let's keep
the script under system too.
|