Age | Commit message (Collapse) | Author |
|
firewall: T5814: Retain legacy 'accept' behaviour and re-order migration
|
|
the lease file (#2796)
|
|
T5688: Changed 'range' to multi in 'client-ip-pool' for accell-ppp
|
|
dhcp: T3316: T5787: T5912: Extend scope of DHCP options, bugfixes
|
|
Pre-1.4 firewall 'accept' action acted as a 'return'. This change ensures the migrated rules meet the expected behaviour.
This commit also re-orders migrated in/out/local jumps ordered by direction instead of interface.
|
|
|
|
Changed node 'range' to multi in 'client-ip-pool' for accell-ppp
services.
Added completionHelp to default-pool and next-pool.
Fixed verification in vpn l2tp config script.
|
|
We have not seen the adoption of the https virtual-host CLI option.
What it did?
* Create multiple webservers each listening on a different IP/port
(but in the same VRF)
* All webservers shared one common document root
* All webservers shared the same SSL certificates
* All webservers could have had individual allow-client configurations
* API could be enabled for a particular virtual-host but was always enabled on
the default host
This configuration tried to provide a full webserver via the CLI but VyOS is a
router and the Webserver is there for an API or to serve files for a local-ui.
Changes
Remove support for virtual-hosts as it's an incomplete and thus mostly useless
"thing". Migrate all allow-client statements to one top-level allow statement.
|
|
|
|
|
|
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.
Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in
|
|
system: T5877: Shorten system domain-search config path
|
|
Shorten and simplify `system domain-search` config path from:
```
set system domain-search domain <domain1>
```
to:
```
set system domain-search <domain1>
```
This will shorten the path and also make consistent with `domain-search`
config in other places (like `dhcp-server`).
|
|
Fixed migration 'subnet' option in l2tp, sstp, pppoe.
'subnet' option can contain several values.
|
|
T5801: Rewritten L2TP to get_config_dict
|
|
dhcp: T3316: Support hostname, DUID and MAC address in reservation
|
|
|
|
ddclient: T5144: Migrate web-options url to stricter format
|
|
|
|
|
|
Legacy ddclient allowed arbitrary URLs in web-options, but the new
has stricter validations. Apply migration to the old URLs.
Also migrate checkip.dyndns.org to https://domains.google.com/checkip
for better TLS support.
|
|
|
|
|
|
VyOS CLI command
set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static'
Will generate the following NDP proxy configuration
$ cat /run/ndppd/ndppd.conf
# autogenerated by service_ndp-proxy.py
# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route
route-ttl 30000
# This sets up a listener, that will listen for any Neighbor Solicitation
# messages, and respond to them according to a set of rules
proxy eth0 {
# Turn on or off the router flag for Neighbor Advertisements
router no
# Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds)
timeout 500
# Control how long a valid or invalid entry remains in the cache (milliseconds)
ttl 30000
# This is a rule that the target address is to match against. If no netmask
# is provided, /128 is assumed. You may have several rule sections, and the
# addresses may or may not overlap.
rule 2001:db8::/64 {
static
}
}
|
|
Rewritten L2TP to get_config_dict
Rewritten L2TP xml to accel-ppp patterns
Migrated 'idle' to 'ppp-options.lcp-echo-timeout'
Migrated 'authentication.mppe' to 'ppp-options.mppe'
Migrated 'authentication.radius.dae-server' to
'authentication.radius.dynamic-author'
Migrated 'authentication.require' to 'authentication.protocol'
Added 'authentication.radius.acct-interim-jitter'
Added 'authentication.radius.preallocate-vif'
Added 'authentication.radius.server.<IP>.acct-port'
Added 'ppp-options.ipv4'
Added smoke-tests
Fixed 'preallocate-vif' in SSTP
|
|
Since `service dns dynamic address <address> service <service> ...`
changed to `service dns dynamic name <service> address <address> ...`,
the resulting service and address config flip can result in conflicting
`service` name.
Additionally, since dynamic DNS service name now have name constraint,
we need to normalize the service name to conform with the constraint.
We now migrate the service name to (service|rfc2136)-<service>-<address>
to avoid the conflict and optionally append an index if there is still a
name conflict after normalization.
|
|
When migrating from `service dns dynamic interface <interface> ...` to
`service dns dynamic address <address> ...`, the config name can
potentially have a conflict when `address == 'web'`.
Although the `/run/ddclient/ddclient.conf` that was generated earlier
was incorrect, one could still potentially have misconfigured VyOS
config without realizing it.
We now append the old <interface> name to the config name to avoid
conflict.
|
|
was set to <any>.
|
|
migration: T5413: re-sequence interfaces migration scripts
|
|
PR https://github.com/vyos/vyos-1x/pull/2540 backported a migration script from
current to the equuleus LTS branch. As migration scripts are executed in order
to adjust the CLI for necessary improvements in future LTS releases we need to
change the versioning of the migration files to match the new "base" version
from the previous LTS release.
In theory this could break very ancient 1.4 rolling releases (from the early
days of the OSPF refactoring) - but those versions are considered very much
unstable.
Now this is the last chance to sync up the migration scripts before the 1.4 LTS
release.
|
|
dhcp: T3316: Migrate dhcp/dhcpv6 server to Kea
|
|
|
|
|
|
T5775: firewall: re-add state-policy to firewall. These commands are …
|
|
T5779: conntrack: Apply fixes to <set system conntrack timeout custom>
|
|
Fixed migration script for pppoe-server
|
|
Remove what was not working on 1.3, migrate what was working to new syntax and extend feature for ipv6.
|
|
accel-ppp: T5688: Standardized pool configuration in accel-ppp
|
|
Standardized pool configuration for all accel-ppp services.
1. Only named pools are used now.
2. Allows all services to use range in x.x.x.x/mask
and x.x.x.x-x.x.x.y format
3. next-pool can be used in all services
2. Allows to use in ipoe gw-ip-address without pool configuration
which allows to use Fraimed-IP-Address attribute by radius.
3. Default pool name should be explicidly configured
with default-pool.
4. In ipoe netmask and range subnet can be different.
|
|
Mark 'dns dynamic name' as tag node to avoid unexpected nesting.
|
|
|
|
|
|
|
|
Found an odd behavior on Linux and the VyOS CLI implementation. If adding VXLAN
interfaces using iproute2 the MTU differs depending on the creation syntax:
ip -4 link add vxlan100 type vxlan dstport 4789 external df unset tos inherit \
ttl 16 nolearning vnifilter local 172.16.33.201
ip -4 link add vxlan200 type vxlan id 200 dstport 4789 local 172.16.33.201 dev eth0
ip -6 link add vxlan300 type vxlan id 300 dstport 4789 local 2001:db8:1::1 dev eth0
132: vxlan300: <BROADCAST,MULTICAST> mtu 1430 qdisc noop state DOWN group default qlen 1000
link/ether 4e:fb:e3:f5:d9:59 brd ff:ff:ff:ff:ff:ff
133: vxlan200: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
link/ether 0e:4e:f4:76:59:3f brd ff:ff:ff:ff:ff:ff
134: vxlan100: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether ba:b6:b7:0c:b1:37 brd ff:ff:ff:ff:ff:ff
VyOS always sets a default MTU of 1450 bytes which is correct for IPv4 p2p links
or multicast, but invalid for IPv6 p2p. Also this will break EVPN deployments
as ethernet bridges with MTU < 1500 bytes are less fun.
Increase default MTU to 1500 bytes. Migrate old configurations to use 1450
bytes if not specified otherwise on the CLI.
|
|
This complements commit f5e43b136 ("http: T5762: api: make API socket backend
communication the one and only default") so we have a consistent port CLI node
across VyOS components.
|
|
Why: Smoketests fail as they can not establish IPv6 connection to uvicorn
backend server.
https://github.com/vyos/vyos-1x/pull/2481 added a bunch of new smoketests.
While debugging those failing, it was uncovered, that uvicorn only listens on
IPv4 connections
vyos@vyos# netstat -tulnp | grep 8080
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
As the CLI already has an option to move the API communication from an IP to a
UNIX domain socket, the best idea is to make this the default way of
communication, as we never directly talk to the API server but rather use the
NGINX reverse proxy.
|
|
pim(6): T5733: add missing FRR related features
|
|
|
|
IGMP and PIM are two different but related things.
FRR has both combined in pimd. As we use get_config_dict() and FRR reload it
is better to have both centrally stored under the same CLI node (as FRR does,
too) to just "fire and forget" the commit to the daemon.
"set protocols igmp interface eth1" -> "set protocols pim interface eth1 igmp"
|
|
<enable|disable> commands; log and state moved to new syntax.
|