Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
and return an empty list in that case
(handy for migration scripts and the like)
|
|
OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers
|
|
This patch on #3616 will only attempt to fix ipsec matches in rules if the
firewall config tree passed to migrate_chain() has rules attached.
|
|
(#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
before, making sure the new includes (match-ipsec-in/out.xml.i) are
used appropriately. There were a handful of spots where match-ipsec.xml.i
had snuck back in for output hooked chains already
(the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
* I needed to check for ipsec-in matches no matter how deeply nested
under an output-hook chain(via jump-target) - this always generates
an error.
* Ended up retrofitting the jump-targets validator from root chains
and for named custom chains. It checks for recursive loops and improper
IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
smoketests
|
|
|
|
|
|
defined in zone policy.
|
|
in 1.3 <+> with character supported in latest version <*>
|
|
|
|
During a corner case where the configuration is migrated to a different system
with fewer ethernet interfaces, migration will fail during an image upgrade.
vyos.ethtool.Ethtool() is instantiated with an invalid interface leading to an
exception that kills the migrator
|
|
wireless: T6318: move country-code to a system wide configuration
|
|
Wireless devices are subject to regulations issued by authorities. For any
given AP or router, there will most likely be no case where one wireless NIC is
located in one country and another wireless NIC in the same device is located
in another country, resulting in different regulatory domains to apply to the
same box.
Currently, wireless regulatory domains in VyOS need to be configured per-NIC:
set interfaces wireless wlan0 country-code us
This leads to several side-effects:
* When operating multiple WiFi NICs, they all can have different regulatory
domains configured which might offend legislation.
* Some NICs need additional entries to /etc/modprobe.d/cfg80211.conf to apply
regulatory domain settings, such as: "options cfg80211 ieee80211_regdom=US"
This is true for the Compex WLE600VX. This setting cannot be done
per-interface.
Migrate the first found wireless module country-code from the wireless
interface CLI to: "system wireless country-code"
|
|
Migration script introduced in commit 0f669a226 ("openvpn: T5487: Remove
eprecated option --cipher for server and client mode") lacked executable
permission.
|
|
openvpn: T5487: Remove deprecated option --cipher for server and client mode
|
|
|
|
Commit 770edf016838523 ("T3900: T6394: extend functionalities in firewall")
changed the position in the CLI for conntrack timeout. This lead to failing
smoketests because of a regression in the migrator.
|
|
T3900: Add support for raw tables in firewall
|
|
timeout parameters defined in conntrack to firewall global-opton section.
|
|
|
|
|
|
>=5.0
random - In kernel 5.0 and newer this is the same as fully-random. In earlier
kernels the port mapping will be randomized using a seeded MD5 hash mix using
source and destination address and destination port.
https://git.netfilter.org/nftables/commit/?id=fbe27464dee4588d906492749251454
|
|
|
|
pppoe-server: T6234: PPPoE-server pado-delay refactoring
|
|
|
|
|
|
to firewall global-optinos
|
|
T6100: Added NAT migration from IP/Netmask to Network/Netmask
|
|
Added NAT migration from IP/Netmask to Network/Netmask.
In 1.3 allowed using IP/Netmask in Nat rules.
In 1.4 and 1.5 it is prohibited. Allowed Network/Netmask.
|
|
errors when using character <+> in 1.3 in firewall groups and custom firewall chains.
|
|
Commit a5ccc06c0 ("ipoe: T6205: error in migration script logic while renaming
mac-address to mac node") added a conditional path into the config which could
result in the migrated config not beeing written if precondition was not met.
|
|
Containers have the ability to add Linux system capabilities to them, this is
done using the "set container name <name> cap-add" command.
The CLI node sounds off and rather should be "set container name <name>
capability" instead as we use and pass a capability to a container and not
add/invent new ones.
|
|
mac node
The problem was introduced in [1] but the config migrator part unfortunately
was added to the wrong version [2]. As IPoE config version 0 was only active
during the 1.3 development cycle and VyOS 1.3.0 was already released with config
version 1 we can safely drop the migrator 0-to-1 and move the code to 1-to-2 to
properly support upgrades from VyOS 1.3 -> 1.4 or newer.
1: https://github.com/vyos/vyos-1x/commit/05df2a5f021f0c7aab7c06db645d210858b6e98d#diff-08291bf77870abe3af8bbe3e8ce4bbf344fd0498b2c5c75a75aa7235d381c88eL168
2: https://github.com/vyos/vyos-1x/commit/05df2a5f021f0c7aab7c06db645d210858b6e98d#diff-b8bb58b75607d3653e74d82eff02442f9f3ab82698f160ba37858f7cdf6c79ccR44-R46
|
|
|
|
The option "passive-interface default" was set even if it was not present in
the previous version we are migrating from. Fix migration script to handle this
with a conditional path.
|
|
dhcp-server high-availability>.
|
|
This reverts commit 960cace189d7ace2bea0968646b1348b415e0363.
All community rules syntax was changed.
T5357 is invalid bug report.
VyOS cannot use new configuration syntax in the previous versions.
|
|
occurs also if only <policy route> is defined.
|
|
|
|
|
|
|
|
|
|
|
|
dhcpv6-server: T5993: Extend interface migrator to check VLAN/QinQ
|
|
T6029: Rewritten Accel-PPP services to an identical feature set
|
|
Removed dhcp-interface option (l2tp)
Added wins-server (sstp)
Added description (ipoe, pppoe, sstp, pptp)
Added exteded-script (l2tp, sstp, pptp)
Added shaper (ipoe, pptp, sstp, l2tp)
Added limits (ipoe, pptp, sstp, l2tp)
Added snmp ( ipoe, pptp,sstp, l2tp)
Refactoring and reformated code.
|
|
Updates smoketest config to test migrator change
|
|
rpki: T6034: move file based SSH keys for authentication to PKI subsystem
|