Age | Commit message (Collapse) | Author |
|
(cherry picked from commit 0c9c496961dc88110da53943a14dd88086ea920d)
|
|
T4839: firewall: Add dynamic address group in firewall configuration
|
|
ddclient: T5966: Adjust dynamic dns config address subpath
|
|
Add missing name validation in add_image, and fix typo in error msg
string.
|
|
appropiate commands to populate such groups using source and destination address of the packet.
|
|
In some cases we can get error:
```
Traceback (most recent call last):
File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 173, in <module>
data = get_status(args.mode, intf)
File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 130, in get_status
client["tunnel"] = get_vpn_tunnel_address(client['remote'], interface)
File "/usr/libexec/vyos/op_mode/show_openvpn.py", line 66, in get_vpn_tunnel_address
tunnel_ip = lst[0].split(',')[0]
IndexError: list index out of range
```
(cherry picked from commit 58683a2444877bb989929625ad40a7d76259075d)
|
|
op-mode: T5969: list multicast group membership
|
|
cpo@LR1.wue3:~$ show ip multicast group interface eth0.201
Interface Family Address
----------- -------- ---------
eth0.201 inet 224.0.0.6
eth0.201 inet 224.0.0.5
eth0.201 inet 224.0.0.1
cpo@LR1.wue3:~$ show ipv6 multicast group interface eth0
Interface Family Address
----------- -------- -----------------
eth0 inet6 ff02::1:ff00:0
eth0 inet6 ff02::1:ffbf:c56d
eth0 inet6 ff05::2
eth0 inet6 ff01::2
eth0 inet6 ff02::2
eth0 inet6 ff02::1
eth0 inet6 ff01::1
|
|
Update op-mode for dynamic dns to standardize on `vyos.opmode`. All
methods of `op_mode/dns_dynamic.py` are now available in standardized
`op_mode/dns.py`.
Move op-mode command `update dns dynamic` to `reset dns dynamic` to
reflect that it is not an update but a reset of the dynamic dns service.
Also, make the help texts more consistent for all op-mode commands for
`dns dynamic` and `dns forwarding`.
|
|
Streamline configuration and operation of dns forwarding service in
following ways:
- Remove `dns_forwarding_reset.py` as its functionality is now covered
by `dns.py`
- Adjust function names in `dns.py` to disambiguate between DNS
forwarding and dynamic DNS
- Remove `dns_forwarding_restart.sh` as its functionality is inlined in
`dns-forwarding.xml`
- Templatize systemd override for `pdns-recursor.service` and move the
generated override files in /run. This ensures that the override files
are always generated afresh after boot
- Simplify the systemd override file by removing the redundant overrides
- Relocate configuration path for pdns-recursor to `/run/pdns-recursor`
and utilize the `RuntimeDirectory` default that pdns-recursor expects
- We do not need to use custom `--socket-dir` path anymore, the default
path (viz., `/run/pdns-recursor` is fine)
|
|
|
|
|
|
Fix the arg for the `reboot in x` command
The current arg is `--reboot_in [Minutes ...]`
The expected arg is `--reboot-in [Minutes ...]`
|
|
dhcpv6: T3316: Extend scope of DHCP options, bugfixes
|
|
* Also migrate `address-range` to `range` tag node for consistency with dhcpv4 server syntax
|
|
When a router does not have wireless interfaces the proper
unconfigured message must be exist
|
|
GRUB defaults to 9600 in case of serial console; explicitly set to
115200.
|
|
T5915: firewall: re-add opmode command for zone based firewall
|
|
|
|
|
|
The "idea" of this PR is to add new CLI nodes under the pki subsystem to
activate ACME for any given certificate.
vyos@vyos# set pki certificate NAME acme
Possible completions:
+ domain-name Domain Name
email Email address to associate with certificate
listen-address Local IPv4 addresses to listen on
rsa-key-size Size of the RSA key (default: 2048)
url Remote URL (default:
https://acme-v02.api.letsencrypt.org/directory)
Users choose if the CLI based custom certificates are used
set pki certificate EXAMPLE acme certificate <base64>
or if it should be generated via ACME.
The ACME server URL defaults to LetsEncrypt but can be changed to their staging
API for testing to not get blacklisted.
set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory
Certificate retrieval has a certbot --dry-run stage in verify() to see if it
can be generated.
After successful generation, the certificate is stored in under
/config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set
interfaces ethernet eth0 eapol certificate EXAMPLE) we call
vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the
base64 encoded certificate into the JSON data structure normally used when
using a certificate set by the CLI.
Using this "design" does not need any change to any other code referencing the
PKI system, as the base64 encoded certificate is already there.
certbot renewal will call the PKI python script to trigger dependency updates.
|
|
image-tools: T5883: preserve file owner in /config on add system update
|
|
T3476: Add option latest to add system image
|
|
|
|
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.
Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in
|
|
Add option `latest` for op-mode command `add system image`
If the update check is configured we can get the remote `latest`
version from conrfgure URL
```
set system update-check url 'https://example.com/version.json'
```
This way we can use "latest" option for image update:
```
add system image latest
```
|
|
Move the kea lease file to a separate directory `/config/dhcp` that `kea`
process can write to so that subprocesses spawned by `kea` process can
operate on the lease files.
To allow `kea` process to write to `/config/dhcp`, add `_kea` user to
`vyattacfg` group. And the lease files are owned completely by `_kea`
user to play well with `kea-lfc` process.
Specifically, this is necessary for `kea-lfc` which is spawned by `kea`
process to clean up expired leases. Since `kea-lfc` creates additional
backup lease files, it needs write access to the lease file directory.
Additionally, change the extension of the lease file from `.leases` to
`.csv` to reflect the actual file format.
|
|
Updated image_installer.py to try and validate image with all
minisign public keys in /usr/share/vyos/keys/
|
|
|
|
image-tools: T5821: restore vrf-aware add system image
|
|
|
|
image-tools: T5806: clear previous raid configs on install
|
|
|
|
image-tools: T5819: do not echo password on image install
|
|
|
|
|
|
|
|
configured. In this commit, check is fixed and rules are printed as expected.
|
|
|
|
T5778: dhcp server: fix op-mode command
|
|
Restore scanning previous installations for config data and ssh host
keys on install.
|
|
|
|
|
|
|
|
|
|
|
|
*pool* empty, this means that lease was granted by fail-over server. Also fix issue that <show dhcp server leases state all> print nothing.
|
|
T5637: firewall: extend rule for default-action to firewall bridge
|
|
to be able to catch logs using separte rule for default-action
|
|
vxlan: T5753: add support for VNI filtering
|