Age | Commit message | Author |
|
tunnel: T2920: Add checks tun with same source addr and keys
|
|
This commit also extends the smoketest to verify that the exception for this
error is raised.
(cherry picked from commit 84a429b41175b95634ec9492e0cf3a564a47abdd)
|
|
2 tunnels with the same local-address should have different keys
Check existing tunnels (source-address key) with new tunnel.
|
|
(cherry picked from commit e211cdbb375dba13af33d6ad6c3addab707f2870)
|
|
message
(cherry picked from commit 10814c4d3360598262e991e4b20768dfcde91d75)
|
|
We have "set system name-server <ipv4|ipv6>" to specify a name-server IP
address we want to use. We also have "set system name-servers-dhcp <interface>"
which does the same, but the name-server in question is retrieved via DHCP.
Both CLI nodes are combined under "set system name-server <ipv4|ipv6|interface>"
to keep things as they are in real life - we need a name-server.
|
|
T3697: fix the deadlock in IPsec options script
|
|
The root cause is that the ipsec-settings.py script is run _twice_:
first from "vpn ipsec options", then from the top level "vpn" node.
The case when it's not required is when:
* "vpn ipsec" configuration doesn't exist yet
* user configured it with "vpn ipsec options"
* the ipsec-settings.py script is run first time, from "vpn ipsec options"
Trying to restart charon at that stage leads to a deadlock.
|
|
Commit 27e53fbc ("op-mode: T3619: bugfix "show interfaces" for VLANs") fixed
the op-mode command for the "show interfaces" operation, but if a user was
interested in all the ethernet or bridge interfaces, the command "show
interfaces <type> detail" did not yield any output.
The filtered_interfaces() function was further generalized to only operate on
base components and call itself recursively if required.
(cherry picked from commit 5e1f76d16332a917bfd99c6f2bffcd73e61d934d)
|
|
Commit 31169fa8a7 ("vyos.ifconfig: T3619: only set offloading options if
supported by NIC") always instantiated an object of the Ethtool class for an
ethernet object - this is right as a real ethernet interface is managed by
Ethtool.
Unfortunately the script used for "show interface" determines the "base class"
for an interface by its name, so eth0 -> Ethernet, eth0.10 -> Ethernet. This
assumption is incorrect as a VLAN interface can not have the physical parameters
changed of its underlying interface. This can only be done for eth0.
There is no need for the op-mode script to determine the implementation class
for an interface at this level, as we are only interested in the state of the
interface and its IP addresses - which is a common operation valid for every
interface on VyOS.
(cherry picked from commit 27e53fbcd843c3aad27db9e97f9060ae6dfcc5ee)
|
|
(cherry picked from commit 5bde11aceffd3d7fca99e582b16555fc0c584410)
|
|
Keys are not allowed with ipip and sit tunnels
(cherry picked from commit 7e84566dedfdc532ffe05b404005daa6f21df567)
|
|
Several scripts imported by vyos-configd (including
src/conf_mode/protocols_static.py) rely on argv for operating on VRFs.
Always setting script.argv in src/services/vyos-configd ensures those
scripts will operate on the default VRF when called with no arguments.
Otherwise, a stale argv might cause those scripts to operate on the last
modified VRF instead of the default VRF.
(cherry picked from commit 3341c591ad1190f39ff3ffd475eddf5d95aef763)
|
|
nipsec: T3093: Delete temporarily generated code
|
|
This code was generated before to rewrite IPSec to XML style.
And this was rewritten/fixed and used in the next 1.4 releases.
So we really don't need it in 1.3 as we use old nodes for it.
|
|
While migrating to get_config_dict() in commit e8a1c291b1 ("login: radius:
T3192: migrate to get_config_dict()") the user-name was not excluded
from mangling (no_tag_node_value_mangle=True).
This resulted in a username "vyos-user" from CLI to be actually created as
"vyos_user" on the system.
This commit also adds respective Smoketests to prevent this in the future.
(cherry picked from commit 658de9ea0fbe91e593f9cf0a8c434791282af100)
|
|
sstp-server: T2661: Delete CA certificate redundancy check
|
|
Commit 9f20bee81c ("T1376: improve show_dhcp and show_dhcpv6") added the tab
completion helper to list the available IP pools to query. This was done by
calling a python script which then called cli-shell-api which resulted in a
penalty by the Python interpreter startup.
This can be solved by directly using the cli-shell-api wrapper available
as <path> in op-mode - as also seen for DHCPv6.
(cherry picked from commit b1ff7baaf3c52c8c364955632fcece2da7033b10)
|
|
It makes no sense to have a parser for the ethtool values in ethtool.py
and ethernet.py - one instance is more than enough!
(cherry picked from commit 0229645c8248decb5664056df8aa5cd5dff41802)
|
|
Only update the RX/TX ring-buffer settings if they are different from the ones
currently programmed to the hardware. There is no need to write the same value
to the hardware again - this could cause traffic disruption on some NICs.
(cherry picked from commit 29082959e0efc02462fba8560d6726096e8743e9)
|
|
Not all interface drivers have the ability to change the speed and duplex
settings. Known drivers with this limitation are vmxnet3, virtio_net and
xen_netfront. If this driver is detected, an error will be presented to the
user.
(cherry picked from commit cc742d48579e4f76e5d3230d87e22f71f76f9301)
|
|
Ethernet adapters have a discrete set of available speed and duplex settings.
Instead of passing every value down to ethtool and let it decide, we can do
this early in the VyOS verify() function for ethernet interfaces.
(cherry picked from commit 91892e431349ca0edb5e3e3023e4f340ab9b777f)
|
|
SSH keys used for remote login are supplied as base64 encoded data on the CLI.
The key is not validated, thus an invalid copy/pasted key will render the login
useless. This commit adds a custom and re-usable validator which checks if the
data is properly base64 encoded.
(cherry picked from commit 00efce716912680354d47a2dca9769cd8c5c89ae)
|
|
(cherry picked from commit 5c29377fa91595088118419275f6d05b1fbfbd1d)
|
|
Deprecated in the Linux Kernel by commit 08a00fea6de277df12ccfadc21 ("net:
Remove references to NETIF_F_UFO from ethtool.").
|
|
An analysis of the code base from VyOS 1.2 -> 1.3 -> 1.4 revealed the following
"root-cause"
VyOS 1.2 uses the "old" node.def file format for:
* Generic Segmentation Offloading
* Generic Receive Offloading
So if any of the above settings is available on the configuration CLI, the
node.def file will be executed - this is how it works.
By default, this CLI option is not enabled in VyOS 1.2 - but the Linux Kernel
enables offloading "under the hood" by default for GRO, GSO... which will boost
the performance for users magically.
With the rewrite in VyOS 1.3 of all the interface related code T1579, and
especially T1637 this was moved to a new approach. There is now only one handler
script which is called whenever a user changes something under the interfaces
ethernet tree. The Full CLI configuration is assembled by get_interface_dict() -
a wrapper for get_config_dict() which abstracts and works for all of our
interface types - single source design.
The problem now comes into play when the gathered configuration is actually
written to the hardware, as there is no GSO, GRO or foo-offloading setting
defined - we behave as instructed and disable the offloading.
So the real bug originates from VyOS 1.2 and the old Vyatta codebase, but the
recent XML Python rewrites brought that one up to light.
Solution:
A configuration migration script will be provided starting with VyOS 1.3 which
will read in the CLI configuration of the ethernet interfaces and if not
enabled, will query the adapter if offloading is supported at all, and if so,
will enable the CLI nodes.
One might say that this will "blow" the CLI configuration but it only represents
the truth - which was masked in VyOS 1.2.
|
|
FRR: op-mode: T3776: rename "restart frr <daemon>" to "restart <daemon>"
|
|
As IS-IS is a new feature and the CLI configuration changed from 1.3 -> 1.4
(required by T3417) it makes sense to synchronize the CLI configuration for
both versions. This means backporting the CLI from 1.4 -> 1.3 to not confuse
the userbase already with a brand new feature.
As 1.3.0-epa1 is on the way and should not contain any CLI changes afterwards,
this is the perfect time.
|
|
(cherry picked from commit d9d923ea4e0bbe0cc154dc2fbdd626585b5d7449)
|
|
(cherry picked from commit 059307f924c604eb2bdeab19a2db8ce6d8e09f90)
|
|
(cherry picked from commit 19b16986515dcb58955e153025b24dc012faa574)
|
|
(cherry picked from commit d3ae6304a3eabcddba36452e9519ca7b56bb38af)
|
|
(cherry picked from commit 655876f4c22c0f4ea839a81f4af09d6016e19197)
|
|
(cherry picked from commit 1229665d353a070e14ee9cceafbfdb107d669745)
|
|
(cherry picked from commit 7e52a7079afb522d1456833023ad58fa8b05e880)
|
|
(cherry picked from commit 0f7833483c0fe4982747bbbace45a83fae793257)
|
|
In this commit we fix the do not fragment capability
for ping commands. Sorry for messing it up earlier :(
(cherry picked from commit d012c732a8902d4848e29f37fcede66a060e3c7f)
|
|
(cherry picked from commit d77a2f56ea7e76158c07f5829397be4555473e3d)
|
|
(cherry picked from commit 0d1ad777daf25ef415bf45032d41b587baf20781)