Age | Commit message (Collapse) | Author |
Encrypt and authenticate all control channel packets with the key from keyfile.
Encrypting (and authenticating) control channel packets:
* provides more privacy by hiding the certificate used for the TLS connection
* makes it harder to identify OpenVPN traffic as such
* provides "poor-man's" post-quantum security, against attackers who will
never know the pre-shared key (i.e. no forward secrecy)
We should not rely on the home dir value stored in user['home_dir'], as if a
crazy user chooses the username root or any other system user this will fail.
Should we deny using root at all?
Splitting was not a good idea. By combining both we can create a RADIUS server
XML include file which can be reused by multiple implementations to get a
uniform CLI for the users.
* 'pppoe-t2070' of github.com:c-po/vyos-1x:
pppoe: T2070: rewrite (dis-)connect op-mode commands in XML and Python
gitignore: fix ignore pattern of all debhelper files
pppoe: T2055: make logfile owned by root/vyattacfg
pppoe: T1318: validate existing source-interface
It is not sufficient to only check whether a source-interface is configured;
it must also be checked that the source-interface exists in the system at all.
If the interface does not exist, pppd will complain with:
pppd[2778]: /usr/sbin/pppd: In file /etc/ppp/peers/pppoe1: unrecognized option 'eth0.202'
Instead of letting the user choose between auto and none where auto is default,
it makes more sense to just offer an option to disable the default behavior.
The generated script was not called at all. Verified in VyOS 1.2.3 and rolling.
Looks like a leftover from the past. If this functionality is required - it
should be re-implemented the proper way!
This reduces the amount of self-written code to start-stop-daemon and also kills
the process if it has no connection yet (there won't be a PID file in this case);
getting the proper PID for multiple processes would require me to walk
/proc/<pid>/cmdline for every binary involved.
We no longer need to see the command which is used to spawn up PPPd and dial
the connection.
vyos@vyos# show interfaces pppoe
pppoe pppoe0 {
default-route force
link eth2.7
mtu 400
name-server auto
password 12345678
user-id vyos@vyos.io
}
ddclient complains when the file permission is not user = rw.
The delta check/calculation always returned False on system startup, leading
to a non-functioning bond interface after a reboot as no physical interface
was actually enslaved.
This was fixed by not calculating the currently enslaved interfaces from
the existing config but rather retrieving the interfaces from sysfs.
A consistency check was missing to prevent deleting the SNMP configuration
but still setting "service lldp snmp enable".
Without this override the keepalived stop transaction script won't work
as systemd will just wipe the process.
dhclient-script: T1987: Multiple fixes in dhclient-script
If there is no zone option given it will be "guessed" as in the past.
This means (hostname -> resulting zone entry):
domain.com -> com
foo.domain.com -> domain.com
bar.foo.domain.com -> foo.domain.com
I have zero experience with the CloudFlare zone option, what it is and what
it does. So maybe we still have a chance to auto render this setting.
This changeset contains multiple changes in structure, logic, and bugfixes for dhclient-script. It should provide better compatibility with new Debian versions and flexibility in controlling and changing VyOS-related functions.
1. Structure change:
* All VyOS-related functionality was moved from dhclient-script itself to separate hook files.
* The old vyatta-dhclient-hook was moved from vyatta-cfg to vyos-1x.
* This change allows discarding the dhclient-script replacement and using the original one from Debian without any changes. So, we do not need to track all changes in upstream so carefully.
* To provide compatibility between the original dhclient-script and VyOS, two internal commands/functions are replaced in hooks: ip and make_resolv_conf. So, in all places where ${ip} or make_resolv_conf are used, VyOS-tuned functions are actually used instead of the original ones.
* The `ip` function is a wrapper, which automatically chooses what to use: transparently pass a command to /usr/sbin/ip, change a route in the kernel table, or change the FRRouting config via vtysh.
* The `make_resolv_conf` function's main logic was copied from the current VyOS implementation and uses vyos-hostsd-client for making changes.
2. Added:
* Logging. It is now possible to log all changes made by dhclient-script. Logs can be saved to the journal and displayed on stderr (for debugging purposes). By default, logging to the journal is enabled (at least for some time) to provide a way to collect enough information in case some bug in this new implementation is found. This can be changed in the 01-vyos-logging file.
3. Fixed/Changed:
* If a DHCP lease was expired or released, or dhclient was stopped, dhclient-script will try to delete the default route from this lease.
* Instead of blindly killing all dhclients in case the FRRouting daemon is not running, more intelligent logic is now used:
  * dhclients are stopped natively (with all triggers processed), instead of being killed;
  * dhclient-script will not kill the parent dhclient process. This fixes the problem where systemd reports failing to bring up interfaces at early boot stages (used in Cloud-init images);
  * dhclient-script will not touch dhclients which are not related to the current interface or IP protocol version.
* For getting the FRRouting daemon status, the native way via watchfrr.sh is used, instead of the previous trick with vtysh accessibility.
* Before adding a new route to the FRRouting configuration, this route will be deleted from the kernel (if it is present there). This allows properly replacing routes added at early boot stages, when FRR was not available.
* Routes in FRRouting are added with "tag 210". This allows protecting static routes added via the CLI from deletion when old routes are deleted by DHCP.
* DNS servers will be reconfigured only when $new_domain_name_servers is not the same as $old_domain_name_servers. Previously, this was done during each RENEW procedure.
* Replacing the MTU with the preconfigured one was changed to Python (via vyos.config). The previous version with vyatta-interfaces.pl was obsolete and seems to be broken.