Age | Commit message (Collapse) | Author |
|
Shorten and simplify `system domain-search` config path from:
```
set system domain-search domain <domain1>
```
to:
```
set system domain-search <domain1>
```
This will shorten the path and also make consistent with `domain-search`
config in other places (like `dhcp-server`).
|
|
After deleting a user account and working with a newly added account, we see
that after rebooting in the previously saved configuration, the user is
re-added but it's home directory might have an old UID set on the filesystem.
This is due to the fact that vyos config does not store UIDs. When adding a
user account to the system we now check if the home directory already exists
and adjust the ownership to the new UID.
|
|
vyos.template: T5869: first_host_address() does not honor RFC4291 section 2.6.1
|
|
Fixed migration 'subnet' option in l2tp, sstp, pppoe.
'subnet' option can contain several values.
|
|
Remove the word "error" from a Warning only message to not irritate the user.
|
|
We have had duplicated test cases in test_jinja_filters.py and test_template.py,
They have been consolidated into test_template.py.
|
|
The subnet router anycast address is predefined. Its format is as follows:
| n bits | 128-n bits |
+------------------------------------------------+----------------+
| subnet prefix | 00000000000000 |
+------------------------------------------------+----------------+
The "subnet prefix" in an anycast address is the prefix that identifies a
specific link. This anycast address is syntactically the same as a unicast
address for an interface on the link with the interface identifier set to zero.
Packets sent to the Subnet-Router anycast address will be delivered to one
router on the subnet. All routers are required to support the Subnet-Router
anycast addresses for the subnets to which they have interfaces.
The Subnet-Router anycast address is intended to be used for applications where
a node needs to communicate with any one of the set of routers.
Our code as of now returns the subnet router anycast address as the
first_host_address().
|
|
Move the kea lease file to a separate directory `/config/dhcp` that `kea`
process can write to so that subprocesses spawned by `kea` process can
operate on the lease files.
To allow `kea` process to write to `/config/dhcp`, add `_kea` user to
`vyattacfg` group. And the lease files are owned completely by `_kea`
user to play well with `kea-lfc` process.
Specifically, this is necessary for `kea-lfc` which is spawned by `kea`
process to clean up expired leases. Since `kea-lfc` creates additional
backup lease files, it needs write access to the lease file directory.
Additionally, change the extension of the lease file from `.leases` to
`.csv` to reflect the actual file format.
|
|
conmon 402de34b31388b5a2e1c <error>: Unable to send container stderr message to parent Broken pipe
https://github.com/containers/conmon/issues/438
|
|
|
|
|
|
T5801: Rewritten L2TP to get_config_dict
|
|
T5842: Rewritten PPTP to get_config_dict
|
|
dhcp: T3316: Support hostname, DUID and MAC address in reservation
|
|
Rewritten PPTP to get_config_dict
Fixed 'dynamic-author' commands. These commands did not create
anything in accel-ppp config.
|
|
|
|
We always enable HTTPS in ddclient configuration, however
`http://checkip.dyndns.org` is HTTP only and does not support HTTPS.
Warn the user if they are using this service.
Also, make `url` in `web-options` mandatory.
|
|
ddclient: T5144: Migrate web-options url to stricter format
|
|
|
|
|
|
Legacy ddclient allowed arbitrary URLs in web-options, but the new
has stricter validations. Apply migration to the old URLs.
Also migrate checkip.dyndns.org to https://domains.google.com/checkip
for better TLS support.
|
|
|
|
configdict: T5837: add support to return added nodes when calling node_changed()
|
|
snmp: 5856: fix service removal error
|
|
When deleting SNMP from CLI the 'delete' key was not honored in the config
dictionary, leading to a false process startup causing the following error:
Job for snmpd.service failed because the control process exited with error code.
See "systemctl status snmpd.service" and "journalctl -xeu snmpd.service" for details.
|
|
node_changed() will return a list of changed keys under "path". We are not
always interested what changed, sometimes we are only interested if something
changed at all, that what vyos.configdict.is_node_changed() is for.
|
|
Match mark allows to use firewall marks of packet to use
a specific pool
Example of instance config /run/jool/instance-100.json
```
...
"pool4": [
{
"protocol": "TCP",
"prefix": "192.0.2.10",
"port range": "1-65535",
"mark": 23
},
...
```
|
|
After update KEA to 2.4.x in the bf04cd8fea44d375fb7d93d75a1f31c220730c88
there is a file that expects ConditionFileNotEmpty=/etc/kea/kea-api-password
It cause the unit `kea-ctrl-agent.service` cannot start
systemd[1]: kea-ctrl-agent.service - Kea Control Agent was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/kea/kea-api-password)
Override systemd kea-ctrl-agent.service do not check this file
|
|
|
|
Reinstate support for hostname in DHCP reservation. Having `hostname` in
allows for server-side assignment of hostname. This is useful for static
lookup of hostname.
Ensure that hostname is a valid FQDN (doesn't have underscore, etc.)
Additionally, support using either of DUID or MAC address for
reservation. While MAC address is typically used for IPv4, and DUID is
typically used for IPv6, either of them can be used in IPv4 and IPv6
reservations in Kea.
|
|
Updated image_installer.py to try and validate image with all
minisign public keys in /usr/share/vyos/keys/
|
|
srv6: T591: enable SR enabled packet processing on defined interfaces
|
|
T2898: add ndp-proxy service
|
|
Refactor DUID XML definition in conf-mode to be reusable. Additionally, remove
explicit call to a separate validator `ipv6-duid` and inline the regex into the
XML definition.
|
|
VyOS CLI command
set service ndp-proxy interface eth0 prefix 2001:db8::/64 mode 'static'
Will generate the following NDP proxy configuration
$ cat /run/ndppd/ndppd.conf
# autogenerated by service_ndp-proxy.py
# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route
route-ttl 30000
# This sets up a listener, that will listen for any Neighbor Solicitation
# messages, and respond to them according to a set of rules
proxy eth0 {
# Turn on or off the router flag for Neighbor Advertisements
router no
# Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds)
timeout 500
# Control how long a valid or invalid entry remains in the cache (milliseconds)
ttl 30000
# This is a rule that the target address is to match against. If no netmask
# is provided, /128 is assumed. You may have several rule sections, and the
# addresses may or may not overlap.
rule 2001:db8::/64 {
static
}
}
|
|
The Linux Kernel needs to be told if IPv6 SR enabled packets whether should be
processed or not. This is done using
/proc/sys/net/conf/<iface>/seg6_* variables:
seg6_enabled - BOOL
Accept or drop SR-enabled IPv6 packets on this interface.
Relevant packets are those with SRH present and DA = local.
0 - disabled (default)
not 0 - enabled
Or the VyOS CLI command:
* set protocols segment-routing interface eth0 srv6
|
|
Enable/Disable VRF strict mode, when net.vrf.strict_mode=0 (default) it is
possible to associate multiple VRF devices to the same table. Conversely, when
net.vrf.strict_mode=1 a table can be associated to a single VRF device.
A VRF table can be used by the VyOS CLI only once (ensured by verify()), this
simply adds an additional Kernel safety net, but a requirement for IPv6 segment
routing headers.
|
|
and use only PAM auth and JWT
|
|
when no API keys are set
|
|
Rewritten L2TP to get_config_dict
Rewritten L2TP xml to accel-ppp patterns
Migrated 'idle' to 'ppp-options.lcp-echo-timeout'
Migrated 'authentication.mppe' to 'ppp-options.mppe'
Migrated 'authentication.radius.dae-server' to
'authentication.radius.dynamic-author'
Migrated 'authentication.require' to 'authentication.protocol'
Added 'authentication.radius.acct-interim-jitter'
Added 'authentication.radius.preallocate-vif'
Added 'authentication.radius.server.<IP>.acct-port'
Added 'ppp-options.ipv4'
Added smoke-tests
Fixed 'preallocate-vif' in SSTP
|
|
dhcp: T3316: Adjust dhcp-run script to align with kea hooks
|
|
The hook arguments passed to `on-dhcp-event.sh` have changed in Kea.
Adjust the script to align with the new arguments.
Additionally, remove FQDN mangling from the script. No need to extract
the domain name from `LEASE4_HOSTNAME` only to append it again.
See: https://kea.readthedocs.io/en/latest/arm/hooks.html#hooks-run-script
|
|
* Move Kea socket permission change on-demand and speed up conf scripts
* Fix issue with DHCP reservations when no `ip-address` value
|
|
ddclient: T5144,T5791: Fix migration to avoid config name conflict
|
|
Since `service dns dynamic address <address> service <service> ...`
changed to `service dns dynamic name <service> address <address> ...`,
the resulting service and address config flip can result in conflicting
`service` name.
Additionally, since dynamic DNS service name now have name constraint,
we need to normalize the service name to conform with the constraint.
We now migrate the service name to (service|rfc2136)-<service>-<address>
to avoid the conflict and optionally append an index if there is still a
name conflict after normalization.
|
|
frr: T4020: add option to define number of open file descriptors
|
|
This allows the operator to control the number of open file descriptors each
daemon is allowed to start with. The current assumed value on most operating
systems is 1024.
If the operator plans to run bgp with several thousands of peers then this is
where we would modify FRR to allow this to happen.
set system frr descriptors <n>
|
|
Add recursive_defaults values for BGP "get_config" dictionary.
|
|
T4163: Add BGP Monitoring Protocol BMP feature
|
|
T5798: load-balancing revese-proxy add multiple SSL certificates
|