From 4a5db8a416fc6126a504bc3a9f1b5f6de84e119d Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 12 Nov 2018 20:33:40 +0100 Subject: T987: Unclutter PPTP/IPSec RADIUS configuration nodes In other words, remove top level tag nodes from radius-server and introduce a regular "radius" node, thus we can add additional features, too. A migration script is provided in vyos-1x which takes care of this config migration. Change VyOS CLI from: vyos@vyos# show vpn pptp remote-access { authentication { mode radius radius-server 172.16.100.10 { key barbarbar } radius-server 172.16.100.20 { key foofoofoo } } To: vyos@vyos# show vpn l2tp remote-access { authentication { mode radius radius { server 172.16.100.10 { key barbarbar } server 172.16.100.20 { key foofoofoo } } } --- Makefile.am | 2 +- cfg-version/pptp@1 | 0 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 cfg-version/pptp@1 diff --git a/Makefile.am b/Makefile.am index 08210fbf..c4a4e1b3 100644 --- a/Makefile.am +++ b/Makefile.am @@ -124,7 +124,7 @@ curver_DATA += cfg-version/dhcp-server@5 curver_DATA += cfg-version/dhcp-relay@2 curver_DATA += cfg-version/ssh@1 curver_DATA += cfg-version/l2tp@1 - +curver_DATA += cfg-version/pptp@1 cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \ cpio -0pd diff --git a/cfg-version/pptp@1 b/cfg-version/pptp@1 new file mode 100644 index 00000000..e69de29b -- cgit v1.2.3 From 6ab6a0a1857e9ae487642f5aad0c948e12d167c5 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Tue, 13 Nov 2018 21:06:49 +0100 Subject: T1006: remove the check-ipv4-ipv6.pl script that is not used anywhere. --- scripts/check-ipv4-ipv6.pl | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100755 scripts/check-ipv4-ipv6.pl diff --git a/scripts/check-ipv4-ipv6.pl b/scripts/check-ipv4-ipv6.pl deleted file mode 100755 index 0816ebee..00000000 --- a/scripts/check-ipv4-ipv6.pl +++ /dev/null 
@@ -1,12 +0,0 @@ -#! /usr/bin/perl - -# Trivial script to check for valid IPv4 or IPv6 address - -use strict; -use NetAddr::IP; - -foreach my $addr (@ARGV) { - die "$addr: not valid a valid IPv4 or IPv6 address\n" - unless new NetAddr::IP $addr; -} - -- cgit v1.2.3 From 46d8b9b9105b67ea5ab8c06054586f66bd0daa12 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 17 Nov 2018 13:14:25 +0100 Subject: T1018: remove obsoleted 'dynamic' option from NTP Increase NTP config version from 0 to 1. For more information see [1]. ntpd: Warning: the "dynamic" keyword has been obsoleted and will be removed in the next release [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553976 --- Makefile.am | 1 + cfg-version/ntp@1 | 0 2 files changed, 1 insertion(+) create mode 100644 cfg-version/ntp@1 diff --git a/Makefile.am b/Makefile.am index c4a4e1b3..71a461b3 100644 --- a/Makefile.am +++ b/Makefile.am @@ -125,6 +125,7 @@ curver_DATA += cfg-version/dhcp-relay@2 curver_DATA += cfg-version/ssh@1 curver_DATA += cfg-version/l2tp@1 curver_DATA += cfg-version/pptp@1 +curver_DATA += cfg-version/ntp@1 cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \ cpio -0pd diff --git a/cfg-version/ntp@1 b/cfg-version/ntp@1 new file mode 100644 index 00000000..e69de29b -- cgit v1.2.3 From c0620596e2920926b25074e41bc99db278dcf53b Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 18 Nov 2018 15:28:34 +0100 Subject: T1011: enable conntrack helper by default. --- sysconf/vyatta-sysctl.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sysconf/vyatta-sysctl.conf b/sysconf/vyatta-sysctl.conf index 54f57541..560c29de 100644 --- a/sysconf/vyatta-sysctl.conf +++ b/sysconf/vyatta-sysctl.conf @@ -77,3 +77,6 @@ net.ipv6.conf.all.keep_addr_on_down=1 # Default value of 20 seems to interfere with larger OSPF and VRRP setups net.ipv4.igmp_max_memberships = 512 + +# Enable conntrack helper by default +net.netfilter.nf_conntrack_helper=1 -- cgit v1.2.3 
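Review bot: The added `net.netfilter.nf_conntrack_helper=1` turns automatic conntrack-helper assignment back on system-wide, which the kernel has defaulted to off (since 3.5) because helpers parse untrusted protocol payloads and automatic assignment hands every flow on a helper's port to its parser, while the upstream-recommended way to opt in is an explicit CT helper rule per port and zone. If the project wants it on by default, the comment above the line should state the trade-off rather than read like a harmless tuning knob, e.g. `# Re-enable automatic helper assignment (kernel default is 0 for security reasons; explicit CT helper rules are the safer alternative)`. Newer kernels are reported to have dropped this sysctl altogether, so the line may need a guard or fallback on later targets — worth verifying against the shipped kernel.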
From 29287219854913b9f1ab6661d8af786b0fd68434 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 18 Nov 2018 16:59:03 +0100 Subject: T1004: remove the check-ipv4-ipv6.pl script from the automake rules. --- Makefile.am | 1 - 1 file changed, 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index 71a461b3..ccf5fe83 100644 --- a/Makefile.am +++ b/Makefile.am @@ -58,7 +58,6 @@ sbin_SCRIPTS += scripts/vyatta-system-nameservers sbin_SCRIPTS += scripts/vyatta-interfaces.pl sbin_SCRIPTS += scripts/vyatta-address sbin_SCRIPTS += scripts/vyatta-tunnel-cleanup -sbin_SCRIPTS += scripts/check-ipv4-ipv6.pl sbin_SCRIPTS += scripts/vyatta-bonding.pl sbin_SCRIPTS += scripts/vyatta-raid-event sbin_SCRIPTS += scripts/vyatta-update-arp-params -- cgit v1.2.3 From 355d403b3b492b07bfc405b7d7dfa0051a2ab7c2 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 18 Nov 2018 17:52:49 +0100 Subject: T1000: partially fix the broken 6rd implementation. --- templates/interfaces/tunnel/node.def | 8 +++++++- templates/interfaces/tunnel/node.tag/6rd-prefix/node.def | 3 +-- templates/interfaces/tunnel/node.tag/6rd-relay-prefix/node.def | 3 +-- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/templates/interfaces/tunnel/node.def b/templates/interfaces/tunnel/node.def index c6e3b447..de5431a3 100644 --- a/templates/interfaces/tunnel/node.def +++ b/templates/interfaces/tunnel/node.def @@ -16,7 +16,13 @@ commit:expression: exec " if [ $VAR(./encapsulation/@) = gre ] && [ ! -n \"$VAR(./remote-ip/)\" ]; then \ echo \"No remote-ip configured for $VAR(@), tunnel can only be used for mGRE.\"; \ - fi; \ + fi; \ + if [ -n \"$VAR(./6rd-prefix/)\" ]; then \ + if [ $VAR(./encapsulation/@) != sit ]; then \ + echo \"6rd-prefix can only be set for SIT tunnels\"; \ + exit 1; \ + fi \ + fi; \ if [ $VAR(./encapsulation/@) != gre ] && [ ! -n \"$VAR(./remote-ip/)\" ]; then \ echo \"Must configure the tunnel remote-ip for $VAR(@)\"; \ exit 1; \ 
diff --git a/templates/interfaces/tunnel/node.tag/6rd-prefix/node.def b/templates/interfaces/tunnel/node.tag/6rd-prefix/node.def index 7e899d5d..c5f7f02c 100644 --- a/templates/interfaces/tunnel/node.tag/6rd-prefix/node.def +++ b/templates/interfaces/tunnel/node.tag/6rd-prefix/node.def @@ -1,9 +1,8 @@ -multi: type: ipv6net val_help: ipv6net; IPv6 address and prefix length help: 6rd network prefix -syntax:expression: exec "/opt/vyatta/sbin/valid_address $VAR(@)" +syntax:expression: exec "ipaddrcheck --verbose --is-ipv6-net $VAR(@)" create:expression: "true" update:expression: "false" ; \ diff --git a/templates/interfaces/tunnel/node.tag/6rd-relay-prefix/node.def b/templates/interfaces/tunnel/node.tag/6rd-relay-prefix/node.def index 0f877e2d..224c3b7e 100644 --- a/templates/interfaces/tunnel/node.tag/6rd-relay-prefix/node.def +++ b/templates/interfaces/tunnel/node.tag/6rd-relay-prefix/node.def @@ -1,9 +1,8 @@ -multi: type: ipv4net val_help: ipv4net; IPv4 prefix of interface for 6rd help: 6rd relay prefix -syntax:expression: exec "/opt/vyatta/sbin/valid_address $VAR(@)" +syntax:expression: exec "ipaddrcheck --verbose --is-ipv4-net $VAR(@)" create:expression: "true" update:expression: "false" ; \ -- cgit v1.2.3 From a5c4c649d51fc7400d2aa0fcba235e84ee43a9d6 Mon Sep 17 00:00:00 2001 
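Review bot: Both rewritten `syntax:expression:` lines (this file and `6rd-relay-prefix/node.def` in the next hunk) call `ipaddrcheck` by bare name, whereas the validator they replace and the other hooks in these templates use absolute paths, so the check now depends on the PATH of whatever process evaluates the template and a missing or shadowed binary surfaces as a confusing validation failure. Using the installed location, e.g. `syntax:expression: exec "<install-prefix>/ipaddrcheck --verbose --is-ipv6-net $VAR(@)"`, keeps the lookup deterministic. Dropping `multi:` also changes how existing configurations with more than one value load; if a migration script does not already cover it, that is worth stating in the commit message.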
From: Daniil Baturin Date: Sun, 18 Nov 2018 19:28:32 +0100 Subject: T992: add commands for ECMP options. --- templates/system/ip/multipath/ignore-unreachable-nexthops/node.def | 5 +++++ templates/system/ip/multipath/layer4-hashing/node.def | 4 ++++ templates/system/ip/multipath/node.def | 1 + templates/system/ipv6/multipath/layer4-hashing/node.def | 5 +++++ templates/system/ipv6/multipath/node.def | 1 + 5 files changed, 16 insertions(+) create mode 100644 templates/system/ip/multipath/ignore-unreachable-nexthops/node.def create mode 100644 templates/system/ip/multipath/layer4-hashing/node.def create mode 100644 templates/system/ip/multipath/node.def create mode 100644 templates/system/ipv6/multipath/layer4-hashing/node.def create mode 100644 templates/system/ipv6/multipath/node.def diff --git a/templates/system/ip/multipath/ignore-unreachable-nexthops/node.def b/templates/system/ip/multipath/ignore-unreachable-nexthops/node.def new file mode 100644 index 00000000..a37d455a --- /dev/null +++ b/templates/system/ip/multipath/ignore-unreachable-nexthops/node.def @@ -0,0 +1,5 @@ +help: Ignore next hops that are not in the ARP table + +create: sudo sysctl -w net.ipv4.fib_multipath_use_neigh=1 >/dev/null +delete: sudo sysctl -w net.ipv4.fib_multipath_use_neigh=0 >/dev/null + diff --git a/templates/system/ip/multipath/layer4-hashing/node.def b/templates/system/ip/multipath/layer4-hashing/node.def new file mode 100644 index 00000000..6cc7e3e2 --- /dev/null +++ b/templates/system/ip/multipath/layer4-hashing/node.def @@ -0,0 +1,4 @@ +help: Use layer 4 information for ECMP hashing + +create: sudo sysctl -w net.ipv4.fib_multipath_hash_policy=1 >/dev/null +delete: sudo sysctl -w net.ipv4.fib_multipath_hash_policy=0 >/dev/null diff --git a/templates/system/ip/multipath/node.def b/templates/system/ip/multipath/node.def new file mode 100644 index 00000000..3625e902 --- /dev/null +++ b/templates/system/ip/multipath/node.def @@ -0,0 +1 @@ +help: IPv4 multipath settings 
diff --git a/templates/system/ipv6/multipath/layer4-hashing/node.def b/templates/system/ipv6/multipath/layer4-hashing/node.def new file mode 100644 index 00000000..97ffdc61 --- /dev/null +++ b/templates/system/ipv6/multipath/layer4-hashing/node.def @@ -0,0 +1,5 @@ +help: Use layer 4 information for ECMP hashing + +create: sudo sysctl -w net.ipv4.fib_multipath_hash_policy=1 >/dev/null +delete: sudo sysctl -w net.ipv4.fib_multipath_hash_policy=0 >/dev/null + diff --git a/templates/system/ipv6/multipath/node.def b/templates/system/ipv6/multipath/node.def new file mode 100644 index 00000000..76bf4372 --- /dev/null +++ b/templates/system/ipv6/multipath/node.def @@ -0,0 +1 @@ +help: IPv6 multipath settings -- cgit v1.2.3 From c03bf343285b0c79cba59df90139e491e29057b2 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 25 Nov 2018 02:46:13 +0100 Subject: banner/post-login: replace Vyatta with VyOS --- templates/system/login/banner/post-login/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/system/login/banner/post-login/node.def b/templates/system/login/banner/post-login/node.def index 845611aa..36db657d 100644 --- a/templates/system/login/banner/post-login/node.def +++ b/templates/system/login/banner/post-login/node.def @@ -7,4 +7,4 @@ update: sudo /opt/vyatta/sbin/vyatta-banner.pl \ delete: sudo /opt/vyatta/sbin/vyatta-banner.pl \ --action=delete --banner-type=post-login -comp_help: Example: "\\n\\n\\tWelcome to Vyatta!\\n" +comp_help: Example: "\\n\\n\\tWelcome to VyOS!\\n" -- cgit v1.2.3 From 8f4b8917d23b42d15b7f48eb3f814a56cc5a4343 Mon Sep 17 00:00:00 2001 
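Review bot: `templates/system/ipv6/multipath/layer4-hashing/node.def` writes `net.ipv4.fib_multipath_hash_policy`, the same IPv4 sysctl as the IPv4 node created earlier in this commit, so `set system ipv6 multipath layer4-hashing` changes IPv4 ECMP hashing and leaves IPv6 hashing untouched, and deleting either node resets the other one's setting. The IPv6 knob is `net.ipv6.fib_multipath_hash_policy` (added in Linux 4.17, so confirm the target kernel carries it): `create: sudo sysctl -w net.ipv6.fib_multipath_hash_policy=1 >/dev/null` and `delete: sudo sysctl -w net.ipv6.fib_multipath_hash_policy=0 >/dev/null`.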
From: Runar Borge Date: Sun, 25 Nov 2018 21:45:36 +0100 Subject: T1045: static route dhcp-interface: check for ip in response Checks done to verify a dhcp-lease on the interface is updated to look for a ip-address like response from dhclient before returning an error. This fixes the error where a newline was enough to make the checks fail.. Updated to also make sure no newline is returned after the address to make sure commands using adresses from this script is not cut in half by the newline, and to be in line with the syntax on all errors. (no newline at the end) --- scripts/vyatta-dhcp-helper.pl | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/vyatta-dhcp-helper.pl b/scripts/vyatta-dhcp-helper.pl index 6febbaf9..4b236503 100644 --- a/scripts/vyatta-dhcp-helper.pl +++ b/scripts/vyatta-dhcp-helper.pl @@ -22,9 +22,12 @@ sub get_dhcp_router { my $router = `grep new_routers= $lease | cut -d"'" -f2`; my @r = split(/,/, $router); $router = $r[0]; - if ($router eq "") { + # Make sure the result looks like a IP + if ($router !~ /\d+\.\d+\.\d+\.\d+/) { return "127.0.0.1"; } + # Remove trailing newlines + $router =~ s/\n$//; return $router; } -- cgit v1.2.3 From 6bd3ae4fe0b0ea70f26f0b85e39c9c6b01661b4b Mon Sep 17 00:00:00 2001 From: Geoff Adams Date: Tue, 27 Nov 2018 20:40:11 -0800 Subject: T1055: Wait for Duplicate Address Detection on the relevant interface The DHCPv6 client can't start on an interface when DAD is ongoing. There is a workaround in place to wait for DAD to complete, but it only works on eth0! --- scripts/vyatta-dhcpv6-client.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/vyatta-dhcpv6-client.pl b/scripts/vyatta-dhcpv6-client.pl index c0b4cfeb..64c6840d 100755 --- a/scripts/vyatta-dhcpv6-client.pl +++ b/scripts/vyatta-dhcpv6-client.pl 
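Review bot: The new guard `if ($router !~ /\d+\.\d+\.\d+\.\d+/)` is unanchored, so any string that merely contains four dot-separated digit runs passes, and the `s/\n$//` below strips only a single trailing newline; since the commit message says callers splice this value into other commands, the address should be validated as a whole and the validated capture returned instead of the raw `$router`. Replacing the check and the strip with `return "127.0.0.1" unless $router =~ /\A\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\z/;` followed by `return $1;` does both in two lines. The `get_dhcp_router` sub begins outside the hunk, and the backtick command above the change interpolates `$lease` into a shell pipeline (pre-existing, not changed here).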
@@ -146,7 +146,7 @@ if (defined($start_flag) || defined ($renew_flag)) { # https://phabricator.vyos.net/T903 for (my $attempt_count = 0; $attempt_count <= 60; $attempt_count++) { # Check for any non-tentative addresses (exit code 0 if any exist, 1 otherwise) - if (system("test -n \"\$(ip -6 -o addr show dev eth0 scope link -tentative)\"") != 0) { + if (system("test -n \"\$(ip -6 -o addr show dev $ifname scope link -tentative)\"") != 0) { # No non-tentative address found, sleep and retry or exit if ($attempt_count == 0) { print "Duplicate address detection incomplete, waiting\n" -- cgit v1.2.3 From 74c1a8e3262480b4863a9b86bee77e2f6bf0acd3 Mon Sep 17 00:00:00 2001 From: hagbard Date: Thu, 29 Nov 2018 14:27:41 -0800 Subject: Fix: T1053 - Error when re-configuring an interface from DHCP to static IP --- debian/changelog | 5 +++++ scripts/vyatta-address | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index bd4efe61..1f14c36e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,8 @@ +vyatta-cfg-system (0.20.44+vyos2+current16) unstable; urgency=low + + * T1053 - Error when re-configuring an interface from DHCP to static IP + + -- hagbard Thu, 29 Nov 2018 14:26:07 -0800 vyatta-cfg-system (0.20.44+vyos2+current15) unstable; urgency=medium * Virtio network card, no info (maybe not fully supported?) diff --git a/scripts/vyatta-address b/scripts/vyatta-address index c3e57856..a35397de 100755 --- a/scripts/vyatta-address +++ b/scripts/vyatta-address 
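Review bot: Swapping the literal `eth0` for `$ifname` puts a variable into a string-form `system()` that is executed by `/bin/sh`, so the command is now only as safe as whatever validation `$ifname` received earlier in the script (outside this hunk; the `for` loop and the enclosing `if (defined($start_flag) ...)` block also start outside it). If that validation is not already an anchored whitelist, a guard before the loop such as `die "invalid interface name: $ifname\n" unless $ifname =~ /\A[\w.:-]{1,15}\z/;` stops a malformed value from being interpreted as shell syntax; alternatively, running `ip` through a list-form `open my $fh, '-|', 'ip', '-6', '-o', 'addr', 'show', 'dev', $ifname, 'scope', 'link', '-tentative';` and testing the captured output for non-emptiness removes the shell from the path entirely. The same line is reinstated verbatim by the revert-of-revert commit 0ebc3def further down, so the remark applies to that hunk too.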
@@ -29,7 +29,10 @@ case $1 in # Get current address from interface when using DHCP if [[ "$3" = "dhcp" ]]; then lease_file=/var/lib/dhcp/dhclient_"$2".leases; - ip_address=$(sed -n 's/^\s\sfixed-address\s\(.*\);/\1/p' $lease_file | sed -n '$p'); + ip=$(sed -n 's/^\s\sfixed-address\s\(.*\);/\1/p' $lease_file | sed -n '$p'); + #ip_address=$(sed -n 's/^\s\sfixed-address\s\(.*\);/\1/p' $lease_file | sed -n '$p'); + # T1053 we need IP/prefix for normalize-ip to function + ip_address=$(ip a s dev $2 | grep $ip | awk '{print $2}') elif [[ "$3" = "dhcpv6" ]]; then lease_file=/var/lib/dhcp/dhclient_v6_"$2".leases; ip_address=$(sed -n 's/^\s\s\s\siaaddr\s\(.*\)\s{/\1/p' $lease_file | sed -n '$p'); @@ -37,6 +40,7 @@ case $1 in ip_address=$3; fi + ### T1053 parameter $ip_address needs to be prefixed, not just the IP ip_address=$(/usr/libexec/vyos/system/normalize-ip $ip_address) if ! ip address show dev $2 2>/dev/null | grep -q "$ip_address"; then -- cgit v1.2.3 From c27f83c59f4567a63d9f9aa5008b8183ee964a2a Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Fri, 30 Nov 2018 05:54:56 +0700 Subject: Revert "T1055: Wait for Duplicate Address Detection on the relevant interface" --- scripts/vyatta-dhcpv6-client.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/vyatta-dhcpv6-client.pl b/scripts/vyatta-dhcpv6-client.pl index 64c6840d..c0b4cfeb 100755 --- a/scripts/vyatta-dhcpv6-client.pl +++ b/scripts/vyatta-dhcpv6-client.pl 
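Review bot: `ip_address=$(ip a s dev $2 | grep $ip | awk '{print $2}')` uses `$ip` as an unquoted regular expression, so the dots match any character and the match is a substring match: with `$ip` equal to 10.0.0.1 it also matches 10.0.0.10/24 or 110.0.0.1/8 on the same interface, and if the lease file has no fixed-address line `$ip` is empty, `grep` matches every line of the output, and a multi-line `$ip_address` flows into `normalize-ip` and the `grep -q "$ip_address"` test below. Matching the fixed string together with the `inet` keyword and the prefix separator avoids both cases: `ip_address=$(ip -4 addr show dev "$2" | grep -F "inet $ip/" | awk '{print $2}')`, with `$2` quoted as on the `lease_file` line. The commented-out former assignment left above the new one should be deleted rather than kept as dead text, and the enclosing `case $1 in` starts outside the hunk.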
@@ -146,7 +146,7 @@ if (defined($start_flag) || defined ($renew_flag)) { # https://phabricator.vyos.net/T903 for (my $attempt_count = 0; $attempt_count <= 60; $attempt_count++) { # Check for any non-tentative addresses (exit code 0 if any exist, 1 otherwise) - if (system("test -n \"\$(ip -6 -o addr show dev $ifname scope link -tentative)\"") != 0) { + if (system("test -n \"\$(ip -6 -o addr show dev eth0 scope link -tentative)\"") != 0) { # No non-tentative address found, sleep and retry or exit if ($attempt_count == 0) { print "Duplicate address detection incomplete, waiting\n" -- cgit v1.2.3 From 0ebc3def62c13a19bcfb8d25ae479235ed376268 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Fri, 30 Nov 2018 00:03:44 +0100 Subject: Revert "Revert "T1055: Wait for Duplicate Address Detection on the relevant interface"" This reverts commit c27f83c59f4567a63d9f9aa5008b8183ee964a2a. --- scripts/vyatta-dhcpv6-client.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/vyatta-dhcpv6-client.pl b/scripts/vyatta-dhcpv6-client.pl index c0b4cfeb..64c6840d 100755 --- a/scripts/vyatta-dhcpv6-client.pl +++ b/scripts/vyatta-dhcpv6-client.pl @@ -146,7 +146,7 @@ if (defined($start_flag) || defined ($renew_flag)) { # https://phabricator.vyos.net/T903 for (my $attempt_count = 0; $attempt_count <= 60; $attempt_count++) { # Check for any non-tentative addresses (exit code 0 if any exist, 1 otherwise) - if (system("test -n \"\$(ip -6 -o addr show dev eth0 scope link -tentative)\"") != 0) { + if (system("test -n \"\$(ip -6 -o addr show dev $ifname scope link -tentative)\"") != 0) { # No non-tentative address found, sleep and retry or exit if ($attempt_count == 0) { print "Duplicate address detection incomplete, waiting\n" -- cgit v1.2.3