Age | Commit message (Collapse) | Author |
|
|
|
Move sshd_config file to /run so it must be generated on every boot and is
not stored accidently.
|
|
Pass the interface dictionary transparently to the DHCP module and render the
DHCP client config template directly from the same source instead of transcoding
it once more.
|
|
This removes additional code paths as we can instatly work with the input dict
the same was as it was done for PPPoE. This fixes the entire DHCPv6-PD support
on non PPPoE interfaces as this was lost in translation while processing T2653.
|
|
Make the port used for RADIUS accounting user configurable. This is now
valid for the following services which are based on Accel-PPP:
* ipoe-server
* pppoe-server
* l2tp
* pptp
* sstp
|
|
|
|
|
|
The current VyOS CLI parser code written in Python contains a ton of duplicates
which I can also hold myself accountable for - or maybe mainly me - depends on
the angle of judge.
|
|
|
|
Add additional verify() stage to check that the relaying interface actually
exists on the system.
|
|
* 'curlrc' of github.com:c-po/vyos-1x:
http-client: T2651: support specifying source-interface/address for curl
xml: T2651: provide general source-interface include file
|
|
Please note that either interface or address can be configured.
system {
options {
http-client {
source-interface eth0
source-address 1.1.1.1
}
}
}
|
|
When users use the standard fully qualified domain name writing method,
there will be an extra point after the actual domain name.
In order to ensure that the standard writing method is supported,
it should not be mandatory to add this point in Lua script
|
|
|
|
As of now when adding new credentials for any SNMPv3 user we submit the
credential either plaintext or encrypted. A plaintext credential will be hashed
by SNMPd in the background and then passed back into the CLI so it's not stored
in cleartext. This feels like the wrong way in changing the CLI content with
data produced by a 3rd party daemon which implements the service.
It feels like the tail wiggles the entire dog.
This should be changed in the following way:
- After retrieving the plaintext password from CLI, use Python to hash the key
in advance
- Re-populate the encrypted key into the CLI and drop the plaintext one
- Generate service configuration and continue startup of SNMPd
This also fixes a race condition when SNMPd started up but not properly
provided the hasehd keys in the configuration resulting in a ConfigurationError.
Now as we also support binding SNMPd to a VRF this fixes a deadlock situation
on bootup as we can only bind late to the VRF and require up to 5 restarts of
the service - but the service will never start.
|
|
|
|
Commit 65fa21f5e ("ifconfig: T2653: move pppoe interface to get_config_dict()")
directly takes the configuration keys from the CLI config and thus the keys
used for template generation have not been updated appropriately.
|
|
Commit 03fb97 (pppoe: ipv6: T2681: script bugfix after get_config_dict() migration )
After the PPPoE link is reset, dhcp6c cannot be restarted,
which may cause the prefix delegation of IPv6 to fail to restart.
This submission will restart dhcp6c after the IPv6 of PPPoE is up again
|
|
When migrating the conf from VyOS 1.2 to 1.3 a configuration error could appear
if the user specified "info" as loglevel instead of "INFO". There was no input
validation done in 1.2 but this is now enforced in 1.3.
In VyOS 1.3 loglevel will be always lowercase on the CLI and when migrating the
config this is transformed. Also VyOS 1.2 accpeted any arbitrary loglevel. If
an invalid loglevel is found it will be set to info.
|
|
Commit 65fa21f5 ("ifconfig: T2653: move pppoe interface to get_config_dict()")
did not rename the Jinja2 template vars as required as they are not retrieved
directly as dict from the config backend.
|
|
Linux tries to bind sshd to the VRF but it is yet not ready - for any arbitrary
reason. After restarting SSH to often (rate-limiting) it is blocked by systemd.
Using Restart/RestartSec is not enough - systemd services use start rate
limiting (enabled by default). If service is started more than StartLimitBurst
times in StartLimitIntervalSec seconds is it not permitted to start any more.
Parameters are inherited from DefaultStartLimitIntervalSec (default 10s) and
DefaultStartLimitBurst (default 5).
|
|
Linux tries to bind sshd to the VRF but it is yet not ready - for any arbitrary
reason. After restarting SSH to often (rate-limiting) it is blocked by systemd.
Using Restart/RestartSec is not enough - systemd services use start rate
limiting (enabled by default). If service is started more than StartLimitBurst
times in StartLimitIntervalSec seconds is it not permitted to start any more.
Parameters are inherited from DefaultStartLimitIntervalSec (default 10s) and
DefaultStartLimitBurst (default 5).
|
|
Linux tries to bind sshd to the VRF but it is yet not ready - for any arbitrary
reason. After restarting SSH to often (rate-limiting) it is blocked by systemd.
Using Restart/RestartSec is not enough - systemd services use start rate
limiting (enabled by default). If service is started more than StartLimitBurst
times in StartLimitIntervalSec seconds is it not permitted to start any more.
Parameters are inherited from DefaultStartLimitIntervalSec (default 10s) and
DefaultStartLimitBurst (default 5).
|
|
|
|
ids: T2659: Implement fastnetmon support
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Commit 1d7f88b459d ("ssh: T2635: migrate to get_config_dict()") used a wrong
loop iterator on the rendered ListenAddress statement.
|
|
Jinja template contains some workarounds like {% if port is string %}, this
depends of the resolution of https://phabricator.vyos.net/T2636
|
|
|
|
T2486: DNS, vyos-hostsd fixes
|
|
|
|
|
|
|
|
For more examples on the new get_config_dict() approach migrate this
implementation as it is not yet in production use. Also this serves as proof of
concept code for further migrations.
|
|
|
|
|
|
radvd[31898]: AdvValidLifeTime must be greater than AdvPreferredLifetime in
radvd.conf, line 19
This happens with the following configuration:
vyos@vyos# show service router-advert
interface eth0.20 {
name-server 2001:4860:4860::8888
prefix ::/64 {
valid-lifetime 7200
}
}
A validator is added to solve this issue and radvd will run again.
|
|
|
|
|
|
When multiple RADIUS servers have been configured, they have been all rendered
onto a single line in the config. This lead to errors in syslog and not all
servers beeing reachable.
|
|
The "to" qualifier did not get rendered when using source ports in masquerade
targets. This case was totally missed out when porting.
|
|
|
|
|
|
We specify NFT source/destination ports within a { } group, but if the port
range in question is negated, we need to move the != fraction out of { } and
infront of that group, else NFT loading will fail big time.
|
|
This reverts commit 927c054d9236c2c34ca43c1cbfff10fcfd7f5077.
|