Age | Commit message (Collapse) | Author |
|
After the RESTRICTED view was introduced snmpd requires a network to be
specified. Before adding the RESTRICTED view snmpd always assumed the default
network 0.0.0.0/0.
This commit re-adds the build in default networks for IPv4 and IPv6 and
exposes it as a proper default to the CLI so the user is informed about it:
vyos@vyos# set service snmp community foooo
Possible completions:
authorization Authorization type (default: ro)
+ client IP address of SNMP client allowed to contact system
+ network Subnet of SNMP client(s) allowed to contact system (default:
0.0.0.0/0, ::/0)
|
|
warning message
|
|
|
|
|
|
|
|
|
|
Since introducing the XML <defaultValue> node it was common, but redundant,
practice to also add a help string indicating which value would be used as
default if the node is unset.
This makes no sense b/c it's duplicated code/value/characters and prone to
error. The node.def scripts should be extended to automatically render the
appropriate default value into the CLI help string.
For e.g. SSH the current PoC renders:
$ cat templates-cfg/service/ssh/port/node.def
multi:
type: txt
help: Port for SSH service (default: 22)
val_help: u32:1-65535; Numeric IP port
...
Not all subsystems are already migrated to get_config_dict() and make use of
the defaults() call - those subsystems need to be migrated, first before the new
default is added to the CLI help.
|
|
|
|
|
|
|
|
|
|
As the amount of include files now has reached a certain amount, it is getting
more and more crowsded, thuse introducing "per topic" subdirectories on the
filesystem to keep a clean structure makes sense.
|
|
|
|
This replaces the Python script by a bash variant which is much faster as the
Python interpreter does not need to be launched on invocation.
|
|
This will render the completion help more nicely.
|
|
As of now when adding new credentials for any SNMPv3 user we submit the
credential either plaintext or encrypted. A plaintext credential will be hashed
by SNMPd in the background and then passed back into the CLI so it's not stored
in cleartext. This feels like the wrong way in changing the CLI content with
data produced by a 3rd party daemon which implements the service.
It feels like the tail wiggles the entire dog.
This should be changed in the following way:
- After retrieving the plaintext password from CLI, use Python to hash the key
in advance
- Re-populate the encrypted key into the CLI and drop the plaintext one
- Generate service configuration and continue startup of SNMPd
This also fixes a race condition when SNMPd started up but not properly
provided the hasehd keys in the configuration resulting in a ConfigurationError.
Now as we also support binding SNMPd to a VRF this fixes a deadlock situation
on bootup as we can only bind late to the VRF and require up to 5 restarts of
the service - but the service will never start.
|
|
Match the full input string in regex validation. Previosly "sha123456" was
allowed by the validator but we only support "sha".
|
|
|
|
but commit fails
|
|
* set for trap-(source|target)
|
|
... as the carrot is applied automatically when reading in the XML
definition. Auto replaced by:
$ find interface-definitions -type f | xargs sed -i 's/regex>^/regex>/'
|
|
A lot of XML code is duplicated (VLAN, interface address) for instance. Such
XML definitions should be moved to feature.xml.i files and then just pulled in
via GCC preprocessor #include definition in e.g. bond or ethernet definitions.
This will give us the ability to single-source repeating node definitions as:
* Interface Address
* Interface Description
* Interface Disable
* VLAN (both vif-s and vif-c)
The .in suffix of the interface-definitions is a marker that those files are
input files to the GCC preprocessor. They will be rendered into proper XML
files in the build directory.
Some node definitions have been reworder to remove escaped double quote
occurances which would have been warned about by the GCC preprocessor.
|