Age | Commit message | Author |
|
Add new nodes for 'service dns forwarding domain':
'addnta': adds addNTA to lua-config-file
'recursion-desired': sets '+' before the zone in forward-zones-file
The migrator sets both options for all configured domains. This is
usually the desired config.
|
The previous implementation only supported disabling DHCP nameservers for
all interfaces, and was implemented improperly so it didn't work anyway.
This migrates it to name-servers-dhcp <interface>, which allows us to enable
just the interfaces we want to use for system DNS, identical in syntax to
'service dns forwarding dhcp <interface>'.
The migrator searches through all interfaces that have address 'dhcp(v6)?'
and adds them to the name-servers-dhcp list if disable-dhcp-nameservers is
not set, else it does nothing.
|
During testing it was discovered that there is a well known problem (we had for
ethernet interfaces) also in the serial port world. They will be enumerated and
mapped to /dev/ttyUSBxxx differently from boot to boot. This is especially
painful on my development APU4 board which also has a Sierra Wireless MC7710
LTE module installed.
The serial port will toggle between ttyUSB2 and ttyUSB5 depending on the
amount of serial port extenders attached (FT4232H).
The shipped udev rule (/usr/lib/udev/rules.d/60-serial.rules) partly solves
this by enumerating the devices into /dev/serial/by-id folder with their name
and serial number - it's a very good idea but I've found that not all of the
FT4232H dongles have a serial number programmed - this leads to the situation
that when you plug in two cables with both having serial number 0 - only one
device symlink will appear - the previous one is always overwritten by the
latter one.
Derive /usr/lib/udev/rules.d/60-serial.rules and create a /dev/serial/by-bus
directory and group devices by attached USB root port.
|
Migrate the serial console subsystem to XML and Python.
|
Commit 1c7d7cbd39 ("wwan: T2529: migrate device from ttyUSB to usbXbY.YpZ.Z")
added a new completion helper path for USB based serial interfaces. If no USB
based serial port was available on the system this produced the following
error: "ls: cannot access '/dev/serial/by-bus': No such file or directory"
Only list USB based serial interfaces if there is at least one connected to
the system.
|
During testing it was discovered that there is a well known problem (we had for
ethernet interfaces) also in the serial port world. They will be enumerated and
mapped to /dev/ttyUSBxxx differently from boot to boot. This is especially
painful on my development APU4 board which also has a Sierra Wireless MC7710
LTE module installed.
The serial port will toggle between ttyUSB2 and ttyUSB5 depending on the
amount of serial port extenders attached (FT4232H).
The shipped udev rule (/usr/lib/udev/rules.d/60-serial.rules) partly solves
this by enumerating the devices into /dev/serial/by-id folder with their name
and serial number - it's a very good idea but I've found that not all of the
FT4232H dongles have a serial number programmed - this leads to the situation
that when you plug in two cables with both having serial number 0 - only one
device symlink will appear - the previous one is always overwritten by the
latter one.
Derive /usr/lib/udev/rules.d/60-serial.rules and create a /dev/serial/by-bus
directory and group devices by attached USB root port.
vyos@vyos:~$ find /dev/serial/by-bus/ -name usb* -exec basename {} \; | sort
usb0b1.3p1.0
usb0b1.3p1.2
usb0b1.3p1.3
usb0b2.4p1.0
usb0b2.4p1.1
usb0b2.4p1.2
usb0b2.4p1.3
So we have USB root 0 with bus 1.3 and port 1.0. The enumeration is constant
across reboots.
|
openvpn: T2550: fix for IPv4 remote-host addresses
|
Commit bb9f998 added IPv6 support for OpenVPN, but IPv4 only
configurations stopped working (Address family for hostname not supported).
Commit fc467519 fixed some scenarios by using IPv4 protocols
if 'local-host' is an IPv4 address, but the client mode is using
'remote-host' instead and was still broken.
This commit in addition to 'local-host' also checks all the
'remote-host' addresses.
|
When migrating all single instances of the IP address XML definition to the
reusable include file an error was ported, too. This allowed an interface to be
assigned an IPv4/IPv6 network address, e.g. 192.0.2.0/24, which is invalid.
The validator has been fixed to only allow IPv4/IPv6 host addresses instead.
|
Rename the CLI nodes for prefix delegation from "dhcpv6-options delegate
<interface>" to "dhcpv6-options prefix-delegation interface <interface>".
The change is required to add the possibility to request specific prefix
sizes via the CLI. That option was not possible with the old configuration
tree.
|
MACsec always talks about MKA (MACsec Key Agreement protocol) thus the node
should reflect that.
|
This is best suited as a key is required, too.
|
Cipher type gcm-aes-256 is supported by Linux 4.19 but it is not available in
iproute2 4.19. We could backport it of course but the plan is to upgrade to a
more recent 5.x series kernel anyway once all out-of-tree module issues are
resolved, mainly Intel QAT.
gcm-aes-256 support was added to iproute2 package with commit b16f5253233 ("Add
support for configuring MACsec gcm-aes-256 cipher type.") which made it into
the 5.2 release of iproute2.
|
By default MACsec only authenticates traffic but has support for optional
encryption. Encryption can now be enabled using:
set interfaces macsec <interface> encrypt
|
bgp-xml: T2387: Commands in XML for [conf_mode] bgp
|
Add support for prefix delegation when receiving the prefix via ethernet,
bridge, bond, wireless.
|
The following configuration will assign a /64 prefix out of a /56 delegation
to eth0. The IPv6 address assigned to eth0 will be <prefix>::ffff/64.
If you do not know the prefix size delegated to you, start with sla-len 0.
pppoe pppoe0 {
    authentication {
        password vyos
        user vyos
    }
    description sadfas
    dhcpv6-options {
        delegate eth0 {
            interface-id 65535
            sla-id 0
            sla-len 8
        }
    }
    ipv6 {
        address {
            autoconf
        }
        enable
    }
    source-interface eth1
}
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             2001:db8:8003:400::ffff/64        u/u
|
- define XML CLI interface
- read CLI into Python dict
|
It allows IP protocol numbers 0-255, protocol names e.g. tcp, ip, ipv6 and the
negated form with a leading "!".
|
Exclude validators are required to support the ! (not) operator on the CLI to
exclude addresses from NAT.
|
New command added:
* set vpn sstp network-settings name-server 2001:db8::1111
|
New commands added:
* set vpn sstp network-settings client-ipv6-pool prefix 2001:db8::/64 mask 112
* set vpn sstp network-settings client-ipv6-pool delegate 2001:db8:100::/48 delegation-prefix 64
|
The subnet specific nodes sip-server-address & sip-server-name do the same for
the user - specify a SIP server. Only the backend is rendered in a different
way, as ISC DHCPv6 expects different options. There is absolutely no need for
the user to distinguish between the two nodes.
|