| Age | Commit message (Collapse) | Author |
|---|
|
|
|
When MACsec was bound to an ethernet interface and the underlaying
source-interface got changed (even description only) this terminated the
MACsec session running on top of it.
The root cause is when EAPoL was implemented in commit d59354e52a8a7f we
re-used the same systemd unit which is responsible for MACsec. That indeed lead
to the fact that wpa_supplicant was always stopped when anything happened on
the underlaying source-interface that was not related to EAPoL.
|
|
|
|
ConfigTreeQuery()
When VyOS is booting and an interface is brought up (PPPoE) which requires a
user callback script that is executed asynchronously when the interface is up
we can not use Config(). The problem is, Config() is not available when
the system starts and the initial commit is still processed.
We need to move to ConfigTreeQuery() which was build for this exact same
purpose. TO reduce side effects and also dependencies on the entire
vyos.configdict library the set_level()/get_level() calls got eliminated
from within the library. All calls to functions like:
* get_removed_vlans()
* is_node_changed()
* leaf_node_changed()
* is_mirror_intf()
* ...
Now require that the full config path to the node is passed.
|
|
|
|
|
|
|
|
|
|
files
This commit updates the eapol code so that it writes the full
certificate chains for both the specified CA and the client certificate
to `<iface>_ca.pem` and `<iface>_cert.pem`, respectively.
The full CA chain is necessary for validating the incoming server
certificate when it is signed by an intermediate CA and the
intermediate CA cert is not included in the EAP-TLS ServerHello. In this
scenario, wpa_supplicant needs to have both the intermediate CA and the
root CA in its `ca_file`.
Similarly, the full client certificate chain is needed when the ISP
expects/requires that the client (wpa_supplicant) sends the client cert
+ the intermediate CA (or even + the root CA) as part of the EAP-TLS
ClientHello.
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
|
|
This commit fixes a small typo where the client cert name was being used
to index the CA configuration dict.
Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
|
|
Move the two implementations to get the driver name of a NIC from ethernet.py
and ethtool.py to only ethtool.py.
(cherry picked from commit 07840977834816b69fa3b366817d90f44b5dc7a7)
|
|
|
|
|
|
This commit also extends the smoketest to verify that the exception for this
error is raised.
|
|
It makes no sense to have a parser for the ethtool values in ethtool.py
and ethernet.py - one instance ios more then enough!
|
|
Only update the RX/TX ring-buffer settings if they are different from the ones
currently programmed to the hardware. There is no need to write the same value
to the hardware again - this could cause traffic disruption on some NICs.
|
|
Not all interface drivers have the ability to change the speed and duplex
settings. Known drivers with this limitation are vmxnet3, virtio_net and
xen_netfront. If this driver is detected, an error will be presented to the
user.
|
|
Ethernet adapters have a discrete set of available speed and duplex settings.
Instead of passing every value down to ethtool and let it decide, we can do
this early in the VyOS verify() function for ethernet interfaces.
|
|
|
|
In addition to commit cf1156a60e ("ethernet: T3163: probe driver for maximum
rx/tx ring-buffer size") this extends the logic in a way as not every driver
supports setting the buffers at all so it will properly error out.
When invoking "ethtool -g" both stdout and stderr are captured and no exception
is raised if it's an unsupported driver feature. The verify() section will
inform the user about the illegal operation.
|
|
|
|
|
|
|
|
|
|
|
|
set interfaces ethernet <interface> offload rps
|
|
|
|
|
|
|
|
Using an MTU less then the required 1280 bytes (as per RFC) on an interface
where IPv6 is not explicitly disabled by:
- set interfaces ethernet eth1 ipv6 address no-default-link-local
- not having any other IPv6 address configured
Will now trigger a commit error via verify() instead of raising
FileNotFoundError!
|
|
Check the hardware if MTU value is supported at all.
|
|
|
|
Further reduce the boiler-plate code to determine interface tag node or not.
It can be passed into get_interface_dict() if explicitly required - else it
is taken from the environment.
|
|
After switching from raw parsing of the interface options to get_config_dict()
this utilizes another utility function which wraps get_config_dict() and adds
other common and reused parameters (like deleted or bridge member).
Overall this drops redundant code (again) and makes the rest more maintainable
as we only utilize a single function.
|
|
The current VyOS CLI parser code written in Python contains a ton of duplicates
which I can also hold myself accountable for - or maybe mainly me - depends on
the angle of judge.
While providing a new update() method in vyos.ifconfig.interfaces() this is
extended for bridge interfaces in the derived bridge class.
Signed-off-by: Christian Poessinger <christian@poessinger.com>
|
|
The current VyOS CLI parser code written in Python contains a ton of duplicates
which I can also hold myself accountable for - or maybe mainly me - depends on
the angle of judge.
While providing a new update() method in vyos.ifconfig.interfaces() this is
extended for ethernet based interfaces which also supports 802.1q, 802.1ad
VLANs. This commit migrates the existing codebase for an ethernet based
interfaces and implements the missing parts for VLANs. Adding or migrating other
interfaces (e.g. bridge or bond) will become much easier as they must reuse
the entire functionality - we now walk towards a single codepath.
Thanks for all who made this combined effort possible!
Signed-off-by: Christian Poessinger <christian@poessinger.com>
|
|
|
|
airbag :T2088: make airbag explicit
|
|
airbag must now be explicitly installed.
the patch also allow to fully disables the installation of the logging
code at setup (and not just installing and doing nothing)
|
|
|
|
|
|
Some ISPs (e.g. Comcast) only delegate a /64 by default. You have to explicitly
"ask" for a bigger (e.g. /60) prefix. This commit adds a CLI node to request
a specific prefix length in the range 32 - 64.
dhcpv6-options {
prefix-delegation {
length 60
}
}
|
|
Rename the CLI nodes for prefix delegation from "dhcpv6-options delegate
<interface>" to "dhcpv6-options prefix-delegation interface <interface>".
The change is required to add the possibility to request for specific prefix
sized via the CLI. That option was not possible with the old configuration
tree.
|
|
Copy/paste error resulting in:
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/interfaces-ethernet.py", line 303, in <module>
apply(c)
File "/usr/libexec/vyos/conf_mode/interfaces-ethernet.py", line 205, in apply
e.dhcp.v6.options['dhcpv6_pd'] = e['dhcpv6_pd']
TypeError: 'EthernetIf' object is not subscriptable
|
|
Add support for prefix delegation when receiving the prefix via ethernet,
bridge, bond, wireless.
|
|
This is to remove the amount of duplicated entries in dictionaries. It's one
more part to move to a unified interface management.
|
|
|
|
|
|
Previously, set_vrf was always called, which uses the same master and nomaster
commands as bridge, so it removed the interface from the bridge.
- add checks to make VRF and bridge membership mutually exclusive
- always re-add the interface back to any bridge it is part of
|
|
Bond members should not have any addresses assigned.
|
