summaryrefslogtreecommitdiff
path: root/src/migration-scripts
AgeCommit message (Collapse)Author
2022-01-11Merge pull request #1158 from sarthurdev/firewallChristian Poessinger
firewall: policy: T4131: T4144: T4159: T4164: Fix reported firewall issues, policy-route refactor
2022-01-11policy: T2199: Refactor policy route script for better error handlingsarthurdev
* Migrates all policy route references from `ipv6-route` to `route6` * Update test config `dialup-router-medium-vpn` to test migration of `ipv6-route` to `route6`
2022-01-11migrator: interfaces: T4171: bugfix ConfigTreeErrorChristian Poessinger
Migrating 1.2.8 -> 1.4-rolling-202201110811 vyos-router[970]: Waiting for NICs to settle down: settled in 0sec.. vyos-router[1085]: Started watchfrr. vyos-router[970]: Mounting VyOS Config...done. vyos-router[970]: Starting VyOS router: migrate vyos-router[1490]: Traceback (most recent call last): vyos-router[1490]: File "/opt/vyatta/etc/config-migrate/migrate/interfaces/5-to-6", line 112, in <module> vyos-router[1490]: for if_type in config.list_nodes(['interfaces']): vyos-router[1490]: File "/usr/lib/python3/dist-packages/vyos/configtree.py", line 236, in list_nodes vyos-router[1490]: raise ConfigTreeError("Path [{}] doesn't exist".format(path_str)) vyos-router[1490]: vyos.configtree.ConfigTreeError: Path [b'interfaces'] doesn't exist vyos-router[1455]: Migration script error: /opt/vyatta/etc/config-migrate/migrate/interfaces/5-to-6: Command '['/opt/vyatta/etc/config-migrate/migrate/interfaces/5-to-6', '/opt/vyatta/etc/config/config.boot']' returned non-zero exit status 1.. vyos-router[970]: configure. vyos-config[979]: Configuration success
2022-01-11policy: T4170: rename "policy ipv6-route" -> "policy route6"Christian Poessinger
In order to have a consistent looking CLI we should rename this CLI node. There is: * access-list and access-list6 (policy) * prefix-list and prefix-list6 (policy) * route and route6 (static routes)
2021-12-31Merge branch 'firewall' of https://github.com/sarthurdev/vyos-1x into currentChristian Poessinger
* 'firewall' of https://github.com/sarthurdev/vyos-1x: zone_policy: T3873: Implement intra-zone-filtering policy: T2199: Migrate policy route op-mode to XML/Python policy: T2199: Migrate policy route to XML/Python zone-policy: T2199: Migrate zone-policy op-mode to XML/Python zone-policy: T2199: Migrate zone-policy to XML/Python firewall: T2199: Migrate firewall op-mode to XML/Python firewall: T2199: Migrate firewall to XML/Python
2021-12-25flow-accounting: T4105: drop "sflow agent-address auto"Christian Poessinger
The implementation of the "auto" option to specify the sflow/netflow agent-address is very error prone. The current implementation will determine the IP address used for the "auto" value as follow: Get BGP router-id 1) If not found use OSPF router-id 2) If not found use OSPFv3 router-id 3) If not found use "the first IP address found on the system Well, what is the "first IP address found"? Also this changes if DHCP is in use. Also another disadvantage is when the BGP/OSPF/OSPFv3 router-id is changed, the agent-address is not updated upon the next reboot of the system. This task is about removing the "auto" keyword from the CLI at all and make it either entirely configurable by the user and hardcode the value in CLI, or not use this at all. If "auto" is specified we will query the system in the above order and set the proper router-id in the CLI. If none can be found the CLI node is removed.
2021-12-25flow-accounting: T4099: rename "netflow source-ip" to source-addressChristian Poessinger
sFlow uses the source-address CLI node and netflow uses source-ip this is just confusing and should be synced to the common source-address CLI node.
2021-12-06firewall: T2199: Migrate firewall to XML/Pythonsarthurdev
2021-11-27ospf: T3753: adjust to CLI options new in FRR 8.0Christian Poessinger
FRR 7.5 router ospf passive-interface default no passive-interface eth0.202 Changed int FRR 8 to interface eth0.202 no ip ospf passive ! router ospf ospf router-id 172.18.254.202 log-adjacency-changes detail passive-interface default
2021-11-27ospfv3: T3753: adjust to CLI options new in FRR 8.0Christian Poessinger
2021-10-21tunnel: T3925: dhcp-interface was of no use - use source-interface insteadChristian Poessinger
(cherry picked from commit c1015d8ce0013719eb898b60b14ffec192b8141c)
2021-10-21tunnel: T3925: shift migration scripts by oneChristian Poessinger
Required for the dhcp-interface migration
2021-10-04bgp: T3741: "parameter default no-ipv4-unicast" is now a default optionChristian Poessinger
2021-09-26T3866: ignore interfaces without "address" in DNS forwarding migrationDaniil Baturin
2021-09-21vrrp: keepalived: T3847: migrate/streamline CLI optionsChristian Poessinger
Rename virtual-address -> address as we always talk about an IP address.
2021-09-21vrrp: keepalived: T3847: remove "transition-script mode-force" optionChristian Poessinger
2021-09-19dhcp-server: T3672: migrate failover name optionChristian Poessinger
Commit 2985035b (dhcp-server: T3672: re-add missing "name" CLI option) unfortunately did not add the name option to the migration script.
2021-09-19dhcp-server: T3672: only one failover peer is supportedChristian Poessinger
2021-09-18dhcp-server: T3838: rename dns-server to name-server nodeChristian Poessinger
IPv4 DHCP uses "dns-server" to specify one or more name-servers for a given pool. In order to use the same CLI syntax this should be renamed to name-server, which is already the case for DHCPv6.
2021-09-18dhcp-server: T1968: allow multiple static-routes to be configuredChristian Poessinger
vyos@vyos# show service dhcp-server shared-network-name LAN { subnet 10.0.0.0/24 { default-router 10.0.0.1 dns-server 194.145.150.1 lease 88 range 0 { start 10.0.0.100 stop 10.0.0.200 } static-route 192.168.10.0/24 { next-hop 10.0.0.2 } static-route 192.168.20.0/24 { router 10.0.0.2 } } }
2021-09-05name-server: T3804: merge "system name-servers-dhcp" into "system name-server"Christian Poessinger
We have "set system name-server <ipv4|ipv6>" to specify a name-server IP address we wan't to use. We also have "set system name-servers-dhcp <interface>" which does the same, but the name-server in question is retrieved via DHCP. Both CLI nodes are combined under "set system name-server <ipv4|ipv6|interface>" to keep things as they are in real life - we need a name-server. (cherry picked from commit 2ecf7a9f9cbe9359457bd23b4a0c45f3763123c7)
2021-09-05system: T3804: rename migration script 20-to-21 -> 21-to-22Christian Poessinger
VyOS 1.3 equuleus now uses version 21 so we have to bump this by one.
2021-08-31vyos.ethtool: T3163: purify code to read and change flow-control settingsChristian Poessinger
It makes no sense to have a parser for the ethtool values in ethtool.py and ethernet.py - one instance ios more then enough!
2021-08-31ethernet: T2241: check if interface supports changing speed/duplex settingsChristian Poessinger
Not all interface drivers have the ability to change the speed and duplex settings. Known drivers with this limitation are vmxnet3, virtio_net and xen_netfront. If this driver is detected, an error will be presented to the user.
2021-08-30ethernet: T3787: remove deprecated UDP fragmentation offloading optionChristian Poessinger
Deprecated in the Linux Kernel by commit 08a00fea6de277df12ccfadc21 ("net: Remove references to NETIF_F_UFO from ethtool."). (cherry picked from commit f5e46ee6cc2b6c1c1869e26beca4ccd5bf52b62f)
2021-08-30ethernet: T3619: fix VyOS 1.2 -> 1.3 performance degradationChristian Poessinger
An analysis of the code base from VyOS 1.2 -> 1.3 -> 1.4 revealed the following "root-cause" VyOS 1.2 uses the "old" node.def file format for: * Generic Segmentation Offloading * Generic Receive Offloading So if any of the above settings is available on the configuration CLI, the node.def file will be executed - this is how it works. By default, this CLI option is not enabled in VyOS 1.2 - but the Linux Kernel enables offloading "under the hood" by default for GRO, GSO... which will boost the performance for users magically. With the rewrite in VyOS 1.3 of all the interface related code T1579, and especially T1637 this was moved to a new approach. There is now only one handler script which is called whenever a user changes something under the interfaces ethernet tree. The Full CLI configuration is assembled by get_interface_dict() - a wrapper for get_config_dict() which abstracts and works for all of our interface types - single source design. The problem now comes into play when the gathered configuration is actually written to the hardware, as there is no GSO, GRO or foo-offloading setting defined - we behave as instructed and disable the offloading. So the real bug originates from VyOS 1.2 and the old Vyatta codebase, but the recent XML Python rewrites brought that one up to light. Solution: A configuration migration script will be provided starting with VyOS 1.3 which will read in the CLI configuration of the ethernet interfaces and if not enabled, will query the adapter if offloading is supported at all, and if so, will enable the CLI nodes. One might say that this will "blow" the CLI configuration but it only represents the truth - which was masked in VyOS 1.2. (cherry picked from commit a515212f4efb08846df04405f31a828edcd63552)
2021-08-30ethernet: T3619: rename interfaces migration scriptsChristian Poessinger
VyOS 1.4 already had a migrator for interfaces 20 -> 21, but this is a different one compared to the one in VyOS 1.3 - thus we bump every migration scripts version by one to have the same 20-to-21 converter in both VyOS 1.3 and 1.4. This is possible as VyOS 1.4 (sagitta) is still a highly experimental version and expected to break from time to time :(.
2021-08-21interfaces: T3090: migrate adjust-mss from "firewall options" to "interface" ↵Christian Poessinger
level Getting rid of "set firewall options" and move it from: set firewall options interface ethX adjust-mss 1400 set firewall options interface ethX adjust-mss6 1400 to: set interfaces ethernet ethX ip adjust-mss 1400 set interfaces ethernet ethX ipv6 adjust-mss 1400 In addition add an extra option called clamp-mss-to-pmtu instead of a value.
2021-08-15conntrack: T3275: migrate 'disable' syntax to 'enable' syntax for the new ↵Lulu Cathrinus Grimalkin
default behavior
2021-08-06migration: T548: Rename quagga scripts for correct seqViacheslav
Rename quagga migration scripts for correct sequences between 1.3 and 1.4 branches 7-to-8 in 1.3 uses the same migration as 8-to-9 in 1.4 This PR fix it
2021-07-25tunnel: T3366: re-order migration scriptsChristian Poessinger
The migrator from 20-to-21 is required as 19-to-20 on VyOS 1.3 - thus simply rename/reorder the two migrators to not break things the hard way when upgrading from 1.3 -> 1.4.
2021-07-22ipsec: T2816: remove "auto-update" CLI optionChristian Poessinger
Update/refresh of DNS records is now handled internally by Strongswan.
2021-07-22pki: https: T3642: Migrate HTTPS to use PKI configurationsarthurdev
2021-07-21pki: openvpn: T3642: Migrate OpenVPN to PKI and refactorsarthurdev
2021-07-20pki: eapol: T3642: Migrate EAPoL to use PKI configurationsarthurdev
2021-07-20pki: T3642: Fix Wireguard migration commentsarthurdev
2021-07-20pki: sstp: T3642: Migrate SSTP to PKI configurationsarthurdev
2021-07-20pki: openconnect: T3642: Migrate OpenConnect SSL to PKI configurationsarthurdev
2021-07-19pki: wireguard: T3642: Migrate Wireguard private key directly into CLIsarthurdev
Also renames peer pubkey to public-key for consistency
2021-07-17Merge pull request #927 from zdc/T3655-sagittaChristian Poessinger
VRF: T3655: proper connection tracking for VRFs
2021-07-17VRF: T3655: proper connection tracking for VRFszsdc
Currently, all VRFs share the same connection tracking table, which can lead to problems: - traffic leaks to a wrong VRF - improper NAT rules handling when multiple VRFs contain the same IP networks - stateful firewall rules issues The commit implements connection tracking zones support. Each VRF utilizes its own zone, so connections will never mix up. It also adds some restrictions to VRF names and assigned table numbers, because of nftables and conntrack requirements: - VRF name should always start from a letter (interfaces that start from numbers are not supported in nftables rules) - table number must be in the 100-65535 range because conntrack supports only 65535 zones
2021-07-17ipsec: T2816: migrate "ipsec interfaces" to "interface"Christian Poessinger
2021-07-15pki: ipsec: l2tp: T2816: T3642: Move IPSec/L2TP code into vpn_ipsec.py and ↵sarthurdev
update to use PKI.
2021-07-12vrf: route: static: T2450: we also need to migrate the interface based routesChristian Poessinger
Previously during migration if one had used interface routes, the VRF based ones got not migrated. The following "old" VyOS 1.3 configuration did not get migrated: set protocols static interface-route 10.20.0.0/24 next-hop-interface eth2 next-hop-vrf 'blue' set protocols static interface-route 10.30.0.0/24 next-hop-interface br10 next-hop-vrf 'red' set protocols vrf blue static interface-route 10.0.0.0/24 next-hop-interface eth1 next-hop-vrf 'default' set protocols vrf red static interface-route 10.0.0.0/24 next-hop-interface eth1 next-hop-vrf 'default' set vrf name blue table '3000' set vrf name mgmt table '1000' set vrf name red table '2000' It must get migrated to: set protocols static route 10.20.0.0/24 interface eth2 vrf 'blue' set protocols static route 10.30.0.0/24 interface br10 vrf 'red' set vrf name blue protocols static route 10.0.0.0/24 interface eth1 vrf 'default' set vrf name blue table '3000' set vrf name mgmt table '1000' set vrf name red protocols static route 10.0.0.0/24 interface eth1 vrf 'default' set vrf name red table '2000'
2021-07-07pki: T3642: Migrate rsa-keys to PKI configurationsarthurdev
2021-07-03ipsec: T2816: rework log options for debuggingChristian Poessinger
Renamed CLI from "logging log-modes" to "log subsystem" and "logging log-level" to "log level". THat is more human firendly.
2021-07-01pki: ipsec: T3642: Update migration script to account for file permission issuessarthurdev
2021-06-29pki: ipsec: T3642: Migrate IPSec to use PKI configurationsarthurdev
2021-06-17policy: T3631: migrate "set extcommunity-rt|soo" to "set extcommunity rt|soo"Christian Poessinger
migrate "set extcommunity-rt" and "set extcommunity-soo" to "set extcommunity rt|soo" to match FRR syntax. This also makes it easier to implement the "bandwidth" extended community.
2021-06-13wwan: T3620: reorder mirgation scripts for 1.3 backportChristian Poessinger
As the new WWAN interface style is backported to VyOS 1.3 we also need to shift the order of the interface migration scripts. so the same order from VyOS 1.4 also applies to VyOS 1.3. In short, 21-to-22 is renamed to 18-to-19 and all other migrators are shifted up one version.