Age | Commit message (Collapse) | Author |
|
|
|
T5160: Firewall refactor
|
|
Q-in-Q interface
When migration from 1.3 to 1.4 and a user hat the following configured:
options {
interface eth0.10{
adjust-mss 1452
adjust-mss6 1432
}
}
The configuration was wrongly migrated to:
interfaces {
ethernet eth0.10 {
ipv6 {
adjust-mss "1432"
}
ip {
adjust-mss "1452"
}
}
Instead of
interfaces {
ethernet eth0 {
vif 10 {
ipv6 {
adjust-mss "1432"
}
ip {
adjust-mss "1452"
}
}
}
|
|
|
|
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
|
|
that contains fqnd and/or geo-ip in base chains. Fix mig script
|
|
|
|
smoketest
|
|
|
|
T5427: Fix migration script arguments len expects 2 args
|
|
Disabeled adding the peer with the same public key as the router has.
Added smoketest
|
|
The script's name is always provided as the first argument sys.argv[0]
Expected length for argv is 2 (script itself + config file)
Change: 'if (len(argv) < 1)' to 'if len(argv) < 2'
|
|
T5154: NTP: allow maximum of one ipv4 and one ipv6 address on paramet…
|
|
|
|
<listen-address>. Also allow only one single value <interface>.
|
|
policy: T5357: only delete migrated BGP community rules
|
|
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process
* T5195: use read_file and write_file implementation from vyos.utils.file
Changed code automatically using:
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} +
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} +
* T5195: move chmod* helpers to vyos.utils.permission
* T5195: use colon_separated_to_dict from vyos.utils.dict
* T5195: move is_systemd_service_* to vyos.utils.process
* T5195: fix boot issues with missing imports
* T5195: move dict_search_* helpers to vyos.utils.dict
* T5195: move network helpers to vyos.utils.network
* T5195: move commit_* helpers to vyos.utils.commit
* T5195: move user I/O helpers to vyos.utils.io
|
|
|
|
Migrate:
high-availability virtual-server 203.0.113.1
to: high-availability virtual-server <name> address 203.0.113.1
|
|
|
|
... this is a step towards a new and better implementation that will utilize
VPP.
|
|
dns: T5144: Modernize dynamic dns operation (round 2)
|
|
Incorrect logic of node deletion now raises error, after T5251.
|
|
Create migration and bump package version from 0 -> 1 for dynamic dns
|
|
The node was already deleted in the 'if path exists' branch; attempt to
delete in 'else' branch will now raise an error.
|
|
|
|
|
|
This would allow using custom ports in name server operating on non-
default port for forwarding zones.
This is a follow-up to T5113 for sake of completeness and having
consistent treatment of all name servers configured in PowerDNS recursor.
Additionally, migrate `service dns forwarding domain example.com server`
to `service dns forwarding domain foo3.com name-server` for consistency
and reusability.
|
|
|
|
* removed unused `re` from imports
* replaced `return_value()` to `return_values()` for `remote-address`
because this is a multi-value configuration node
|
|
Tunnel interface multicast settings can be "enabled or disabled". As we prefer
valueless nodes, and the linux kernel default is "disabled" we should add a
set interfaces tunnel tunXX enable-multicast
command
|
|
Not supported with swanctl
|
|
Replace links to the phabricator site from https://phabricator.vyos.net to
https://vyos.dev
|
|
tc acccepts the bandwidth value/unit pairs as lowercase - so does the VyOS CLI
validator work, too.
|
|
sstp-client
|
|
T4916: Rewrite IPsec peer authentication and psk migration
|
|
config.copy does not recursively create nodes of the path. On install
image, the path ['service'] is not present in config.boot.default, so
must be created before config.copy['service', 'ntp'].
|
|
Rewrite strongswan IPsec authentication to reflect structure
from swanctl.conf
The most important change is that more than one local/remote ID in the
same auth entry should be allowed
replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
=> 'ipsec authentication psk <tag> secret xxx'
set vpn ipsec authentication psk <tag> id '192.0.2.1'
set vpn ipsec authentication psk <tag> id '192.0.2.2'
set vpn ipsec authentication psk <tag> secret 'xxx'
set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'
Add template filter for Jinja2 'generate_uuid4'
|
|
T4857: SNMP: Implement FRR SNMP Recomendations
|
|
|
|
|
|
* Move CLI from "system ntp" -> "service ntp"
* Drop NTP server option preempt as not supported by chrony
|
|
|
|
|
|
|
|
Commit 60c80df4 ("container: T4870: bump package version 0 -> 1 for filesystem
change") introduced a fundamental change in the container storage driver that
required a manual migration step from the user to not loose any data.
This commit removes the manual user interaction and temporary exports the
container images and re-imports them after the filesystem got changed. The only
things that get lost are orphaned container images no longer referenced by the
CLI - thats an adequate trade-off as those images can always be re-added to the
system.
|
|
move from vfs to overlay driver
The following pre iage upgrade script must be executed to have containers after
the reboot:
for pod in $(cli-shell-api listActiveNodes container name); do
systemctl stop vyos-container-${pod//\'}.service
done
sed -i 's/vfs/overlay/g' /etc/containers/storage.conf /usr/share/vyos/templates/container/storage.conf.j2
rm -rf /usr/lib/live/mount/persistence/container/storage/libpod
for pod in $(cli-shell-api listActiveNodes container name); do
image=$(cli-shell-api returnActiveValue container name ${pod//\'} image)
podman image pull $image
systemctl start vyos-container-${pod//\'}.service
done
for dir in vfs vfs-containers vfs-images vfs-layers; do
rm -rf /usr/lib/live/mount/persistence/container/storage/$dir
done
|
|
Migration for "remote-id" where peer is IPv4 or IPv6 address
was missed
It was only migration if peer starts with "@"
It cause that you must manualy set 'remote-id' to get it working
correctly
replace 'vpn ipsec site-to-site peer 192.0.2.2'
=> 'vpn ipsec site-to-site peer peer_192-0-2-2 authentication remote-id 192.0.2.2'
|
|
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
|
|
so this new group can be used in inbound and outbound matcher
|