Age | Commit message | Author |
|
firewall: T970: Add firewall group domain-group
|
|
* Removed dynamic generating for systemd unit
* Optimized configuration file deleting process
* Added exceptions handlers to event-handler script to protect service
from most obvious potential troubles
* Improved logging
* Moved pattern compilation outside a messages loop to avoid extra operations
* Added signal handlers for proper systemd integration
|
|
Domain group allows filtering addresses by domain name.
Resolved addresses are stored as elements in a named "nft set"
that is used in the nftables rules.
Also added a dynamic "resolver" systemd daemon
vyos-domain-group-resolve.service which starts a Python script
for the domain-group addresses resolving by timeout 300 sec
    set firewall group domain-group DOMAINS address 'example.com'
    set firewall group domain-group DOMAINS address 'example.org'
    set firewall name FOO rule 10 action 'drop'
    set firewall name FOO rule 10 source group domain-group 'DOMAINS'
    set interfaces ethernet eth0 firewall local name 'FOO'

    nft list table ip filter
    table ip filter {
        set DOMAINS {
            type ipv4_addr
            flags interval
            elements = { 192.0.2.1, 192.0.2.85,
                         203.0.113.55, 203.0.113.58 }
        }
        chain NAME_FOO {
            ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"
            counter packets 0 bytes 0 return comment "FOO default-action accept"
        }
    }
|
|
upnpd: T3420: Support UPNP protocol
|
|
If a CLI configuration is not available, dhclient cannot add
nameservers to a `resolv.conf` file, because `vyos-hostsd` requires that
an interface be listed in the `set system name-server` option.
This commit introduces two changes:
* `vyos-hostsd` service will not be started before Cloud-Init fetches all
remote data. This is required because all meta-data should be available
for Cloud-Init before any of VyOS-related services start since it is
used for configuration generation.
* the `vyos-hostsd-client` in the `dhclient-script` will be used only if
the `vyos-hostsd` is running. In other words, if VyOS services have already
started, dhclient changes `resolv.conf` using `vyos-hostsd`; in other
cases it does this directly.
These changes should protect us from problems with DHCP during system
boot if DHCP is required by third-party utils.
|
|
tftp: T4012: Add TFTP VRF support
|
|
This reverts commit 6b48900358ce9b01eaa78e3a086e95a26064f0df.
|
|
Debian Bullseye ships an upstream version of lcdproc.service which in fact will
start LCDd instead of the lcdproc client.
Divert the Debian Upstream service file and use the ones provided by vyos-1x.
|
|
This reverts commit a4bb1b77ff415700e00df3768915fdc176f779d1.
|
|
Replace the Flask micro-framework with FastAPI, in order to support
extensions to the API and OpenAPI 3.* generation. This change will
remain backwards compatible with previous versions. Notably, the
multipart forms version of requests remains supported; in addition
application/json requests are now natively supported.
|
|
(cherry picked from commit d5804b19d3ffecdd4fe6bd89d50ac84dabb549fd)
|
|
Lift the default daemon startup rate-limit when launching the dropbear service
used by SSH connections to the console port.
|
|
- Upstream interfaces require a DHCPv6 server to be configured
- Listen interface must have a global unicast address assigned, else
ISC dhcrelay won't start.
|
|
* set system lcd device <device>
* set system lcd model <model>
Both device and model have completion helpers for supported interfaces and LCD
displays.
|
|
t2564-lcd
* 'system-display' of https://github.com/fmertz/vyos-1x:
system display: T2564: Added test model
system display: T2564: Dictionary code update
system display: T2564: Conf files to /run
system display: T2564: Changed "duration" to "time"
system display: T2564: py code cleanup
system display: T2564: Replace "config (enabled|disabled)" with "display disabled"
system display: T2564: Lowercase model names
system display: T2564 Extend VyOS to support appliance LCDs
|
|
* src/conf_mode/system-display.py conf files to /run
+ src/systemd/LCDd@.service lo
- src/systemd/lcdproc.service
+ src/systemd/lcdproc@.service lo
|
|
Added support for system LCDs under CLI system display
+data/templates/system-display/LCDd.conf.tmpl template for LCDd server configuration file
+data/templates/system-display/lcdproc.conf.tmpl template for lcdproc client configuration file
+interface-definitions/system-display.xml.in CLI for system display
+src/conf_mode/system-display.py processing code for system display
+src/systemd/lcdproc.service systemd service definition file for lcdproc client
CLI:
system display model (SDEC|EZIO)
system display config (enabled|disabled)
system display show host (cpu|cpu-all|cpu-hist|disk|load-hist|memory|proc|uptime)
network interface <intName> alias <alias>
units (bps|Bps|pps)
clock (big|mini|date-time)
title <name>
system display duration <s>
system display hello <string>
system display bye <string>
|
|
T2486: DNS, vyos-hostsd fixes
|
|
StartLimitIntervalSec is part of the [Unit] definition and not the [Service]
definition [1]. This caused the following warning message:
systemd[1]: /lib/systemd/system/dhcp6c@.service:12: Unknown lvalue
'StartLimitIntervalSec' in section 'Service', ignoring
This error has been introduced via commit 992d356 ("dhcpv6-pd: T421: workaround
for non existing interfaces").
[1]: https://www.freedesktop.org/software/systemd/man/systemd.unit.html
|
|
A user can define a port under the SSH node per device. When connecting to that
port and authenticating using regular credentials we will immediately drop to
the serial console. This is the same as executing "connect serial-proxy <name>".
|
|
Add a 'dhcpd' system user that is a member of hostsd group and can
connect to vyos-hostsd.
Run dhcpd as this user.
|
|
To better control access from other daemons that may not be running as root,
create a new group 'hostsd' to which the other daemons running users can be
added.
Run vyos-hostsd as root:hostsd to create the socket file with correct user and
group.
|
|
- set RuntimeDirectory to vyos-hostsd
- set RuntimeDirectoryPreserve in order to not delete the state file between
service restarts (/run will be deleted across reboots as it's on a tmpfs but
the state doesn't need to be saved across reboots anyway)
- set WorkingDirectory to /run/vyos-hostsd
|
|
When DHCPv6-PD is configured to delegate a prefix to a non existing interface,
it is restarted (systemd default) but will then hit the restart rate-limit which
disables the service entirely.
As VyOS currently has no "hook" to be called once an interface goes online we
need this "trial and error" approach until there is a way to deal with it. This
behavior can be reproduced when delegating an IPv6 prefix to a bridge interface
as a bridge interface will always be started after all interfaces have been
configured.
We will now restart dhcp6c as long as the requested interface is online.
|
|