Age | Commit message (Collapse) | Author |
|
|
|
T4118: Add default value any for connection remote-id
|
|
|
|
If IPsec "peer <tag> authentication remote-id" is not set
it should be "%any" by default
https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote
Set XML default value in use it in the python vpn_ipsec.py script
|
|
They can't be set at the same time.
|
|
Changed restart to reload-or-restart in commit.
It allows to reload the config and not restart webporxy service
during commit.
|
|
|
|
container: T4880: expose 'add/delete container image' in HTTP-API
|
|
We get incorrect data when shows connections
As we get list of all connections we should compare the connection
name with entries in list and set correct data if they match
|
|
|
|
Encapsulating the add/delete image commands in the op-mode script allows
automatic generation of corresponding API schema definitions.
|
|
|
|
This reverts commit 6857447bf6acba3537d5e5372cd320aef078b81e.
|
|
T4877: Added more checks if "import vrf" is used in bgp
|
|
1. Fixed: If rd and route-target are used in VRF, can not use "import vrf"
in the same VRF in the same AFI/SAFI.
2. Fixed: If rd and route-target is used in VRF, this VRF can not be in
the list of command "import vrf" in the same AFI/SAFI but in
other VRFs.
3. Fixed: Do not allow to delete vrf if it is used in import list
of other vrfs.
4. Added smoketests to check "import vrf" issues.
|
|
Commit dafb0da2 ("static: T4883: add a description field for routing tables")
added an iproute2 description table but lacked checking if the key exists.
This has been fixed and also converted to Jinja2 to keep the "common" style
inside the routing protocols. It might feel overengineered indeed.
|
|
|
|
T1237: Fix failover route install route with diff metrics
|
|
T4883: add a description field for routing tables
|
|
used
We need to ensure that source-address is assigned on source-interface before
applying the configuration, else SSH client will have a hard time talking to
someone.
|
|
|
|
Commit 846e306700a ("ssh: T2651: add cli options for source address") added
support for a basic SSH client option, but it grabbed the entire
/etc/ssh/ssh_config file without the ability to make custom user
adjustments via the /etc/ssh/ssh_config.d/ folder.
This vommit places the VyOS SSH options under /etc/ssh/ssh_config.d/ leaving
the common override system alive.
|
|
This makes transitions/updates faster and less error prone
|
|
|
|
If there is no route in the routing table (requires install route)
it checks routing table and returns best route None
But if we have 2 routes to the same dest ip but with different
metrics it doesn't get None (not first route install)
It cause that bast metric route cannot be installed (wrong logic)
Add func "is_route_exists" and check route/gateway/metric for
the required route
|
|
T4904: keepalived virtual-server allow multiple ports with fwmark
|
|
Add missing option "verbose" for op-mode NAT
|
|
|
|
Allow multiple ports for high-availability virtual-server
The current implementation allows balance only one "virtual" address
and port between between several "real servers"
Allow matching "fwmark" to set traffic which should be balanced
Allow to set port 0 (all traffic) if we use "fwmark"
Add health-check script
set high-availability virtual-server 203.0.113.1 fwmark '111'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script '/bin/true'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '0'
|
|
T4893: Add ppp-options ipv6-interface-id for L2TP
|
|
|
|
|
|
Add ppp-options IPv6 interface id for vpn L2TP
- fixed or random interface identifier for IPv6
- peer interface identifier for IPv6
- whether to accept peer’s interface identifier
set vpn l2tp remote-access ppp-options ipv6-accept-peer-intf-id
set vpn l2tp remote-access ppp-options ipv6-intf-id 'random'
set vpn l2tp remote-access ppp-options ipv6-peer-intf-id 'calling-sid'
|
|
`leaf_node_changed` returns `[]` (empty list) after a leaf node is
added.
e.g. Setting `source-interface` doesn't work on an existing vxlan
interface.
Steps to reproduce:
- Add a vxlan interface without `source-address` or `source-interface` options set:
```
set interfaces vxlan vxlan999 vni 999
set interfaces vxlan vxlan999 remote 192.168.100.100
commit
```
- Then set `source-address` or `source-interface`:
```
set interfaces vxlan vxlan999 source-interface eth0
commit
```
Actual result:
Source address or source-interface are not set:
```
ip -d link show dev vxlan999
76: vxlan999: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 56:08:ba:4d:4e:a8 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
vxlan id 999 remote 192.168.100.100 srcport 0 0 dstport 8472 tos inherit ttl 16 ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
```
Expected result:
```
77: vxlan999: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 9e:05:d9:58:1a:af brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
vxlan id 999 remote 192.168.100.100 dev eth0 srcport 0 0 dstport 8472 tos inherit ttl 16 ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
```
All invocations of leaf_node_changed() should be migrated to is_node_changes() if you are only interested in if something changed and don‘t care what exactly changed (content).
|
|
leaf_node_changed()
We only need to use leaf_node_changed() if we are interested in the detailed
change to a CLI node (what was the previous content). If we are only interested
in if a node changed "at all" is_node_changed() should be used.
|
|
We only need to use leaf_node_changed() if we are interested in the detailed
change to a CLI node (what was the previous content). If we are only interested
in if a node changed "at all" is_node_changed() should be used.
|
|
We only need to use leaf_node_changed() if we are interested in the detailed
change to a CLI node (what was the previous content). If we are only interested
in if a node changed "at all" is_node_changed() should be used.
|
|
|
|
|
|
Instead of hardcoding the default protocol as TCP in the Python script we shall
use the XML based defaultValue approach instead. This also automatically exports
the default to the CLI completion helper.
|
|
If port is specified on the CLI so must be source and destination under
the port node.
|
|
Commit 60c80df4 ("container: T4870: bump package version 0 -> 1 for filesystem
change") introduced a fundamental change in the container storage driver that
required a manual migration step from the user to not loose any data.
This commit removes the manual user interaction and temporary exports the
container images and re-imports them after the filesystem got changed. The only
things that get lost are orphaned container images no longer referenced by the
CLI - thats an adequate trade-off as those images can always be re-added to the
system.
|
|
move from vfs to overlay driver
The following pre iage upgrade script must be executed to have containers after
the reboot:
for pod in $(cli-shell-api listActiveNodes container name); do
systemctl stop vyos-container-${pod//\'}.service
done
sed -i 's/vfs/overlay/g' /etc/containers/storage.conf /usr/share/vyos/templates/container/storage.conf.j2
rm -rf /usr/lib/live/mount/persistence/container/storage/libpod
for pod in $(cli-shell-api listActiveNodes container name); do
image=$(cli-shell-api returnActiveValue container name ${pod//\'} image)
podman image pull $image
systemctl start vyos-container-${pod//\'}.service
done
for dir in vfs vfs-containers vfs-images vfs-layers; do
rm -rf /usr/lib/live/mount/persistence/container/storage/$dir
done
|
|
ipsec.py
|
|
|
|
Our python scripts use the shebang logic to set an intepreter - we should
rely on this and not use an external interpreter in front of the helper.
|
|
|
|
script
Sorting DHCP pools and filtering for state can now be done using the new op-mode
mode scripts in DHCP. This allows us to drop the old helpers show_dhcp.py and
show_dhcpv6.py.
|
|
script
Remaining functionality to filter NAT translations for a given address
got implemented to nat.py - with this cahnge we can drop the old files
show_nat*.py
|
|
Fixed op_mode show conntrack table ipv4
Created check on empty column "mark"
|