Feed All Stories

May 31 2021

c-po committed rVYOSONEXec958eb3a973: conntrack: T3579: add module disable options.
May 31 2021, 9:03 PM
Viacheslav added a comment to T3591: OpenVPN with/without VRF not working (NordVPN).

@mTx87 Do you have a working example in Linux?
Maybe it also needs OpenVPN >= 2.5.0
https://blog.sdn.clinic/2018/12/openvpn-and-vrfs/

May 31 2021, 8:07 PM · VyOS 1.4 Sagitta
mTx87 created T3591: OpenVPN with/without VRF not working (NordVPN).
May 31 2021, 12:26 PM · VyOS 1.4 Sagitta
erkin added a comment to T1161: Does Vyos take advantage of linux's improved security features?.

Here are some kernel features we need to consider:

  1. Disable kexec. The user should never need to swap the kernel.
  2. Restrict access to /proc/kallsyms for regular users, which makes sense since we're using a custom kernel.
  3. Set hidepid to prevent regular users from seeing process IDs. Might be too intrusive.
  4. Harden BPF JIT. Might interfere with XDP. Testing necessary.
  5. Set kernel lockdown mode. Disables kexec and unprivileged BGP commands. Again, might interfere with XDP.
May 31 2021, 11:12 AM
erkin added a comment to T1161: Does Vyos take advantage of linux's improved security features?.

An easy start would be adding

export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_CFLAGS_MAINT_APPEND  = -Wall -pedantic
export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,defs

to debian/rules to harden our C programs (which are currently only VyShim and XDP). hardening=+all passes PIE and bindnow linker options to GCC.

May 31 2021, 10:27 AM
shaneshort added a comment to T2315: Ability to have right address-family for BGP peers..

Just wanting to chime in here, I think I've been bitten by what appears to be a similar cause.

May 31 2021, 10:25 AM · VyOS 1.4 Sagitta
GitHub <noreply@github.com> committed rVYOSONEXaf6485a0108c: ipsec: T2816: Continued refactor, added proper ipsec-interfaces handling (authored by simon).
May 31 2021, 4:12 AM
fernando added a comment to T3578: Prefix-List(6) update cause empty prefix-list(6).

Hi

I tried to replicate that issue with the same version but I couldn't, let me show

vyos@vipv6-lp# run show version

Version: VyOS 1.4-rolling-202104270417
Release Train: sagitta

Built by: autobuild@vyos.net
Built on: Wed 28 Apr 2021 01:17 UTC

May 31 2021, 12:04 AM · VyOS 1.4 Sagitta
fernando added a comment to T3578: Prefix-List(6) update cause empty prefix-list(6).
May 31 2021, 12:00 AM · VyOS 1.4 Sagitta

May 30 2021

c-po closed T3524: Please implement bgp graceful-shutdown as Resolved.
May 30 2021, 8:07 PM · VyOS 1.2 Crux (VyOS 1.2.8)
c-po moved T3524: Please implement bgp graceful-shutdown from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.8) board.
May 30 2021, 8:07 PM · VyOS 1.2 Crux (VyOS 1.2.8)
c-po moved T3524: Please implement bgp graceful-shutdown from Need Triage to Finished on the VyOS 1.3 Equuleus board.
May 30 2021, 8:07 PM · VyOS 1.2 Crux (VyOS 1.2.8)
c-po claimed T3524: Please implement bgp graceful-shutdown.
May 30 2021, 8:06 PM · VyOS 1.2 Crux (VyOS 1.2.8)
c-po added a comment to T3524: Please implement bgp graceful-shutdown.

Turns out this was actually a very small change in the old framework - implemented also on 1.3 and backported to 1.2.8

May 30 2021, 8:06 PM · VyOS 1.2 Crux (VyOS 1.2.8)
c-po moved T3524: Please implement bgp graceful-shutdown from Open to Finished on the VyOS 1.4 Sagitta board.
May 30 2021, 7:58 PM · VyOS 1.2 Crux (VyOS 1.2.8)
c-po moved T2641: Rewrite vpn ipsec OP commands in new style XML syntax from Open to Finished on the VyOS 1.4 Sagitta board.
May 30 2021, 7:58 PM · VyOS 1.4 Sagitta
c-po moved T3093: Add xml for vpn ipsec from Open to Finished on the VyOS 1.4 Sagitta board.
May 30 2021, 7:58 PM · VyOS 1.4 Sagitta
c-po moved T3590: bgp: add option for limiting maximum number of prefixes to be sent to a peer from Open to Finished on the VyOS 1.4 Sagitta board.
May 30 2021, 7:58 PM · VyOS 1.4 Sagitta
c-po updated the task description for T3590: bgp: add option for limiting maximum number of prefixes to be sent to a peer.
May 30 2021, 7:58 PM · VyOS 1.4 Sagitta
c-po committed rVYOSONEX3a8b7d7a10c2: bgp: T3590: limiting maximum number of prefixes to be sent to a peer.
May 30 2021, 7:57 PM
c-po closed T3590: bgp: add option for limiting maximum number of prefixes to be sent to a peer as Resolved.
May 30 2021, 7:41 PM · VyOS 1.4 Sagitta
c-po closed T3590: bgp: add option for limiting maximum number of prefixes to be sent to a peer, a subtask of T2174: Rewrite protocol BGP to new XML/Python style, as Resolved.
May 30 2021, 7:41 PM · VyOS 1.3 Equuleus (1.3.0)
c-po created T3590: bgp: add option for limiting maximum number of prefixes to be sent to a peer.
May 30 2021, 7:41 PM · VyOS 1.4 Sagitta
SrividyaA added a comment to T3582: 'delete log file' does not work.

Thank you for the suggestion, I will work on this.

May 30 2021, 4:36 PM · VyOS 1.2 Crux (VyOS 1.2.8)
c-po closed T2641: Rewrite vpn ipsec OP commands in new style XML syntax, a subtask of T2816: Rewrite IPsec scripts with the new XML/Python approach, as Resolved.
May 30 2021, 12:22 PM · VyOS 1.4 Sagitta
c-po closed T2641: Rewrite vpn ipsec OP commands in new style XML syntax as Resolved.
May 30 2021, 12:22 PM · VyOS 1.4 Sagitta
c-po edited projects for T3093: Add xml for vpn ipsec, added: VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus.
May 30 2021, 12:21 PM · VyOS 1.4 Sagitta
c-po closed T3093: Add xml for vpn ipsec, a subtask of T2816: Rewrite IPsec scripts with the new XML/Python approach, as Resolved.
May 30 2021, 12:21 PM · VyOS 1.4 Sagitta
c-po closed T3093: Add xml for vpn ipsec as Resolved.
May 30 2021, 12:21 PM · VyOS 1.4 Sagitta
c-po added a comment to T1210: About IKEv2 IPSec VPN remote access.

Also mentioned here: https://forum.vyos.io/t/roadwarrior-config-with-ikev2-and-different-user-groups/2457

May 30 2021, 12:21 PM · VyOS 1.4 Sagitta
c-po added a comment to T3582: 'delete log file' does not work.

Maybe a completion helper could work here, too?

May 30 2021, 11:59 AM · VyOS 1.2 Crux (VyOS 1.2.8)
SrividyaA closed T3582: 'delete log file' does not work as Invalid.

When the following command "set system syslog file <filename> facility <keyword> level <keyword>" is applied, then the files are stored in the /var/log/user directory. These files can be deleted using the command "delete log file <text>"

May 30 2021, 11:58 AM · VyOS 1.2 Crux (VyOS 1.2.8)
erkin changed the status of T3506: Migrate loadkey command to op-mode, a subtask of T3355: Remove all remaining legacy Vyatta code, from Open to In progress.
May 30 2021, 10:21 AM · VyOS Rolling
erkin changed the status of T3506: Migrate loadkey command to op-mode, a subtask of T3356: Script for remote file transfers, from Open to In progress.
May 30 2021, 10:21 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
erkin changed the status of T3506: Migrate loadkey command to op-mode from Open to In progress.
May 30 2021, 10:21 AM · VyOS 1.4 Sagitta
erkin added a comment to T3378: commit-archive source-address broken for IPv6 addresses.

This is possibly a problem on curl's end but funnily enough, there's a similar problem with the native implementation over T3563. Once that's solved, this bug will be rendered moot.

May 30 2021, 10:17 AM · VyOS 1.3 Equuleus (1.3.0)
erkin closed T3351: Installer checking MD5 checksums on the ISO image as Resolved.
May 30 2021, 10:16 AM · VyOS 1.4 Sagitta
c-po closed T3589: op-mode: support clearing out logfiles from CLI as Resolved.
May 30 2021, 10:08 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
c-po moved T3589: op-mode: support clearing out logfiles from CLI from Open to Finished on the VyOS 1.4 Sagitta board.
May 30 2021, 10:08 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
c-po moved T3589: op-mode: support clearing out logfiles from CLI from Need Triage to Finished on the VyOS 1.3 Equuleus board.
May 30 2021, 10:08 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
c-po committed rVYOSONEX21669d633a66: op-mode: T3589: add "clear log" command to vacuume journald.
May 30 2021, 10:07 AM
c-po committed rVYOSONEXfd95a460cc8c: op-mode: T3589: replace short journalctl options with long names.
May 30 2021, 10:07 AM
GitHub <noreply@github.com> committed rVYOSONEXd79cbf74142d: ipsec: T2816: Refactor to remove global variable and tidy up (authored by simon).
May 30 2021, 10:07 AM
c-po committed rVYOSONEX3e6e4a1738dc: op-mode: T3589: add "clear log" command to vacuume journald.
May 30 2021, 10:07 AM
c-po committed rVYOSONEXf357cf58f7bd: op-mode: T3589: replace short journalctl options with long names.
May 30 2021, 10:07 AM
erkin renamed T3563: commit-archive breaks with IPv6 source addresses from commit-archive Broken to commit-archive breaks with IPv6 source addresses.
May 30 2021, 10:04 AM · VyOS 1.4 Sagitta
erkin claimed T3378: commit-archive source-address broken for IPv6 addresses.
May 30 2021, 10:03 AM · VyOS 1.3 Equuleus (1.3.0)
erkin closed T3508: Check if there's enough drive space for an upgrade before downloading an image, a subtask of T3356: Script for remote file transfers, as Resolved.
May 30 2021, 10:03 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
erkin closed T3508: Check if there's enough drive space for an upgrade before downloading an image as Resolved.

install-image now calls a routine that queries the size of the remote file and aborts if there isn't enough space to download the image.

May 30 2021, 10:03 AM · VyOS 1.3 Equuleus (1.3.0)
erkin changed the status of T3563: commit-archive breaks with IPv6 source addresses, a subtask of T3356: Script for remote file transfers, from Open to Needs testing.
May 30 2021, 10:00 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
erkin changed the status of T3563: commit-archive breaks with IPv6 source addresses from Open to Needs testing.
May 30 2021, 10:00 AM · VyOS 1.4 Sagitta
erkin closed T1506: commit-archive scp/sftp public key authentication, a subtask of T3356: Script for remote file transfers, as Resolved.
May 30 2021, 9:59 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
erkin closed T1506: commit-archive scp/sftp public key authentication as Resolved.

commit-archive now uses Paramiko for SSH connections instead of curl and directly reads ~/.ssh/known_hosts if it exists.

May 30 2021, 9:59 AM · VyOS 1.3 Equuleus (1.3.0)
erkin closed T3518: Warning messages when using SCP commit-archive, a subtask of T3356: Script for remote file transfers, as Resolved.
May 30 2021, 9:56 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
erkin closed T3518: Warning messages when using SCP commit-archive as Resolved.

This is a consequence of using an old Paramiko version. I just sent a PR upping the version of cryptography and Paramiko.

May 30 2021, 9:56 AM · VyOS 1.4 Sagitta
erkin claimed T3563: commit-archive breaks with IPv6 source addresses.
May 30 2021, 9:55 AM · VyOS 1.4 Sagitta
erkin updated the task description for T3356: Script for remote file transfers.
May 30 2021, 9:54 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
erkin added a parent task for T1866: Commit archive over SFTP doesn't work with non-standard ports: T3356: Script for remote file transfers.
May 30 2021, 9:54 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
erkin added a subtask for T3356: Script for remote file transfers: T1866: Commit archive over SFTP doesn't work with non-standard ports.
May 30 2021, 9:54 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
erkin closed T1866: Commit archive over SFTP doesn't work with non-standard ports as Resolved.

New file transfer script parses the port field in the URL.

May 30 2021, 9:54 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
erkin triaged T1522: If a config session is not close cleanly, the unionfs-mount is not cleaned up as Low priority.
May 30 2021, 9:51 AM · Restricted Project, VyOS 1.5 Circinus
erkin changed the status of T1522: If a config session is not close cleanly, the unionfs-mount is not cleaned up from Open to Confirmed.
May 30 2021, 9:50 AM · Restricted Project, VyOS 1.5 Circinus
sarthurdev added a comment to T3588: IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan.

Also vpn ipsec site-to-site peer x tunnel x allow-nat-networks and vpn ipsec site-to-site peer x tunnel x allow-public-networks

May 30 2021, 9:46 AM · VyOS 1.4 Sagitta
c-po updated the task description for T3589: op-mode: support clearing out logfiles from CLI.
May 30 2021, 9:34 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
c-po updated the task description for T3589: op-mode: support clearing out logfiles from CLI.
May 30 2021, 9:28 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
c-po triaged T3589: op-mode: support clearing out logfiles from CLI as Normal priority.
May 30 2021, 9:27 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
c-po created T3589: op-mode: support clearing out logfiles from CLI.
May 30 2021, 9:27 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
c-po added a project to T3588: IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan: VyOS 1.3 Equuleus.
May 30 2021, 9:10 AM · VyOS 1.4 Sagitta
c-po updated the task description for T3588: IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan.
May 30 2021, 9:10 AM · VyOS 1.4 Sagitta
c-po updated the task description for T3588: IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan.
May 30 2021, 9:10 AM · VyOS 1.4 Sagitta
c-po updated the task description for T3588: IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan.
May 30 2021, 9:08 AM · VyOS 1.4 Sagitta
c-po claimed T3588: IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan.
May 30 2021, 9:06 AM · VyOS 1.4 Sagitta
c-po placed T3588: IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan up for grabs.
May 30 2021, 8:54 AM · VyOS 1.4 Sagitta
c-po triaged T3588: IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan as Normal priority.
May 30 2021, 8:54 AM · VyOS 1.4 Sagitta
c-po changed the status of T3587: Intel QAT support is broken on VyOS 1.4 due to a Kernel Crash from Open to In progress.
May 30 2021, 8:20 AM · VyOS 1.4 Sagitta
c-po created T3587: Intel QAT support is broken on VyOS 1.4 due to a Kernel Crash.
May 30 2021, 8:17 AM · VyOS 1.4 Sagitta

May 29 2021

c-po moved T1995: "show vpn ike sa" command always show child-sas as down from Backport Candidates to Finished on the VyOS 1.4 Sagitta board.
May 29 2021, 9:12 PM · VyOS 1.2 Crux (VyOS 1.2.8)
c-po moved T3258: ethernet smoke test damaged from Backlog to Finished on the VyOS 1.4 Sagitta board.
May 29 2021, 9:12 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
c-po moved T3374: IPv6 GRE Tunnel issues from In Progress to Finished on the VyOS 1.4 Sagitta board.
May 29 2021, 9:12 PM · VyOS 1.4 Sagitta
c-po moved T3321: Bgp not possible to use internal|external remote as from Backlog to Finished on the VyOS 1.4 Sagitta board.
May 29 2021, 9:12 PM · VyOS 1.4 Sagitta
c-po moved T3404: Exception thrown when executing configuration load from Backlog to Finished on the VyOS 1.4 Sagitta board.
May 29 2021, 9:12 PM · VyOS 1.4 Sagitta
c-po moved T483: Add google-authenticator 2fa from Backlog to Finished on the VyOS 1.4 Sagitta board.
May 29 2021, 9:12 PM · VyOS 1.4 Sagitta
c-po moved T3179: Add the ability to generate a support file from Backlog to Finished on the VyOS 1.4 Sagitta board.
May 29 2021, 9:12 PM · VyOS 1.4 Sagitta
c-po moved T3385: Support for disabling ARP responses from Backlog to Finished on the VyOS 1.4 Sagitta board.
May 29 2021, 9:12 PM · VyOS 1.4 Sagitta
c-po moved T3241: Allow configuration of XAuth on IPsec Tunnels from Backlog to Finished on the VyOS 1.4 Sagitta board.
May 29 2021, 9:12 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta, VyOS 1.2 Crux
c-po moved T1888: Update to StrongSwan 5.9.1 from Open to Finished on the VyOS 1.4 Sagitta board.
May 29 2021, 9:12 PM · VyOS 1.4 Sagitta
c-po placed T725: Cake and FQ-PIE up for grabs.
May 29 2021, 9:01 PM · VyOS 1.4 Sagitta
c-po edited projects for T2816: Rewrite IPsec scripts with the new XML/Python approach, added: VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus.
May 29 2021, 9:00 PM · VyOS 1.4 Sagitta
c-po changed the status of T2816: Rewrite IPsec scripts with the new XML/Python approach from In progress to Needs testing.
May 29 2021, 9:00 PM · VyOS 1.4 Sagitta
c-po closed T1888: Update to StrongSwan 5.9.1 as Resolved.
May 29 2021, 8:59 PM · VyOS 1.4 Sagitta
c-po renamed T3318: Update Linux Kernel to v5.4.208 / 5.10.142 from Update Linux Kernel to v5.4.122 / 5.10.40 to Update Linux Kernel to v5.4.123 / 5.10.41.
May 29 2021, 8:54 PM · VyOS 1.3 Equuleus (1.3.2), VyOS 1.4 Sagitta
c-po committed rVYOSONEX61936ae2c6c2: Debian: T1888: raise required strongSwan version to >= 5.8 for xfrm support.
May 29 2021, 8:38 PM
c-po claimed T1888: Update to StrongSwan 5.9.1.
May 29 2021, 8:36 PM · VyOS 1.4 Sagitta
c-po committed rVYOSONEXa31ab24a9d3b: vpn: ipsec: T3093: test for VTI interface availability the easy way.
May 29 2021, 5:12 PM
c-po added a parent task for T2173: Add the ability to use VRF on VTI interfaces: T1888: Update to StrongSwan 5.9.1.
May 29 2021, 4:46 PM · VyOS 1.4 Sagitta
c-po added a subtask for T1888: Update to StrongSwan 5.9.1: T2173: Add the ability to use VRF on VTI interfaces.
May 29 2021, 4:46 PM · VyOS 1.4 Sagitta
c-po renamed T1888: Update to StrongSwan 5.9.1 from Update to StrongSwan 5.8.1 to Update to StrongSwan 5.9.1.
May 29 2021, 4:45 PM · VyOS 1.4 Sagitta
c-po added a comment to T1200: SNMP GET broken at least for BGP4-MIB.

We have had a lot of tickets about SNMP MIBS for BGP - most of them being for IPv6.

May 29 2021, 4:41 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus (1.3.6)
c-po changed the status of T1200: SNMP GET broken at least for BGP4-MIB from Open to Needs testing.
May 29 2021, 4:39 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus (1.3.6)
GitHub <noreply@github.com> committed rVYOSONEX2d3a2c56a33b: ipsec: vti: T2816: Update to use correct VTI mark, code cleanup (authored by simon).
May 29 2021, 4:37 PM