https://github.com/vyos/vyatta-nat/commit/01b9a8598dabd391cc42da4c66d7a8067846b12b
- Feed Queries
- All Stories
- Search
- Feed Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Dec 25 2021
Dec 25 2021
erkin added a parent task for T4103: Rewrite Vyatta config management module in Python: T3355: Remove all remaining legacy Vyatta code.
erkin changed the status of T4101: commit-archive: Use of uninitialized value $source_address in concatenation from Open to Confirmed.
c-po moved T2764: Increase maximum number of NAT rules from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
c-po edited projects for T2764: Increase maximum number of NAT rules, added: VyOS 1.3 Equuleus ( 1.3.1); removed VyOS 1.3 Equuleus (1.3.0-epa1).
This happened because the rule numbers only got increased in the XML implementation but not in the old Perl backend. This has been fixed.
Unknown Object (User) reopened T2764: Increase maximum number of NAT rules as "Confirmed".
In 1.3.0 the limitation remains
Unknown Object (User) created T4100: Firewall increase maximum number of rules.
Dec 24 2021
Dec 24 2021
c-po moved T4098: flow-accounting: "disable-imt" and "show flow-accounting" gives PermissionError from Need Triage to 1.3.1 on the VyOS 1.3 Equuleus board.
Viacheslav lowered the priority of T891: Current multi-table usage with VRF-netns tables in FRR is partially broken for PBR. from High to Normal.
Viacheslav added a comment to T891: Current multi-table usage with VRF-netns tables in FRR is partially broken for PBR..
In T891#20803, @Watcher7 wrote:
- VyOS command syntax cannot currently specify both a next-hop and interface for the same static route, despite FRR being able to do so.
GitHub <noreply@github.com> committed rVYOSONEX5f1935ee2b2a: Merge pull request #1120 from sever-sever/T3854-eq (authored by c-po).
Viacheslav moved T3854: Missing op-mode commands for conntrack-sync from Open to Finished on the VyOS 1.4 Sagitta board.
PR for 1.3 https://github.com/vyos/vyos-1x/pull/1120
c-po renamed T3318: Update Linux Kernel to v5.4.208 / 5.10.142 from Update Linux Kernel to v5.4.164 / 5.10.84 to Update Linux Kernel to v5.4.164 / 5.10.88.
Using a space in description withput quotation won‘t work. This is because the underlay of the CLI is bash and needs proper quotation.
Unknown Object (User) added a comment to T4080: Space in "description" commands.
@Viacheslav
If i use this format ('test test test') it works well.
Is it possible using description with space without '' ?
Unknown Object (User) changed the status of T4080: Space in "description" commands from Open to Needs testing.
Dec 23 2021
Dec 23 2021
GitHub <noreply@github.com> committed rVYOSONEX6f637b05adf1: Merge pull request #1119 from sever-sever/T3854 (authored by c-po).
Viacheslav edited projects for T3854: Missing op-mode commands for conntrack-sync, added: VyOS 1.3 Equuleus ( 1.3.1); removed VyOS 1.3 Equuleus (1.3.0).
Viacheslav moved T4092: IKEv2 mobike commit failed with DMVPN nhrp from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
Viacheslav edited projects for T4092: IKEv2 mobike commit failed with DMVPN nhrp, added: VyOS 1.3 Equuleus ( 1.3.1); removed VyOS 1.3 Equuleus.
PR for crux https://github.com/vyos/vyatta-cfg-vpn/pull/53
Viacheslav moved T4092: IKEv2 mobike commit failed with DMVPN nhrp from Need Triage to Finished on the VyOS 1.3 Equuleus board.
Forgot about the process "vyos-http-api-server". The process must be launched in the required vrf. Otherwise, we get an error: Otherwise, we get an error:
erkin closed T4090: Source port and interface support for `commit-archive`, a subtask of T3356: Script for remote file transfers, as Wontfix.
If anyone actually wants support for source port parameter, feel free to reopen this, but the interface parameter is a no-go. In the meantime, rewriting vyatta-config-mgmt takes precedence.
erkin closed T3354: Convert strip-private script from Perl to Python, a subtask of T3355: Remove all remaining legacy Vyatta code, as Resolved.
erkin added a subtask for T3356: Script for remote file transfers: T4091: Progress bar support for HTTP uploads.
erkin added a parent task for T4091: Progress bar support for HTTP uploads: T3356: Script for remote file transfers.
That's a good idea. What remains in that repo was hardly touched in a decade.
Viacheslav changed the subtype of T3854: Missing op-mode commands for conntrack-sync from "Task" to "Bug".
Viacheslav changed the status of T3854: Missing op-mode commands for conntrack-sync from Open to In progress.
Unknown Object (User) updated subscribers of T4081: VRRP health-check script stops working when setting up a sync group.
Dec 22 2021
Dec 22 2021
Viacheslav changed the status of T4092: IKEv2 mobike commit failed with DMVPN nhrp from Open to In progress.
Viacheslav added a project to T4092: IKEv2 mobike commit failed with DMVPN nhrp: VyOS 1.2 Crux (VyOS 1.2.9).
Viacheslav renamed T4092: IKEv2 mobike commit failed with DMVPN nhrp from Reopen: IKEv2 mobike commit failed to IKEv2 mobike commit failed with DMVPN nhrp.
It doesn't matter what you add mobike disable or enable
A possible reason it generates incorrect swanctl.conf for option mobike
@nikeshhajari thanks, I can reproduce it in 1.3:
set interfaces ethernet eth0 address '192.168.122.14/24' set interfaces tunnel tun0 encapsulation 'gre' set interfaces tunnel tun0 multicast 'enable' set interfaces tunnel tun0 parameters ip key '1' set interfaces tunnel tun0 source-address '192.168.122.14' set protocols nhrp tunnel tun0 cisco-authentication 'orange' set protocols nhrp tunnel tun0 holding-time '300' set protocols nhrp tunnel tun0 multicast 'dynamic' set protocols nhrp tunnel tun0 redirect set protocols nhrp tunnel tun0 shortcut set vpn ipsec esp-group ESP-HUB compression 'disable' set vpn ipsec esp-group ESP-HUB lifetime '3600' set vpn ipsec esp-group ESP-HUB mode 'tunnel' set vpn ipsec esp-group ESP-HUB pfs 'dh-group21' set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha256' set vpn ipsec esp-group ESP-HUB proposal 2 encryption 'aes256' set vpn ipsec esp-group ESP-HUB proposal 2 hash 'sha256' set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2' set vpn ipsec ike-group IKE-HUB lifetime '28800' set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '21' set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha256' set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '21' set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes256' set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha256' set vpn ipsec ipsec-interfaces interface 'eth0' set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'PRE_SHARED_KEY' set vpn ipsec profile NHRPVPN bind tunnel 'tun0' set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' commit
Add mobile disable:
set vpn ipsec ike-group IKE-HUB mobike 'disable' commit [ vpn ] Warning: unable to [reload changes to swanctl.conf], received error code 5632
I prefer to rewrite the whole https://github.com/vyos/vyatta-config-mgmt to XML/python
boevering added a comment to T4062: VRRP IPSEC-AH : sequence number xxxxxxx already processed. Packet dropped. Local(xxxxxxx).
@Viacheslav the only way is by letting it run.
As adviced in the slack I upgraed to differt version, just now it dropped again.
This time it's differtent as the backup still sayes it still the backup node but all traffic to the VRRP address is offline.
A similar bug I see in 1.2 with such configuration:
set service snmp contact 'test' set service snmp listen-address 192.168.122.12 set service snmp location 'test' set service snmp v3 user foo auth encrypted-key '0x2e312e332e362e312e362e332e31302e312e322e34' set service snmp v3 user foo auth type 'sha' set service snmp v3 user foo privacy encrypted-key '0x' set service snmp v3 user foo privacy type 'aes'
Viacheslav added projects to T4093: SNMPv3 snmpd.conf generation bug: VyOS 1.4 Sagitta, VyOS 1.3 Equuleus (1.3.0).
end of /etc/snmp/snmpd.conf
# group group usm test
Thank you, problem solved!
SrividyaA set Issue type to bug on T3678: VyOS 1.4: Invalid error message while deleting ipsec vpn configuration.
SrividyaA closed T3678: VyOS 1.4: Invalid error message while deleting ipsec vpn configuration, a subtask of T2816: Rewrite IPsec scripts with the new XML/Python approach, as Resolved.
SrividyaA closed T3678: VyOS 1.4: Invalid error message while deleting ipsec vpn configuration as Resolved.
Working in latest release:
Unknown Object (User) changed the subtype of T4081: VRRP health-check script stops working when setting up a sync group from "Task" to "Bug".
Unknown Object (User) reopened T4081: VRRP health-check script stops working when setting up a sync group as "Confirmed".
Unknown Object (User) closed T4081: VRRP health-check script stops working when setting up a sync group as Unknown Status.
Duplicate PR:
https://github.com/vyos/vyos-1x/pull/1118
Request revoked
VyOS 1.3.0-epa3 with config below works good:
Dec 22 2021, 8:06 AM · Bugs, VyOS 1.5 Circinus, VyOS 1.4 Sagitta (1.4.1), Restricted Project, openvpn
erkin lowered the priority of T4090: Source port and interface support for `commit-archive` from Low to Wishlist.
I personally think the interface part is high-effort, low-gain since you can simply use the address of the interface to the same effect, whereas simply providing an interface will force it to decide which address to use on dual-stack systems. It needs to pick between AF_INET and AF_INET6 when creating the socket before setsockopt()ing SO_BINDTODEVICE; although I think we can get away with doing what socket.create_connection() does. Even then, only the SFTP portion of the code directly uses socket — everything else relies on higher level libraries that only expose address and port options. (Also, using a single parameter for both addresses and interfaces is a bad idea, in my opinion, because it's probably more useful to resolve an FQDN string to an address rather than assume all strings are interfaces. But otherwise, we'd need to find a way to resolve conflict between address and interface parameters.) All in all, I don't think the interface parameter is a good idea at all but we'll see.
erkin closed T3356: Script for remote file transfers, a subtask of T3355: Remove all remaining legacy Vyatta code, as Resolved.
All parts completely backported to Equuleus.