Previous example was expanded, in order to test filtering between native bridge interface and vlans interface on bridge.
Filtering rules:
- Filter traffic from vlan br0.55 to br0.66
- Filter traffic from vlan1 to br0.55
- Allow all
- Feed Queries
- All Stories
- Search
- Feed Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Jan 10 2022
Jan 10 2022
I'm experiencing this with a custom ISO built from the stable 1.3 sources. Haven't done further debugging yet, a bgpd restart helped every time.
Unknown Object (User) added a comment to T4100: Firewall increase maximum number of rules.
In 1.3 (VyOS 1.3-rolling-202201030317) the rules are handled correctly (except for the numbers in description).
Viacheslav moved T3299: Allow the web proxy service to listen on all IP addresses from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
Viacheslav changed the status of T3299: Allow the web proxy service to listen on all IP addresses from Unknown Status to Resolved.
Viacheslav committed rVYOSONEXaa438129337c: squid: T3299: Add listen address 0.0.0.0 (authored by sever-sever <v.gletenko@vyos.io>).
GitHub <noreply@github.com> committed rVYOSONEX1ddbbe90b32e: Merge pull request #1146 from sever-sever/T3299-equ (authored by c-po).
Ah! ok, I will close this. Looking at the man pages, seems like open nhrp doesn't have a no-unique registration feature?
We don’t use frr nhrpd, more details T2326
We use opennhrp
johannrichard added a comment to T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails.
I just realize it's getting more complicated as python/vyos/firewall.py will later write out the rules for these empty groups and when reading-them in, nftables will complain (again) when trying to resolve them, e.g.
Pythonic reimplementation complete. Now only the XML op-mode definition and the auto-complete script remain.
johannrichard renamed T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails from Rewrite firewall in new XML/Python style: Empty firewall group (address, network & port) generate invalid nftables config, commit fails to Empty firewall group (address, network & port) generates invalid nftables config, commit fails.
johannrichard added a comment to T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails.
To my understanding, the template data/templates/firewall/nftables.tmpl is probably the culprit, as it doesn't check whether group_conf.address (and similarly the others) has any elements at all and introduces the offending white-space:
Jan 9 2022
Jan 9 2022
GitHub <noreply@github.com> committed rVYOSONEXa9033074f6d7: Merge pull request #1149 from tacerus/pip (authored by dmbaturin).
GitHub <noreply@github.com> committed rVYOSONEXdfb2b58e00ea: Merge pull request #1143 from sever-sever/T1972 (authored by c-po).
In ISC dhcpd this corresponds to the boot-size option http://www.ipamworldwide.com/ipam/isc-dhcpv4-options.html
c-po moved T3924: VRRP stops working with VRF from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
c-po moved T4141: Set high-availability vrrp sync-group without members error from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
c-po moved T4128: keepalived: Upgrade package to add VRF support from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
c-po added a project to T4128: keepalived: Upgrade package to add VRF support: VyOS 1.3 Equuleus ( 1.3.1).
Package upgraded
c-po moved T3914: VRRP rfc3768-compatibility doesn't work with unicast peers from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
c-po edited projects for T3914: VRRP rfc3768-compatibility doesn't work with unicast peers, added: VyOS 1.3 Equuleus ( 1.3.1); removed VyOS 1.3 Equuleus (1.3.0).
GitHub <noreply@github.com> committed rVYOSONEX897510fe6fdf: Merge pull request #1142 from sever-sever/T4150 (authored by c-po).
GitHub <noreply@github.com> committed rVYOSONEX17ea91accc4b: Merge pull request #1145 from sever-sever/T4152 (authored by c-po).
Viacheslav updated subscribers of T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases .
Viacheslav changed the subtype of T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases from "Task" to "Bug".
Filtering tested on version 1.4-rolling-202201060842
I revisited this in: https://github.com/vyos/vyos-1x/pull/1147
johannrichard updated the task description for T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases .
aha added a comment to T4110: [IPV6-SSH/DNS} enable IPv6 link local adresses as listen-address %eth0.
@Viacheslav Yes, You're right.
in.tftpd got started (but only a few seconds).
Scenario proposed by @NikolayP gives next content in table ip filter:
A simple check works fine:
Set 20% quota for snmpd
And check it with script:
#!/usr/bin/env bashViacheslav changed the status of T3774: atop logs are not limited in size from In progress to Needs testing.
Viacheslav closed T3822: OpenVPN processes do not have permission to read key files generated with `run generate openvpn key` as Resolved.
It was fixed in above commits, wrong testing form my site.
Viacheslav added a comment to T4110: [IPV6-SSH/DNS} enable IPv6 link local adresses as listen-address %eth0.
@aha As I see tftp can't bind ipv6 link local address:
Viacheslav edited projects for T3299: Allow the web proxy service to listen on all IP addresses, added: VyOS 1.3 Equuleus ( 1.3.1); removed VyOS 1.3 Equuleus (1.3.0).
Cherry-pick PR https://github.com/vyos/vyos-1x/pull/1146
It requires checking for 1.3 as it was changed and it uses the old backend on Perl (links above).
vyos@vyos# run show config comm | grep fire set firewall name FOO default-action 'accept' set firewall name FOO rule 10 action 'accept' set firewall name FOO rule 10 source address '198.51.100.0/24' set firewall name FOO rule 999997 action 'drop' set firewall name FOO rule 999997 source address '203.0.113.0/24' [edit]
It seems -V option:
Viacheslav moved T4142: Input ifbX interfaces not displayed in op-mode from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
PR for 1.3 https://github.com/vyos/vyos-nhrp/pull/7
PR for 1.4 https://github.com/vyos/vyos-1x/pull/1145
Viacheslav changed the status of T4152: NHRP shortcut-target holding-time does not work from Open to In progress.
Check a real generated firewall iptables/nftables config
As 10000 it is the latest default rule, so your rules can be applied after default action with seq 10000
Viacheslav changed the status of T4087: IPsec IKE-group proposals limit of 10 pieces from Open to Needs testing.
Viacheslav added a project to T4087: IPsec IKE-group proposals limit of 10 pieces : VyOS 1.4 Sagitta.
Could you also create a pr for 1.4?
Or 1.4 doesn’t have such limits?
Does it work with vlan bridges T3115?
Some notes:
- The old syntax is quite terrible. It breaks if an image is named disk-install or running or any remote protocol. There needs to be a cleaner syntax for it, such as copy file from image My-Image/usr/local/foo to path /tmp/foo or show file in remote ftp://ftp.example.net/foo.
- 'Image tools' isn't exactly a descriptive name for it. It does four operations:
- show: List files in a directory, or spit information about a file followed by its contents (hexdump if it's binary).
- copy: Copy a file or directory from one place to another (it can merge directories).
- delete: Deletes a file or directory (doesn't work remotely).
- update and updateone: Updates an image's config directory with rsync (the only part directly related to image manipulation). This is actually called clone in the CLI.
- show, copy and delete should probably be moved to a separate (new) module related to file operations (and coupled with vyos.remote) whilst update needs to become its own thing (a helper script, perhaps).
Unknown Object (User) added a comment to T4100: Firewall increase maximum number of rules.
Tested in VyOS 1.3-rolling-202201030317 & 1.4-rolling-202201070726
Jan 8 2022
Jan 8 2022
@NikolayP Could you test if all works fine?
Check the real generated firewal rules.
Is it an actual task? If yes, can someone explain which configuration you expect from keepalived.conf or radvd.conf?
As I see PR 9aad6f was merged.
Viacheslav moved T4100: Firewall increase maximum number of rules from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
Viacheslav added a comment to T1972: Allow setting interface name for virtual_ipaddress in VRRP VRID.
Viacheslav changed the subtype of T4150: VRRP with conntrack-sync does not work from "Task" to "Bug".
Viacheslav changed the status of T4150: VRRP with conntrack-sync does not work from Open to In progress.
Viacheslav edited projects for T4151: IPV6 local PBR Support, added: VyOS 1.4 Sagitta; removed VyOS 1.1.x.
It requires option -6
For example:
sudo ip -6 rule add prio 10 from de:de::1 lookup 5
Show v6 rules:
vyos@r11-roll# sudo ip -6 rule show 0: from all lookup local 10: from de:de::1 lookup 5 32766: from all lookup main [edit] vyos@r11-roll#
Unknown Object (User) added a comment to T4150: VRRP with conntrack-sync does not work.
The situation has not changed in VyOS 1.4-rolling-202201070726
Jan 7 2022
Jan 7 2022
Viacheslav moved T3924: VRRP stops working with VRF from Open to Finished on the VyOS 1.4 Sagitta board.
Unknown Object (User) created T4150: VRRP with conntrack-sync does not work.
Tested in VyOS 1.4-rolling-202201060842
Works