this PR https://github.com/vyos/vyos-1x/pull/1088 only include how to enable daemon , but it doesn't add VyOS-cli commands in BGP (the daemon only allows you to enable it).
- Feed Queries
- All Stories
- Search
- Feed Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Jan 10 2022
Jan 10 2022
@Viacheslav / @vindenesen that is a bug I have also seen in the old iptables based implementation. Can you please file a bug report towards VyOS 1.2 and 1.3?
There is PR which includes this feature https://github.com/vyos/vyos-1x/pull/1088
GitHub <noreply@github.com> committed rVYOSONEX436805a69df3: Merge pull request #1151 from sarthurdev/firewall (authored by c-po).
sarthurdev changed the status of T4149: [Firewall-IPV6] Error delete Fw rules on VIF/INT from In progress to Needs testing.
sarthurdev changed the status of T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases , a subtask of T2199: Rewrite firewall in new XML/Python style, from Open to Needs testing.
sarthurdev changed the status of T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases from Open to Needs testing.
Thanks for catching that!
GitHub <noreply@github.com> committed rVYOSONEX4ade92549616: Merge pull request #1150 from nicolas-fort/T4161 (authored by c-po).
Nicolas Fort <nicolasfort1988@gmail.com> committed rVYOSONEX8dfde277c90c: policy: T4161: Set correct description for local-preference.
sarthurdev changed the status of T4149: [Firewall-IPV6] Error delete Fw rules on VIF/INT from Open to In progress.
Previous example was expanded, in order to test filtering between native bridge interface and vlans interface on bridge.
Filtering rules:
- Filter traffic from vlan br0.55 to br0.66
- Filter traffic from vlan1 to br0.55
- Allow all
I'm experiencing this with a custom ISO built from the stable 1.3 sources. Haven't done further debugging yet, a bgpd restart helped every time.
Unknown Object (User) added a comment to T4100: Firewall increase maximum number of rules.
In 1.3 (VyOS 1.3-rolling-202201030317) the rules are handled correctly (except for the numbers in description).
Viacheslav moved T3299: Allow the web proxy service to listen on all IP addresses from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
Viacheslav changed the status of T3299: Allow the web proxy service to listen on all IP addresses from Unknown Status to Resolved.
Viacheslav committed rVYOSONEXaa438129337c: squid: T3299: Add listen address 0.0.0.0 (authored by sever-sever <v.gletenko@vyos.io>).
GitHub <noreply@github.com> committed rVYOSONEX1ddbbe90b32e: Merge pull request #1146 from sever-sever/T3299-equ (authored by c-po).
Ah! ok, I will close this. Looking at the man pages, seems like open nhrp doesn't have a no-unique registration feature?
We don’t use frr nhrpd, more details T2326
We use opennhrp
johannrichard added a comment to T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails.
I just realize it's getting more complicated as python/vyos/firewall.py will later write out the rules for these empty groups and when reading-them in, nftables will complain (again) when trying to resolve them, e.g.
Pythonic reimplementation complete. Now only the XML op-mode definition and the auto-complete script remain.
johannrichard renamed T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails from Rewrite firewall in new XML/Python style: Empty firewall group (address, network & port) generate invalid nftables config, commit fails to Empty firewall group (address, network & port) generates invalid nftables config, commit fails.
johannrichard added a comment to T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails.
To my understanding, the template data/templates/firewall/nftables.tmpl is probably the culprit, as it doesn't check whether group_conf.address (and similarly the others) has any elements at all and introduces the offending white-space:
Jan 9 2022
Jan 9 2022
GitHub <noreply@github.com> committed rVYOSONEXa9033074f6d7: Merge pull request #1149 from tacerus/pip (authored by dmbaturin).
GitHub <noreply@github.com> committed rVYOSONEXdfb2b58e00ea: Merge pull request #1143 from sever-sever/T1972 (authored by c-po).
In ISC dhcpd this corresponds to the boot-size option http://www.ipamworldwide.com/ipam/isc-dhcpv4-options.html
c-po moved T3924: VRRP stops working with VRF from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
c-po moved T4141: Set high-availability vrrp sync-group without members error from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
c-po moved T4128: keepalived: Upgrade package to add VRF support from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
c-po added a project to T4128: keepalived: Upgrade package to add VRF support: VyOS 1.3 Equuleus ( 1.3.1).
Package upgraded
c-po moved T3914: VRRP rfc3768-compatibility doesn't work with unicast peers from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
c-po edited projects for T3914: VRRP rfc3768-compatibility doesn't work with unicast peers, added: VyOS 1.3 Equuleus ( 1.3.1); removed VyOS 1.3 Equuleus (1.3.0).
GitHub <noreply@github.com> committed rVYOSONEX897510fe6fdf: Merge pull request #1142 from sever-sever/T4150 (authored by c-po).
GitHub <noreply@github.com> committed rVYOSONEX17ea91accc4b: Merge pull request #1145 from sever-sever/T4152 (authored by c-po).
Viacheslav updated subscribers of T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases .
Viacheslav changed the subtype of T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases from "Task" to "Bug".
Filtering tested on version 1.4-rolling-202201060842
I revisited this in: https://github.com/vyos/vyos-1x/pull/1147
johannrichard updated the task description for T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases .
aha added a comment to T4110: [IPV6-SSH/DNS} enable IPv6 link local adresses as listen-address %eth0.
@Viacheslav Yes, You're right.
in.tftpd got started (but only a few seconds).
Scenario proposed by @NikolayP gives next content in table ip filter:
A simple check works fine:
Set 20% quota for snmpd
And check it with script:
#!/usr/bin/env bashViacheslav changed the status of T3774: atop logs are not limited in size from In progress to Needs testing.
Viacheslav closed T3822: OpenVPN processes do not have permission to read key files generated with `run generate openvpn key` as Resolved.
It was fixed in above commits, wrong testing form my site.
Viacheslav added a comment to T4110: [IPV6-SSH/DNS} enable IPv6 link local adresses as listen-address %eth0.
@aha As I see tftp can't bind ipv6 link local address:
Viacheslav edited projects for T3299: Allow the web proxy service to listen on all IP addresses, added: VyOS 1.3 Equuleus ( 1.3.1); removed VyOS 1.3 Equuleus (1.3.0).
Cherry-pick PR https://github.com/vyos/vyos-1x/pull/1146
It requires checking for 1.3 as it was changed and it uses the old backend on Perl (links above).
vyos@vyos# run show config comm | grep fire set firewall name FOO default-action 'accept' set firewall name FOO rule 10 action 'accept' set firewall name FOO rule 10 source address '198.51.100.0/24' set firewall name FOO rule 999997 action 'drop' set firewall name FOO rule 999997 source address '203.0.113.0/24' [edit]
It seems -V option:
Viacheslav moved T4142: Input ifbX interfaces not displayed in op-mode from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
PR for 1.3 https://github.com/vyos/vyos-nhrp/pull/7
PR for 1.4 https://github.com/vyos/vyos-1x/pull/1145
Viacheslav changed the status of T4152: NHRP shortcut-target holding-time does not work from Open to In progress.
Check a real generated firewall iptables/nftables config
As 10000 it is the latest default rule, so your rules can be applied after default action with seq 10000
Viacheslav changed the status of T4087: IPsec IKE-group proposals limit of 10 pieces from Open to Needs testing.
Viacheslav added a project to T4087: IPsec IKE-group proposals limit of 10 pieces : VyOS 1.4 Sagitta.
Could you also create a pr for 1.4?
Or 1.4 doesn’t have such limits?
Does it work with vlan bridges T3115?