Hello @Viacheslav, thanks for reply, so, if you'll bridge vtun94 and eth0.94 to br94 will it work in L2 level?
Did you push this update to nightbuild?
- Feed Queries
- All Stories
- Search
- Feed Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Jan 19 2022
Jan 19 2022
Jan 19 2022, 3:39 AM · Bugs, VyOS 1.5 Circinus, VyOS 1.4 Sagitta (1.4.1), Restricted Project, openvpn
Unknown Object (User) created T4194: prefix-list no check for duplicate entries.
Jan 18 2022
Jan 18 2022
Some details in T4193
GitHub <noreply@github.com> committed rVYOSONEXc77369761f9c: Merge pull request #1178 from sarthurdev/firewall_T4188 (authored by c-po).
Resolved in T3873
sarthurdev changed the status of T4188: Firewall does not correctly handle conntracking from In progress to Needs testing.
johannrichard awarded T3560: Ability to create groups of MAC addresses a Like token.
sarthurdev changed the status of T3560: Ability to create groups of MAC addresses, a subtask of T2199: Rewrite firewall in new XML/Python style, from Open to Needs testing.
sarthurdev changed the status of T3560: Ability to create groups of MAC addresses from Open to Needs testing.
sarthurdev renamed T4188: Firewall does not correctly handle conntracking from Firewall does not match ICMPv6 packets to Firewall does not correctly handle conntracking.
sarthurdev changed the status of T4188: Firewall does not correctly handle conntracking from Open to In progress.
Okay, thanks for the update. I have found a conntrack issue in the code. Will have a fix in shortly.
Unknown Object (User) added a comment to T3522: policy based routing not working.
Looks like I see the same issue for 1.3.0. Reproducing steps:
set interfaces ethernet eth1 address 'dhcp' set protocols static table 1 route 0.0.0.0/0 dhcp-interface eth1
Thanks, this does fix the ICMP issue, however rule 10 which is supposed to accept packets with related/established states (say a HTTP response following a request), doesn't seem to match any packets, and the packets get dropped by the default rule.
TCP Flags seems to be working on firewall filter config.
Tested on VyOS 1.4-rolling-202201180317 and working as expected
sarthurdev closed T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases , a subtask of T2199: Rewrite firewall in new XML/Python style, as Resolved.
sarthurdev closed T3286: Switch the firewall from iptables to nftables, a subtask of T2199: Rewrite firewall in new XML/Python style, as Resolved.
sarthurdev changed the status of T1292: Issues while deleting all rules from a firewall, a subtask of T2199: Rewrite firewall in new XML/Python style, from Open to Needs testing.
sarthurdev changed the status of T1292: Issues while deleting all rules from a firewall from Open to Needs testing.
Fixed in 1.4 PR: https://github.com/vyos/vyos-1x/pull/1176
@klipz In my case, the only problem is adding the wlan interface to the bridge at startup (looks like an order thing), when vyos is started (and the wlan interface is up) no problem to add it to the bridge witth the CLI.
The XDP proof of concept program that is availbale in 1.4 does not support 802.1q - those headers are not parsed and processed.
c-po changed the status of T4187: XDP broken for VLAN/vif interfaces with hardware offloading from Open to Confirmed.
What would be the use-case? We can start PDNS in one VRF context only.
c-po changed the status of T3700: Support VLAN tunnel mapping of VLAN aware bridges, a subtask of T3137: Let VLAN aware bridge approach the behavior of professional equipment, from In progress to On hold.
c-po changed the status of T3700: Support VLAN tunnel mapping of VLAN aware bridges from In progress to On hold.
Jan 17 2022
Jan 17 2022
Viacheslav added a comment to T2762: VRF: when SSHd is VRF bound all commands are executed in VRF context.
PR for ping https://github.com/vyos/vyos-1x/pull/1175
You need to remove the state new match on the rule and it'll work.
c-po moved T3164: console-server ssh does not work with RADIUS PAM auth from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
Viacheslav closed T891: Current multi-table usage with VRF-netns tables in FRR is partially broken for PBR. as Not Applicable.
Close the task
@Watcher7 Re-test it or describe steps hot to reproduce, as since 1.2-rc2 was implemented a lot of changes regarding vrf + frr.
You can set both vrf + next-hop address
c-po renamed T3318: Update Linux Kernel to v5.4.208 / 5.10.142 from Update Linux Kernel to v5.4.171 / 5.10.91 to Update Linux Kernel to v5.4.172 / 5.10.92.
I experience the same problem of VyOS failing to add wlan0 to bridge, which persists in all 1.3-epa and 1.3-LTS versions, as well as 1.4 nightly builds.
GitHub <noreply@github.com> committed rVYOSONEX9fb2e1432209: Merge pull request #1174 from sarthurdev/firewall (authored by c-po).
Tested and working as expected on VyOS 1.4-rolling-202201150317
There are some issues with powerdns in vrf context.
Included those flags in PR: https://github.com/vyos/vyos-1x/pull/1174
Think 2 flag options should be added.
According to nft wiki these are all the flags that nft could match: tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr}
Included in PR: https://github.com/vyos/vyos-1x/pull/1174
It is a different task, it extends only the range which you can to use for rule numbers.
For example, if you want 3 rules
Rule 100, rule 1000, rule 10000 etc.
Accepting time it is another task. B.t.w firewall was rewritten in 1.4, I hope that commit time was decreased.
Unknown Object (User) added a comment to T4100: Firewall increase maximum number of rules.
I think we will have a problem with such a large number of rules. Now, if there are 1500 vyos rules, it takes 30 minutes to load. If there are 999999 rules, it will take a very long time to load.
Jan 16 2022
Jan 16 2022
sarthurdev changed the status of T3873: Zone based Firewall - Filter traffic in same zone from Open to In progress.
Thanks, will include a fix in a PR shortly
c-po moved T3164: console-server ssh does not work with RADIUS PAM auth from Open to Finished on the VyOS 1.4 Sagitta board.
c-po changed the status of T3164: console-server ssh does not work with RADIUS PAM auth from Open to Needs testing.
n.fort added a comment to T4160: Firewall - Error in rules that matches everything except something.
I can see the fix, but now trying invert selection on tcp flags doesn't work
Testing this feature in VyOS 1.4-rolling-202201100317 I'm getting some unexpected behavior.
Config:
GitHub <noreply@github.com> committed rVYOSONEX56255941e584: Merge pull request #1172 from sever-sever/T4184-equ (authored by c-po).
For full support we need this added to FRR: https://github.com/FRRouting/frr/pull/9204
Jan 15 2022
Jan 15 2022
Viacheslav moved T4184: NTP allow-clients address doesn't work it allows to use ntp server for all addresses from Open to Finished on the VyOS 1.4 Sagitta board.
PR for 1.3 https://github.com/vyos/vyos-1x/pull/1172
GitHub <noreply@github.com> committed rVYOSONEX618db51b3b4c: Merge pull request #1171 from sever-sever/T4184 (authored by c-po).
GitHub <noreply@github.com> committed rVYOSONEX31a27136a499: Merge pull request #1170 from sever-sever/T4183-equ (authored by c-po).
Viacheslav renamed T4184: NTP allow-clients address doesn't work it allows to use ntp server for all addresses from NTP allow-clients address doesn't work to NTP allow-clients address doesn't work it allows to use ntp server for all addresses.
Viacheslav changed the subtype of T4184: NTP allow-clients address doesn't work it allows to use ntp server for all addresses from "Task" to "Bug".
Viacheslav changed the status of T4184: NTP allow-clients address doesn't work it allows to use ntp server for all addresses from Open to In progress.
Viacheslav added a comment to T4110: [IPV6-SSH/DNS} enable IPv6 link local adresses as listen-address %eth0.
PR for 1.3 https://github.com/vyos/vyos-1x/pull/1170
PR for 1.3 https://github.com/vyos/vyos-1x/pull/1170
Viacheslav reopened T4110: [IPV6-SSH/DNS} enable IPv6 link local adresses as listen-address %eth0 as "In progress".
Viacheslav moved T4150: VRRP with conntrack-sync does not work from Open to Finished on the VyOS 1.4 Sagitta board.