PR for op-mode importing existing PKI files into config: https://github.com/vyos/vyos-1x/pull/1343

In T1230#123939, @panachoi wrote:

1.4 rolling does not help me, so there must be something "wrong" with my configuration. I've attached the private config, it would be awesome if someone might find what's broken.

private.cfg127 KBDownload

@panachoi If you can share the anonymized config that works in 1.2.8 that would be useful. I'd expect migrating to 1.4 to see a decent improvement in firewall load times.

30 largest packages in 1.4 dev build:

telegraf 144 MB
linux-image-5.10.109-amd64-vyos 107 MB
libwireshark14 100 MB
vyos-linux-firmware 68.8 MB
containernetworking-plugins 51.2 MB
vyos-http-api-tools 40.4 MB
podman 37.3 MB
python3-pycryptodome 36.0 MB
libicu67 33.9 MB
vim-runtime 32.9 MB
vyos-1x 29.2 MB
libperl5.32 28.5 MB
salt-common 27.9 MB
nmap-common 21.2 MB
frr 20.2 MB
libruby2.7 17.9 MB
coreutils 17.9 MB
perl-modules-5.32 17.9 MB
grub-common 17.8 MB
systemd 16.4 MB
locales 16.4 MB
libc6 13.1 MB
pmacct 13.0 MB
ieee-data 12.3 MB
vyos-intel-qat 11.7 MB
aptitude-common 10.3 MB
gdb 10.0 MB
udev 9,184 kB
grub-efi-amd64-bin 8,831 kB
squid 8,582 kB

PR: https://github.com/vyos/vyos-1x/pull/1275

Perhaps only in-use sets can be determined and loaded?

Error implies that firewall failed to configure on boot as mangle table is missing. Any logs/config trace from boot?

1.3 PR: https://github.com/vyos/vyatta-cfg-system/pull/176
1.4 PR: https://github.com/vyos/vyatta-cfg-system/pull/177

@n.fort I have been able to reproduce this, it only occurs when installing for UEFI.

sgdisk man says -n should have a partition number followed by start/end values. Looking at the code this bug is present in all versions 1.2 and above.

I think @c-po has started migrating it in T3579 but op-mode not yet complete.

PR: https://github.com/vyos/vyos-1x/pull/1206

PR: https://github.com/vyos/vyos-1x/pull/1201

Adding this issue to this task: https://forum.vyos.io/t/firewall-configuration-issue-after-upgrade/8414

PR: https://github.com/vyos/vyos-1x/pull/1199

PR: https://github.com/vyos/vyos-1x/pull/1199

PR: https://github.com/vyos/vyos-1x/pull/1199

I already have a fix for this from your comment on T4213. Will have it included in a PR shortly.

I've actually found a way to define this properly, resulting rule now looks like below:

tcp dport { 22 } add @FOO_30 { ip saddr limit rate over 4/minute burst 4 packets } counter packets 3 bytes 156 reject comment "FOO-30"
ct state { new } tcp dport { 22 } counter packets 5 bytes 260 return comment "FOO-40"

Good to hear, going to mark this as resolved.

PR: https://github.com/vyos/vyos-1x/pull/1194

In T4209#117579, @thomasjsn wrote:

In T4209#117429, @sdev wrote:

Would changing the guide to use limit rate 4/minute achieve the same target functionality?

What is the practical difference between limit rate and recent? Is it just two different ways of accomplishing the same?

I've come up with a working idea how to implement but would like feedback before submitting a PR.

Thanks for the report, I believe I know what's caused it to break. Hopefully will have a fix in for the build tomorrow.

@johannrichard Hey sorry I didn't see your comment, I suggest we move the discussion to the dedicated task: https://phabricator.vyos.net/T4209

This was included with the new firewall, going to mark as resolved.

The new firewall niw has no such restrictions on port definitions, going to close this as resolved.

This is now implemented in 1.4

Should be fixed now with https://github.com/vyos/vyos-1x/pull/1193

Above fixed in PR: https://github.com/vyos/vyos-1x/pull/1193

PR: https://github.com/vyos/vyos-1x/pull/1192

As reproducing the exact issue seems to be difficult, I'm going to instead change the install function so it catches errors and outputs the set pki ... syntax so it behaves like generate pki ... install <name> is run from op-mode anyway.

This issue is due to negated source/destination port not being handled properly in code, not validation.

It looks like it’s trying to directly install the certificate into the config from op-mode, that is only supposed to happen while you're in configure mode calling the command using run generate pki ... install <name>.

I had forgotten about the recent syntax and it was merged in a broken state (https://github.com/vyos/vyos-1x/blob/current/python/vyos/firewall.py#L164). We should try and find a remedy, or remove it from CLI.

PR + migration: https://github.com/vyos/vyos-1x/pull/1184

I can't reproduce this issue on latest rolling

PR: https://github.com/vyos/vyos-1x/pull/1178

PR: https://github.com/vyos/vyos-1x/pull/1177

Okay, thanks for the update. I have found a conntrack issue in the code. Will have a fix in shortly.

Fixed in 1.4 PR: https://github.com/vyos/vyos-1x/pull/1176

You need to remove the state new match on the rule and it'll work.

Included those flags in PR: https://github.com/vyos/vyos-1x/pull/1174

Included in PR: https://github.com/vyos/vyos-1x/pull/1174

Thanks, will include a fix in a PR shortly

PR: https://github.com/vyos/vyos-1x/pull/1167

Thanks for the report, working on the fix now.

PR: https://github.com/vyos/vyos-1x/pull/1161

Forgot that my PR for WLB was still a draft. That the jump does seem to be created properly with this PR in place.

That build at 08:11 UTC was a couple of hours before the commit was merged: https://github.com/vyos/vyos-1x/commit/f97144259335102c3d96b232cbb0af4970120d62

Seems to be working on my latest build?

Thanks, I really like the include idea and have implemented it in the attached PR. Also added a check in firewall.py to reload policy-route script to keep any group changes updated.