PR https://github.com/vyos/vyos-1x/pull/1496
vyos@r14# commit
[ vpn sstp ] "tcp" port "443" is used by another service
PR https://github.com/vyos/vyos-1x/pull/1491
set nat66 destination rule 100 destination address '2001:1111:1111:1111::10'
set nat66 destination rule 100 inbound-interface 'eth0'
set nat66 destination rule 100 translation address 'fd00:1111:1111:1111::10'
set nat66 source rule 100 destination prefix '!fd00:2222:2222:2222::/64'
set nat66 source rule 100 outbound-interface 'eth0'
set nat66 source rule 100 source prefix 'fd00:1111:1111:1111::/64'
set nat66 source rule 100 translation address '2001:1111:1111:1111::10'
set nat66 source rule 120 destination prefix '2001:db8:2222::/64'
set nat66 source rule 120 outbound-interface 'eth0'
set nat66 source rule 120 source prefix '2001:db8:1111::/64'
set nat66 source rule 120 translation address 'masquerade'
set nat66 source rule 130 destination prefix '2001:db8:2222::/64'
set nat66 source rule 130 outbound-interface 'eth0'
set nat66 source rule 130 source prefix '2001:db8:2244::/64'
set nat66 source rule 130 translation address 'masquerade'
show
vyos@r14:~$ show nat66 source rules
Rule Source Destination Proto Out-Int Translation
------ ------------------------ ------------------------- ------- --------- -----------------------
100 fd00:1111:1111:1111::/64 !fd00:2222:2222:2222::/64 IP6 eth0 2001:1111:1111:1111::10
sport any dport any
120 2001:db8:1111::/64 2001:db8:2222::/64 IP6 eth0 masquerade
sport any dport any
130 2001:db8:2244::/64 2001:db8:2222::/64 IP6 eth0 masquerade
sport any dport any
vyos@r14:~$
vyos@r14:~$
vyos@r14:~$ show nat66 destination rules
Rule Source Destination Proto In-Int Translation
------ --------- ----------------------- ------- -------- -----------------------
100 ::/0 2001:1111:1111:1111::10 any eth0 fd00:1111:1111:1111::10
sport any dport any
vyos@r14:~$
I prefer to get this option configurable if it is possible
For IPv6 and VRFs - nice to have.
As it is used in BGP, I see something like set protocols bgp parameters next-hop-track resolve-via-default
Or, as it was mentioned in T3500:
set routing-options next-hop-track resolve-via-default
But it will be an additional node with only one option; we need to think about it.
PR https://github.com/vyos/vyos-1x/pull/1489
vyos@r14:~$ show conntrack statistics
CPU    Found    Invalid    Insert    Insert fail      Drop    Early drop    Errors    Search restart
-----  -------  ---------  --------  ---------------  ------  ------------  --------  -----------------
cpu=0  found=0  invalid=0  insert=0  insert_failed=0  drop=0  early_drop=0  error=0   search_restart=0
cpu=1  found=0  invalid=0  insert=0  insert_failed=0  drop=0  early_drop=0  error=0   search_restart=0
cpu=2  found=0  invalid=0  insert=0  insert_failed=0  drop=0  early_drop=0  error=0   search_restart=0
cpu=3  found=0  invalid=0  insert=0  insert_failed=0  drop=0  early_drop=0  error=0   search_restart=48
vyos@r14:~$
Check NGINX address/port before applying/committing service https
PR https://github.com/vyos/vyos-1x/pull/1488
@daniil, could you check/test this PR https://github.com/vyos/vyos-1x/pull/1487 (only for IPv4)
I guess it is the task T4632
PR https://github.com/vyos/vyos-1x/pull/1482
set nat66 destination rule 120 description 'foo'
set nat66 destination rule 120 destination port '4545'
set nat66 destination rule 120 inbound-interface 'eth0'
set nat66 destination rule 120 protocol 'tcp'
set nat66 destination rule 120 source address '2001:db8:2222::/64'
set nat66 destination rule 120 source port '8080'
set nat66 destination rule 120 translation address '2001:db8:1111::1'
set nat66 destination rule 120 translation port '5555'
There is a bug with such an implementation of the check for openconnect.
It is not possible to create the second user in another commit (as the port is already bound).
vyos@r14# run show conf com | match vpn
set vpn openconnect authentication local-users username foo password 'bar'
set vpn openconnect authentication mode local 'password'
set vpn openconnect listen-ports tcp '8443'
set vpn openconnect listen-ports udp '8443'
set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24'
set vpn openconnect network-settings name-server '100.64.0.1'
set vpn openconnect ssl ca-certificate 'ca-ocserv'
set vpn openconnect ssl certificate 'srv-ocserv'
[edit]
vyos@r14# commit
No configuration changes to commit
[edit]
vyos@r14# sudo netstat -tulpn | grep 8443
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      23880/ocserv-main
tcp6       0      0 :::8443                 :::*                    LISTEN      23880/ocserv-main
udp        0      0 0.0.0.0:8443            0.0.0.0:*                           23880/ocserv-main
udp6       0      0 :::8443                 :::*                                23880/ocserv-main
[edit]
vyos@r14# set vpn openconnect authentication local-users username foo2 password 'bar2'
[edit]
vyos@r14# commit
[ vpn openconnect ] "tcp" port "8443" is used by another service
It seems to be after this commit https://github.com/vyos/vyos-1x/commit/1b637f78b870f8ecc4971de5baf0a6fda54c40f7 for T4597
As the port is already listened on by ocserv itself, maybe we should revert it or change the logic to check that the process bound to the port is not the ocserv service
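The check described in the comment above, as an added illustration that is not vyos-1x's own code: parse `netstat -tulpn` output in the layout shown on this page, then treat a socket as a conflict only when it is held by something other than the service's own daemon, so a second commit that adds a user does not fail on the port ocserv already holds. The function names, the program name "ocserv-main" used as the daemon's identity, and the sample netstat output are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in `netstat -tulpn` layout (not captured from a real box).
# Rows: ocserv already holds tcp/udp 8443, nginx holds tcp 443, and one socket
# on tcp 8080 has no visible owner ("-"), as netstat prints it without privileges.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      23880/ocserv-main
tcp6       0      0 :::8443                 :::*                    LISTEN      23880/ocserv-main
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1201/nginx
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:8443            0.0.0.0:*                           23880/ocserv-main
udp6       0      0 :::8443                 :::*                                23880/ocserv-main
"""


@dataclass(frozen=True)
class Listener:
    proto: str              # "tcp" or "udp"; tcp6/udp6 are normalised to these
    port: int
    pid: Optional[int]      # None when netstat shows "-" (owner not visible)
    program: Optional[str]


def parse_netstat(output: str) -> List[Listener]:
    """Parse `netstat -tulpn` output into Listener records."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # header lines and anything that is not a socket row
        proto = "tcp" if fields[0].startswith("tcp") else "udp"
        port = int(fields[3].rsplit(":", 1)[1])  # rsplit also handles ":::8443"
        pid, program = None, None
        match = re.fullmatch(r"(\d+)/(\S+)", fields[-1])
        if match:
            pid, program = int(match.group(1)), match.group(2)
        listeners.append(Listener(proto, port, pid, program))
    return listeners


def port_conflict(listeners: List[Listener], proto: str, port: int,
                  own_programs: Set[str]) -> Optional[Listener]:
    """Return the first socket on proto/port held by something other than the
    service's own processes, or None when the port is free or only our own
    daemon holds it. A socket whose owner is not visible is reported as a
    conflict: we cannot prove it is ours, so failing closed is the safe choice."""
    for entry in listeners:
        if entry.proto != proto or entry.port != port:
            continue
        if entry.program in own_programs:
            continue  # our own daemon from an earlier commit, not a conflict
        return entry
    return None


def check_commit(listeners: List[Listener], proto: str, port: int,
                 own_programs: Set[str]) -> str:
    """Build the message a commit-time check would raise (empty string = ok)."""
    other = port_conflict(listeners, proto, port, own_programs)
    if other is None:
        return ""
    owner = other.program or "an unknown process"
    return f'"{proto}" port "{port}" is used by another service ({owner})'


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    # Re-committing openconnect on 8443 must not trip over its own ocserv sockets
    print(repr(check_commit(rows, "tcp", 8443, {"ocserv-main"})))
    # ...but a port held by nginx is a genuine conflict
    print(check_commit(rows, "tcp", 443, {"ocserv-main"}))
```

Matching on the program name is a convenience for the illustration; a production check would rather compare the PID against the service's own unit (for example via the PID file or `systemctl show -p MainPID`), since a process name is trivially reused. The "unknown owner counts as a conflict" rule is deliberate: the check runs with enough privilege on a router to see every owner, so an invisible one is a reason to stop, not to proceed.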
There is an example of how we build ocserv for 1.3 https://github.com/vyos/vyos-build/commit/2e1eac5980720d060834540e717f4f8a1189b9b0
Try to add some capabilities, for example, CAP_CHOWN or CAP_DAC_OVERRIDE or something else
sudo nano /etc/systemd/system/vyos-telegraf.service.d/10-override.conf
PR https://github.com/vyos/vyos-1x/pull/1478
set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 protocol 'tcp'
set firewall name FOO rule 10 tcp flags syn
set firewall name FOO rule 10 tcp mss '1-500'
I did my internal tests and can't reproduce it
20K entries applied in 0.20 sec
root@r14:/home/vyos# cat tmp.nft | wc -l
20029
root@r14:/home/vyos#
root@r14:/home/vyos# sudo time nft -f tmp.nft
real    0m 0.20s
user    0m 0.13s
sys     0m 0.06s
root@r14:/home/vyos#
200K entries in 2 sec
root@r14:/home/vyos# cat tmp.nft | wc -l
200029
root@r14:/home/vyos#
root@r14:/home/vyos# sudo nft flush ruleset
root@r14:/home/vyos#
root@r14:/home/vyos# sudo time nft -f tmp.nft
real    0m 1.91s
user    0m 1.20s
sys     0m 0.70s
root@r14:/home/vyos#
@m.korobeinikov Could you check it in 1.3
PR for 1.3.2 https://github.com/vyos/vyatta-cfg-qos/pull/16
A similar request: T3896
It seems UPnP rules don't work at all, task T4620
@patrickli Could you send a real example? In your example, the port ranges are incorrect, and it is also not all of the required UPnP configuration
If you sent all the UPnP configuration, it has already been done :)
I'm not a UPnP person, so I ask for some examples.
I tried to add vrf, but it requires some permissions; the service is not starting
diff --git a/data/templates/monitoring/override.conf.j2 b/data/templates/monitoring/override.conf.j2 index 9f1b4ebe..63e479af 100644 --- a/data/templates/monitoring/override.conf.j2 +++ b/data/templates/monitoring/override.conf.j2 @@ -1,7 +1,10 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} [Unit] After=vyos-router.service ConditionPathExists=/run/telegraf/vyos-telegraf.conf [Service] +ExecStart= +ExecStart={{ vrf_command }}/usr/bin/telegraf -config /run/telegraf/vyos-telegraf.conf -config-directory /etc/telegraf/telegraf.d $TELEGRAF_OPTS Environment=INFLUX_TOKEN={{ influxdb.authentication.token }} CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN diff --git a/interface-definitions/service-monitoring-telegraf.xml.in b/interface-definitions/service-monitoring-telegraf.xml.in index 36f40a53..dc014ee1 100644 --- a/interface-definitions/service-monitoring-telegraf.xml.in +++ b/interface-definitions/service-monitoring-telegraf.xml.in @@ -306,6 +306,7 @@ </leafNode> </children> </node> + #include <include/interface/vrf.xml.i> </children> </node> </children>
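Review bot: in the override.conf.j2 hunk, the new `ExecStart={{ vrf_command }}/usr/bin/telegraf ...` line runs the daemon under `ip vrf exec <vrf>` whenever a VRF is set, but the unit keeps `AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN`; `ip vrf exec` attaches a cgroup BPF program and needs more than those two (CAP_SYS_ADMIN, or CAP_BPF on newer kernels), and CAP_SYS_ADMIN appears only in `CapabilityBoundingSet`, which limits what may be acquired but grants nothing. That is consistent with the "requires some permissions, service is not starting" report above. Suggest granting the extra capability in `AmbientCapabilities` only inside an `{% if vrf is vyos_defined %}` block, so the non-VRF unit keeps the tighter set, and recording in the template why the VRF case needs it; the bare `ExecStart=` reset line before the new ExecStart is the right systemd idiom and should stay.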
It is possible but with specific syntax
I found some examples:
nft insert rule ip filter VYOS_FW_FORWARD ip 'saddr & 0.255.0.255 != 0.11.0.13' counter
@patrickli nftables is not an engine for iptables. It is a program to work with netfilter
That's why I ask for the real example
root@r1:/home/vyos# nft insert rule ip6 filter INPUT ip6 saddr ::dead:beef/::ffff:ffff counter
Error: syntax error, unexpected string, expecting number
insert rule ip6 filter INPUT ip6 saddr ::dead:beef/::ffff:ffff counter
^^^^^^^^^^^
root@r1:/home/vyos#