@syncer We'll add/merge it to 1.3.3 (We discussed it and agree to add it after 1.3.2 release)
- Feed Queries
- All Stories
- Search
- Feed Search
- Transactions
- Transaction Logs
Feed Search
Aug 29 2022
Aug 29 2022
Viacheslav edited projects for T3702: Policy: Allow routing by fwmark, added: VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).
Viacheslav renamed T4654: RPKI cache incorrect description from RPKI cache incorrect desctiption to RPKI cache incorrect description.
In T2044#129750, @egoistdream wrote:Hi,
Same issue on VyOS 1.4-rolling-202208240217
And when you set the rpki ips you have wrong description on the options, instead of the "rpki server ip" you have "NTP server"
router# set protocols rpki cache ?
Possible completions:
> <x.x.x.x> IP address of NTP server
> <h:h:h:h:h:h:h:h> IPv6 address of NTP server
> <hostname> Fully qualified domain name of NTP server
In the 1.4 nat translations were rewritten, but I didn't delete the old python code yet https://github.com/vyos/vyos-1x/pull/1501
Viacheslav moved T4601: dhcp : relay agent IP address issue. from Backport Candidates to Need Triage on the VyOS 1.3 Equuleus (1.3.3) board.
Viacheslav moved T4601: dhcp : relay agent IP address issue. from Open to Backport Candidates on the VyOS 1.4 Sagitta board.
Viacheslav moved T4601: dhcp : relay agent IP address issue. from Need Triage to Backport Candidates on the VyOS 1.3 Equuleus (1.3.3) board.
Viacheslav edited projects for T4601: dhcp : relay agent IP address issue., added: VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).
Aug 27 2022
Aug 27 2022
Viacheslav changed the status of T4650: Rewire show nat translation to vyos.opmode format, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, from In progress to Needs testing.
Viacheslav changed the status of T4650: Rewire show nat translation to vyos.opmode format from In progress to Needs testing.
Aug 26 2022
Aug 26 2022
Viacheslav changed the status of T4631: Add port and protocol to nat66 from In progress to Needs testing.
Viacheslav changed the status of T4650: Rewire show nat translation to vyos.opmode format, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, from Open to In progress.
Viacheslav changed the status of T4650: Rewire show nat translation to vyos.opmode format from Open to In progress.
Viacheslav added a comment to T4643: Smoketest exclude either sstp or openconnect from pki-misc default listen port.
Before fix:
06:04:21 DEBUG - FAIL: test_pki_misc (__main__.TestConfigPkiMisc) 06:04:21 DEBUG - ---------------------------------------------------------------------- 06:04:21 DEBUG - Traceback (most recent call last): 06:04:21 DEBUG - File "/usr/bin/vyos-configtest", line 50, in test_config_load 06:04:21 DEBUG - self.session.commit() 06:04:21 DEBUG - vyos.configsession.ConfigSessionError: [[service https]] failed 06:04:21 DEBUG - Commit failed 06:04:21 DEBUG - 06:04:21 DEBUG - 06:04:21 DEBUG - During handling of the above exception, another exception occurred: 06:04:21 DEBUG - 06:04:21 DEBUG - Traceback (most recent call last): 06:04:21 DEBUG - File "/usr/bin/vyos-configtest", line 53, in test_config_load 06:04:21 DEBUG - self.fail() 06:04:21 DEBUG - AssertionError: None
After fix:
vyos@r14:~$ /usr/bin/vyos-configtest Generating tests ... completed: 0.000608 test_pki_misc (__main__.TestConfigPkiMisc) ... time: 16.943 ok
Viacheslav reopened T4643: Smoketest exclude either sstp or openconnect from pki-misc default listen port as "Needs testing".
Aug 25 2022
Aug 25 2022
Viacheslav added a comment to T4202: NFT: Zone policies fail to apply when "l2tp+" is in the interface list.
We have to replace it in migration scripts if it is already not done
PR https://github.com/vyos/vyos-1x/pull/1497
vyos@r14:~$ show nat source statistics Rule Packets Bytes Interface ------ --------- ------- ----------- 100 1279 107896 eth0 120 1 60 eth1 vyos@r14:~$
Viacheslav changed the status of T4645: show nat source statistics lack argument --family from Open to In progress.
The easiest way it add vyatta-nat-translations.pl scripts to the op-mode script directory or rewrite it to the python.
Also discussed this configuration:
set service dhcp-relay <tag> interface eth0 upstream set service dhcp-relay <tag> interface eth1 downstream set service dhcp-relay <tag> server <x.x.x.x> set service dhcp-relay <tag> relay-options hop-count 1 set service dhcp-relay <tag> relay-options upsteam-port 547
Viacheslav changed the status of T4644: Check bind port before assign vpn sstp from Open to In progress.
PR https://github.com/vyos/vyos-1x/pull/1496
vyos@r14# commit [ vpn sstp ] "tcp" port "443" is used by another service
Viacheslav edited projects for T1070: SWANCTL: DMVPN: ALL peers are deleted in swan when opennhrp tries to delete ONE peer, added: VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).
Aug 25 2022, 8:00 AM · Bugs, VyOS 1.3 Equuleus (1.3.9), VyOS 1.4 Sagitta (1.4.0-GA), Restricted Project
Viacheslav changed the status of T4643: Smoketest exclude either sstp or openconnect from pki-misc default listen port from Open to In progress.
Viacheslav changed the status of T4597: Check bind port before assign service HTTPS API and openconnect from In progress to Needs testing.
Viacheslav closed T4626: Error showing nat66 source and destination, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, as Resolved.
Aug 24 2022
Aug 24 2022
Viacheslav changed the status of T4626: Error showing nat66 source and destination, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, from Open to In progress.
Viacheslav changed the status of T4626: Error showing nat66 source and destination from Open to In progress.
PR https://github.com/vyos/vyos-1x/pull/1491
set nat66 destination rule 100 destination address '2001:1111:1111:1111::10' set nat66 destination rule 100 inbound-interface 'eth0' set nat66 destination rule 100 translation address 'fd00:1111:1111:1111::10' set nat66 source rule 100 destination prefix '!fd00:2222:2222:2222::/64' set nat66 source rule 100 outbound-interface 'eth0' set nat66 source rule 100 source prefix 'fd00:1111:1111:1111::/64' set nat66 source rule 100 translation address '2001:1111:1111:1111::10' set nat66 source rule 120 destination prefix '2001:db8:2222::/64' set nat66 source rule 120 outbound-interface 'eth0' set nat66 source rule 120 source prefix '2001:db8:1111::/64' set nat66 source rule 120 translation address 'masquerade' set nat66 source rule 130 destination prefix '2001:db8:2222::/64' set nat66 source rule 130 outbound-interface 'eth0' set nat66 source rule 130 source prefix '2001:db8:2244::/64' set nat66 source rule 130 translation address 'masquerade'
show
vyos@r14:~$ show nat66 source rules
Rule Source Destination Proto Out-Int Translation
------ ------------------------ ------------------------- ------- --------- -----------------------
100 fd00:1111:1111:1111::/64 !fd00:2222:2222:2222::/64 IP6 eth0 2001:1111:1111:1111::10
sport any dport any
120 2001:db8:1111::/64 2001:db8:2222::/64 IP6 eth0 masquerade
sport any dport any
130 2001:db8:2244::/64 2001:db8:2222::/64 IP6 eth0 masquerade
sport any dport any
vyos@r14:~$
vyos@r14:~$
vyos@r14:~$ show nat66 destination rules
Rule Source Destination Proto In-Int Translation
------ --------- ----------------------- ------- -------- -----------------------
100 ::/0 2001:1111:1111:1111::10 any eth0 fd00:1111:1111:1111::10
sport any dport any
vyos@r14:~$Aug 23 2022
Aug 23 2022
Viacheslav updated subscribers of T4635: Add zebra option ip nht resolve-via-default as default option.
I prefer to get this option configurable if it is possible
For IPv6 and VRFs - nice to have.
As it is used in BGP, I see something like set protocols bgp parameters next-hop-track resolve-via-default
Or, as it was mentioned in T3500
set routing-options next-hop-track resolve-via-default but it will be an additional node with only one option, needs to think
PR https://github.com/vyos/vyos-1x/pull/1489
vyos@r14:~$ show conntrack statistics CPU Found Invalid Insert Insert fail Drop Early drop Errors Search restart ----- ------- --------- -------- --------------- ------ ------------ -------- ----------------- cpu=0 found=0 invalid=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0 cpu=1 found=0 invalid=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0 cpu=2 found=0 invalid=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0 cpu=3 found=0 invalid=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=48 vyos@r14:~$
Viacheslav changed the status of T4623: Add show conntrack statistics, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, from Open to In progress.
Viacheslav added a comment to T4597: Check bind port before assign service HTTPS API and openconnect.
Check NGINX address/port before applying/committing service https
PR https://github.com/vyos/vyos-1x/pull/1488
Viacheslav moved T4618: Traffic policy not set on virtual interfaces from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.2) board.
Viacheslav added a comment to T4309: Support network/address-groups and ipv6-network/ipv6-address-groups in "conntrack ignore".
@daniil, could you check/test this PR https://github.com/vyos/vyos-1x/pull/1487 (only for IPv4)
Viacheslav moved T4206: Policy Based Routing with DHCP Interface Issue from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.2) board.
Aug 22 2022
Aug 22 2022
Viacheslav added a comment to T4636: VLAN-Aware bridge not handling local traffic (and not able to perform inter-vlan routing).
I guess it the task T4632
Viacheslav changed the status of T4634: Bgp neighbor disable-connected-check does not work from Open to In progress.
Aug 20 2022
Aug 20 2022
PR https://github.com/vyos/vyos-1x/pull/1482
set nat66 destination rule 120 description 'foo' set nat66 destination rule 120 destination port '4545' set nat66 destination rule 120 inbound-interface 'eth0' set nat66 destination rule 120 protocol 'tcp' set nat66 destination rule 120 source address '2001:db8:2222::/64' set nat66 destination rule 120 source port '8080' set nat66 destination rule 120 translation address '2001:db8:1111::1' set nat66 destination rule 120 translation port '5555'
Viacheslav added a comment to T4597: Check bind port before assign service HTTPS API and openconnect.
Viacheslav added a comment to T4597: Check bind port before assign service HTTPS API and openconnect.
There is a bug with such implementation check for openconnect
It is not possible to create the second user in another commit (as port already bonded)
vyos@r14# run show conf com | match vpn set vpn openconnect authentication local-users username foo password 'bar' set vpn openconnect authentication mode local 'password' set vpn openconnect listen-ports tcp '8443' set vpn openconnect listen-ports udp '8443' set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24' set vpn openconnect network-settings name-server '100.64.0.1' set vpn openconnect ssl ca-certificate 'ca-ocserv' set vpn openconnect ssl certificate 'srv-ocserv' [edit] vyos@r14# commit No configuration changes to commit [edit] vyos@r14# sudo netstat -tulpn | grep 8443 tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 23880/ocserv-main tcp6 0 0 :::8443 :::* LISTEN 23880/ocserv-main udp 0 0 0.0.0.0:8443 0.0.0.0:* 23880/ocserv-main udp6 0 0 :::8443 :::* 23880/ocserv-main [edit] vyos@r14# set vpn openconnect authentication local-users username foo2 password 'bar2' [edit] vyos@r14# commit [ vpn openconnect ] "tcp" port "8443" is used by another service
Viacheslav added a comment to T4596: "show openconnect-server sessions" command does not work in the openconnect module.
It seems after this commit https://github.com/vyos/vyos-1x/commit/1b637f78b870f8ecc4971de5baf0a6fda54c40f7 for T4597
As the port already listens by ocserv itself, maybe we should revert it or change the logic to check that the port bind is not ocserv service
Aug 19 2022
Aug 19 2022
Viacheslav updated the task description for T4627: Ability to set host part IPv6 address via interface IP token.
Viacheslav changed the subtype of T4627: Ability to set host part IPv6 address via interface IP token from "Bug" to "Feature Request".
Viacheslav moved T4619: Static arp is not set if another entry is present from Open to Finished on the VyOS 1.4 Sagitta board.
There is an example of how we build ocserv for 1.3 https://github.com/vyos/vyos-build/commit/2e1eac5980720d060834540e717f4f8a1189b9b0
Aug 18 2022
Aug 18 2022
Viacheslav added a comment to T4617: VRF specification is needed for telegraf prometheus-client listen-address <address> .
Try to add some capabilities, for example, CAP_CHOWN or CAP_DAC_OVERRIDE or something else
sudo nano /etc/systemd/system/vyos-telegraf.service.d/10-override.conf
PR https://github.com/vyos/vyos-1x/pull/1478
set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 protocol 'tcp' set firewall name FOO rule 10 tcp flags syn set firewall name FOO rule 10 tcp mss '1-500'
Viacheslav changed the status of T4622: Firewall allow drop packets by TCP MSS size from Open to In progress.