PR: https://github.com/vyos/vyos-build/pull/377

Until the other maintainers share their ideas and thoughts I would like to add some context about FreeIPA and Active Directory, as I have the impression, that the difference between FreeIPA and Active Dirctory is not completely clear.

Comparing with other vendors thats what you use the ACL for.

The short story:

I disagree with that. Cause only why bgp is running, we don't need the port to be reachable on all interfaces or for all source IP's.

A dirty workaround would be to include a "hidden" (as in it exists in nft but not displayed in the vyos-config itself) CoPP table which includes the port(s) needed for:

It's me. I'm User! Happy to provide before (1.4-rolling-202308060317) and after (1.4-rolling-202308180646) VyOS configs and nft dumps for analysis. I can reliable reproduce/correct the issue by switching between those two images.

As seen on slack and I think on the forum.

Perhaps same workaround as firewalld is implementing through option "IPv6_rpfilter=yes" could be implemented in VyOS (both uses nft)?

Possibly the fib statement can be used through nft:

today I want test how fast firewall rules loading and changing in vyos performed. I took an vyos-1.4-rolling-202308180646-amd64.iso boot it as kvm guest.
Then I added some rules with:

Looks like the Problem still exist in 1.4. Are there any plans?

Nope, scrap the above. (Even though it would not surprise me if systemd would be able to perform such tasks in initramfs or else where.)

My guess is that a whole bunch of systemd-things are missing inside initramfs.
For example systemd-fsck-root.service has Before=local-fs.target shutdown.target & ConditionPathIsReadWrite=!/ which (to me) suggests it should be ran from inside initramfs, before your root partition is mounted.

PR https://github.com/vyos/vyos-1x/pull/2159

I ran what you suggested, but it still shows wrong block/inode count right after boot.

Looks like you would need some more extensive checking of that partition.

As I understabd FreeIPA is an alternative to ActiveDirectory? And SSSD should support authentication via LDAP only if the backend is AD.

I managed to enter initramfs on the machine running in a VM by appending break to grub. From there I manually ran a fs check, which didn't show any issues.

I have created this task regarding the fsck issues (fsck does not run during boot): https://vyos.dev/T5498

PR for 1.3 https://github.com/vyos/vyos-1x/pull/2158

Both attached files seem to be downloadable (but now viewable in browser) from the download-link in the upper right corner after clicking a file.

Thank you for taking a look on the PR.

In PR 2152:

Adding Kerberos to a router is overkill in my opinion. I'd agree on adding LDAP(s) auth support via sssd of course, but Kerberos is simply a bit beyond the scope.

Works for me without errors but I currently only have an empty ruleset:

I couldn't open those files, but it can be related our firewall refactor :

I confirm this warning message , although, on Linux doesn't affect or at least with our server/client work as expected :

The similar task https://vyos.dev/T4797

Pull request #2156 opened
https://github.com/vyos/vyos-1x/pull/2156

This error not only occurs for new settings in global-options but also for older:

PR https://github.com/vyos/vyos-1x/pull/2130

PR https://github.com/vyos/vyos-1x/pull/2155

Priority must be less than -200 https://github.com/vyos/vyos-1x/blob/08cb4f350b335d5af401f30850d410b4be38530d/data/vyos-firewall-init.conf#L23-L32
https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_connection_tracking_metainformation#notrack_-_Bypass_connection_tracking

	chain PREROUTING {
		type filter hook prerouting priority -200; policy accept;
		counter packets 6405 bytes 444828 jump VYOS_CT_IGNORE
		counter packets 6405 bytes 444828 jump VYOS_CT_TIMEOUT
		counter packets 6405 bytes 444828 jump VYOS_CT_PREROUTING_HOOK
		counter packets 6405 bytes 444828 jump FW_CONNTRACK
		notrack
	}

Tested after merging T5476 and now we see a proper DHCP release message

PR for 1.3.4 https://github.com/vyos/vyos-1x/pull/2153

Thanks @Apachez - closing

In T5160#156049, @Apachez wrote:

If there would never be such then "INVALID" wouldnt exist as an option.

Another update. I noticed that all firewall configuration was gone (apart from the groups) after a reboot.

If there would never be such then "INVALID" wouldnt exist as an option.

PR https://github.com/vyos/vyos-1x/pull/2152

I have attached both files.

PRs:

• https://github.com/vyos/vyos-1x/pull/2151
• https://github.com/vyos/vyos-build/pull/376

In T5160#156025, @Apachez wrote:

2.2: Invalid shall ALWAYS be processed BEFORE established/related/other rules otherwise it will not serve it purpose.

I will suggest to move all arm64 kernel flavour to "arm64-vyos" as "amd64-vyos" in x86_64.
It will be better not to have "LOCALVERSION=-v8" in kernel configs.

Thanks, @jestabro
Zabbix-agent really can include config directory, and if it is set and exists any *.conf file it thinks that those files related to zabbix-agent and expects specific config syntax/options.
I.e. it extends zabbix-agent with custom .confg files.
As it was a wrong format, most likely it can't start at all.

2.2: Invalid shall ALWAYS be processed BEFORE established/related/other rules otherwise it will not serve it purpose.