In T5497#161764, @Apachez wrote: I assume this will end up in config mode as well before this task can be set to resolved?
Simply because this is a few more steps:
- Use the command
- Copy the output
- Delete current firewall
- Paste command output
- Commit
than this:
- Use the command
- Commit
Oct 10 2023
Oct 8 2023
In T5635#161656, @freebsdjlu wrote: I think it depends on nftables, https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation#Matching_by_socket_UID_.2F_GID , it is first handled by nftables and mark, then use rule.
Oct 6 2023
PR https://github.com/vyos/vyos-1x/pull/2342
set policy local-route rule 23 destination port '222'
set policy local-route rule 23 protocol 'tcp'
set policy local-route rule 23 set table '123'
set policy local-route rule 23 source port '8888'
Check:
vyos@r4# ip rule show prio 23
23: from all ipproto tcp sport 8888 dport 222 lookup 123
[edit]
vyos@r4#
It supports uidrange https://man7.org/linux/man-pages/man8/ip-rule.8.html
Is it what you want?
uidrange NUMBER-NUMBER
select the uid value to match.
I don't see a gid option there.
Oct 5 2023
A similar bug with load if we change something in service https api:
curl -k --location 192.168.122.11 --request POST 'https://192.168.122.11/config-file' --form data='{"op": "load", "file": "config.boot"}' --form key='foo'
{"success": false, "error": "", "data": null}
Oct 4 2023
@rherold Could you re-check it?
Viacheslav moved T5585: Fix file access mode for dynamic dns configuration from Open to Finished on the VyOS 1.4 Sagitta board.
Viacheslav moved T5585: Fix file access mode for dynamic dns configuration from Open to Finished on the VyOS 1.5 Circinus board.
@indrajitr Thanks!
Can we close it?
Can we close it?
Viacheslav changed the status of T5612: Miscellaneous improvements and fixes for dynamic DNS configuration from Open to Needs testing.
@indrajitr, Could you re-check and close if it was solved?
Viacheslav changed the status of T5615: Narrow down spurious name conflict with mdns from Open to Needs testing.
Viacheslav updated the task description for T5631: Ability to export the current configuration in JSON format.
Viacheslav moved T5632: Add jq package to parse JSON files from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.5) board.
Viacheslav moved T5632: Add jq package to parse JSON files from Open to Finished on the VyOS 1.4 Sagitta board.
Viacheslav updated the task description for T5631: Ability to export the current configuration in JSON format.
Proposed CLI:
set system syslog global service wireguard
Expected command for debug
echo "module wireguard +p" | sudo tee /sys/kernel/debug/dynamic_debug/control
To disable
echo "module wireguard -p" | sudo tee /sys/kernel/debug/dynamic_debug/control
PR https://github.com/vyos/vyos-user-utils/pull/7
vyos@r4# echo '{"system": "VyOS", "rate": 100}' | jq '.system'
"VyOS"
[edit]
vyos@r4#
Viacheslav changed the status of T5632: Add jq package to parse JSON files from Open to In progress.
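T5631 asks for the running configuration in JSON and T5632 adds jq to consume it. As an added example (my code, not VyOS's own implementation of the feature), the parser below turns `set ...` lines of the form `show configuration commands` prints into a nested dict and serialises it as JSON. It relies on one property visible in the outputs on this page: leaf values are single-quoted, path words and tag values (`rule 1`) are not. The sample input is constructed for the example.

```python
"""Added example (not VyOS code): convert `set ...` configuration commands,
the format `show configuration commands` prints, into a nested dict and
emit it as JSON, the shape T5631 asks for. Standard library only."""
import json
import shlex

# Constructed sample, modelled on the command format seen in this feed.
SAMPLE_COMMANDS = """\
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 1 action 'accept'
set firewall ipv4 input filter rule 1 source address '127.0.0.0/8'
set firewall ipv4 input filter rule 2 state established 'enable'
set firewall ipv4 input filter rule 2 state related 'enable'
set system name-server '192.0.2.1'
set system name-server '192.0.2.2'
set service ssh
"""


def commands_to_tree(text: str) -> dict:
    """Parse `set` lines into nested dicts.

    A quoted last token is a leaf value; an unquoted path ends in an empty
    node (`set service ssh` -> {"service": {"ssh": {}}}). Repeated values
    under the same leaf (multi-valued nodes) are collected into a list.
    Raises ValueError on lines that are not well-formed set commands.
    """
    tree: dict = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # posix=False keeps the quotes, so values can be told apart from path words
        words = shlex.split(line, posix=False)
        if len(words) < 2 or words[0] != "set":
            raise ValueError(f"line {lineno}: not a set command: {line!r}")
        path = words[1:]
        value = None
        if path[-1][0] in "'\"":
            value = path[-1][1:-1]          # strip the surrounding quotes
            path = path[:-1]
            if not path:
                raise ValueError(f"line {lineno}: value without a path")
        node = tree
        for word in path[:-1]:
            node = node.setdefault(word, {})
            if not isinstance(node, dict):
                raise ValueError(f"line {lineno}: {word!r} is a leaf value, not a node")
        leaf = path[-1]
        if value is None:
            node.setdefault(leaf, {})
            continue
        current = node.get(leaf)
        if current is None:
            node[leaf] = value
        elif isinstance(current, list):
            current.append(value)
        elif isinstance(current, str):
            node[leaf] = [current, value]
        else:
            raise ValueError(f"line {lineno}: {leaf!r} already has child nodes")
    return tree


def to_json(tree: dict) -> str:
    """Stable, sorted JSON so two exports of the same config diff cleanly."""
    return json.dumps(tree, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(commands_to_tree(SAMPLE_COMMANDS)))
```

The output can be piped straight into the jq usage shown above (`... | jq '.firewall.ipv4.input.filter.rule'`). Keys are sorted on purpose: a deterministic export is what makes configuration diffs and audit comparisons meaningful.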
Try this
delete system conntrack ignore
set system conntrack ignore ipv4 rule 10 source address 0.0.0.0/0
Viacheslav updated subscribers of T5631: Ability to export the current configuration in JSON format.
Oct 3 2023
Viacheslav changed the subtype of T5629: Policy local-route bug after migration to destination node address from "Feature Request" to "Bug".
Viacheslav added a project to T5213: Accel-ppp sending accounting interim updates acct-interim-interval option: VyOS 1.3 Equuleus (1.3.5).
PR for 1.3.5 https://github.com/vyos/vyos-1x/pull/2333
Oct 2 2023
Viacheslav added a comment to T5627: Multicast - PIM prune state timers expire with time longer to remove a mroute.
The easiest way is to add a Patch for FRR 7.5.1 if possible.
We can't migrate to FRR 9.1 for 1.3.x
Sep 30 2023
Sep 29 2023
Could be a cause of this bug https://forum.vyos.io/t/igmp-proxy-not-working-in-1-4-since-around-7-sept
Viacheslav changed the status of T5621: Show uncommited "commands" (compare | commands) from Resolved to Invalid.
PR migration https://github.com/vyos/vyos-1x/pull/2325
Viacheslav changed the status of T5261: Add AWS gateway load-balancing tunnel handler (gwlbtun) from In progress to Needs testing.
Viacheslav changed the subtype of T5620: "Deactivate" certain config snippets from "Task" to "Feature Request".
Sep 28 2023
Sep 27 2023
Add option protocol, PR https://github.com/vyos/vyos-1x/pull/2313
set policy local-route rule 100 destination '192.0.2.12'
set policy local-route rule 100 protocol 'tcp'
set policy local-route rule 100 set table '100'
Fixed
Sep 26 2023
PR for 1.3 https://github.com/vyos/vyos-1x/pull/2310
In T5497#160905, @JeffWDH wrote: 1.5-rolling-202309250022
Is there a reason why some global options and some address groups (not all) are included in the output? Seems unintentional to me.
We have fwmark for policy local-route
But it is only for match mark and routing decision
vyos@vyos-lns# set policy local-route rule 100
Possible completions:
+ destination          Destination address or prefix
  fwmark               Match fwmark value
  inbound-interface    Inbound Interface
> set                  Packet modifications
+ source               Source address or prefix
Sep 23 2023
Viacheslav added a parent task for T2115: VyOS cannot load configs when running in a container: T5613: VyOS in container bugs.
Viacheslav added a project to T2115: VyOS cannot load configs when running in a container: VyOS 1.5 Circinus.
Viacheslav changed the status of T5604: List of debian archives is out of date (non-free-firmware is missing) from Open to Needs testing.
Sep 22 2023
Op-mode command reduce
PR https://github.com/vyos/vyos-1x/pull/2302
vyos@r4:~$ show conf com | match firew
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 1 action 'accept'
set firewall ipv4 input filter rule 1 description 'Allow loopback'
set firewall ipv4 input filter rule 1 inbound-interface interface-name 'lo'
set firewall ipv4 input filter rule 1 source address '127.0.0.0/8'
set firewall ipv4 input filter rule 2 action 'accept'
set firewall ipv4 input filter rule 2 description 'Allow established/related'
set firewall ipv4 input filter rule 2 state established 'enable'
set firewall ipv4 input filter rule 2 state related 'enable'
set firewall ipv4 input filter rule 60 action 'accept'
set firewall ipv4 input filter rule 60 description 'Allow SSH from trusted networks'
set firewall ipv4 input filter rule 60 destination port '22'
set firewall ipv4 input filter rule 60 protocol 'tcp'
set firewall ipv4 input filter rule 10000 action 'drop'
set firewall ipv4 input filter rule 10000 description 'Drop everything else'
vyos@r4:~$
vyos@r4:~$ produce firewall rule-resequence start 10 step 10
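The op-mode command above renumbers firewall rules with a start value and a step. As an added example (my code, not the VyOS implementation behind that PR), the script below does the same renumbering over the `set` commands shown in this comment, and it goes a little further than the thread: it handles several rule-sets in one input independently, and it emits a `delete ... rule N` line for every old rule before the new `set` lines, so the batch can be pasted into configure mode without deleting the whole firewall first (the extra steps @Apachez complains about in T5497). The sample input is constructed from the output above.

```python
"""Added example (not the VyOS implementation): resequence firewall rule
numbers in `set` commands the way `rule-resequence start N step M` is
described in this thread, and emit a delete/set batch for configure mode.
Handles several rule-sets in one input."""
import re

# Constructed sample, copied from the `show conf com | match firew` output above.
SAMPLE = """\
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 1 action 'accept'
set firewall ipv4 input filter rule 1 description 'Allow loopback'
set firewall ipv4 input filter rule 1 inbound-interface interface-name 'lo'
set firewall ipv4 input filter rule 1 source address '127.0.0.0/8'
set firewall ipv4 input filter rule 2 action 'accept'
set firewall ipv4 input filter rule 2 state established 'enable'
set firewall ipv4 input filter rule 2 state related 'enable'
set firewall ipv4 input filter rule 60 action 'accept'
set firewall ipv4 input filter rule 60 destination port '22'
set firewall ipv4 input filter rule 60 protocol 'tcp'
set firewall ipv4 input filter rule 10000 action 'drop'
set firewall ipv4 input filter rule 10000 description 'Drop everything else'
"""

# `set firewall <family> <hook|name> <filter|NAME> rule <N> ...`
# The three words between `firewall` and `rule` identify the rule-set.
RULE_RE = re.compile(r"^set firewall (\S+ \S+ \S+) rule (\d+)(\s.*)?$")


def build_mapping(lines, start=10, step=10):
    """Per rule-set, map old rule numbers to new ones in numeric order.

    Numeric sorting is the whole point: rules are evaluated in ascending
    numeric order, and a string sort would place 10000 before 60 and
    silently reorder the policy.
    """
    if start < 1 or step < 1:
        raise ValueError("start and step must be positive")
    old = {}
    for line in lines:
        m = RULE_RE.match(line)
        if m:
            old.setdefault(m.group(1), set()).add(int(m.group(2)))
    mapping = {}
    for ruleset, numbers in old.items():
        mapping[ruleset] = {n: start + i * step for i, n in enumerate(sorted(numbers))}
    return mapping


def resequence(lines, start=10, step=10):
    """Return the lines with rule numbers rewritten; other lines unchanged."""
    mapping = build_mapping(lines, start, step)
    out = []
    for line in lines:
        m = RULE_RE.match(line)
        if not m:
            out.append(line)          # e.g. default-action, not a rule
            continue
        ruleset, num, rest = m.group(1), int(m.group(2)), m.group(3) or ""
        out.append(f"set firewall {ruleset} rule {mapping[ruleset][num]}{rest}")
    return out


def batch(lines, start=10, step=10):
    """Delete every old rule first, then set the renumbered ones.

    Deleting per rule (not the whole rule-set) keeps default-action and
    anything else outside `rule` untouched; deleting before setting means an
    old number that reappears as a new number cannot collide.
    """
    mapping = build_mapping(lines, start, step)
    deletes = [f"delete firewall {rs} rule {n}"
               for rs, m in mapping.items() for n in sorted(m)]
    return deletes + resequence(lines, start, step)


if __name__ == "__main__":
    print("\n".join(batch(SAMPLE.splitlines())))
```

Review the delete lines before committing: if any other configuration on the box refers to a firewall rule by number, that reference has to be updated by hand, since the script only rewrites `set firewall ... rule N` commands.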
Sep 21 2023
Viacheslav moved T5576: Add bgp remove-private-as all option from Open to Finished on the VyOS 1.4 Sagitta board.
Viacheslav moved T5576: Add bgp remove-private-as all option from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav moved T5590: Firewall "log enable" logs every packet from Open to Finished on the VyOS 1.5 Circinus board.
Sep 20 2023
@Apachez It is not FQDN based
Contact our sales or ask on the forum.
In T5601#160566, @vvinci00 wrote: Hello,
I need to reverse proxy TCP traffic.
The traffic is not HTTP/HTTPS.
Viacheslav moved T5241: Support veth interfaces to working with netns from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav moved T5241: Support veth interfaces to working with netns from Finished to Backlog on the VyOS 1.4 Sagitta board.
Viacheslav closed T5238: interface virtual-etherne - error when it doesn't use a peer , a subtask of T3829: Support separated TCP/IP stack via "ip netns", as Resolved.
set netns name mgmt
set interfaces virtual-ethernet veth1 address '10.0.0.0/31'
set interfaces virtual-ethernet veth1 peer-name 'veth10'
set interfaces virtual-ethernet veth10 address '10.0.0.1/31'
set interfaces virtual-ethernet veth10 netns 'mgmt'
set interfaces virtual-ethernet veth10 peer-name 'veth1'
Viacheslav closed T5241: Support veth interfaces to working with netns, a subtask of T3829: Support separated TCP/IP stack via "ip netns", as Resolved.
PR https://github.com/vyos/vyos-1x/pull/2295
set system sysctl parameter net.ipv4.tcp_syncookies value '1'
set system sysctl parameter net.ipv4.tcp_timestamps value '1'
Viacheslav changed the status of T5602: For reverse-proxy type of load-balancing feature, support "backup" option in backends configuration from Open to In progress.
Viacheslav renamed T5599: Firewall unexpectedly changes some sysctl options from Firwall unexpectedly changes some sysctl options to Firewall unexpectedly changes some sysctl options.
Viacheslav changed the status of T4502: Consider implementing (NAT/other) flow table offload from Open to Needs testing.
You do not use port 80/443, so it does not have HTTP-HEADER (in theory).
service LB_port_451 {
listen-address 10.1.1.1
mode tcp
port 451
Try to change to port 80 and check if it works.
You need another solution/configuration.
Sep 19 2023
Viacheslav updated the task description for T5599: Firewall unexpectedly changes some sysctl options.
First tests unsuccessful.
Viacheslav changed the status of T5588: Add kernel conntrack_bridge module from Open to In progress.
Viacheslav changed the status of T5591: Cleanup of FRR daemons-file and various FRR fixes from Open to In progress.
Viacheslav changed the status of T5590: Firewall "log enable" logs every packet from In progress to Needs testing.
Sep 18 2023
Viacheslav moved T5586: Disable by default SNMP for Keepalived VRRP from Open to Finished on the VyOS 1.4 Sagitta board.
In T5586#160073, @Apachez wrote: How does FRR/vrrpd work regarding SNMP compatibility?
I'm thinking if the keepalived could be replaced in favour of FRR/vrrpd?
And for now keep keepalived around only for virtual-server (unless that too can be dealt with by FRR/vrrpd)?
Viacheslav triaged T5594: VRRP - Error if using IPv6 Link Local as hello source address as High priority.
r4# show version
FRRouting 9.0.1 (r4) on Linux(6.1.53-amd64-vyos)
Still has bugs.
For example with redistribute:
r4# conf t
r4(config)# router eigrp 65001
r4(config-router)# redistribute connected
% Configuration failed.