PR for 1.5 https://github.com/vyos/vyos-1x/pull/2787 which will be backported to 1.4
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed Advanced Search
Advanced Search
Advanced Search
Jan 10 2024
Jan 10 2024
c-po closed T5886: Add support for ACME protocol (LetsEncrypt), a subtask of T5894: Extend get_config_dict() with additional parameter with_pki that defaults to False, as Resolved.
c-po moved T5913: Allow for Peer-Groups in ipv4-labeled-unicast SAFI from Open to Finished on the VyOS 1.5 Circinus board.
c-po changed the status of T5913: Allow for Peer-Groups in ipv4-labeled-unicast SAFI from Open to In progress.
sarthurdev changed the status of T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration from Open to In progress.
jestabro added a comment to T5917: Restore annotations of (running)/(default boot) in select image list.
jestabro triaged T5917: Restore annotations of (running)/(default boot) in select image list as Normal priority.
jestabro lowered the priority of T3871: Resolve unexpected interface name reordering from High to Normal.
Lowering priority to normal to proceed with adding the interface-monitor daemon development, mentioned above, for 1.5.
Quick test done on a VM with 1 CPU and 1G RAM:
[email protected]# for I in {1..2542}; do set firewall ipv6 name Test rule $I action accept ; set firewall ipv6 name Test rule $I destination port $I; set firewall ipv6 name Test rule $I protocol tcp ; done [email protected]# time commit
@sempervictus Thanks for the update!
OK, the grub serial config described here got me as far as seeing the Grub selection screen at boot time.
Oh wow, this is ancient. Can definitely close this out - @zsdc and i figured out a bunch of the insanity around cloud-init since then and i've got it working in our openstacks as well as public clouds on a single config.
What to do with atop and logrorate?
This is closed now because the required functionality perfectly works with Cloud-init + NoCloud/ConfigDrive.
sarthurdev changed the status of T5787: dhcp-server allows duplicate static-mapping for the same IP address from In progress to Needs testing.
Is it still bug? @sempervictus could you re-check?
We probably need more details
Viacheslav closed T4300: Extend list of supported interfaces for Cloud-init Network Configuration as Resolved.
I guess it is already done https://github.com/vyos/vyos-cloud-init/commit/ae74804ede8fb76a7f27ca869f2b880dbe276ca2
@zsdc Can we close it or you are working on it?
n.fort changed the status of T5915: Firewall zone - Re add op-mode commands from Confirmed to In progress.
See also forum thread @ https://forum.vyos.io/t/grub-menu-fails-to-load-on-serial-only-devices-with-no-kvm/
dutty added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.
In T5814#171114, @Apachez wrote:On the other hand I would expect someone aka the admin who will configure an enterprise firewall such as VyOS could be called to have at least SOME basic knowledge and also some interest to read the documentation on how to configure the firewall.
In T3871#160827, @jestabro wrote:@stingalleman As mentioned above (and confirmed in discussions earlier this week), we've had few if any reports of issues with the udev approach, so we would be very interested to hear details of your case.
Cheeze_It renamed T5916: Added segment routing check for index size and SRGB size from Add protocol handler tiebreaker for Segment Routing for IS-IS and OSPF for index base values larger than label base to Added segment routing check for index size and SRGB size .
Put in the PR for this at https://github.com/vyos/vyos-1x/pull/2780
Cheeze_It changed the status of T5916: Added segment routing check for index size and SRGB size from Open to Needs testing.
Could for example be that set system options logtoram enables the feature while set system options logtoram size 32M sets the desired size where the default is 32M or whatever would be needed as a sane minimum.
Jan 9 2024
Jan 9 2024
Maybe making the size of the ramdisk configurable via CLI would be wise? I feel that there's enough variation in hardware configurations out there that hard-coding a value would cause problems.
Apachez added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.
On the other hand I would expect someone aka the admin who will configure an enterprise firewall such as VyOS could be called to have at least SOME basic knowledge and also some interest to read the documentation on how to configure the firewall.
dutty added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.
As a side comment, the new firewall system allows more granular control and sometimes may simplify configuration. It follows better the lower level logic of nftables.
sarthurdev changed the status of T5787: dhcp-server allows duplicate static-mapping for the same IP address from Open to In progress.
dutty added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.
Yes, I agree with that, readability will be better if everything is in order.
n.fort added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.
I suggest changing order just as a cosmetic fix: feels more reasonable/readable to parse first "incoming", and then "outgoing"
dutty added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.
@n.fort
Looks like 1) and 2) is correct, as well as 'Action=accept in vyos command shall remain as accept in nftables'.
However, the 3) is not obvious to me. As long as all rules with Action=Accept in both IN and OUT chains will migrate to Action=return, looks like there should be no difference in order, other than probably for performance reason.
I stopped using conntrack-sync before I moved to 1.3 (which I am currently running) so I can't confirm either way.
I expect it's no longer an issue though and this task can be closed.
dmbaturin closed T3513: Attempting to remove firewall rule results in error, a subtask of T2199: Rewrite firewall in new XML/Python style, as Not Applicable.
dmbaturin removed a project from T3763: wireguard checks if port already binding: VyOS 1.3 Equuleus (1.3.6).
n.fort added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.
Changes that seems to be needed only in migration script https://github.com/vyos/vyos-1x/blob/current/src/migration-scripts/firewall/10-to-11:
- Use accept action for base-chains (it's done, no change needed here).
- Migrate action=accept to action=return on every rule.
- fix order and ensure all "in" rules are applied first.
This issue is on and off, but mostly solved now.
dmbaturin changed the status of T3489: NUMA has been disabled for the past few years and no-one has noticed from Unknown Status to Resolved.
dmbaturin triaged T3449: Unsuccessful attempt at network boot causes packet loss on associated VLAN as High priority.
dmbaturin triaged T3430: Cloud-init failing with “Unable to render networking” on VyOS 1.3 as High priority.
dmbaturin triaged T3334: Changing serial settings from a serial console ends session abruptly as High priority.
dmbaturin triaged T3338: Some Cloud-Init configurations can prevent login on the router as High priority.
dmbaturin triaged T3011: router becomes unreachable for few minutes when vti interfaces goes down as High priority.
dmbaturin closed T3209: Load balancing rules in firewall, a subtask of T3116: Support back-end L4 level load balancing, as Invalid.
This needs to be properly worded as a feature request, if it's still relevant with the new firewall implementation.
dmbaturin triaged T3204: Performance system option destroy defined sysctl custom params as High priority.
dmbaturin edited projects for T3203: BGP unnumbered - commit fails when route-reflector-client is set, added: VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus (1.3.6).
Jan 9 2024, 8:23 PM · Restricted Project, VyOS 1.3 Equuleus (1.3.9), VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.5 Circinus
dmbaturin added a comment to T3062: Multiple Wireless SSID's on Single Wireless Card causes a crash.
Someone needs to test it on a system with a real wireless NIC.
dmbaturin triaged T3062: Multiple Wireless SSID's on Single Wireless Card causes a crash as High priority.
dmbaturin triaged T2971: Provide a CLI solution for Ingress Shaping when there is SNAT as Low priority.
dmbaturin removed a project from T2844: BGP conf_mode errors disable-send-community: VyOS 1.3 Equuleus (1.3.6).
I presume it's no longer an issue, but I'd like to confirm.
dmbaturin triaged T2770: Allow any character to be used in the SNMP community field as Low priority.
dmbaturin triaged T2762: VRF: when SSHd is VRF bound all commands are executed in VRF context as High priority.
dmbaturin triaged T2505: XCP-ng packet drops for small packets (e.g. icmp) under Xen and AWS as High priority.
dmbaturin triaged T2747: "enable-local-traffic" has no effect in load-balancing to redirect local traffic as High priority.
dmbaturin triaged T2477: Make VyOS interactively ask whether user trust remote host SSH fingerprint as Low priority.
dmbaturin changed the status of T3721: ARM64: 1.4: Fastnetmon in current is a precompiled custom "blob" and amd64 only. (blocks all arm64 builds) from Needs testing to On hold.
The original syntax is now allowed anymore.
Should be easy to do now that ipaddrcheck supports range validation.
dmbaturin closed T3587: Intel QAT support is broken on VyOS 1.4 due to a Kernel Crash as Not Applicable.