I'd prefer to integrate the Port Control Protocol (PCP) instead.
Feed Search
May 17 2024
May 17 2024
Viacheslav triaged T6360: CGNAT add the ability to exclude (bypass) the translations for specific destinations as Wishlist priority.
Viacheslav closed T6347: CGNAT external pools containing dashes cause Traceback error, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, as Resolved.
Viacheslav closed T6351: CGNAT add check if external and internal pools exists, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, as Resolved.
Viacheslav closed T6350: CGNAT add op-mode to get current port allocation mapping, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, as Resolved.
Viacheslav triaged T6343: Firewall source validation loose end up in complete traffic block on VRF interface as Normal priority.
Viacheslav added a comment to T5835: UPnP port mapping / rule installation fails.
Viacheslav added a comment to T5835: UPnP port mapping / rule installation fails.
You can still have it in a container easily; as I mentioned, it has never worked since 2021
You do not lose anything.
Viacheslav changed the status of T6350: CGNAT add op-mode to get current port allocation mapping, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, from Open to In progress.
Viacheslav changed the status of T6350: CGNAT add op-mode to get current port allocation mapping from Open to In progress.
May 16 2024
May 16 2024
Viacheslav added a comment to T6350: CGNAT add op-mode to get current port allocation mapping.
PR https://github.com/vyos/vyos-1x/pull/3466
vyos@r4:~$ show nat cgnat allocation Internal IP External IP Port range ------------- --------------- ------------ 100.64.0.0 192.168.122.222 1024-3023 100.64.0.1 192.168.122.222 3024-5023 100.64.0.2 192.168.122.222 5024-7023 100.64.0.3 192.168.122.222 7024-9023 100.64.0.4 192.168.122.222 9024-11023 100.64.0.5 192.168.122.222 11024-13023 100.64.0.6 192.168.122.222 13024-15023 100.64.0.7 192.168.122.222 15024-17023 100.64.0.8 192.168.122.222 17024-19023 100.64.0.9 192.168.122.222 19024-21023 100.64.0.10 192.168.122.222 21024-23023 100.64.0.11 192.168.122.222 23024-25023 100.64.0.12 192.168.122.222 25024-27023 100.64.0.13 192.168.122.222 27024-29023 100.64.0.14 192.168.122.222 29024-31023 100.64.0.15 192.168.122.222 31024-33023 vyos@r4:~$
Viacheslav changed the status of T6351: CGNAT add check if external and internal pools exists, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, from Open to In progress.
Viacheslav changed the status of T6351: CGNAT add check if external and internal pools exists from Open to In progress.
PR https://github.com/vyos/vyos-1x/pull/3464
set nat cgnat pool external ext1 external-port-range '1024-65535' set nat cgnat pool external ext1 per-user-limit port '2000' set nat cgnat pool external ext1 range 192.168.122.222/32 set nat cgnat pool internal int1 range '100.64.0.0/28' set nat cgnat rule 10 source pool 'fake-pool' set nat cgnat rule 10 translation pool 'ext1'
Viacheslav updated the task description for T6351: CGNAT add check if external and internal pools exists.
Viacheslav added a comment to T6347: CGNAT external pools containing dashes cause Traceback error.
Viacheslav changed the status of T6347: CGNAT external pools containing dashes cause Traceback error, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, from Open to In progress.
Viacheslav changed the status of T6347: CGNAT external pools containing dashes cause Traceback error from Open to In progress.
Viacheslav triaged T6350: CGNAT add op-mode to get current port allocation mapping as Wishlist priority.
Viacheslav triaged T6349: keep all workflows as reusable workflows in global .github and make vyox-1x to use from there as Normal priority.
Viacheslav updated the task description for T6348: SNAT op-mode fails with flowtable offload entries.
Viacheslav updated the task description for T6348: SNAT op-mode fails with flowtable offload entries.
Viacheslav triaged T6347: CGNAT external pools containing dashes cause Traceback error as Normal priority.
Viacheslav changed the status of T6058: Commit-Archive Save doesn't use https_proxy from Needs reporter action to Open.
Viacheslav added a comment to T6344: multiple ntp listen-address commands not working.
@molocho see the tasks T5301 T5154 and https://chrony-project.org/doc/4.3/chrony.conf.html#bindaddress
Viacheslav triaged T6345: Source NAT Port Mapping setting of Fully-Random is superfluous in Kernels 5.0 onwards as Normal priority.
May 15 2024
May 15 2024
Viacheslav moved T5900: Improve reliability of the vyos powerdns recursor implementation from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav closed T5900: Improve reliability of the vyos powerdns recursor implementation as Resolved.
Viacheslav triaged T6338: Ability to use per-user traffic shaper or policy limits based on the network as Wishlist priority.
Viacheslav triaged T6337: Upgrade from 1.3.5 fails if ssh public key name has a space in it as High priority.
May 14 2024
May 14 2024
Viacheslav added a comment to T5835: UPnP port mapping / rule installation fails.
Viacheslav added a comment to T5835: UPnP port mapping / rule installation fails.
In summary, it works with custom scripts and patches, but it still does not work from CLI (not fully integrated)
The scripts that should be involved are in the repo https://github.com/miniupnp/miniupnp/tree/miniupnpd_2_3_3/miniupnpd/netfilter_nft/scripts
Until we do not have them and they do not communicate with the firewall, the feature does not work.
A patch is attached in several posts above https://vyos.dev/T5835#174066
Viacheslav lowered the priority of T5497: Add ability to resequence rule numbers for firewall from Normal to Wishlist.
Viacheslav placed T6292: Unable to update webproxy blacklist as they use captcha up for grabs.
May 13 2024
May 13 2024
Viacheslav closed T5386: Execute VRRP transition script when `set high-availability disable` is commited as Resolved.
The original feature/bug is solved
The stop script executed is executing.
The locks are a separate task/bug.
Viacheslav triaged T6332: IPv6-only ISIS (or, in general, dual topology) is not working with other devices running frr as Normal priority.
May 10 2024
May 10 2024
Viacheslav added a comment to T5497: Add ability to resequence rule numbers for firewall.
Feel free to reopen it and update the task description, but I'm not expecting it to be implemented.
Viacheslav added a comment to T5497: Add ability to resequence rule numbers for firewall.
I think the original request was Add ability to resequence rule numbers for firewall, and we added this tool.
Auto-Apply configuration based on this tool is the wrong way. We haven't had such hacks before and probably won't implement them in the nearest feature.
All configuration changes have to be only per user commit; there should not be any auto-commits/auto applies configs. We have API for these tricks.
CLI is completely different from the cisco/arista logic.
Viacheslav edited projects for T6038: Losing default route after first reboot (cloud-init & DHCP), added: VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.4 Sagitta (1.4.0-epa1).
May 9 2024
May 9 2024
Viacheslav reopened T6292: Unable to update webproxy blacklist as they use captcha as "Open".
Viacheslav added a comment to T6292: Unable to update webproxy blacklist as they use captcha.
I'm re-opening until we make a final decision
Viacheslav edited projects for T6313: Add "NAT" to "generate" command for rule resequence, added: VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta.
The service webproxy is deprecated and will be removed in 1.5
Viacheslav moved T6325: Update pipfile python3 version or delete pip file for vyos-1x from Open to Finished on the VyOS 1.4 Sagitta board.
Removed in https://github.com/vyos/vyos-1x/pull/3435
Viacheslav triaged T6318: vyos-1x: WiFi Regulatory Domain should be set system-wide instead of per-device as Normal priority.
Viacheslav renamed T6325: Update pipfile python3 version or delete pip file for vyos-1x from Update pip file python3 version or delete pip file for vyos-1x to Update pipfile python3 version or delete pip file for vyos-1x.
Viacheslav triaged T6325: Update pipfile python3 version or delete pip file for vyos-1x as Normal priority.
Viacheslav added a comment to T6324: CVE-2024-2961.
For 1.4 also fixed
vyos@r1-right:~$ show version all | match "GNU C L" ii libc-bin 2.36-9+deb12u7 amd64 GNU C Library: Binaries ii libc-l10n 2.36-9+deb12u7 all GNU C Library: localization files ii libc6:amd64 2.36-9+deb12u7 amd64 GNU C Library: Shared libraries ii locales 2.36-9+deb12u7 all GNU C Library: National Language (locale) data [support] vyos@r1-right:~$ vyos@r1-right:~$ show ver Version: VyOS 1.4-stable-202405090309 Release train: sagitta
Viacheslav moved T6324: CVE-2024-2961 from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.0-epa3) board.
Viacheslav added a comment to T6324: CVE-2024-2961.
Fixed
vyos@r1-right:~$ show version all | match "GNU C L" ii libc-bin 2.28-10+deb10u3 amd64 GNU C Library: Binaries ii libc-l10n 2.28-10+deb10u3 all GNU C Library: localization files ii libc6:amd64 2.28-10+deb10u3 amd64 GNU C Library: Shared libraries ii locales 2.28-10+deb10u3 all GNU C Library: National Language (locale) data [support] vyos@r1-right:~$ vyos@r1-right:~$ show version
May 8 2024
May 8 2024
Viacheslav changed the status of T6312: open-vm-tools missing in nightly-builds starting from version 1.5-rolling-202404220020 from Open to Needs testing.
Should be fixed in https://github.com/vyos/vyos-build/pull/600
Viacheslav moved T6310: Change branches for CodeQL on push from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav moved T6288: policy route ipv4 rule order behaviour from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav added a comment to T5636: Add GeoIP matching support for policy route.
Mostly impossible for policy local-route
I'm not expecting that it will be implemented at all.
May 7 2024
May 7 2024
Viacheslav renamed T6305: IPoE interface wildcard validation error in firewall rules from Firewall interface wildcard validation error to Firewall ipoe interface wildcard validation error.
Viacheslav moved T6311: Nftables build add dependency asciidoc-base from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav moved T6311: Nftables build add dependency asciidoc-base from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-epa3) board.
The current workaround is manual DNAT rules:
set nat destination rule 100 destination port '80' set nat destination rule 100 protocol 'tcp' set nat destination rule 100 translation redirect port '3128'
Add any rules before 100 for excluding DNAT and use "bypass"
Viacheslav added a comment to T6311: Nftables build add dependency asciidoc-base.
Viacheslav changed the status of T6311: Nftables build add dependency asciidoc-base from Open to In progress.
Viacheslav added a comment to T4811: Webproxy bypassing CLI whitelist command is missing.
Min config for old implementation with redirect (1.2):
set service webproxy listen-address 192.168.122.12 set service webproxy url-filtering squidguard block-category 'aggressive' set service webproxy url-filtering squidguard local-block 'mytest.local' set service webproxy whitelist destination-address '192.0.2.1' set service webproxy whitelist destination-address '192.0.2.2' set service webproxy whitelist source-address '192.0.2.222' set service webproxy whitelist source-address '192.0.2.223'
Viacheslav updated the task description for T6310: Change branches for CodeQL on push.
Viacheslav updated the task description for T6310: Change branches for CodeQL on push.