In T1230#123939, @panachoi wrote:

1.4 rolling does not help me, so there must be something "wrong" with my configuration. I've attached the private config, it would be awesome if someone might find what's broken.

private.cfg127 KBDownload

May 27 2022, 6:20 PM · VyOS 1.3 Equuleus (1.3.6)

May 26 2022

sarthurdev added a comment to T1230: Improving Boot Time for Large Firewall Configurations.

@panachoi If you can share the anonymized config that works in 1.2.8 that would be useful. I'd expect migrating to 1.4 to see a decent improvement in firewall load times.

May 26 2022, 10:07 AM · VyOS 1.3 Equuleus (1.3.6)

Apr 20 2022

sarthurdev closed T4345: New firewall code does not accept "rate/time interval" syntax used in old config as Resolved.

Apr 20 2022, 11:58 AM · VyOS 1.4 Sagitta

Apr 14 2022

sarthurdev added a comment to T4358: Image sizes have grown significantly in 1.4.

30 largest packages in 1.4 dev build:

telegraf 144 MB
linux-image-5.10.109-amd64-vyos 107 MB
libwireshark14 100 MB
vyos-linux-firmware 68.8 MB
containernetworking-plugins 51.2 MB
vyos-http-api-tools 40.4 MB
podman 37.3 MB
python3-pycryptodome 36.0 MB
libicu67 33.9 MB
vim-runtime 32.9 MB
vyos-1x 29.2 MB
libperl5.32 28.5 MB
salt-common 27.9 MB
nmap-common 21.2 MB
frr 20.2 MB
libruby2.7 17.9 MB
coreutils 17.9 MB
perl-modules-5.32 17.9 MB
grub-common 17.8 MB
systemd 16.4 MB
locales 16.4 MB
libc6 13.1 MB
pmacct 13.0 MB
ieee-data 12.3 MB
vyos-intel-qat 11.7 MB
aptitude-common 10.3 MB
gdb 10.0 MB
udev 9,184 kB
grub-efi-amd64-bin 8,831 kB
squid 8,582 kB

Apr 14 2022, 3:01 PM · VyOS 1.4 Sagitta

Apr 6 2022

sarthurdev committed rVYOSONEXc514cea0ad94: firewall: T4345: Fix incorrect rule limit rate syntax.

Apr 6 2022, 2:38 PM

sarthurdev changed the status of T4345: New firewall code does not accept "rate/time interval" syntax used in old config from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/1275

Apr 6 2022, 2:11 PM · VyOS 1.4 Sagitta

sarthurdev moved T4345: New firewall code does not accept "rate/time interval" syntax used in old config from Open to In Progress on the VyOS 1.4 Sagitta board.

Apr 6 2022, 12:01 PM · VyOS 1.4 Sagitta

sarthurdev changed the status of T4345: New firewall code does not accept "rate/time interval" syntax used in old config from Open to In progress.

Apr 6 2022, 12:01 PM · VyOS 1.4 Sagitta

Mar 29 2022

sarthurdev closed T3635: Add ability to use mDNS repeater with VRRP as Resolved.

Mar 29 2022, 9:30 PM · VyOS 1.4 Sagitta

Mar 18 2022

sarthurdev added a comment to T4299: Firewall - GeoIP filtering.

Perhaps only in-use sets can be determined and loaded?

Mar 18 2022, 5:36 PM · VyOS 1.4 Sagitta

sarthurdev added a comment to T4307: Policy routing anymore, Commit generating errors.

Error implies that firewall failed to configure on boot as mangle table is missing. Any logs/config trace from boot?

Mar 18 2022, 1:42 PM · VyOS 1.4 Sagitta

Feb 24 2022

sarthurdev changed the status of T4262: install image doesn't respect chosen root partition size from Confirmed to Needs testing.

1.3 PR: https://github.com/vyos/vyatta-cfg-system/pull/176
1.4 PR: https://github.com/vyos/vyatta-cfg-system/pull/177

Feb 24 2022, 12:49 PM · VyOS 1.3 Equuleus (1.3.3), VyOS 1.4 Sagitta

sarthurdev changed the status of T4262: install image doesn't respect chosen root partition size from Open to Confirmed.

@n.fort I have been able to reproduce this, it only occurs when installing for UEFI.

Feb 24 2022, 11:51 AM · VyOS 1.3 Equuleus (1.3.3), VyOS 1.4 Sagitta

Feb 20 2022

sarthurdev added a comment to T4262: install image doesn't respect chosen root partition size.

sgdisk man says -n should have a partition number followed by start/end values. Looking at the code this bug is present in all versions 1.2 and above.

Feb 20 2022, 7:51 PM · VyOS 1.3 Equuleus (1.3.3), VyOS 1.4 Sagitta

sarthurdev closed Restricted Maniphest Task, a subtask of T2816: Rewrite IPsec scripts with the new XML/Python approach, as Resolved.

Feb 20 2022, 7:21 PM · VyOS 1.4 Sagitta

Feb 15 2022

sarthurdev updated subscribers of T4145: Conntrack table not showing after firewall rewriting.

I think @c-po has started migrating it in T3579 but op-mode not yet complete.

Feb 15 2022, 7:10 PM · VyOS 1.4 Sagitta

Feb 6 2022

sarthurdev closed T3970: Add support for op-mode PKI direct install into an active config session, a subtask of T3642: PKI configuration, as Resolved.

Feb 6 2022, 12:51 PM · VyOS 1.4 Sagitta (1.4.0-epa1)

sarthurdev closed T3970: Add support for op-mode PKI direct install into an active config session as Resolved.

Feb 6 2022, 12:51 PM · VyOS 1.4 Sagitta

sarthurdev closed T3828: ipsec: Subtle change in "pfs enable" behavior from equuleus -> sagitta as Resolved.

Feb 6 2022, 12:48 PM · VyOS 1.4 Sagitta

sarthurdev closed T4164: PBR: network groups (as well as address and port groups) don't resolve in `nftables_policy.conf` as Resolved.

Feb 6 2022, 12:47 PM · VyOS 1.4 Sagitta

sarthurdev closed T4178: policy based routing tcp flags issue as Resolved.

Feb 6 2022, 12:47 PM · VyOS 1.4 Sagitta

sarthurdev closed T4216: Firewall: can't use negated groups in firewall rules as Resolved.

Feb 6 2022, 12:46 PM · VyOS 1.4 Sagitta

sarthurdev closed T4223: policy route cannot have several entries with the same table as Resolved.

Feb 6 2022, 12:45 PM · VyOS 1.4 Sagitta

Feb 5 2022

sarthurdev committed rVYOSONEX22f0794a9f19: firewall: T4209: Fix support for rule `recent` matches.

Feb 5 2022, 6:58 PM

Feb 4 2022

sarthurdev changed the status of T4209: Firewall incorrect handler for recent count and time from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/1206

Feb 4 2022, 12:51 AM · VyOS 1.4 Sagitta

Feb 3 2022

sarthurdev committed rVYOSONEX9f7f1ebb15a2: firewall: T4178: Fix only inverse matching on tcp flags.

Feb 3 2022, 7:27 AM

Feb 2 2022

sarthurdev changed the status of T4178: policy based routing tcp flags issue from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/1201

Feb 2 2022, 11:36 PM · VyOS 1.4 Sagitta

sarthurdev changed the status of T4178: policy based routing tcp flags issue from Needs testing to In progress.

Adding this issue to this task: https://forum.vyos.io/t/firewall-configuration-issue-after-upgrade/8414

Feb 2 2022, 11:07 PM · VyOS 1.4 Sagitta

Jan 31 2022

sarthurdev committed rVYOSONEXed67750b94e8: firewall: T4218: Adds a prefix to all user defined chains.

Jan 31 2022, 6:26 PM

sarthurdev committed rVYOSONEX985a9e8536cb: firewall: T4216: Add support for negated firewall groups.

Jan 31 2022, 6:26 PM

sarthurdev committed rVYOSONEX8532f2c391e8: policy: T4213: Fix duplicate commands from multiple rules with single table.

Jan 31 2022, 6:26 PM

sarthurdev committed rVYOSONEXfafd25143d46: firewall: T2199: Add constraint for tagnode names.

Jan 31 2022, 6:26 PM

sarthurdev committed rVYOSONEXff2cc45f8ba6: firewall: T2199: Fix errors when referencing an empty chain.

Jan 31 2022, 6:26 PM

sarthurdev changed the status of T4216: Firewall: can't use negated groups in firewall rules from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/1199

Jan 31 2022, 5:06 PM · VyOS 1.4 Sagitta

sarthurdev changed the status of T4218: firewall: rule name is not allowed to start with a number from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/1199

Jan 31 2022, 5:06 PM · VyOS 1.4 Sagitta

sarthurdev changed the status of T4223: policy route cannot have several entries with the same table from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/1199

Jan 31 2022, 5:05 PM · VyOS 1.4 Sagitta

sarthurdev changed the status of T4223: policy route cannot have several entries with the same table from Open to In progress.

I already have a fix for this from your comment on T4213. Will have it included in a PR shortly.

Jan 31 2022, 4:47 PM · VyOS 1.4 Sagitta

Jan 29 2022

sarthurdev changed the status of T4218: firewall: rule name is not allowed to start with a number from Open to In progress.

Jan 29 2022, 10:34 PM · VyOS 1.4 Sagitta

sarthurdev changed the status of T4216: Firewall: can't use negated groups in firewall rules from Confirmed to In progress.

Jan 29 2022, 10:34 PM · VyOS 1.4 Sagitta

sarthurdev committed rVYOSONEX1c828cc5a1dc: firewall: T4178: Fix dict_keys issue with tcp flags.

Jan 29 2022, 6:31 PM

Jan 28 2022

sarthurdev added a comment to T4209: Firewall incorrect handler for recent count and time.

I've actually found a way to define this properly, resulting rule now looks like below:

tcp dport { 22 } add @FOO_30 { ip saddr limit rate over 4/minute burst 4 packets } counter packets 3 bytes 156 reject comment "FOO-30"
ct state { new } tcp dport { 22 } counter packets 5 bytes 260 return comment "FOO-40"

Jan 28 2022, 6:00 PM · VyOS 1.4 Sagitta

sarthurdev changed the status of T4216: Firewall: can't use negated groups in firewall rules from Open to Confirmed.

Jan 28 2022, 5:02 PM · VyOS 1.4 Sagitta

Jan 27 2022

sarthurdev closed T4213: ipv6 policy routing not working anymore as Resolved.

Good to hear, going to mark this as resolved.

Jan 27 2022, 10:08 PM · VyOS 1.4 Sagitta

sarthurdev committed rVYOSONEX25e97e0b0224: policy: T4213: Fix rule creation/deletion for IPv6 policy routes.

Jan 27 2022, 9:29 PM

sarthurdev changed the status of T4213: ipv6 policy routing not working anymore from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/1194

Jan 27 2022, 9:23 PM · VyOS 1.4 Sagitta

sarthurdev added a comment to T4209: Firewall incorrect handler for recent count and time.

In T4209#117579, @thomasjsn wrote:

In T4209#117429, @sdev wrote:

Would changing the guide to use limit rate 4/minute achieve the same target functionality?

What is the practical difference between limit rate and recent? Is it just two different ways of accomplishing the same?

Jan 27 2022, 8:38 PM · VyOS 1.4 Sagitta

sarthurdev changed the status of T4209: Firewall incorrect handler for recent count and time from Open to In progress.

Jan 27 2022, 8:30 PM · VyOS 1.4 Sagitta

sarthurdev added a comment to T4209: Firewall incorrect handler for recent count and time.

I've come up with a working idea how to implement but would like feedback before submitting a PR.

Jan 27 2022, 8:29 PM · VyOS 1.4 Sagitta

sarthurdev changed the status of T4213: ipv6 policy routing not working anymore from Open to In progress.

Thanks for the report, I believe I know what's caused it to break. Hopefully will have a fix in for the build tomorrow.

Jan 27 2022, 5:19 PM · VyOS 1.4 Sagitta

sarthurdev added a comment to T2199: Rewrite firewall in new XML/Python style.

@johannrichard Hey sorry I didn't see your comment, I suggest we move the discussion to the dedicated task: https://phabricator.vyos.net/T4209

Jan 27 2022, 3:33 PM · VyOS 1.4 Sagitta (1.4.0-epa2)

sarthurdev moved T2199: Rewrite firewall in new XML/Python style from Open to In Progress on the VyOS 1.4 Sagitta board.

Jan 27 2022, 3:29 PM · VyOS 1.4 Sagitta (1.4.0-epa2)

sarthurdev closed T3762: Support network and address groups for policy ipv6-route, a subtask of T2199: Rewrite firewall in new XML/Python style, as Resolved.

Jan 27 2022, 3:28 PM · VyOS 1.4 Sagitta (1.4.0-epa2)

sarthurdev closed T3762: Support network and address groups for policy ipv6-route as Resolved.

This was included with the new firewall, going to mark as resolved.

Jan 27 2022, 3:28 PM · VyOS 1.4 Sagitta

sarthurdev closed T3495: Modernising port/protocol definitions, a subtask of T2199: Rewrite firewall in new XML/Python style, as Resolved.

Jan 27 2022, 3:25 PM · VyOS 1.4 Sagitta (1.4.0-epa2)

sarthurdev closed T3495: Modernising port/protocol definitions as Resolved.

The new firewall niw has no such restrictions on port definitions, going to close this as resolved.

Jan 27 2022, 3:25 PM · vyatta-cfg, VyOS 1.4 Sagitta

sarthurdev moved T3580: Refactoring firewall ipv6 rule icmpv6 from Open to Finished on the VyOS 1.4 Sagitta board.

Jan 27 2022, 2:45 PM · VyOS 1.4 Sagitta

sarthurdev added a comment to T3580: Refactoring firewall ipv6 rule icmpv6.

This is now implemented in 1.4

Jan 27 2022, 2:44 PM · VyOS 1.4 Sagitta

sarthurdev added a comment to T4160: Firewall - Error in rules that matches everything except something.

Should be fixed now with https://github.com/vyos/vyos-1x/pull/1193

Jan 27 2022, 2:39 PM · VyOS 1.4 Sagitta

sarthurdev committed rVYOSONEXdcabea5919e2: firewall: T4178: Fix tcp flags output when `not` isn't used.

Jan 27 2022, 2:11 PM

sarthurdev closed T4188: Firewall does not correctly handle conntracking as Resolved.

Jan 27 2022, 12:41 PM · VyOS 1.4 Sagitta

sarthurdev added a comment to T4178: policy based routing tcp flags issue.

Above fixed in PR: https://github.com/vyos/vyos-1x/pull/1193

Jan 27 2022, 12:25 PM · VyOS 1.4 Sagitta

sarthurdev closed T3560: Ability to create groups of MAC addresses, a subtask of T2199: Rewrite firewall in new XML/Python style, as Resolved.

Jan 27 2022, 11:55 AM · VyOS 1.4 Sagitta (1.4.0-epa2)

sarthurdev closed T3560: Ability to create groups of MAC addresses as Resolved.

Jan 27 2022, 11:55 AM · VyOS 1.4 Sagitta

Jan 26 2022

sarthurdev committed rVYOSONEX3523da8e4c87: pki: T4212: Catch `install_into_config` errors and output for manual command….

Jan 26 2022, 7:48 PM

sarthurdev changed the status of T4212: PermissionError when generating/installing server Certificate (generate pki certificate sign ...) from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/1192

Jan 26 2022, 4:00 PM · VyOS 1.4 Sagitta

sarthurdev changed the status of T4212: PermissionError when generating/installing server Certificate (generate pki certificate sign ...) from Open to In progress.

As reproducing the exact issue seems to be difficult, I'm going to instead change the install function so it catches errors and outputs the set pki ... syntax so it behaves like generate pki ... install <name> is run from op-mode anyway.

Jan 26 2022, 3:33 PM · VyOS 1.4 Sagitta

sarthurdev added a comment to T4210: NAT source/destination negated ports throws an error.

This issue is due to negated source/destination port not being handled properly in code, not validation.

Jan 26 2022, 10:18 AM · VyOS 1.4 Sagitta

sarthurdev added a comment to T4212: PermissionError when generating/installing server Certificate (generate pki certificate sign ...).

It looks like it’s trying to directly install the certificate into the config from op-mode, that is only supposed to happen while you're in configure mode calling the command using run generate pki ... install <name>.

Jan 26 2022, 10:14 AM · VyOS 1.4 Sagitta

Jan 25 2022

sarthurdev created T4210: NAT source/destination negated ports throws an error.

Jan 25 2022, 7:56 PM · VyOS 1.4 Sagitta

sarthurdev added a comment to T4209: Firewall incorrect handler for recent count and time.

I had forgotten about the recent syntax and it was merged in a broken state (https://github.com/vyos/vyos-1x/blob/current/python/vyos/firewall.py#L164). We should try and find a remedy, or remove it from CLI.

Jan 25 2022, 5:23 PM · VyOS 1.4 Sagitta