FRR match always mean logical AND
All Stories
May 20 2022
In T4350#123620, @c-po wrote: Is the fix for DMVPN hub or spoke?
May 19 2022
There is an issue with the VRF device for the LOCAL direction.
Imagine you have 50 interfaces in one VRF and you want to drop all traffic from one interface, for example eth2, and not touch the other interfaces.
You set a firewall on eth2 local that drops all traffic for the VRF device, and it will affect the other 49 interfaces as well, as the iifname VRF_DEVICE is the same.
Is the fix for DMVPN hub or spoke?
PR https://github.com/vyos/vyos-1x/pull/1330
set firewall name FOO default-action 'accept'
set firewall name FOO description 'desc'
set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 source address '8.8.8.8'
set interfaces ethernet eth0 firewall local name 'FOO'
set interfaces ethernet eth0 vrf 'ONE'
set vrf name ONE table '150'
Check:
table ip filter {
    chain VYOS_FW_LOCAL {
        type filter hook input priority filter; policy accept;
        iifname "ONE" counter packets 63 bytes 6024 jump NAME_FOO
        jump VYOS_POST_FW
    }
    ...
    chain NAME_FOO {
        ip saddr 8.8.8.8 counter packets 79 bytes 6636 drop comment "FOO-10"
        counter packets 3 bytes 984 return comment "FOO default-action accept"
    }
}
@jjakob could you re-check it with the new fix?
May 18 2022
Draft PR here:
https://github.com/vyos/vyos-1x/pull/1328
May 17 2022
Details of adding a query such as this (20 lines of meaningful code/50 of boilerplate):
https://github.com/vyos/vyos-1x/commit/b62f5df2c796d0567b370e27fcec2005a02a4cd3
An initial implementation has been provided to Andrew Moshensky for testing with the local UI.
May 16 2022
@c-po, let's run with "system-as"
The current discussion has taken place in the vyos-api-discussion channel; results will be summarized here.
Need testing:
set service pppoe-server authentication mode 'radius'
set service pppoe-server authentication radius rate-limit attribute 'Mikrotik-Rate-Limit'
set service pppoe-server authentication radius rate-limit enable
set service pppoe-server authentication radius rate-limit multiplier '0.001'
set service pppoe-server authentication radius rate-limit vendor 'Mikrotik'
set service pppoe-server authentication radius server 192.0.2.1 key 'foo'
set service pppoe-server client-ip-pool start '192.0.2.5'
set service pppoe-server client-ip-pool stop '192.0.2.254'
set service pppoe-server gateway-address '192.0.2.1'
set service pppoe-server interface eth3
Or any live example
Firstly, is there any info in the logs?
As discussed in the slack channel today, let us follow up here, as I'd like to run through some analysis, and set up a reproducer if possible.
The command works well.
vyos@vyos:~$ show version
May 15 2022
I agree that having a smoketest for WLB will be great. But, there are certain limitations/considerations:
May 13 2022
May 12 2022
It works now.
Thank you!
Fixed in https://github.com/vyos/vyos-1x/commit/d70c2b4493366c02f025f43d2a777b2bef3e1789 and works on 1.4-rolling-202205121610.
PR for docs: https://github.com/vyos/vyos-documentation/pull/771
PR for 1.3 https://github.com/vyos/vyos-1x/pull/1324
PR revert previous commit https://github.com/vyos/vyos-1x/pull/1323
May 11 2022
May 10 2022
@dmbaturin Do we really need this?
Maybe it will fix it https://github.com/sematext/oxdpus/blob/master/pkg/xdp/prog/xdp.c
Already tested config in the 1.3-rolling-202205100648 and 1.4-rolling-202205080844, behavior remains the same.
I could be wrong
1.3.0-rc6 old release
Could you check it on a more recent version?
PR for 1.4 https://github.com/vyos/vyos-1x/pull/1321
@Viacheslav But in this case there is no point in using different test addresses, if the target is pinged with the "interface" option.
@zedalert Tested addresses should be different; as I remember, it sends pings with the "interface" option
So targets should be different
May 9 2022
It may be a good idea to cherry-pick this for 1.4.x branch.
Tested on the latest rolling release:
May 8 2022
Duplicate T4359