PR for equuleus (upcoming 1.3.2 release https://github.com/vyos/vyos-1x/pull/1390)
All Stories
Jul 4 2022
PR https://github.com/vyos/vyos-1x/pull/1389
set service dns forwarding dns64-prefix 2001:db8:aabc::/96
Or probably better:
NTP listen option not only supports IPv4/IPv6 addresses but also interface names.
Oh, if you are asking for an example of what the VyOS config setting would look like?
I've been manually adding TAYGA to VyOS (See T160) for my NAT64 capability.
@dsummers Could you provide an example of VyOS configuration and an example of what you add?
Yes, I spent quite some time trying to replicate your findings until I noticed that you used if commit_in_progress, so the truth value of a defined object that isn't None or False was trivially true.
Bug in my testing:
I tested commit_in_progress instead of commit_in_progress()
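The mistake described in the two comments above (testing `commit_in_progress` instead of `commit_in_progress()`) is silent at runtime, because any function object is truthy. The following is an added example, not VyOS code: a small static check that flags a bare name bound to a `def` or an import when it is used directly as an `if`/`while`/`not`/`and`/`or` test, plus a one-function demonstration of why the branch is always taken. The sample source it scans is constructed for illustration and is not the real VyOS module.

```python
"""Added example: detect `if some_function:` (function object used as a
condition) with the ast module. Not part of VyOS; the sample is constructed."""
import ast

# Constructed sample resembling the reported mistake (not the real VyOS source).
SAMPLE = '''
from vyos.util import commit_in_progress

def wait_for_commit():
    if commit_in_progress:          # bug: tests the function object, always true
        return True
    return False

def wait_for_commit_fixed():
    if commit_in_progress():        # correct: tests the return value
        return True
    return False
'''


def function_object_is_truthy():
    """Show the runtime behaviour: bool(fn) is True even when fn() is False."""
    def stub():
        return False
    return bool(stub), bool(stub())   # (True, False)


def find_bare_callable_tests(source):
    """Return (lineno, name) for every boolean-context use of a bare Name that
    this module binds with `def` or an import. Imported names are reported too,
    since the caller cannot tell a function from a constant without executing
    the import; review those hits manually."""
    tree = ast.parse(source)
    bound = set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            bound.add(node.name)
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            for alias in node.names:
                bound.add(alias.asname or alias.name.split('.')[0])

    findings = []

    def check(expr):
        # A bare Name in a truth test is the suspicious case; a Call is fine.
        if isinstance(expr, ast.Name) and expr.id in bound:
            findings.append((expr.lineno, expr.id))
        elif isinstance(expr, ast.BoolOp):
            for value in expr.values:
                check(value)
        elif isinstance(expr, ast.UnaryOp) and isinstance(expr.op, ast.Not):
            check(expr.operand)

    for node in ast.walk(tree):
        if isinstance(node, (ast.If, ast.While, ast.IfExp, ast.Assert)):
            check(node.test)
    return sorted(findings)


if __name__ == '__main__':
    print(function_object_is_truthy())
    for lineno, name in find_bare_callable_tests(SAMPLE):
        print(f'line {lineno}: bare callable {name!r} used as a condition')
```

Running it on the constructed sample reports only line 5 (the buggy `if commit_in_progress:`); the fixed variant with the call is not flagged.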
In T4456#125497, @Viacheslav wrote: @marekm Did you set a proper listen address for it?
set system ntp listen-address x.x.x.x
Is there any further testing needed by me or someone else will do that?
I tested on VyOS 1.4-rolling-202207030217. The bug was resolved.
Jul 3 2022
I already tested the PR before submitting:
Jul 2 2022
Potentially slow validators (each one forks ipaddrcheck):
src/validators/interface-address: ipaddrcheck --is-ipv4-host $1 || ipaddrcheck --is-ipv6-host $1
src/validators/ip-address: ipaddrcheck --is-any-single $1
src/validators/ip-cidr: ipaddrcheck --is-any-cidr $1
src/validators/ip-host: ipaddrcheck --is-any-host $1
src/validators/ip-prefix: ipaddrcheck --is-any-net $1
src/validators/ipv4: ipaddrcheck --is-ipv4 $1
src/validators/ipv4-address: ipaddrcheck --is-ipv4-single $1
src/validators/ipv4-host: ipaddrcheck --is-ipv4-host $1
src/validators/ipv4-multicast: ipaddrcheck --is-ipv4-multicast $1 && ipaddrcheck --is-ipv4-single $1
src/validators/ipv4-prefix: ipaddrcheck --is-ipv4-net $1
src/validators/ipv4-range: ipaddrcheck --is-ipv4-single ${strarr[0]}
src/validators/ipv4-range: ipaddrcheck --is-ipv4-single ${strarr[1]}
src/validators/ipv6: ipaddrcheck --is-ipv6 $1
src/validators/ipv6-address: ipaddrcheck --is-ipv6-single $1
src/validators/ipv6-host: ipaddrcheck --is-ipv6-host $1
src/validators/ipv6-multicast: ipaddrcheck --is-ipv6-multicast $1 && ipaddrcheck --is-ipv6-single $1
src/validators/ipv6-prefix: ipaddrcheck --is-ipv6-net $1
Inverse match PR: https://github.com/vyos/vyos-1x/pull/1386
Jul 1 2022
If the counters are visible and incrementing when checking with nft list table ip filter, then I don't think this is an implementation issue. Wondering if it's a problem with the syslog daemon.
I can't reproduce it in VyOS 1.3.1-S1 and VyOS 1.3-stable-202206240423
vyos@r1:~$ show conf com | match eth1
set interfaces ethernet eth1 address 'dhcp'
set interfaces ethernet eth1 mtu '9000'
@a.apostoliuk Will be fixed in the next rolling release, could you re-test it?
@n.fort Could you create PR for 1.3?
I think it should be here https://github.com/vyos/vyatta-cfg-quagga/blob/d4097690c40f619bc0e78a0d674985f7880a19a3/templates/policy/route-map/node.tag/rule/node.tag/match/peer/node.def#L3-L4
The same behavior for 1.2
It seems to be some old/deprecated package, ipp2p:
vyos@r12# set firewall ipv6-name TEST rule 1 action drop
[edit]
vyos@r12# set firewall ipv6-name TEST rule 1 p2p all
[edit]
vyos@r12# commit
[ firewall ipv6-name TEST ]
ip6tables v1.4.21: Couldn't load match `ipp2p':No such file or directory
@marekm Did you set a proper listen address for it?
set system ntp listen-address x.x.x.x
Also add IPv6 link local address support to auto generate a link-local address as on any other type of interface.
With recent versions of strongSwan and XFRM interface in VyOS 1.4 this is now possible.
Jun 30 2022
In T1641#125443, @Viacheslav wrote: @trae32566 Extend the conntrack table and reduce timeouts:
for example
There is no dict if only one record exists, in https://github.com/vyos/vyos-1x/blob/cefc7ce9bfcf7750700e73edbc21864fe8ab0bee/src/op_mode/show_nat_translations.py#L103-L110
So it can't parse correctly.
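The comment above describes a classic pitfall of XML-to-dict conversion: a single child element comes back as a dict while several come back as a list, so code that iterates the result breaks when exactly one conntrack flow exists. The following is an added example, not the VyOS script: it parses a constructed, conntrack-style XML dump with the standard library so that the result is always a list, and it includes a small `as_list()` normaliser for code that already has a dict-or-list structure in hand. The XML samples and field layout are constructed for illustration.

```python
"""Added example: parse NAT translations from conntrack-style XML so that one
flow and many flows are handled the same way. Not VyOS code; samples constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: a single flow (the case the comment says breaks).
ONE_FLOW = """<conntrack>
<flow>
 <meta direction="original"><layer3 protoname="ipv4"><src>192.0.2.10</src><dst>198.51.100.5</dst></layer3>
  <layer4 protoname="tcp"><sport>51000</sport><dport>443</dport></layer4></meta>
 <meta direction="reply"><layer3 protoname="ipv4"><src>198.51.100.5</src><dst>203.0.113.1</dst></layer3>
  <layer4 protoname="tcp"><sport>443</sport><dport>51000</dport></layer4></meta>
</flow>
</conntrack>"""

# Constructed sample: two flows, the case that already worked.
TWO_FLOWS = ONE_FLOW.replace("</flow>\n", "</flow>\n" + ONE_FLOW.split("\n", 1)[1]
                             .replace("</conntrack>", "")
                             .replace("192.0.2.10", "192.0.2.11")
                             .replace("51000", "51001"), 1)


def as_list(value):
    """Normalise a dict-or-list structure (as produced by xmltodict-style
    parsers) so callers can always iterate: None -> [], dict -> [dict]."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def translations(xml_text):
    """Return one row per flow: original src/dst and the translated source,
    taken from the reply direction's dst (what an outside host sees for SNAT)."""
    root = ET.fromstring(xml_text)
    rows = []
    for flow in root.iter("flow"):           # yields every flow, one or many
        by_dir = {m.get("direction"): m for m in flow.findall("meta")}
        orig, reply = by_dir["original"], by_dir["reply"]
        rows.append({
            "proto": orig.find("layer4").get("protoname"),
            "src": f'{orig.find("layer3/src").text}:{orig.find("layer4/sport").text}',
            "dst": f'{orig.find("layer3/dst").text}:{orig.find("layer4/dport").text}',
            "translated_src": f'{reply.find("layer3/dst").text}:{reply.find("layer4/dport").text}',
        })
    return rows


if __name__ == "__main__":
    for row in translations(ONE_FLOW) + translations(TWO_FLOWS):
        print(row)
```

If the script keeps using xmltodict, the equivalent fix is to pass `force_list=('flow',)` to `xmltodict.parse()` so that the `flow` key is always a list, or to wrap the value with a helper like `as_list()` before iterating.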
Maybe it depends on the version of accel-ppp.
In 1.2.8:
Cherry-pick for 1.3 https://github.com/vyos/vyos-1x/pull/1381
In T2455#68732, @dmbaturin wrote:VTI is secretly IPIP, so it doesn't support IPv6. The real issue is that we don't support the IPv6 variant of VTI yet.
@trae32566 Extend the conntrack table and reduce timeouts:
for example
set system sysctl parameter net.netfilter.nf_conntrack_generic_timeout value 60
set system sysctl parameter net.netfilter.nf_conntrack_icmp_timeout value 10
set system sysctl parameter net.netfilter.nf_conntrack_icmpv6_timeout value 10
set system sysctl parameter net.netfilter.nf_conntrack_tcp_timeout_close_wait value 20
set system sysctl parameter net.netfilter.nf_conntrack_tcp_timeout_established value 1800
set system sysctl parameter net.netfilter.nf_conntrack_tcp_timeout_fin_wait value 30
set system sysctl parameter net.netfilter.nf_conntrack_tcp_timeout_syn_recv value 30
set system sysctl parameter net.netfilter.nf_conntrack_tcp_timeout_syn_sent value 60
set system sysctl parameter net.netfilter.nf_conntrack_tcp_timeout_time_wait value 120
set system sysctl parameter net.netfilter.nf_conntrack_udp_timeout_stream value 60
@Viacheslav There is already a set interfaces bridge brN igmp node. If the default option is enabled, I think set interfaces bridge brN igmp disable-snooping would sound better.
I prefer to have IGMP snooping disabled as the default option, since improper IGMP snooping causes issues while disabling IGMP snooping doesn't.
This seems to be an issue in 1.4 as well, I have the exact same symptoms, and removing the accept-protocol fixes the issue.
Jun 29 2022
Implemented as: set service router-advert interface eth0 name-server-lifetime <value> which will be option A
PR https://github.com/vyos/vyos-1x/pull/1379 (without completion help)
Because with a rule like that I would accept everything coming from nl from wan to lan, or I would need to add the source nl to every rule. That's why I did it with a deny for traffic not coming from nl on top, and then specific rules for the traffic that I want to accept.