In T3933#124952, @sandwichdoge wrote:
@Viacheslav I tested your fix in my environment. The inbound filtering worked as expected after the fix. However, it did not work correctly for the case where we want both inbound and outbound firewalls on a single vrf member interface (or any case that has more than 2 directions on the same interface).
table ip filter {
	chain VYOS_FW_LOCAL {
		type filter hook input priority filter; policy accept;
		oifname "ONE" counter packets 63 bytes 6024 jump NAME_FOO   # <<< Problem here, oifname should be eth0, not vrf name
		iifname "ONE" counter packets 63 bytes 6024 jump NAME_FOO
		jump VYOS_POST_FW
	}
	...
	chain NAME_FOO {
		ip saddr 8.8.8.8 counter packets 79 bytes 6636 drop comment "FOO-10"
		counter packets 3 bytes 984 return comment "FOO default-action accept"
	}
}
Jul 6 2022
Viacheslav updated subscribers of T3933: The firewall does not filter incoming traffic on the interface with vrf.
Jul 6 2022, 12:47 PM · Bugs, VyOS 1.3 Equuleus (1.3.9), VyOS 1.4 Sagitta (1.4.0-GA), Restricted Project
Viacheslav moved T4513: Webproxy monitor commands do not work from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.2) board.
Viacheslav moved T4513: Webproxy monitor commands do not work from Open to Finished on the VyOS 1.4 Sagitta board.
GitHub <noreply@github.com> committed rVYOSONEX484350192470: Merge pull request #1396 from aapostoliuk/T4513-equuleus (authored by zdc <zdc@users.noreply.github.com>).
@a.apostoliuk Could you create PR for 1.3?
Viacheslav edited projects for T4513: Webproxy monitor commands do not work, added: VyOS 1.3 Equuleus (1.3.2); removed VyOS 1.3 Equuleus.
GitHub <noreply@github.com> committed rVYOSONEXc548d1c7bac0: Merge pull request #1395 from aapostoliuk/T4513 (authored by Viacheslav).
a.apostoliuk changed the status of T4513: Webproxy monitor commands do not work from Open to In progress.
a.apostoliuk edited projects for T4513: Webproxy monitor commands do not work, added: VyOS 1.3 Equuleus; removed VyOS 1.3 Equuleus ( 1.3.1).
I see that the pull request was accepted. I just tested it with the latest rolling and it seems to work as expected.
Thanks a lot!
Jul 5 2022
sarthurdev closed T478: Firewall address group (multi and nesting), a subtask of T2199: Rewrite firewall in new XML/Python style, as Resolved.
GitHub <noreply@github.com> committed rVYOSONEX2010c7de9e1f: Merge pull request #1394 from sarthurdev/zone_default_log (authored by c-po).
GitHub <noreply@github.com> committed rVYOSONEXf794ed27e399: Merge pull request #1393 from sarthurdev/firewall_migrate (authored by c-po).
dsummers added a comment to T4510: set system static-host-mapping doesn't allow IPv4 and IPv6 for same name.
Confirmed that issue is resolved.
sarthurdev changed the status of T4512: enable-default-log on zone-policy from In progress to Needs testing.
Viacheslav moved T4507: IPoE-server add multiplier option for shaper from Open to Finished on the VyOS 1.4 Sagitta board.
Viacheslav added a project to T4507: IPoE-server add multiplier option for shaper: VyOS 1.3 Equuleus (1.3.2).
Viacheslav moved T4373: PPPoE-server add multiplier option for shaper from Open to Finished on the VyOS 1.4 Sagitta board.
PR for 1.3 https://github.com/vyos/vyos-1x/pull/1392
Viacheslav added a project to T4373: PPPoE-server add multiplier option for shaper: VyOS 1.3 Equuleus (1.3.2).
c-po closed T4510: set system static-host-mapping doesn't allow IPv4 and IPv6 for same name. as Resolved.
c-po committed rVYOSONEXae41b2bacfe1: hosts: T2683: Allow multiple entries for static-host-mapping (authored by Viacheslav).
GitHub <noreply@github.com> committed rVYOSONEX459f8ea10227: Merge pull request #1391 from c-po/t4510-static-host-equuleus (authored by c-po).
GitHub <noreply@github.com> committed rVYOSONEX373aacd2375f: Merge pull request #1389 from sever-sever/T4509 (authored by c-po).
GitHub <noreply@github.com> committed rVYOSONEXcac6da1e3038: Merge pull request #1381 from sever-sever/T4313-eq (authored by c-po).
I dug a little deeper; it appears that calling 2 HTTP APIs in parallel results in a vyos-http-api library crash.
Jul 5 08:47:39 cxr vyos-http-api[107198]: Configuration modified via HTTP API using key 'ccube-dev'
Jul 5 08:47:39 cxr vyos-http-api[107198]: INFO: None:0 - "POST /configure HTTP/1.0" 200 OK
Jul 5 08:47:39 cxr netplugd[907]: br4: can't get flags: No such device
Jul 5 08:47:39 cxr vyos-http-api[107198]: processing form data
Jul 5 08:47:39 cxr netplugd[907]: br4: can't get flags: No such device
Jul 5 08:47:39 cxr netplugd[907]: message repeated 3 times: [ br4: can't get flags: No such device]
Jul 5 08:47:39 cxr netplugd[907]: br5: can't get flags: No such device
Jul 5 08:47:39 cxr netplugd[907]: br4: can't get flags: No such device
Jul 5 08:47:39 cxr netplugd[907]: message repeated 27 times: [ br4: can't get flags: No such device]
Jul 5 08:47:40 cxr vyos-http-api[107198]: INFO: None:0 - "POST /config-file HTTP/1.0" 200 OK
Jul 5 08:47:40 cxr vyos-http-api[107198]: processing form data
Jul 5 08:47:40 cxr vyos-http-api[107198]: INFO: None:0 - "POST /retrieve HTTP/1.0" 400 Bad Request
Jul 5 08:47:40 cxr vyos-http-api[107198]: processing form data
Jul 5 08:47:40 cxr vyos-http-api[107198]: processing form data
Jul 5 08:47:40 cxr ntpd[3893]: Listen normally on 87 vti1 169.254.231.46:123
Jul 5 08:47:40 cxr ntpd[3893]: new interface(s) found: waking up resolver
Jul 5 08:47:41 cxr kernel: [104872.825731] vyos-http-api-s[107280]: segfault at 1020 ip 00007f792d30391d sp 00007f792dce93e0 error 4 in libvyosconfig.so.0[7f792d2ae000+10c000]
Jul 5 08:47:41 cxr kernel: [104872.825745] Code: 20 48 83 c4 08 c3 e8 f2 d9 fa ff eb c6 48 83 ec 48 48 8b 40 10 48 89 44 24 18 48 8b 40 20 48 8b 58 20 48 8b 5b 20 48 8b 7b 20 <48> 8b 77 20 48 89 74 24 10 48 8b 56 20 48 89 54 24 20 48 8b 7f 08
Jul 5 08:47:41 cxr kernel: [104872.833057] net_ratelimit: 24 callbacks suppressed
Jul 5 08:47:41 cxr kernel: [104872.833059] IPv4: martian source 10.10.10.18 from 10.10.10.1, on dev eth2
Jul 5 08:47:41 cxr kernel: [104872.833061] ll header: 00000000: ff ff ff ff ff ff 6a 2c d7 cd 51 fd 08 06
Jul 5 08:47:41 cxr systemd[1]: vyos-http-api.service: Main process exited, code=killed, status=11/SEGV
I'm also getting the same error when calling the https API from localhost. In my case it only happens occasionally.
GitHub <noreply@github.com> committed rVYOSONEX63b585e38dbb: Merge pull request #1379 from sever-sever/T4494 (authored by c-po).
c-po moved T4510: set system static-host-mapping doesn't allow IPv4 and IPv6 for same name. from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.2) board.
c-po changed the status of T4510: set system static-host-mapping doesn't allow IPv4 and IPv6 for same name. from Open to In progress.
c-po added a comment to T4510: set system static-host-mapping doesn't allow IPv4 and IPv6 for same name.
Will be resolved in https://github.com/vyos/vyos-1x/pull/1391
PR (backport) for 1.3 https://github.com/vyos/vyos-1x/pull/1391
c-po moved T2654: Multiple names unable to be assigned to the same static mapping from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.2) board.
c-po moved T2683: no dual stack in system static-host-mapping host-name from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.2) board.
PR for 1.3 https://github.com/vyos/vyos-1x/pull/1391
c-po edited projects for T2654: Multiple names unable to be assigned to the same static mapping, added: VyOS 1.3 Equuleus (1.3.2); removed VyOS 1.3 Equuleus (1.3.0).
Sorry, just to clarify: these are mostly web domains, not DCs, so there is no DNS running on them, just HTTP.
Jul 4 2022
I wanted to ask you guys if this is an appropriate change to make. Considering it's on BGP, it's going to be a change in a crucial part, but I think this one is probably a good one to make just to reduce ambiguity.
GitHub <noreply@github.com> committed rVYOSONEX26506757c3d0: Merge pull request #1386 from sarthurdev/geoip_negate (authored by c-po).
c-po added a comment to T4456: NTP client in VRF tries to bind to interfaces outside VRF, logs many messages.
PR for equuleus (upcoming 1.3.2 release https://github.com/vyos/vyos-1x/pull/1390)
c-po moved T4456: NTP client in VRF tries to bind to interfaces outside VRF, logs many messages from Open to Finished on the VyOS 1.4 Sagitta board.
PR https://github.com/vyos/vyos-1x/pull/1389
set service dns forwarding dns64-prefix 2001:db8:aabc::/96
Or probably better:
c-po edited projects for T4456: NTP client in VRF tries to bind to interfaces outside VRF, logs many messages, added: VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus.
c-po added a comment to T4456: NTP client in VRF tries to bind to interfaces outside VRF, logs many messages.
NTP listen option not only supports IPv4/IPv6 addresses but also interface names.
Oh, if you are asking for an example of what the VyOS config setting would look like?
I've been manually adding TAYGA to VyOS (See T160) for my NAT64 capability.
@dsummers Could you provide an example of VyOS configuration and an example of what you add?
Viacheslav changed the status of T4378: Unable to submit wildcard ("*.example.com") A or AAAA records in dns forwarder from Open to Needs testing.
GitHub <noreply@github.com> committed rVYOSONEX7a09c9d4b3d7: Merge pull request #1382 from sever-sever/T4378 (authored by Viacheslav).
GitHub <noreply@github.com> committed rVYOSONEX9400266d8a89: Merge pull request #1388 from zdc/T4528-sagitta (authored by c-po).
zsdc added a comment to T4508: Problem with values of the same environment in different event handlers.
a.apostoliuk changed the status of T4508: Problem with values of the same environment in different event handlers from Open to In progress.
Yes, I spent quite some time trying to replicate your findings until I noticed that you used if commit_in_progress, so the truth value of a defined object that isn't None or False was trivially true.
Bug of testing
I tested commit_in_progress instead of commit_in_progress()
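The mistake above (testing commit_in_progress instead of commit_in_progress()) is silent because any Python function object is truthy, so the branch always runs. The following is an added example, not VyOS project code: it shows the truthiness difference and a small ast-based check that flags a known function name used bare as the condition of an if/while/ternary/assert. The sample source and the names in it are constructed for the demonstration; the check is only a heuristic and knows nothing about names it is not told about.

```python
# Added example (not VyOS code): detect "if f:" where f is a function that should be called.
import ast
from typing import Iterable, List, Set, Tuple

# Constructed sample source mimicking the bug; the names are hypothetical.
SAMPLE = '''
def commit_in_progress():
    return False

def handler_buggy():
    if commit_in_progress:          # bug: tests the function object, always truthy
        return "busy"
    return "free"

def handler_fixed():
    if commit_in_progress():        # correct: tests the return value
        return "busy"
    return "free"
'''


def demonstrate_truthiness() -> Tuple[bool, bool]:
    """bool(f) is True for any function object; bool(f()) depends on what f returns."""
    def commit_in_progress() -> bool:
        return False
    return bool(commit_in_progress), bool(commit_in_progress())


def find_uncalled_function_tests(source: str,
                                 extra_functions: Iterable[str] = ()) -> List[Tuple[int, str]]:
    """Return (line, name) for each bare function name used as a boolean test.

    Functions are those defined in `source` plus any names passed in
    `extra_functions` (for imported helpers the module itself does not define).
    Tests inside `not`, `and` and `or` are descended into; a Call node is not flagged.
    """
    tree = ast.parse(source)
    known: Set[str] = set(extra_functions)
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            known.add(node.name)

    hits: List[Tuple[int, str]] = []

    def check(expr: ast.expr) -> None:
        if isinstance(expr, ast.Name) and expr.id in known:
            hits.append((expr.lineno, expr.id))
        elif isinstance(expr, ast.UnaryOp) and isinstance(expr.op, ast.Not):
            check(expr.operand)
        elif isinstance(expr, ast.BoolOp):
            for value in expr.values:
                check(value)

    for node in ast.walk(tree):
        if isinstance(node, (ast.If, ast.While, ast.IfExp, ast.Assert)):
            check(node.test)
    return sorted(hits)


if __name__ == "__main__":
    print("bool(f), bool(f()):", demonstrate_truthiness())
    for line, name in find_uncalled_function_tests(SAMPLE):
        print(f"line {line}: '{name}' is a function used as a condition without being called")
```

Run it as a script to see the buggy handler flagged at the line of its if statement while the fixed handler passes; pass the names of imported helpers in extra_functions when checking a real module.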