- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Jul 29 2022
Jul 29 2022
n.fort added a comment to T3933: The firewall does not filter incoming traffic on the interface with vrf..
Moving in from forwardto prerouting doesn't seem to be a good idea. Filtering in prerouting will also filter local traffic.
Also, as remarked in previous entry, I would try to avoid using marks in mangle, since it may lead to mayor problems/incompatibilities when PBR also present in configuration.
Jul 29 2022, 2:27 PM · Restricted Project, VyOS 1.3 Equuleus (1.3.9), VyOS 1.4 Sagitta (1.4.0-GA), Restricted Project
PR https://github.com/vyos/vyos-1x/pull/1443
vyos@r14:~$ show vrf foo
Name State MAC address Flags Interfaces
------ ------- ----------------- ------------------------ ------------
foo up aa:de:40:58:2e:dd noarp,master,up,lower_up eth1.2
vyos@r14:~$
vyos@r14:~$
vyos@r14:~$
vyos@r14:~$ /usr/libexec/vyos/op_mode/vrf.py show --name bar --raw
[
{
"ifname": "bar",
"operstate": "UP",
"address": "ce:c1:4f:e8:dc:9a",
"flags": [
"NOARP",
"MASTER",
"UP",
"LOWER_UP"
]
}
]
vyos@r14:~$Jul 28 2022
Jul 28 2022
Viacheslav changed the status of T4575: vyos.utill add new wrapper "rc_cmd" to get the return code and output from Open to In progress.
Viacheslav renamed T4575: vyos.utill add new wrapper "rc_cmd" to get the return code and output from vyos.utill add new wrapper "rc_cmd" to get te return code and output to vyos.utill add new wrapper "rc_cmd" to get the return code and output.
Viacheslav added a comment to T4575: vyos.utill add new wrapper "rc_cmd" to get the return code and output.
PR https://github.com/vyos/vyos-1x/pull/1442
>>> from vyos.util import rc_cmd
>>>
>>> rc_cmd('uname')
(0, 'Linux')
>>>
>>> rc_cmd('ip link show dev fake')
(1, 'Device "fake" does not exist.')
>>>Ex2
>>> rc, command = rc_cmd('ip link show dev eth999')
>>>
>>>
>>> print(rc)
1
>>> print(command)
Device "eth999" does not exist.
>>>Viacheslav changed the subtype of T4575: vyos.utill add new wrapper "rc_cmd" to get the return code and output from "Bug" to "Feature Request".
zsdc added a comment to T3933: The firewall does not filter incoming traffic on the interface with vrf..
True, marking packets can help. I would only be very careful because we use marks a lot for PBR, LB, etc. Not sure if they can conflict with each other. Also, the performance is the question - better to check how marking each packet on an interface affects it.
Jul 28 2022, 9:13 PM · Restricted Project, VyOS 1.3 Equuleus (1.3.9), VyOS 1.4 Sagitta (1.4.0-GA), Restricted Project
The reason I set an MTU is because I get the following error when unset:
WARNING: RFC7348 recommends VXLAN tunnels preserve a 1500 byte MTU
VyOS 1.3-stable-202207280515 is not affected and works as expected
vyos@r14:~$ show vpn ipsec sa Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal ------------------------- ------- -------- -------------- ---------------- ---------------- ----------- -------------- peer-192.0.2.2-tunnel-0 up 9s 0B/0B 0/0 192.0.2.2 N/A AES_GCM_16_256 peer-2001:db8::2-tunnel-0 up 9s 0B/0B 0/0 2001:db8::2 N/A AES_GCM_16_256 vyos@r14:~$
SAs
vyos@r14:~$ sudo swanctl -l
peer-2001:db8::2-tunnel-0: #4, ESTABLISHED, IKEv2, bae267e189f183be_i 008bf75c872ced6a_r*
local '2001:db8::1' @ 2001:db8::1[500]
remote '2001:db8::2' @ 2001:db8::2[500]
AES_GCM_16-256/PRF_HMAC_SHA2_256/MODP_2048
established 25s ago, rekeying in 85328s
peer-2001:db8::2-tunnel-0: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
installed 25s ago, rekeying in 28178s, expires in 28775s
in c762627a, 0 bytes, 0 packets
out c2278f63, 0 bytes, 0 packets
local 2001:db8:1111::/64
remote 2001:db8:2222::/64
peer-192.0.2.2-tunnel-0: #3, ESTABLISHED, IKEv2, c923210fb14e11d5_i 2450ab183218d566_r*
local '192.0.2.1' @ 192.0.2.1[500]
remote '192.0.2.2' @ 192.0.2.2[500]
AES_GCM_16-256/PRF_HMAC_SHA2_256/MODP_2048
established 25s ago, rekeying in 85526s
peer-192.0.2.2-tunnel-0: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
installed 25s ago, rekeying in 27722s, expires in 28775s
in c1892b7b, 0 bytes, 0 packets
out c8fbbb2f, 0 bytes, 0 packets
local 100.64.0.0/24
remote 100.64.55.0/24
vyos@r14:~$Viacheslav added a comment to T4565: vlan aware bridge not working with - Kernel: T3318: update Linux Kernel to v5.4.205 #249 .
I have it working between VyOS 1.4-rolling-202207280217 (kernel 5.10.133) and VyOS 1.3-stable-202207280515 (kernel 5.4.205)
Viacheslav added a comment to T4572: Add an option to force interface MTU to the value received from DHCP.
Will it work if you replace this https://github.com/vyos/vyos-1x/blob/4168e03721b2a9595de4090fddf1280d39ccce4c/python/vyos/ifconfig/interface.py#L1378-L1379
sudo nano -c +1385 /usr/lib/python3/dist-packages/vyos/ifconfig/interface.py
with:
Viacheslav changed the status of T4562: Rewrite show vrf to new format, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, from Open to Needs testing.
jestabro updated the task description for T4554: Implement GraphQL resolvers for standardized op-mode scripts.
Viacheslav renamed T4551: IPsec rekeying collisions bug from IPsec rekeying collisions with IPv6 peers to IPsec rekeying collisions bug.
Viacheslav changed the status of T4543: Show source nat statistics shows incorrect interface, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, from Open to In progress.
Viacheslav changed the status of T4543: Show source nat statistics shows incorrect interface from Open to In progress.
PR https://github.com/vyos/vyos-1x/pull/1441
vyos@r14:~$ show nat source statistics Rule Packets Bytes Interface ------ --------- ------- ----------- 10 5 380 eth0 20 0 0 any 30 0 0 any 40 0 0 eth0 40 0 0 eth0 vyos@r14:~$
zsdc added a comment to T4572: Add an option to force interface MTU to the value received from DHCP.
I have no proof now of any obvious negative issues. Moreover, in my personal opinion - if some protocol or interface type requires a default MTU that is not assigned to it by the kernel, this is the problem that should be solved by configuration script for that particular interface.
aserkin added a comment to T4409: route received via Framed-Route radius attribute is installed into default table when terminating connection to VRF.
Is there any chance to fix that ?
The latest version of the demo can be found here:
Viacheslav closed T4531: NAT op-mode errors with exclude rules, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, as Resolved.
Jul 27 2022
Jul 27 2022
Viacheslav changed the status of T4531: NAT op-mode errors with exclude rules, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, from In progress to Needs testing.
Viacheslav changed the status of T4531: NAT op-mode errors with exclude rules from In progress to Needs testing.
df3rry closed T4571: Sflow with vrf configured does not use vrf to validate agent-address IP from vrf-configured interfaces as Resolved.
Tested locally and receive sflow with agent IP of the configured ip/interface/vrf.
Viacheslav closed T4552: Unable to reset IPsec IPv6 peer, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, as Resolved.
Viacheslav added a comment to T4572: Add an option to force interface MTU to the value received from DHCP.
Will it affect also tunnels/openvpn/wireguard/vxlan etc?
If you get rid of the default MTU values you get more pain.
Viacheslav added a project to T4570: Exception when trying to set up VXLAN over Wireguard: VyOS 1.4 Sagitta.
Viacheslav changed the status of T4570: Exception when trying to set up VXLAN over Wireguard from Open to In progress.
zsdc changed the status of T4572: Add an option to force interface MTU to the value received from DHCP from Open to Confirmed.
I can reproduce it:
Jul 26 2022
Jul 26 2022
Here is my WG config:
set interfaces wireguard wg2 address 'REDACTED_IPV6/64' set interfaces wireguard wg2 peer mypeer address 'REDACTED_IPV4' set interfaces wireguard wg2 peer mypeer allowed-ips '::/0' set interfaces wireguard wg2 peer mypeer persistent-keepalive '60' set interfaces wireguard wg2 peer mypeer port '51820' set interfaces wireguard wg2 peer mypeer public-key 'REDACTED' set interfaces wireguard wg2 private-key 'REDACTED' set interfaces wireguard wg2 vrf 'test'
Viacheslav changed the status of T2516: vyos-container: cannot configure ethernet interface from Open to Needs testing.
Viacheslav changed the status of T4545: Rewrite show nat source rules, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, from Open to Needs testing.
Viacheslav changed the status of T4531: NAT op-mode errors with exclude rules, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, from Open to In progress.
Viacheslav changed the status of T4531: NAT op-mode errors with exclude rules from Open to In progress.
VyOS config:
set nat source rule 10 destination address '192.0.2.0/24' set nat source rule 10 exclude set nat source rule 10 outbound-interface 'any' set nat source rule 10 protocol 'all' set nat source rule 10 source address '0.0.0.0/0' set nat source rule 100 outbound-interface 'eth0' set nat source rule 100 source address '203.0.113.0/24' set nat source rule 100 translation address masquerade
The bug is still here:
vyos@r14# run show nat source rules
Traceback (most recent call last):
File "/usr/libexec/vyos/op_mode/nat.py", line 157, in <module>
res = vyos.opmode.run(sys.modules[__name__])
File "/usr/lib/python3/dist-packages/vyos/opmode.py", line 118, in run
res = func(**args)
File "/usr/libexec/vyos/op_mode/nat.py", line 152, in show_rules
return _get_formatted_output_rules(nat_rules, direction)
File "/usr/libexec/vyos/op_mode/nat.py", line 103, in _get_formatted_output_rules
sport {sport}'''
UnboundLocalError: local variable 'sport' referenced before assignment
[edit]
vyos@r14#Viacheslav changed the status of T4569: Rewrite show bridge to new format, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, from Open to In progress.
Viacheslav changed the status of T4571: Sflow with vrf configured does not use vrf to validate agent-address IP from vrf-configured interfaces from Open to Needs testing.
Viacheslav added a comment to T4565: vlan aware bridge not working with - Kernel: T3318: update Linux Kernel to v5.4.205 #249 .
It seems not related to kernel and definitely another bug
vyos@r14# run show conf com | match bri set interfaces bridge br0 enable-vlan set interfaces bridge br0 member interface eth1 allowed-vlan '5-50' set interfaces bridge br0 member interface eth1 native-vlan '5' [edit] vyos@r14# [edit] vyos@r14# run show bridge vlan port vlan-id br0 1 PVID Egress Untagged [edit] vyos@r14#
@aderouineau Describe please all steps of how to reproduce it (with commands set xxx)
I don't have any issues with it
set interfaces vxlan vxlan0 group '239.0.0.241' set interfaces vxlan vxlan0 mtu '1370' set interfaces vxlan vxlan0 port '4789' set interfaces vxlan vxlan0 source-interface 'wg0' set interfaces vxlan vxlan0 vni '123' set interfaces wireguard wg0 address '100.64.0.1/24' set interfaces wireguard wg0 peer PEER01 allowed-ips '0.0.0.0/0' set interfaces wireguard wg0 peer PEER01 public-key 'VVfR5S0yi+QPEJRLr25ZAfzFnwZM40G5WCZ/7ou7h3k=' set interfaces wireguard wg0 private-key 'yGOy08Kv8KUe8rsO6WHeo5jC7YdOAzQK0SJkDFQWlmA='
Viacheslav changed the subtype of T4570: Exception when trying to set up VXLAN over Wireguard from "Task" to "Bug".
Viacheslav moved T4495: Combine BGP reset op commands from Need Triage to Finished on the VyOS 1.4 Sagitta board.
PR https://github.com/vyos/vyos-1x/pull/1435
vyos@r14:~$ show bridge Bridge interface br0: Member State MTU Flags Prio -------- ---------- ----- ------------------------------- ------ dum0 forwarding 1500 broadcast,noarp,up,lower_up 32 eth1.30 forwarding 1500 broadcast,multicast,up,lower_up 32 eth1.55 forwarding 1500 broadcast,multicast,up,lower_up 32
aalmenar closed T4556: fastnetmon: Allow configure white_list_path and populate with hosts/networks that should be ignored. as Resolved.
Mark as resolved as a i have tested it on 1.4-rolling-202207260217 and has been merged
@n.fort source-address is useful especially when more precision is needed. At the moment its use is cumbersome as it does not provide help hint on the addresses assigned to the router, forcing an operator to first list those addresses.
aderouineau added a comment to T4492: Incorrect list of neighbors in help for "show bgp vrf VRF neighbors".
As of 1.4-rolling-202207250217 this is still not resolved.
I can confirm that at least as of version 1.4-rolling-202207250217the op commands have been merged:
vyos@vyos-lab:~$ reset bgp Possible completions: <x.x.x.x> BGP IPv4/IPv6 neighbor to clear <h:h:h:h:h:h:h:h> 1-4294967295 Reset peers with the AS number all Clear all peers external Reset all external peers ipv4 IPv4 Address Family ipv6 IPv6 Address Family l2vpn Layer 2 Virtual Private Network Address Family peer-group Reset all members of peer-group prefix Clear bestpath and re-advertise vrf Virtual Routing and Forwarding (VRF)
Jul 25 2022
Jul 25 2022
aalmenar added a comment to T4561: reset ip bgp <neighbor> allows reset bgp peer for ipv4, also it should exist one for ipv6.
@c-po which one is the new syntax?
@Viacheslav i believe this one can be closed ge and le where inverted order until i found out the error.
Viacheslav changed the status of T4556: fastnetmon: Allow configure white_list_path and populate with hosts/networks that should be ignored. from Open to In progress.
Agree that both options are not available in cli.. But, you can use source-address:
I can't reproduce it (VyOS 1.4-rolling-202207220217):
set policy prefix-list BARRA32 rule 5 action 'permit' set policy prefix-list BARRA32 rule 5 ge '32' set policy prefix-list BARRA32 rule 5 le '32' set policy prefix-list BARRA32 rule 5 prefix '0.0.0.0/0' set policy prefix-list UTRSv4s25 rule 5 action 'permit' set policy prefix-list UTRSv4s25 rule 5 le '25' set policy prefix-list UTRSv4s25 rule 5 prefix '0.0.0.0/0' set policy prefix-list6 BARRA128 rule 5 action 'permit' set policy prefix-list6 BARRA128 rule 5 ge '128' set policy prefix-list6 BARRA128 rule 5 le '128' set policy prefix-list6 BARRA128 rule 5 prefix '::/0' set policy prefix-list6 UTRSv6s49 rule 5 action 'permit' set policy prefix-list6 UTRSv6s49 rule 5 le '49' set policy prefix-list6 UTRSv6s49 rule 5 prefix '::/0'
Viacheslav closed T1233: ipsec vpn sa showing down, a subtask of T2816: Rewrite IPsec scripts with the new XML/Python approach, as Resolved.
Will be fixed with syntax migration in T4118
Viacheslav added a comment to T4271: bgp: show ipv6 bgp summary doesn't display neighbor information.
@NikolayP Try the next command: