Required version for offload hardware flag nftables 0.9.9
The current version we use 0.9.8-3.1
- Feed Queries
- All Stories
- Search
- Feed Search
- Transactions
- Transaction Logs
Feed Search
Aug 31 2022
Aug 31 2022
Viacheslav closed T4547: Show vpn ipsec sa show unexpected prefix 'B' in packets, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, as Resolved.
Viacheslav closed T4569: Rewrite show bridge to new format, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, as Resolved.
Viacheslav closed T4650: Rewire show nat translation to vyos.opmode format, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, as Resolved.
Viacheslav changed the status of T4367: NAT - Config tmp file not available from In progress to Needs testing.
Viacheslav updated the task description for T4564: Root task for rewriting [op-mode] to vyos.opmode format.
Aug 30 2022
Aug 30 2022
Viacheslav updated the task description for T4502: Consider implementing (NAT/other) flow table offload.
Viacheslav changed the status of T4606: monitor nat destination translation shows missing script from Open to In progress.
Viacheslav updated the task description for T4502: Consider implementing (NAT/other) flow table offload.
Aug 29 2022
Aug 29 2022
I have NAT working with vrf in VyOS 1.4-rolling-202208290458 + custom nat offload
set interfaces ethernet eth0 address '192.168.122.14/24' set interfaces ethernet eth1 address '192.0.2.1/24' set interfaces ethernet eth1 vrf 'foo' set protocols static route 192.0.2.0/24 interface eth1 vrf 'foo' set system conntrack set vrf name foo protocols static route 0.0.0.0/0 next-hop 192.168.122.1 interface 'eth0' set vrf name foo protocols static route 0.0.0.0/0 next-hop 192.168.122.1 vrf 'default' set vrf name foo table '1010'
Viacheslav changed the status of T4655: Firewall in 1.4 sets the default action 'accept' instead of 'drop' from Open to In progress.
Viacheslav updated the task description for T4655: Firewall in 1.4 sets the default action 'accept' instead of 'drop'.
Viacheslav added a project to T4653: Interface offload options are not applied correctly: VyOS 1.4 Sagitta.
The same for VyOS 1.4-rolling-202208290458
vyos@r14# set interfaces ethernet eth0 offload gro [edit] vyos@r14# commit
PR for 1.3 https://github.com/vyos/vyos-1x/pull/1504
This bug was in T4241, client couldn't connect to openconnect server and logs from the server site like:
Feb 16 19:46:03 r4 ocserv[2409]: main:192.168.122.1:44480 user disconnected (reason: unspecified, rx: 0, tx: 0) Feb 16 19:46:03 r4 ocserv[2409]: main:192.168.122.1:44482 user disconnected (reason: unspecified, rx: 0, tx: 0) ^C
It was tested with self-signed certificates.
Viacheslav moved T2498: Expected error when deleting vif that has dhcp-server configured from Finished to Need Triage on the VyOS 1.3 Equuleus (1.3.0) board.
@syncer It is affected also and 1.3
It should be a warning if we delete an interface (IP address of Interface) that belongs to some service.
Viacheslav changed the status of T4367: NAT - Config tmp file not available from Open to In progress.
Viacheslav changed the status of T4526: keepalived-fifo.py unable to load config from Open to Needs testing.
In T4533#126598, @c-po wrote:In T4533#126578, @Viacheslav wrote:It is operator level, that shouldn’t have permission for configurations. Only basic diagnostics (op-mode)
Operator mode is no longer supported in VyOS 1.4
Even if so - we should still try to "support" it somehow for the upcoming future when there is a true secure op-mode again.
Could you please add a new Cmnd_Alias vor VRF to /etc/sudoers.d/vyos and allow it for the %operator group?
ip vrf exec requires the CAP_SYS_ADMIN capability which somehow is more or less equal to root.
Viacheslav added a comment to T4617: VRF specification is needed for telegraf prometheus-client listen-address <address> .
It seems working:
● telegraf.service - The plugin-driven server agent for reporting metrics into InfluxDB
Loaded: loaded (/lib/systemd/system/telegraf.service; disabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/telegraf.service.d
└─10-override.conf
Active: active (running) since Mon 2022-08-29 12:51:47 EEST; 1min 7s ago
Docs: https://github.com/influxdata/telegraf
Main PID: 6740 (telegraf)
Tasks: 9 (limit: 9409)
Memory: 49.7M
CPU: 836ms
CGroup: /system.slice/telegraf.service
└─vrf
└─foo
└─6740 /usr/bin/telegraf --config /run/telegraf/telegraf.conf --config-directory /etc/telegraf/telegraf.d --pidfile /run/telegraf/telegraf.pidViacheslav moved T4654: RPKI cache incorrect description from Open to Finished on the VyOS 1.4 Sagitta board.
Viacheslav closed T4594: Rewrite op-mode IPsec to vyos.opmode format, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, as Resolved.
Viacheslav closed T4623: Add show conntrack statistics, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, as Resolved.
Viacheslav edited projects for T3702: Policy: Allow routing by fwmark, added: VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).
Viacheslav renamed T4654: RPKI cache incorrect description from RPKI cache incorrect desctiption to RPKI cache incorrect description.
In T2044#129750, @egoistdream wrote:Hi,
Same issue on VyOS 1.4-rolling-202208240217
And when you set the rpki ips you have wrong description on the options, instead of the "rpki server ip" you have "NTP server"
router# set protocols rpki cache ?
Possible completions:
> <x.x.x.x> IP address of NTP server
> <h:h:h:h:h:h:h:h> IPv6 address of NTP server
> <hostname> Fully qualified domain name of NTP server
In the 1.4 nat translations were rewritten, but I didn't delete the old python code yet https://github.com/vyos/vyos-1x/pull/1501
Viacheslav moved T4601: dhcp : relay agent IP address issue. from Backport Candidates to Need Triage on the VyOS 1.3 Equuleus (1.3.3) board.
Viacheslav moved T4601: dhcp : relay agent IP address issue. from Open to Backport Candidates on the VyOS 1.4 Sagitta board.
Viacheslav moved T4601: dhcp : relay agent IP address issue. from Need Triage to Backport Candidates on the VyOS 1.3 Equuleus (1.3.3) board.
Viacheslav edited projects for T4601: dhcp : relay agent IP address issue., added: VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).
Aug 27 2022
Aug 27 2022
Viacheslav changed the status of T4650: Rewire show nat translation to vyos.opmode format, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, from In progress to Needs testing.
Viacheslav changed the status of T4650: Rewire show nat translation to vyos.opmode format from In progress to Needs testing.
Aug 26 2022
Aug 26 2022
Viacheslav changed the status of T4631: Add port and protocol to nat66 from In progress to Needs testing.
Viacheslav changed the status of T4650: Rewire show nat translation to vyos.opmode format, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, from Open to In progress.
Viacheslav changed the status of T4650: Rewire show nat translation to vyos.opmode format from Open to In progress.
Viacheslav added a comment to T4643: Smoketest exclude either sstp or openconnect from pki-misc default listen port.
Before fix:
06:04:21 DEBUG - FAIL: test_pki_misc (__main__.TestConfigPkiMisc) 06:04:21 DEBUG - ---------------------------------------------------------------------- 06:04:21 DEBUG - Traceback (most recent call last): 06:04:21 DEBUG - File "/usr/bin/vyos-configtest", line 50, in test_config_load 06:04:21 DEBUG - self.session.commit() 06:04:21 DEBUG - vyos.configsession.ConfigSessionError: [[service https]] failed 06:04:21 DEBUG - Commit failed 06:04:21 DEBUG - 06:04:21 DEBUG - 06:04:21 DEBUG - During handling of the above exception, another exception occurred: 06:04:21 DEBUG - 06:04:21 DEBUG - Traceback (most recent call last): 06:04:21 DEBUG - File "/usr/bin/vyos-configtest", line 53, in test_config_load 06:04:21 DEBUG - self.fail() 06:04:21 DEBUG - AssertionError: None
After fix:
vyos@r14:~$ /usr/bin/vyos-configtest Generating tests ... completed: 0.000608 test_pki_misc (__main__.TestConfigPkiMisc) ... time: 16.943 ok
Viacheslav reopened T4643: Smoketest exclude either sstp or openconnect from pki-misc default listen port as "Needs testing".
Aug 25 2022
Aug 25 2022
Viacheslav added a comment to T4202: NFT: Zone policies fail to apply when "l2tp+" is in the interface list.
We have to replace it in migration scripts if it is already not done
PR https://github.com/vyos/vyos-1x/pull/1497
vyos@r14:~$ show nat source statistics Rule Packets Bytes Interface ------ --------- ------- ----------- 100 1279 107896 eth0 120 1 60 eth1 vyos@r14:~$
Viacheslav changed the status of T4645: show nat source statistics lack argument --family from Open to In progress.
The easiest way it add vyatta-nat-translations.pl scripts to the op-mode script directory or rewrite it to the python.
Also discussed this configuration:
set service dhcp-relay <tag> interface eth0 upstream set service dhcp-relay <tag> interface eth1 downstream set service dhcp-relay <tag> server <x.x.x.x> set service dhcp-relay <tag> relay-options hop-count 1 set service dhcp-relay <tag> relay-options upsteam-port 547
Viacheslav changed the status of T4644: Check bind port before assign vpn sstp from Open to In progress.
PR https://github.com/vyos/vyos-1x/pull/1496
vyos@r14# commit [ vpn sstp ] "tcp" port "443" is used by another service
Viacheslav edited projects for T1070: SWANCTL: DMVPN: ALL peers are deleted in swan when opennhrp tries to delete ONE peer, added: VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).
Aug 25 2022, 8:00 AM · Bugs, VyOS 1.3 Equuleus (1.3.9), VyOS 1.4 Sagitta (1.4.0-GA), Restricted Project
Viacheslav changed the status of T4643: Smoketest exclude either sstp or openconnect from pki-misc default listen port from Open to In progress.
Viacheslav changed the status of T4597: Check bind port before assign service HTTPS API and openconnect from In progress to Needs testing.
Viacheslav closed T4626: Error showing nat66 source and destination, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, as Resolved.
Aug 24 2022
Aug 24 2022