@jack9603301 I've tested your updated PR and it seems to work well now. Thank you for the quick response.
@sdev I've tested your PR and it seems to also fix both issues. I did not test anything beyond DNAT port only in both ip and ip6 families.
- Feed Queries
- All Stories
- Search
- Feed Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Sep 22 2022
Sep 22 2022
GitHub <noreply@github.com> committed rVYOSONEX7ba1f6444d1b: Merge pull request #1552 from sarthurdev/nat_refactor (authored by c-po).
GitHub <noreply@github.com> committed rVYOSONEXf3e6fb5aab6f: telegraf: T4680: fix prometheus client listen-address invalid format (authored by ServerForge).
Sep 21 2022
Sep 21 2022
GitHub <noreply@github.com> committed rVYOSONEX2921b6fbcdde: Merge pull request #1553 from nicolas-fort/return-action (authored by c-po).
n.fort renamed T4699: Firewall - Add jump action - Add return action from Firewall - Add jump action to Firewall - Add jump action - Add return action.
c-po closed T4703: accel-ppp: combine vlan-id and vlan-range into single CLI node, a subtask of T4678: Rewrite service ipoe-server to get_config_dict, as Resolved.
c-po updated the task description for T4703: accel-ppp: combine vlan-id and vlan-range into single CLI node.
Included a fix for this in NAT refactor: https://github.com/vyos/vyos-1x/pull/1552
PR for NAT included with refactor: https://github.com/vyos/vyos-1x/pull/1552
c-po changed the status of T4678: Rewrite service ipoe-server to get_config_dict from Open to In progress.
@jack9603301, your PR solves the NAT66 issue - thank you. However, the change you made to nat.py to try to solve the NAT44 issue is not complete and seem to also require a template change. I'll post additional details in the PR.
Since jump action was added, It would be good to also add "return" action
Initial PR here, https://github.com/vyos/vyos-1x/pull/1551.
Sep 20 2022
Sep 20 2022
It seems we have working ISIS segment routing:
@Netboy3 Let me modify the template to support
Sep 19 2022
Sep 19 2022
Viacheslav added a project to T4704: Allow to set metric (MED) to rtt with rtt,+rtt or -rtt: VyOS 1.4 Sagitta.
Why would you enforce an address? It is perfectly OK to have port-only DNAT66 without any destination address such as:
nft add rule ip6 nat PREROUTING iifname eth1 counter tcp dport 443 dnat to :3000
Problem is that the test logic breaks on this and spits out a wrong statement to NFT that barfs on it.
Maybe we should add check to NAT66 to enforce the given address
n.fort changed the status of T4699: Firewall - Add jump action - Add return action from In progress to Needs testing.
GitHub <noreply@github.com> committed rVYOSONEXfdfe3dabcbff: Merge pull request #1549 from sever-sever/T4118-smoketest (authored by c-po).
Sep 18 2022
Sep 18 2022
@n.fort Maybe set firewall name <name> rule <rule> ipsec match-gre? This feels a bit hacky though... Almost like match should be its own block and contain ipsec, none, or gre
GitHub <noreply@github.com> committed rVYOSONEX877047b9d36f: Merge pull request #1543 from Cheeze-It/current (authored by c-po).
Sep 17 2022
Sep 17 2022
roedie moved T4526: keepalived-fifo.py unable to load config from Open to Finished on the VyOS 1.4 Sagitta board.
roedie moved T4665: Keepalived cannot use same VRID for VRRPv2 and VRRPv3 from Open to Finished on the VyOS 1.4 Sagitta board.
It works for me (tm)
GitHub <noreply@github.com> committed rVYOSONEXdcf755594d3c: Merge pull request #1546 from nicolas-fort/fwall-jump (authored by c-po).
c-po moved T4702: Wireguard peers configuration is not synchronized with CLI from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.3) board.
PR for VyOS 1.3.3 https://github.com/vyos/vyos-1x/pull/1548
c-po moved T4703: accel-ppp: combine vlan-id and vlan-range into single CLI node from Open to In Progress on the VyOS 1.4 Sagitta board.
c-po moved T4702: Wireguard peers configuration is not synchronized with CLI from Open to Finished on the VyOS 1.4 Sagitta board.
c-po changed the status of T4702: Wireguard peers configuration is not synchronized with CLI from Confirmed to Needs testing.
c-po edited projects for T4702: Wireguard peers configuration is not synchronized with CLI, added: VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus.
Sep 16 2022
Sep 16 2022
c-po changed the status of T4703: accel-ppp: combine vlan-id and vlan-range into single CLI node from Open to In progress.
GitHub <noreply@github.com> committed rVYOSONEX748dab43b87c: Merge pull request #1463 from sever-sever/T4118 (authored by dmbaturin).
danhusan awarded T4702: Wireguard peers configuration is not synchronized with CLI a Love token.
Viacheslav added a comment to T4557: fastnetmon: allow configure limits per protocol (tcp, udp, icmp).
PR https://github.com/vyos/vyos-1x/pull/1545
PR https://github.com/vyos/vyatta-cfg-system/pull/185
set service ids ddos-protection direction 'in' set service ids ddos-protection listen-interface 'eth1' set service ids ddos-protection mode mirror set service ids ddos-protection threshold general fps '1000' set service ids ddos-protection threshold general mbps '200' set service ids ddos-protection threshold general pps '150000' set service ids ddos-protection threshold tcp fps '25' set service ids ddos-protection threshold tcp mbps '55' set service ids ddos-protection threshold tcp pps '155' set service ids ddos-protection threshold udp fps '100' set service ids ddos-protection threshold udp mbps '100' set service ids ddos-protection threshold udp pps '100' set service ids ddos-protection threshold icmp fps '200' set service ids ddos-protection threshold icmp mbps '210' set service ids ddos-protection threshold icmp pps '2040'
Expected fastnermon config entries:
# General threshold ban_for_flows = on threshold_flows = 1000 ban_for_bandwidth = on threshold_mbps = 200 ban_for_pps = on threshold_pps = 150000
zsdc raised the priority of T4702: Wireguard peers configuration is not synchronized with CLI from Normal to High.
zsdc renamed T4702: Wireguard peers configuration is not synchronized with CLI from A `disable` option does not work for Wireguard peers to Wireguard peers configuration is not synchronized with CLI.
n.fort changed the status of T4701: Firewall - Implement global option to use one single general chian from Open to In progress.
n.fort changed the status of T4700: Firewall - Add interface match criteria from Open to In progress.
n.fort changed the status of T4699: Firewall - Add jump action - Add return action from Open to In progress.
GitHub <noreply@github.com> committed rVYOSONEX79a96ee24176: Merge pull request #1544 from sever-sever/T4697 (authored by c-po).
Viacheslav changed the status of T3896: Extend ocserv support to allow for per-group configs from Open to Needs testing.
c-po changed the status of T4656: Support the listen-host config field of openconnect server from In progress to Needs testing.
GitHub <noreply@github.com> committed rVYOSONEXecb2a4077f90: ocserv: openconnect: T4656: add listen-address CLI option (authored by Demon_H).
c-po closed T4698: Drop validator name="range" and replace it with numeric, a subtask of T4669: Extend numeric.ml for inversion of values and range values, as Resolved.
Viacheslav changed the status of T4697: policy route: Generating ConfigError failes when tcp flag is missing on set tcp-mss rule commit from Open to In progress.