Feed All Stories
Sep 28 2022
Sep 28 2022
Viacheslav added a comment to T4557: fastnetmon: allow configure limits per protocol (tcp, udp, icmp).
Viacheslav added a comment to T4718: DHCP server listen-address doesn't take effect if the interface is in a VRF.
Maybe something wrong with this check https://github.com/vyos/vyos-1x/blob/f5a50135f07ac4ec8ed431a757b9c56e607d2132/src/conf_mode/dhcp_server.py#L265-L271
syncer changed the status of T4712: Collaborative Protection Profile cPP for Network Devices root task from Open to In progress.
sarthurdev changed the status of T4713: vyos@vyos:~$ show nat destination rules | doesn't work from Confirmed to Needs testing.
Viacheslav added a comment to T4713: vyos@vyos:~$ show nat destination rules | doesn't work.
Maybe incorrect parsing of port ranges (comma-separated)
rule 120 {
description "Playstation - 172.16.136.96"
destination {
port 1935,3074,3478,3479,3480
}sarthurdev changed the status of T4713: vyos@vyos:~$ show nat destination rules | doesn't work from Open to Confirmed.
William Hughes <will@willhughes.name> committed rVYOSONEX3930be3b8786: conserver: T4717: Support for setting a name for console-server devices.
GitHub <noreply@github.com> committed rVYOSONEXfe3ef62a1f35: Merge pull request #1559 from insertjokehere/console-server-names (authored by c-po).
insertjokehere added a comment to T4717: Connect to console server by name.
PRs open to implement this:
insertjokehere changed the status of T4717: Connect to console server by name from Open to In progress.
Sep 27 2022
Sep 27 2022
icyfire0573 added a comment to T4713: vyos@vyos:~$ show nat destination rules | doesn't work.
vyos@vyos:~$ show configuration
firewall {
interface eth2 {
in {
name OUTSIDE-IN
}
local {
name OUTSIDE-LOCAL
}
}
name OUTSIDE-IN {
default-action drop
rule 10 {
action accept
state {
established enable
related enable
}
}
rule 20 {
action accept
destination {
address 172.16.135.35
port 8123
}
protocol tcp
source {
}
state {
new enable
}
}
rule 21 {
action accept
destination {
address 172.16.135.35
port 443
}
protocol tcp
state {
new enable
}
}
rule 30 {
action accept
destination {
address 172.16.136.16
port 22
}
protocol tcp
source {
address 13.90.97.251
}
state {
new enable
}
}
rule 40 {
action accept
destination {
address 172.16.136.96
port 1935,3478,3479,3480
}
protocol tcp
state {
new enable
}
}
rule 41 {
action accept
destination {
address 172.16.136.96
port 3074,3478,3479
}
protocol udp
state {
new enable
}
}
}
name OUTSIDE-LOCAL {
default-action drop
rule 10 {
action accept
state {
established enable
related enable
}
}
rule 20 {
action accept
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
rule 30 {
action drop
destination {
port 22
}
protocol tcp
recent {
count 4
time minute
}
state {
new enable
}
}
rule 31 {
action accept
destination {
port 22
}
protocol tcp
state {
new enable
}
}
rule 40 {
action accept
destination {
address 172.16.136.35
port 8123
}
protocol tcp
state {
new enable
}
}
}}
interfaces {
ethernet eth0 {
address 172.16.136.1/24
description INSIDE
hw-id 6c:4b:90:52:32:75
}
ethernet eth2 {
address dhcp
description OUTSIDE
hw-id 7c:c2:c6:42:43:e1
}
loopback lo {
}
wireless wlan0 {
hw-id 50:5b:c2:ca:e1:03
physical-device phy0
}}
nat {
destination {
rule 10 {
description "Port Forward: SSH to 172.16.136.16"
destination {
port 22
}
inbound-interface eth2
protocol tcp
source {
address 13.90.97.251
}
translation {
address 172.16.136.16
}
}
rule 100 {
description "HomeAssistant WAN"
destination {
port 8123
}
inbound-interface eth2
protocol tcp
translation {
address 172.16.136.35
}
}
rule 110 {
description "HomeAssistant Reflection To"
destination {
port 8123
}
inbound-interface eth0
protocol tcp
translation {
address 172.16.136.35
}
}
rule 120 {
description "Playstation - 172.16.136.96"
destination {
port 1935,3074,3478,3479,3480
}
inbound-interface eth2
protocol tcp
translation {
address 172.16.136.96
}
}
}
source {
rule 100 {
outbound-interface eth2
source {
address 172.16.136.0/24
}
translation {
address masquerade
}
}
rule 110 {
description "HomeAssistant Reflection From"
destination {
address 172.16.136.0/24
}
outbound-interface eth0
protocol tcp
source {
address 172.16.136.0/24
}
translation {
address masquerade
}
}
}}
service {
dhcp-server {
shared-network-name LAN {
domain-search drutherford.com
subnet 172.16.136.0/24 {
default-router 172.16.136.1
domain-name drutherford.com
lease 86400
name-server 8.8.8.8
name-server 1.1.1.1
name-server 9.9.9.9
range 0 {
start 172.16.136.50
stop 172.16.136.90
}
static-mapping Backyard-Camera-Wireless {
ip-address 172.16.136.101
mac-address 78:66:9D:7F:D7:73
}
static-mapping Garage-Camera-Wireless {
ip-address 172.16.136.99
mac-address 5C:C3:36:4C:D3:20
}
static-mapping Green {
ip-address 172.16.136.16
mac-address DC:A6:32:6D:20:54
}
static-mapping HomeAssistant {
ip-address 172.16.136.35
mac-address B8:27:EB:81:ED:01
}
static-mapping Playstation4 {
ip-address 172.16.136.96
mac-address 00:D9:D1:FD:E3:C8
}
static-mapping Pool-Camera-Wireless {
ip-address 172.16.136.100
mac-address 78:66:9D:5B:F8:9C
}
static-mapping RasPBX {
ip-address 172.16.136.102
mac-address B8:27:EB:BA:9C:BD
}
static-mapping Roku-3 {
ip-address 172.16.136.98
mac-address B8:3E:59:B3:DF:DB
}
static-mapping Roku-Ultra {
ip-address 172.16.136.97
mac-address 88:DE:A9:C1:C0:41
}
static-mapping client1 {
ip-address 172.16.136.102
mac-address B8:27:EB:BA:9C:BD
}
}
}
}
ssh {
port 22
}}
system {
config-management {
commit-revisions 100
}
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
host-name vyos
login {
user vyos {
authentication {
encrypted-password ****************
}
}
}
ntp {
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}}
sarthurdev added a comment to T4713: vyos@vyos:~$ show nat destination rules | doesn't work.
Can we see example destination NAT config with the issue?
icyfire0573 added a comment to T4713: vyos@vyos:~$ show nat destination rules | doesn't work.
still no good
vyos@vyos:~$ show nat destination rules
Traceback (most recent call last):
File "/usr/libexec/vyos/op_mode/nat.py", line 302, in <module> res = vyos.opmode.run(sys.modules[__name__]) File "/usr/lib/python3/dist-packages/vyos/opmode.py", line 147, in run res = func(**args) File "/usr/libexec/vyos/op_mode/nat.py", line 280, in show_rules return _get_formatted_output_rules(nat_rules, direction, family) File "/usr/libexec/vyos/op_mode/nat.py", line 112, in _get_formatted_output_rules if 'prefix' in match['right'] or 'set' in match['right']:
TypeError: argument of type 'int' is not iterable
vyos@vyos:~$ show version
Version: VyOS 1.4-rolling-202209260217
Release train: sagitta
v.huti added a comment to T4180: Support for QoS Policy Propagation via BGP (QPPB).
DEMO Notes:
=====================
1) You need to load the XDP program before starting frr so that
it can find the LPM map on plugin initialization.
To keep it simple, the VTY interface was not implemented for now.
XDP side is accessible via `bpftool`
3) I`m monitoring packets for TOS/DSCP changes to see if marking happens
But in another approach tag is associated with the packet and then
read by the TC classifier
4) These are two traffic shaping examples.
The point is that you have two options for marking:
4.1) Modifying the TOS byte and installing the u32 tc filter to match the value.
This has a limited range of possible values (8 bits) + needs to modify the packet.
4.2) Using a custom BPF classifier.
The XDP side extends the packet context and saves the value.
Afterward, the classifier may read the context and control the shaping behavior
by setting the `skb->tc_classid` or one of the fields mentioned below.Therefore, BPF programs attached to the tc BPF hook can, for instance, read or write the skb’s mark, pkt_type, protocol, priority, queue_mapping, napi_id, cb[] array, hash, tc_classid or tc_index, vlan metadata, the XDP transferred custom metadata and various other information. All members of the struct __sk_buff BPF context used in tc BPF are defined in the linux/bpf.h system header. https://docs.cilium.io/en/stable/bpf/#tc-traffic-control
Viacheslav changed the status of T4716: SSH ability to configure RekeyLimit, a subtask of T4712: Collaborative Protection Profile cPP for Network Devices root task, from Open to In progress.
Viacheslav changed the status of T4716: SSH ability to configure RekeyLimit from Open to In progress.
Viacheslav closed T4711: Ability to terminate user TTY and PTS sessions, a subtask of T4712: Collaborative Protection Profile cPP for Network Devices root task, as Resolved.
GitHub <noreply@github.com> committed rVYOSONEX53bd9fe11e44: Merge pull request #1562 from sever-sever/T4711 (authored by c-po).
GitHub <noreply@github.com> committed rVYOSONEXc22f9d76fb77: Merge pull request #1560 from nicolas-fort/T4700 (authored by c-po).
Viacheslav closed T4557: fastnetmon: allow configure limits per protocol (tcp, udp, icmp) as Resolved.
Viacheslav changed the status of T4711: Ability to terminate user TTY and PTS sessions, a subtask of T4712: Collaborative Protection Profile cPP for Network Devices root task, from Open to In progress.
Viacheslav changed the status of T4711: Ability to terminate user TTY and PTS sessions from Open to In progress.
Viacheslav added a comment to T4711: Ability to terminate user TTY and PTS sessions.
Viacheslav changed the status of T4657: op-mode scripts with type hints in `return` do not work from In progress to Needs testing.
Viacheslav added a comment to T4708: 'show nat destination rules' throwing an error.
Should be fixed in the commit https://github.com/vyos/vyos-1x/pull/1552/files#diff-9e98077e1229d7a89e26efdc517896728265a8669e8824aaf92611b113fa3516L47
T4605
Try the latest rolling
Viacheslav added a comment to T4715: Auto logout user after a period of inactivity.
Viacheslav changed the status of T4715: Auto logout user after a period of inactivity, a subtask of T4712: Collaborative Protection Profile cPP for Network Devices root task, from Open to In progress.
Viacheslav changed the status of T4715: Auto logout user after a period of inactivity from Open to In progress.
Viacheslav updated the task description for T4715: Auto logout user after a period of inactivity.
Viacheslav updated the task description for T4715: Auto logout user after a period of inactivity.
Viacheslav added a comment to T4713: vyos@vyos:~$ show nat destination rules | doesn't work.
Should be fixed in the commit https://github.com/vyos/vyos-1x/pull/1552/files#diff-9e98077e1229d7a89e26efdc517896728265a8669e8824aaf92611b113fa3516L47
T4605
Try the latest rolling
aalmenar changed Issue type from unspecified to improvement on T4704: Allow to set metric (MED) to rtt with rtt,+rtt or -rtt.
Viacheslav changed the status of T4557: fastnetmon: allow configure limits per protocol (tcp, udp, icmp) from In progress to Needs testing.
Viacheslav moved T4693: ISIS segment routing was broken... from Open to Finished on the VyOS 1.4 Sagitta board.
Sep 26 2022
Sep 26 2022
GitHub <noreply@github.com> committed rVYOSONEX2cf6275eac10: Merge pull request #1545 from sever-sever/T4557 (authored by c-po).
n.fort added a comment to T4700: Firewall - Add interface match criteria.
initramfs added a comment to T4709: TCP MSS clamping broken in equuleus.
It seems like I was wrong about the netfilter rule not working as intended (and in my testing the clamp was broken for some other reason that was an error on my part), the post has been edited to only indicate the remaining issue of an overly strict MSS clamping range.
initramfs updated the task description for T4709: TCP MSS clamping broken in equuleus.
Sep 25 2022
Sep 25 2022
Viacheslav changed the status of T4680: Telegraf prometheus-client listen-address invalid format from In progress to Needs testing.
ajgnet updated the task description for T4710: show openvpn server occasionally returns IndexError: list index out of range.
Viacheslav added a comment to T4708: 'show nat destination rules' throwing an error.
Send steps to reproduce it or “show conf com | match nat”
Viacheslav added a comment to T4710: show openvpn server occasionally returns IndexError: list index out of range.
Send steps to reproduce it or “show conf com | match openvpn ”
Sep 24 2022
Sep 24 2022
initramfs added a comment to T4709: TCP MSS clamping broken in equuleus.
See https://unix.stackexchange.com/questions/672742/why-mss-clamping-in-iptables-nft-seems-to-take-no-effect-in-nftables for additional explanation why the iptables version do not work under iptables-nft.
initramfs added a comment to T4709: TCP MSS clamping broken in equuleus.
Relevant PRs:
GitHub <noreply@github.com> committed rVYOSONEXadc59ad72d91: Merge pull request #1558 from initramfs/current-fix-tcp-mss (authored by c-po).
Sep 22 2022
Sep 22 2022
n.fort added a comment to T4699: Firewall - Add jump action - Add return action.
PR for Jump: https://github.com/vyos/vyos-1x/pull/1553
goodNETnick <pknet@ya.ru> committed rVYOSONEX19500ad11f95: system login: T874: add libpam-google-authenticator package to provide 2FA….
GitHub <noreply@github.com> committed rVYOSONEX4115503de153: Merge pull request #1541 from goodNETnick/ggl_auth (authored by c-po).
GitHub <noreply@github.com> committed rVYOSONEXb19a70c1cc38: Merge pull request #1554 from sarthurdev/nat_refactor (authored by c-po).
Unknown Object (User) added a comment to T874: Support for Two Factor Authentication for CLI access via Google Authenticator/OTP.
PR with feature request:
https://github.com/vyos/vyos-1x/pull/1555
v.huti added a comment to T4180: Support for QoS Policy Propagation via BGP (QPPB).
DEMO
===============================================
To demonstrate the feature let's look at the following topology
jack9603301 added a comment to T4706: NAT and NAT66 issues.
@sdev @Netboy3 I'll test if the new implementation is done and if the bug is fixed I'll close this PR, thanks
GitHub <noreply@github.com> committed rVYOSONEXcd1875cb1521: Merge pull request #1521 from sever-sever/T3476 (authored by c-po).
GitHub <noreply@github.com> committed rVYOSONEX7ba1f6444d1b: Merge pull request #1552 from sarthurdev/nat_refactor (authored by c-po).
GitHub <noreply@github.com> committed rVYOSONEXf3e6fb5aab6f: telegraf: T4680: fix prometheus client listen-address invalid format (authored by ServerForge).
Netboy3 added a comment to T4706: NAT and NAT66 issues.
@jack9603301 I've tested your updated PR and it seems to work well now. Thank you for the quick response.
@sdev I've tested your PR and it seems to also fix both issues. I did not test anything beyond DNAT port only in both ip and ip6 families.
Sep 21 2022
Sep 21 2022
GitHub <noreply@github.com> committed rVYOSONEX2921b6fbcdde: Merge pull request #1553 from nicolas-fort/return-action (authored by c-po).
n.fort renamed T4699: Firewall - Add jump action - Add return action from Firewall - Add jump action to Firewall - Add jump action - Add return action.