@sdev greats !!!

PR: https://github.com/vyos/vyos-1x/pull/2253

PR for 1.3.x https://github.com/vyos/vyatta-cfg-quagga/pull/102
PR for the current https://github.com/vyos/vyos-1x/pull/2252

@fernando See here: https://github.com/vyos/vyos-build/pull/297

command on 1.5 :

@Apachez note that all lb commands take --debug and --verbose: using 'lb build --debug' in scripts/build-vyos-image will output the full mksquashfs command.

@vfreex I've tested in my labs related this issues , I can confirm that it work as expected . this original zone solved the problem when there was a src-nat /dst-nat with different VRFs or leaking with them ,Thanks you for this contribution .

In T2405#159522, @Apachez wrote:

Note that command = command.lstrip() for def cmd in python/vyos/utils/process.py was reverted yesterday.

Causes funny problems during smoketests.

Note that command = command.lstrip() for def cmd in python/vyos/utils/process.py was reverted yesterday.

I created a PR for Git support here: https://github.com/vyos/vyos-1x/pull/2241

I have created a PR upstream which hopefully resolves why the logging didnt work as expected in VyOS (since the binary_rootfs in vyos-live-build isnt used by the nightly build who uses vyos-build and the deb-package of live-build from Debian 12.x (bookworm)):

op-mode: https://github.com/vyos/vyos-1x/pull/2242

100% agree. If this isn't too big of a hassle to implement, I would very much appreciate the approach/workaround of @Apachez, until nftables supports this feature ootb...

Checked with #netfilter irc-channel.

I just tested this with a firewall config with no connection tracking config enabled, still the conntrack modules are loaded and used.

The same situation as @svd135 . The passive FTP data connection now is stopped by the problem with FTP ALG.

I was thinking about N/D and personally I would prefer "None" to be listed for the various "show firewall" commands instead of N/D.

Resolved by: https://vyos.dev/T5564

This can be put to resolved when the backports are confirmed aswell.

Im a bit allergic to have stuff automatically created which clearly is not enabled by the config.

pim6reg is created by FFR's pim6d. It seems to me that it will create such as interface for each VRF. Does this interface have any functional impact on your setup?

current PR: https://github.com/vyos/vyatta-cfg-system/pull/205

PR https://github.com/vyos/vyos-1x/pull/2240

set protocols static proxy-arp 192.0.2.1 interface eth0
set protocols static proxy-arp 192.0.2.1 interface eth1
set protocols static proxy-ndp 2001:db8::1 interface eth1

I dont know if its related to this task but I noticed recently that even if I have no IPv6 configured on any interface and have IPv6 disabled for forwarding:

set system ipv6 disable-forwarding

I can in VyOS 1.5-rolling-202309080021 see an additional pim6reg interface!?

vyos@vyos:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq master MGMT state UP group default qlen 1000
...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq master INTERNET state UP group default qlen 1000
...
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq master INTERNET state UP group default qlen 1000
...
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq master INTERNET state UP group default qlen 1000
...
6: pim6reg@NONE: <NOARP,UP,LOWER_UP> mtu 1452 qdisc noqueue state UNKNOWN group default qlen 1000
    link/pimreg 
7: INTERNET: <NOARP,MASTER,UP,LOWER_UP> mtu 65575 qdisc noqueue state UP group default qlen 1000
...
8: MGMT: <NOARP,MASTER,UP,LOWER_UP> mtu 65575 qdisc noqueue state UP group default qlen 1000
...

Its also visible when running:

monitor bandwidth interface *

table ip raw {

ct helper rpc_tcp {
        type "rpc" protocol tcp
        l3proto ip
}

Oh sorry, I missed that this commit was for LTS 1.3.x series.

@Apachez I am running kernel 6.1.49-amd64-vyos and this works fine with my local setup.
The patch is already in linux kernel since at least 4.3 (you can confirm with https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/include/net/netfilter/nf_conntrack_zones.h?h=linux-4.3.y), but it was added to nft command only since Feb 2017: https://git.netfilter.org/nftables/commit/src/ct.c?id=ed66d9966294a3bab6c8611e369861ba57374743

Can we see the output of sudo nft list table ip raw on an affected router?

@vfreex the referenced netfilter patch is from 2015, is that really valid for current version thats included in the Linux 6.1 LTS kernel?

You can test this approach on a running VyOS router using following commands:

I created a PR to fix this issue by using direction parameter of conntrack zones: https://github.com/vyos/vyos-1x/pull/2236
I have a very basic VRF setup and it works fine. It would be much appreciated if someone could test this with more complex VRF setup.

Sorry to bother you @sdev , the latest releases of 1.5-rolling-202309080021 and 1.4-rolling-202309070021 still have this problem.

I guess we should use the current ip neighbor xxx instead of old arp. I hope it does the same.

sudo ip neighbor add proxy 192.0.2.1 dev eth0
sudo ip -6 neigh add proxy aa::1 dev eth0

Show

vyos@r1# sudo ip neighbor show proxy
192.168.122.11 dev eth0  proxy
192.0.2.1 dev eth0  proxy
aa::1 dev eth0  proxy
[edit]
vyos@r1#

https://github.com/vyos/vyos-1x/pull/2233 to fix the smoketest.

In T5518#159341, @Apachez wrote:

Something is broken in smoketest test_protocols_pim6.py:

https://github.com/vyos/vyos-rolling-nightly-builds/actions/runs/6133954453/job/16646294279

See "Run smoketests" line 28676 and forward.

Something is broken in smoketest test_protocols_pim6.py:

PR for 1.3.x https://github.com/vyos/vyos-1x/pull/2225

PR https://github.com/vyos/vyos-1x/pull/2228

This pr breaks environment variable processing as it resets env_opt to an empty string when startting to process the labels.

Cherry-pick to 1.4 https://github.com/vyos/vyos-1x/pull/2226

PR for 1.4 https://github.com/vyos/vyos-1x/pull/2224