All Stories
Apr 9 2024
PR https://github.com/vyos/vyos-1x/pull/3280
vyos@r15-left:~$ show conntrack statistics
CPU    Found    Invalid    Insert    Insert fail    Drop    Early drop    Errors    Search restart
-----  -------  ---------  --------  -------------  ------  ------------  --------  ----------------  --  --
0 0 280 0 1 1 0 1 0 2 0 1 0 73 0 0 0 0 126 0 1 0
vyos@r15-left:~$
Apr 8 2024
In T6099#182627, @Viacheslav wrote: @Giggum Can you check it in 1.5?
Yeah sure thing I can do that. Will I be able to roll back from the latest 1.5 to the version of 1.4 rolling I’m on after testing is complete or will the config mess up?
Rechecked - The issue exists.
After deleting and adding the firewall, it looks good
So, for some reason, the rule 10 and default action accept were applied 2 times to the firewall
chain VYOS_FORWARD_filter {
    type filter hook forward priority filter; policy accept;
    counter packets 928376 bytes 1800341472 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-10"
    counter packets 928376 bytes 1800341472 accept comment "FWD-filter default-action accept"
    counter packets 0 bytes 0 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-10"
    ct state { established, related } counter packets 0 bytes 0 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-20"
    counter packets 0 bytes 0 accept comment "FWD-filter default-action accept"
}
probably related task T5660
Apr 7 2024
@Daya @trae32566 Any updates?
@indrajitr Can we close it?
@Giggum Can you check it on 1.5?
It is easy to add
In FRR it looks like:
r4(config-rpki)# rpki cache 192.0.2.1 8888
  SSH_UNAME   SSH user name
  preference  Preference of the cache server
  source      Configure source IP address of RPKI connection
PoC PR https://github.com/vyos/vyos-1x/pull/3274
set nat cgnat pool external ext1 external-port-range '1024-65535'
set nat cgnat pool external ext1 per-user-limit port '1000'
set nat cgnat pool external ext1 range 192.0.2.222/32
set nat cgnat pool internal int1 range '100.64.0.0/28'
set nat cgnat rule 10 source pool 'int1'
set nat cgnat rule 10 translation pool 'ext1'
For me personally this change makes sense: a router has multiple interfaces, the Source IP is selected in different ways, and especially for RPKI servers outside the network (public ones), this could even break connectivity. Vendors like Juniper had this issue and eventually added the option, which means probably VyOS will benefit too, especially since "it's just setting a value in FRR's config"™ (famous last words ;).
Yes and no. Even before I created this ticket, I tried a small test locally. Unfortunately, I was not able to get the tests to run (even without my changes).
@Loremo I think this contribution would be valuable. Have you made any progress with your PR?
Great 😃
Hi -- this works. The VTI interface is just another interface so you can add it to a firewall zone just as you would an Ethernet interface. This can be done with existing site-to-site ipsec VTIs today. I also do it with OpenVPN interfaces for remote access on some of my installations.
This would be really useful. As per: https://forum.vyos.io/t/other-than-console-how-to-pass-grub-parameter-pcie-aspm-off/14203