
Feb 12 2024

n.fort added a comment to T6009: Firewall - Time not working properly when not using UTC.

PR for fix in vyos-build: https://github.com/vyos/vyos-build/pull/501
PR for smoketest (modified because of change in build): https://github.com/vyos/vyos-1x/pull/2991

Feb 12 2024, 12:44 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Feb 6 2024

n.fort changed the status of T6019: Bump nftables and libnftnl version from Open to In progress.
Feb 6 2024, 11:58 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort created T6019: Bump nftables and libnftnl version.
Feb 6 2024, 11:57 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus

Feb 5 2024

n.fort added a comment to T445: iptables error with policy routing.

What version? Can you upgrade to 1.4?

Feb 5 2024, 9:37 PM · VyOS 1.3 Equuleus (1.3.7), test
n.fort changed the status of T6009: Firewall - Time not working properly when not using UTC from Confirmed to In progress.
Feb 5 2024, 10:17 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Feb 2 2024

n.fort changed the status of T6009: Firewall - Time not working properly when not using UTC from Open to Confirmed.
Feb 2 2024, 11:08 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort updated the task description for T6009: Firewall - Time not working properly when not using UTC.
Feb 2 2024, 11:05 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort created T6009: Firewall - Time not working properly when not using UTC.
Feb 2 2024, 11:03 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Feb 1 2024

n.fort changed the status of T5977: nftables: Operation not supported when using match-ipsec in outbound firewall from In progress to Needs testing.
Feb 1 2024, 10:21 AM · VyOS 1.4 Sagitta (1.4.0-epa1), VyOS 1.5 Circinus

Jan 26 2024

n.fort closed T5779: custom conntrack timeout rule not applicable as Resolved.
Jan 26 2024, 7:18 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort closed T5957: Firewall fails to delete inbound-interface name as Resolved.
Jan 26 2024, 7:18 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus

Jan 23 2024

n.fort added a comment to T5977: nftables: Operation not supported when using match-ipsec in outbound firewall.

PR for 1.5: https://github.com/vyos/vyos-1x/pull/2887

Jan 23 2024, 8:27 PM · VyOS 1.4 Sagitta (1.4.0-epa1), VyOS 1.5 Circinus
n.fort added a project to T5977: nftables: Operation not supported when using match-ipsec in outbound firewall: VyOS 1.5 Circinus.
Jan 23 2024, 11:47 AM · VyOS 1.4 Sagitta (1.4.0-epa1), VyOS 1.5 Circinus
n.fort changed the status of T5977: nftables: Operation not supported when using match-ipsec in outbound firewall from Confirmed to In progress.
Jan 23 2024, 11:47 AM · VyOS 1.4 Sagitta (1.4.0-epa1), VyOS 1.5 Circinus
n.fort changed the status of T5977: nftables: Operation not supported when using match-ipsec in outbound firewall from Open to Confirmed.
Jan 23 2024, 10:49 AM · VyOS 1.4 Sagitta (1.4.0-epa1), VyOS 1.5 Circinus

Jan 22 2024

n.fort changed the status of T5957: Firewall fails to delete inbound-interface name from In progress to Needs testing.
Jan 22 2024, 2:19 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort changed the status of T5779: custom conntrack timeout rule not applicable from Backport candidate to Needs testing.
Jan 22 2024, 2:19 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort moved T5160: Firewall refactor from Need Triage to Finished on the VyOS 1.4 Sagitta board.
Jan 22 2024, 2:12 PM · VyOS 1.4 Sagitta
n.fort closed T5160: Firewall refactor as Resolved.
Jan 22 2024, 2:09 PM · VyOS 1.4 Sagitta
n.fort changed the status of T5957: Firewall fails to delete inbound-interface name from Confirmed to In progress.
Jan 22 2024, 11:39 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort added a comment to T5957: Firewall fails to delete inbound-interface name.

PR: https://github.com/vyos/vyos-1x/pull/2873

Jan 22 2024, 11:39 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus

Jan 12 2024

n.fort added a comment to T5922: Firewall - bug in zone config.

PR: https://github.com/vyos/vyos-1x/pull/2807

Jan 12 2024, 3:03 PM · VyOS 1.5 Circinus
n.fort changed the status of T5922: Firewall - bug in zone config from Confirmed to In progress.
Jan 12 2024, 12:02 PM · VyOS 1.5 Circinus
n.fort closed T5919: Firewall - opmode for ipv6 as Resolved.
Jan 12 2024, 12:01 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus

Jan 11 2024

n.fort changed the status of T5922: Firewall - bug in zone config from Open to Confirmed.
Jan 11 2024, 7:40 PM · VyOS 1.5 Circinus
n.fort created T5922: Firewall - bug in zone config.
Jan 11 2024, 7:40 PM · VyOS 1.5 Circinus
n.fort closed T5896: Config Error on Boot with Podman and Firewall as Resolved.
Jan 11 2024, 11:11 AM · VyOS 1.4 Sagitta

Jan 10 2024

n.fort changed the status of T5919: Firewall - opmode for ipv6 from Open to In progress.
Jan 10 2024, 6:26 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort created T5919: Firewall - opmode for ipv6.
Jan 10 2024, 6:26 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort added a comment to T4610: Firewall with 20K entries cannot load after reboot.

Quick test done on a VM with 1 CPU and 1G RAM:

[email protected]# for I in  {1..2542}; do set firewall ipv6 name Test rule $I action accept ; set firewall ipv6 name Test rule $I destination port $I; set firewall ipv6 name Test rule $I protocol tcp ; done
[email protected]# time commit
Jan 10 2024, 3:30 PM · VyOS 1.4 Sagitta
n.fort assigned T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration to sarthurdev.
Jan 10 2024, 3:26 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort changed the status of T5915: Firewall zone - Re add op-mode commands from Confirmed to In progress.

PR: https://github.com/vyos/vyos-1x/pull/2784

Jan 10 2024, 12:14 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus

Jan 9 2024

n.fort added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.

I suggest changing order just as a cosmetic fix: feels more reasonable/readable to parse first "incoming", and then "outgoing"

Jan 9 2024, 9:37 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort added a comment to T5814: VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration.

Changes that seem to be needed only in the migration script https://github.com/vyos/vyos-1x/blob/current/src/migration-scripts/firewall/10-to-11:

  • Use accept action for base-chains (it's done, no change needed here).
  • Migrate action=accept to action=return on every rule.
  • Fix order and ensure all "in" rules are applied first.
Jan 9 2024, 8:54 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort changed the status of T5915: Firewall zone - Re add op-mode commands from Open to Confirmed.
Jan 9 2024, 12:07 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort created T5915: Firewall zone - Re add op-mode commands.
Jan 9 2024, 12:06 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort added a comment to T1297: Add GARP settings to VRRP/keepalived.

PR for Equuleus: https://github.com/vyos/vyos-1x/pull/2776

Jan 9 2024, 9:57 AM · VyOS 1.3 Equuleus (1.3.6), VyOS 1.4 Sagitta

Jan 8 2024

n.fort closed T5888: Firewall upgrade fails because of icmpv6 as Resolved.
Jan 8 2024, 6:42 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort changed the status of T5896: Config Error on Boot with Podman and Firewall from In progress to Needs testing.
Jan 8 2024, 6:41 PM · VyOS 1.4 Sagitta
n.fort added a comment to T5896: Config Error on Boot with Podman and Firewall.

PR: https://github.com/vyos/vyos-1x/pull/2771

Jan 8 2024, 11:11 AM · VyOS 1.4 Sagitta
n.fort changed the status of T5896: Config Error on Boot with Podman and Firewall from Confirmed to In progress.
Jan 8 2024, 10:14 AM · VyOS 1.4 Sagitta

Jan 5 2024

n.fort changed the status of T5896: Config Error on Boot with Podman and Firewall from Open to Confirmed.
Jan 5 2024, 3:53 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4839: Dynamic Firewall groups.

New PR for dynamic address groups: https://github.com/vyos/vyos-1x/pull/2756

Jan 5 2024, 12:22 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Jan 4 2024

n.fort added a project to T4839: Dynamic Firewall groups: VyOS 1.5 Circinus.
Jan 4 2024, 12:25 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort changed the status of T4839: Dynamic Firewall groups from Open to In progress.
Jan 4 2024, 12:24 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort closed T4072: Feature Request: Firewall on bridge interfaces as Resolved.
Jan 4 2024, 10:59 AM · VyOS 1.4 Sagitta

Jan 3 2024

n.fort closed T4500: Missing firewall logs as Resolved.
Jan 3 2024, 10:13 PM · VyOS 1.4 Sagitta

Jan 2 2024

n.fort changed the status of T5888: Firewall upgrade fails because of icmpv6 from Confirmed to Needs testing.
Jan 2 2024, 7:36 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort changed the status of T5888: Firewall upgrade fails because of icmpv6 from Open to Confirmed.
Jan 2 2024, 5:47 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort created T5888: Firewall upgrade fails because of icmpv6.
Jan 2 2024, 5:46 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Dec 27 2023

n.fort moved T5779: custom conntrack timeout rule not applicable from Need Triage to Backport Candidates on the VyOS 1.5 Circinus board.
Dec 27 2023, 10:23 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort changed the status of T5779: custom conntrack timeout rule not applicable from Needs testing to Backport candidate.
Dec 27 2023, 9:58 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus

Dec 22 2023

n.fort closed T5804: SNAT "any" interface error as Resolved.
Dec 22 2023, 10:27 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort added a comment to T160: Support NAT64.

I still haven't tried nat64, but quick config example, for nat64 for single ipv6 address is not allowed by our cli:

Dec 22 2023, 10:26 AM · VyOS 1.4 Sagitta (1.4.0-epa1)

Dec 21 2023

n.fort closed T5676: NAT66 source rule with negation source/destination prefix causes TypeError as Resolved.
Dec 21 2023, 11:09 PM · VyOS 1.5 Circinus
n.fort closed T5637: Firewall default-action log as Resolved.
Dec 21 2023, 11:33 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort added a comment to T5676: NAT66 source rule with negation source/destination prefix causes TypeError.

Configuration shared seems to work correctly on latest version:

Dec 21 2023, 11:31 AM · VyOS 1.5 Circinus
n.fort closed T5775: Migrated Firewall Global State Policy ineffective on latest firewall zone config as Resolved.
Dec 21 2023, 11:26 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort closed T5778: The show dhcp server leases operation mode command does not work as expected as Resolved.
Dec 21 2023, 11:25 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort closed T5807: NAT66 op-mode bugs as Resolved.
Dec 21 2023, 11:09 AM · VyOS 1.5 Circinus

Dec 11 2023

n.fort changed the status of T5778: The show dhcp server leases operation mode command does not work as expected from Confirmed to Needs testing.
Dec 11 2023, 11:08 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort changed the status of T5807: NAT66 op-mode bugs from Confirmed to In progress.
Dec 11 2023, 11:01 AM · VyOS 1.5 Circinus
n.fort added a comment to T5807: NAT66 op-mode bugs.

PR: https://github.com/vyos/vyos-1x/pull/2612

Dec 11 2023, 11:01 AM · VyOS 1.5 Circinus

Dec 7 2023

n.fort changed the status of T5807: NAT66 op-mode bugs from Open to Confirmed.
Dec 7 2023, 11:09 AM · VyOS 1.5 Circinus

Dec 6 2023

n.fort added a comment to T5804: SNAT "any" interface error.

PR: https://github.com/vyos/vyos-1x/pull/2611

Dec 6 2023, 2:37 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort changed the status of T5804: SNAT "any" interface error from Open to Confirmed.
Dec 6 2023, 11:48 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort added a comment to T5804: SNAT "any" interface error.

In the past any interface was supported, and it has been removed.

Dec 6 2023, 11:48 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort changed the status of T5779: custom conntrack timeout rule not applicable from In progress to Needs testing.
Dec 6 2023, 10:05 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort added a comment to T5804: SNAT "any" interface error.

If you want to match any interface, you can completely remove the interface matcher from the rule, since it's not mandatory (as it was in the past):

delete nat source rule 110 outbound-interface
Dec 6 2023, 9:58 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Dec 5 2023

n.fort added a comment to T5779: custom conntrack timeout rule not applicable.

PR: https://github.com/vyos/vyos-1x/pull/2574

Dec 5 2023, 11:00 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus

Nov 29 2023

n.fort changed the status of T5779: custom conntrack timeout rule not applicable from Confirmed to In progress.
Nov 29 2023, 10:15 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus

Nov 28 2023

n.fort changed the status of T2737: DHCP Lease not displayed with a static map from In progress to Confirmed.
Nov 28 2023, 5:03 PM · VyOS 1.5 Circinus
n.fort added a comment to T5778: The show dhcp server leases operation mode command does not work as expected.

PR: https://github.com/vyos/vyos-1x/pull/2551

Nov 28 2023, 4:56 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort changed the status of T2737: DHCP Lease not displayed with a static map from Open to In progress.
Nov 28 2023, 2:51 PM · VyOS 1.5 Circinus
n.fort changed the status of T5775: Migrated Firewall Global State Policy ineffective on latest firewall zone config from Confirmed to In progress.
Nov 28 2023, 12:49 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort added a comment to T5775: Migrated Firewall Global State Policy ineffective on latest firewall zone config.

PR: https://github.com/vyos/vyos-1x/pull/2539

Nov 28 2023, 12:49 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Nov 27 2023

n.fort added a project to T5779: custom conntrack timeout rule not applicable: VyOS 1.4 Sagitta.
Nov 27 2023, 11:27 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort changed the status of T5779: custom conntrack timeout rule not applicable from Open to Confirmed.
Nov 27 2023, 11:23 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort added a comment to T5778: The show dhcp server leases operation mode command does not work as expected.

The problem is that, compared to the command output on 1.3, it only shows the leases granted by the router (and doesn't contain leases granted by the second router, regardless of states primary|secondary).
So the user might think synchronization between routers defined in fail-over mode is broken.
But this is not the case. As explained in the description, all information about leases, granted by both routers, is present on lease files on both routers.

Nov 27 2023, 9:49 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Nov 24 2023

n.fort changed the status of T5778: The show dhcp server leases operation mode command does not work as expected from Open to Confirmed.
Nov 24 2023, 5:54 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort added a comment to T5778: The show dhcp server leases operation mode command does not work as expected.

And going further, we may create an extra column, in order to print if the lease was granted by Local-Router or by fail-over router.
Example:

Nov 24 2023, 5:34 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort added a comment to T5778: The show dhcp server leases operation mode command does not work as expected.

Changing this line: https://github.com/vyos/vyos-1x/blob/current/src/op_mode/dhcp.py#L117C9-L117C107

Nov 24 2023, 3:43 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Nov 23 2023

n.fort added a comment to T5775: Migrated Firewall Global State Policy ineffective on latest firewall zone config.

We'll discuss this internally, but for sure a fix should be applied.
Thanks for such a detailed bug-report.

Nov 23 2023, 12:49 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort changed the status of T5775: Migrated Firewall Global State Policy ineffective on latest firewall zone config from Open to Confirmed.
Nov 23 2023, 10:48 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
n.fort claimed T5775: Migrated Firewall Global State Policy ineffective on latest firewall zone config.
Nov 23 2023, 10:30 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Nov 22 2023

n.fort closed T5590: Firewall "log enable" logs every packet as Resolved.
Nov 22 2023, 7:18 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort closed T5616: Firewall mark - Add capabilities for matching firewall mark as Resolved.
Nov 22 2023, 7:16 PM · VyOS 1.5 Circinus
n.fort closed T5643: NAT - Allow interface groups on nat rules as Resolved.
Nov 22 2023, 7:15 PM · VyOS 1.5 Circinus
n.fort closed T5681: Interface match - Simplified and unified cli as Resolved.
Nov 22 2023, 7:14 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort closed T5729: Firewall, nat and policy route - Switch to valueless as Resolved.
Nov 22 2023, 7:11 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort changed the status of T5637: Firewall default-action log from Confirmed to Needs testing.
Nov 22 2023, 7:07 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort added a comment to T5637: Firewall default-action log.

PR for bridge: https://github.com/vyos/vyos-1x/pull/2528

Nov 22 2023, 12:08 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus

Nov 21 2023

n.fort changed the status of T4072: Feature Request: Firewall on bridge interfaces from In progress to Needs testing.
Nov 21 2023, 5:46 PM · VyOS 1.4 Sagitta

Nov 16 2023

n.fort added a project to T5637: Firewall default-action log: VyOS 1.4 Sagitta.
Nov 16 2023, 6:01 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort reopened T5637: Firewall default-action log as "Confirmed".

Re-opening. This needs to be extended to bridge firewall.

Nov 16 2023, 6:01 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort changed the status of T4072: Feature Request: Firewall on bridge interfaces from Needs testing to In progress.
Nov 16 2023, 1:20 PM · VyOS 1.4 Sagitta

Nov 14 2023

n.fort added a comment to T5729: Firewall, nat and policy route - Switch to valueless.

New patch for migration scripts in 1.5: https://github.com/vyos/vyos-1x/pull/2480

Nov 14 2023, 10:27 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus

Nov 13 2023

n.fort added a comment to T5729: Firewall, nat and policy route - Switch to valueless.

PR for Sagitta: https://github.com/vyos/vyos-1x/pull/2478

Nov 13 2023, 7:01 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort added a project to T5590: Firewall "log enable" logs every packet: VyOS 1.4 Sagitta.
Nov 13 2023, 7:00 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
n.fort reopened T5590: Firewall "log enable" logs every packet as "Needs testing".

PR for Sagitta: https://github.com/vyos/vyos-1x/pull/2478

Nov 13 2023, 7:00 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus