https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8597
All Stories
Feb 21 2020
Feb 20 2020
I sent a pull request to fix it:
This work supersedes T2046, as it implements the same _create/_delete interface. If merged, it would replace it.
It's an upstream bug, as @xrobau said. The VyOS devs should upgrade the https://github.com/vyos/conntrack-tools repo and apply this patch:
https://git.netfilter.org/conntrack-tools/commit/?id=c12fa8df76752b0a011430f069677b52e4dad164
In T2036#53376, @c-po wrote: Hello @dongjunbo, what are the benefits of ocserv over the other VPN solutions already in place?
- WireGuard
- OpenVPN
- L2TP/IPSec
- PPTP
- SSTP
- IKEv2 road warrior (not yet implemented, only site2site)
I tested vyos-1.3-rolling-202002200217-amd64.iso
It works now.
Thanks for help!
Feb 19 2020
It would be useful if someone could do similar tests using GNS3 on a powerful computer.
This is dependent on T2029, PR 224, and should only be merged after that PR.
This is dependent on T2029, PR 224, and should only be merged after that PR.
Auto-completion should be done per CLI path:
In T1838#50692, @syncer wrote: @Dmitry and I talked, and agreed that it would be wise to move to ipt-netflow for better performance.
This PR changes the syntax of the trailing version string of the config file (cf. above), as represented during config migration, and the parsing by which configtree splits the config file into the config section proper and the version string.
We could indeed create the VRF as we parse interfaces, and auto-allocate the VRF number, removing this control from the user.
Why do we need to explicitly create the routing table? Why not name the routing table entry after the VRF's name? We should try to keep the CLI as minimal as possible. More CLI nodes, more headache.
I have just pinned the VyOS 1.3-rolling branch to the official FRR 7.3 release (https://github.com/vyos/vyos-build-frr/commit/076de23ed1d951aafd48d59f6f7ea410288b5991 - which contains your fix).
A new ISO image will be available shortly (it must be more recent than vyos-1.3-rolling-202002190217-amd64.iso). Please give it a try.
I have tested vyos 1.3-rolling-202002130217 (FRR version 7.4-dev-20200118-04-g9e1ecdbaa-0); it failed.
I tested Ubuntu with the FRR master branch (60092db3fdead2a72e9368aaaa1e789c741c7ce8) and dev/7.3 (df80bf16869314ec9455fb7e4db63dcf1fdba2c2). It worked.
I tested Ubuntu with FRR 9e1ecdbaa; it failed.
Feb 18 2020
should for multiple routing tables:
https://andir.github.io/posts/linux-ip-vrf/
http://www.allgoodbits.org/articles/view/24
https://patchwork.ozlabs.org/patch/546171/
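The two VRF threads above (auto-allocating the table number while parsing interfaces instead of asking the user for it, and the Linux multiple-routing-table links) in working form, as an added example and not VyOS code. It assumes a user table range of 100-252, a hash-based allocation scheme and the interface-to-VRF map in the `__main__` block; the reserved table numbers (0 unspec, 253 default, 254 main, 255 local) are the ones in `/etc/iproute2/rt_tables`, and the emitted commands are plain iproute2 syntax.

```python
"""Auto-allocate Linux routing-table numbers for named VRFs and emit the
iproute2 commands that create the VRF devices and enslave interfaces.
Added example for the VRF discussion, not VyOS code. The reserved table
numbers are the ones from /etc/iproute2/rt_tables (0 unspec, 253 default,
254 main, 255 local); the user table range, the hash-based allocation and the
interface map below are this example's own assumptions."""
import hashlib

RESERVED_TABLES = {0, 253, 254, 255}
TABLE_MIN, TABLE_MAX = 100, 252          # assumed user range, below the reserved ids


class VrfAllocator:
    """Deterministic VRF name -> table number mapping.
    A hash of the name picks the first candidate so re-committing the same
    config yields the same numbers; collisions walk forward to the next free
    table, skipping reserved ones."""

    def __init__(self):
        self.tables = {}
        self.in_use = set(RESERVED_TABLES)

    def allocate(self, name):
        if name in self.tables:
            return self.tables[name]
        span = TABLE_MAX - TABLE_MIN + 1
        seed = int.from_bytes(hashlib.sha256(name.encode()).digest()[:4], "big")
        for i in range(span):
            cand = TABLE_MIN + (seed + i) % span
            if cand not in self.in_use:
                self.in_use.add(cand)
                self.tables[name] = cand
                return cand
        raise RuntimeError(f"no free routing table for VRF {name!r}")


def vrf_commands(interfaces):
    """Derive VRFs from the interfaces that reference them (no explicit
    'create VRF' step). `interfaces` maps interface name -> VRF name or None.
    Returns (commands, {vrf: table}); each VRF device is created and brought up
    before the first interface is enslaved to it."""
    alloc, cmds, created = VrfAllocator(), [], set()
    for ifname, vrf in sorted(interfaces.items()):
        if vrf is None:
            continue
        table = alloc.allocate(vrf)
        if vrf not in created:
            cmds.append(f"ip link add {vrf} type vrf table {table}")
            cmds.append(f"ip link set dev {vrf} up")
            created.add(vrf)
        cmds.append(f"ip link set dev {ifname} master {vrf}")
    return cmds, alloc.tables


if __name__ == "__main__":
    # constructed input: two interfaces in VRF "red", one in "blue", one global
    plan, tables = vrf_commands({"eth0": None, "eth1": "red", "eth2": "red", "eth3": "blue"})
    print(tables)
    print("\n".join(plan))
```

Naming the table after the VRF, as suggested above, only works at the `ip` command level: `/etc/iproute2/rt_tables` maps a name to a number and the kernel sees nothing but the number, so something still has to pick it. Deriving it from the name keeps it stable across commits without a CLI node for it.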
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        network-group Private_IPs {
            network 10.0.0.0/8
            network 127.0.0.0/8
            network 172.16.0.0/12
            network 192.168.0.0/16
            network 168.254.0.0/16
            network 169.254.0.0/16
            network 192.0.2.0/24
            network 224.0.0.0/4
            network 240.0.0.0/4
        }
        port-group NetBIOS_TCP {
            port 135-139
            port 445
        }
        port-group NetBIOS_UDP {
            port 137-138
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name accept_all {
        default-action accept
    }
    name private_to_public {
        default-action accept
        rule 9 {
            action accept
            description "Allow admin of Vigor 130"
            destination {
                address 192.168.5.2
                port 443
            }
            protocol tcp
            source {
                address 192.168.3.100
            }
        }
        rule 10 {
            action drop
            description "Stop Local Addresses traversing the WEB"
            destination {
                group {
                    network-group Private_IPs
                }
            }
        }
        rule 20 {
            action drop
            description "Block NetBIOS from LAN to WEB"
            destination {
                group {
                    port-group NetBIOS_TCP
                }
            }
            protocol tcp
        }
        rule 21 {
            action drop
            description "Block NetBIOS from LAN to WEB"
            destination {
                group {
                    port-group NetBIOS_UDP
                }
            }
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    state-policy {
        established {
            action accept
        }
        related {
            action accept
        }
    }
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address 192.168.3.1/24
        duplex auto
        hw-id 4c:02:89:12:16:ce
        smp-affinity auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        duplex auto
        hw-id 4c:02:89:12:16:cf
        smp-affinity auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.4.1/24
        duplex auto
        hw-id 4c:02:89:12:16:d0
        smp-affinity auto
        speed auto
    }
    ethernet eth3 {
        address 192.168.5.1/24
        duplex auto
        hw-id 4c:02:89:12:16:d1
        mtu 1508
        pppoe 0 {
            default-route auto
            mtu 1500
            name-server none
            password ********
            user-id bthomehub@btbroadband.com
        }
        smp-affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    source {
        rule 10 {
            outbound-interface pppoe0
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name ETH0_Pool {
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                lease 86400
                range 0 {
                    start 192.168.3.100
                    stop 192.168.3.199
                }
                static-mapping NB0001 {
                    ip-address 192.168.3.100
                    mac-address EC:F4:BB:******
                }
            }
        }
        shared-network-name ETH1_Pool {
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                range 0 {
                    start 192.168.1.100
                    stop 192.168.1.199
                }
                static-mapping SamsungTV {
                    ip-address 192.168.1.103
                    mac-address cc:b1:1a:******
                }
            }
        }
        shared-network-name ETH2_Pool {
            subnet 192.168.4.0/24 {
                default-router 192.168.4.1
                dns-server 192.168.4.1
                lease 86400
                range 0 {
                    start 192.168.4.100
                    stop 192.168.4.199
                }
            }
        }
    }
    dns {
        forwarding {
            allow-from 0.0.0.0/0
            allow-from ::/0
            cache-size 150
            listen-address 192.168.1.1
            listen-address 192.168.3.1
            listen-address 192.168.4.1
            name-server 194.72.6.51
            name-server 194.74.65.69
        }
    }
    ssh {
        listen-address 192.168.3.1
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    conntrack {
        expect-table-size 2048
        hash-size 32768
        modules {
            sip {
                disable
            }
        }
        table-size 262144
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name home-r1
    login {
        user stevep {
            authentication {
                encrypted-password ********************************************
                plaintext-password ""
            }
            full-name "Steve Palmer"
        }
        user vyos {
            authentication {
                encrypted-password **********************************************
                plaintext-password ""
            }
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/London
}
zone-policy {
    zone local {
        default-action drop
        from private {
            firewall {
                name accept_all
            }
        }
        local-zone
    }
    zone public {
        default-action drop
        description "Public Zone"
        from private {
            firewall {
                name private_to_public
            }
        }
        interface pppoe0
        interface eth3
    }
}
Thanks for reporting this. As we always want to maintain config upgrade compatibility, could you please share your full config with me so I can reproduce it?
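An added example, not VyOS's own configtree code, that serves two items above: the configtree comment about splitting a config file into the config section proper and the trailing version string, and the pasted config, which is the kind of input a reviewer wants to check mechanically. The parser assumes the layout visible in that config (`key value {` opens a node, `}` closes it, `key value` is a leaf, values may be double-quoted, and trailing `/* ... */` or `//` comment lines carry the version string); the two trailer lines in `SAMPLE` follow the 1.2-style format and are an assumption. `SAMPLE` is constructed for this example and reduces the posted config to the lines the checks need. The audit flags one real property of the posted `Private_IPs` group: `168.254.0.0/16` is a globally routable block (the link-local block, `169.254.0.0/16`, is listed separately), so the drop rule built on that group does not cover it.

```python
"""Parse a VyOS curly-brace config and audit its firewall groups.
Added example, not VyOS's own configtree code. Assumes the layout of the config
posted above: `key value {` opens a node, `}` closes it, `key value` is a leaf,
values may be double-quoted, and trailing `/* ... */` or `//` comment lines carry
the version string that migration splits off (the trailer lines in SAMPLE follow
the 1.2-style format and are an assumption). SAMPLE is constructed for this
example and reduces the posted config to the lines the checks need."""
import ipaddress
import shlex

SAMPLE = """\
firewall {
    group {
        network-group Private_IPs {
            network 10.0.0.0/8
            network 168.254.0.0/16
            network 169.254.0.0/16
            network 192.0.2.0/24
            network 224.0.0.0/4
        }
    }
    name private_to_public {
        default-action accept
        rule 10 {
            action drop
            description "Stop Local Addresses traversing the WEB"
        }
    }
}
service {
    dns {
        forwarding {
            allow-from 0.0.0.0/0
            listen-address 192.168.3.1
        }
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "firewall@5:nat@4" === */
"""


def parse(text):
    """Return (tree, trailer). Nodes are dicts keyed by their whole header
    ('network-group Private_IPs'); leaves are lists so repeated keys survive."""
    root, stack, trailer = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("/*", "//")):      # version-string trailer, not config
            trailer.append(line)
        elif line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            (stack[-1] if stack else root)[line[:-1].strip()] = child
            stack.append(child)
        else:
            parts = shlex.split(line)          # honours "quoted values"
            node = stack[-1] if stack else root
            node.setdefault(parts[0], []).append(" ".join(parts[1:]))
    if stack:
        raise ValueError("unbalanced braces")
    return root, trailer


def component_versions(trailer):
    """{component: version} from the 'config-version: "a@1:b@2"' trailer line."""
    for line in trailer:
        if "config-version:" in line:
            spec = line.split('"')[1]
            return {c: int(v) for c, v in (item.split("@") for item in spec.split(":"))}
    return {}


def bogon(prefix):
    """True for prefixes that never appear as public sources or destinations."""
    net = ipaddress.ip_network(prefix, strict=False)
    return (net.is_private or net.is_loopback or net.is_link_local
            or net.is_multicast or net.is_reserved)


def audit(tree):
    """Flag network-group members that are globally routable (a typo there makes
    a drop rule miss traffic) and a DNS forwarder that accepts any source."""
    findings = []
    for header, body in tree.get("firewall", {}).get("group", {}).items():
        if header.startswith("network-group "):
            for prefix in body.get("network", []):
                if not bogon(prefix):
                    findings.append(f"{header}: {prefix} is globally routable")
    fwd = tree.get("service", {}).get("dns", {}).get("forwarding", {})
    for src in fwd.get("allow-from", []):
        if ipaddress.ip_network(src).prefixlen == 0:
            findings.append(f"dns forwarding: allow-from {src} accepts queries from any "
                            "source address (limited only by listen-address)")
    return findings
```

Run `audit(parse(SAMPLE)[0])` and two findings come back: the `168.254.0.0/16` entry and the wide-open `allow-from`. The second is a judgement call (the forwarder only listens on LAN addresses), which is why the message says what actually bounds it rather than calling it a hole.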
I'd love for this feature to get back into VyOS. I am available for testing if needed.
Feb 17 2020
Feb 16 2020
As OpenVPN in rolling has been rewritten to XML/Python, the backport is not easily possible; it would have to be completely reimplemented in the old Perl code, so we should encourage users to migrate to 1.3 rolling to get better testing.
Closing: no response and cannot reproduce.
Tested working on latest rolling. No BGP session reset occurred.
Thanks for reporting this nasty issue. The fix is applied to rolling release starting with build: vyos-1.3-rolling-202002161021-amd64.iso
Feb 15 2020
There is a faulty delta check in interfaces-bonding.py which leads to physical interfaces not being enslaved. As soon as they are enslaved, all works (eth2 and eth3 in my case):