All Stories
Mar 17 2023
As DROP_MONITOR is merged, we can extend the configuration to
set system sflow drop-monitor-limit 50
hsflowd.conf
dropmon { limit=50 start=on sw=on hw=off }
Mar 16 2023
[Service]
LimitNOFILE=4096
LimitNOFILESoft=4096
ExecStartPre=/bin/bash -c 'mkdir -p /run/frr/config; \
  echo "log syslog" > /run/frr/config/frr.conf; \
  echo "log facility local7" >> /run/frr/config/frr.conf; \
  chown frr:frr /run/frr/config/frr.conf; \
  chmod 664 /run/frr/config/frr.conf; \
  mount --bind /run/frr/config/frr.conf /etc/frr/frr.conf'
[edit]
vyos@r14#
Mar 16 12:47:29 bsp-asbr2-cm charon-systemd[45036]: authentication of 'domain1' with RSA_EMSA_PKCS1_SHA2_256 successful
Mar 16 12:47:29 bsp-asbr2-cm charon[45036]: 14[IKE] <JXNCCT|2> peer supports MOBIKE
Mar 16 12:47:29 bsp-asbr2-cm charon-systemd[45036]: peer supports MOBIKE
Mar 16 12:47:29 bsp-asbr2-cm charon[45036]: 14[IKE] <JXNCCT|2> authentication of 'domain2' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Mar 16 12:47:29 bsp-asbr2-cm charon-systemd[45036]: authentication of 'domain2' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Mar 16 12:47:29 bsp-asbr2-cm charon[45036]: 14[IKE] <JXNCCT|2> IKE_SA JXNCCT[2] established between <pubIP2>[domain2]...<pubIP1>[domain1]
Mar 16 12:47:29 bsp-asbr2-cm charon-systemd[45036]: IKE_SA JXNCCT[2] established between <pubIP2>[domain2]...<pubIP1>[domain1]
Mar 16 12:47:29 bsp-asbr2-cm charon[45036]: 14[IKE] <JXNCCT|2> scheduling rekeying in 28200s
Mar 16 12:47:29 bsp-asbr2-cm charon-systemd[45036]: scheduling rekeying in 28200s
Mar 16 12:47:29 bsp-asbr2-cm charon[45036]: 14[IKE] <JXNCCT|2> maximum IKE_SA lifetime 31080s
Mar 16 12:47:29 bsp-asbr2-cm charon-systemd[45036]: maximum IKE_SA lifetime 31080s
Mar 16 12:47:29 bsp-asbr2-cm charon[45036]: 14[CFG] <JXNCCT|2> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Mar 16 12:47:29 bsp-asbr2-cm charon-systemd[45036]: selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Mar 16 12:47:29 bsp-asbr2-cm charon[45036]: 14[KNL] <JXNCCT|2> received netlink error: Invalid argument (22)
Mar 16 12:47:29 bsp-asbr2-cm charon-systemd[45036]: received netlink error: Invalid argument (22)
Mar 16 12:47:29 bsp-asbr2-cm charon[45036]: 14[KNL] <JXNCCT|2> unable to install source route for 192.168.127.32
Mar 16 12:47:29 bsp-asbr2-cm charon-systemd[45036]: unable to install source route for 192.168.127.32
Mar 16 12:47:29 bsp-asbr2-cm charon[45036]: 14[IKE] <JXNCCT|2> CHILD_SA JXNCCT-tunnel-1{2} established with SPIs c4ba20f9_i c3ba4340_o and TS 192.168.127.32/32 === 192.168.63.32/32
Mar 16 12:47:29 bsp-asbr2-cm charon-systemd[45036]: CHILD_SA JXNCCT-tunnel-1{2} established with SPIs c4ba20f9_i c3ba4340_o and TS 192.168.127.32/32 === 192.168.63.32/32
Mar 16 12:47:29 bsp-asbr2-cm charon[45036]: 14[ENC] <JXNCCT|2> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Mar 16 12:47:29 bsp-asbr2-cm charon-systemd[45036]: generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Mar 16 12:47:29 bsp-asbr2-cm charon[45036]: 14[NET] <JXNCCT|2> sending packet: from <pubIP2>[4500] to <pubIP1>[4500] (476 bytes)
Mar 16 12:47:29 bsp-asbr2-cm charon-systemd[45036]: sending packet: from <pubIP2>[4500] to <pubIP1>[4500] (476 bytes)
Mar 16 12:47:59 bsp-asbr2-cm charon[45036]: 06[NET] <JXNCCT|2> received packet: from <pubIP1>[4500] to <pubIP2>[4500] (76 bytes)
Mar 16 12:47:59 bsp-asbr2-cm charon-systemd[45036]: received packet: from <pubIP1>[4500] to <pubIP2>[4500] (76 bytes)
Mar 16 12:47:59 bsp-asbr2-cm charon[45036]: 06[ENC] <JXNCCT|2> parsed INFORMATIONAL request 2 [ ]
Mar 16 12:47:59 bsp-asbr2-cm charon-systemd[45036]: parsed INFORMATIONAL request 2 [ ]
Mar 16 12:47:59 bsp-asbr2-cm charon[45036]: 06[ENC] <JXNCCT|2> generating INFORMATIONAL response 2 [ ]
Mar 16 12:47:59 bsp-asbr2-cm charon-systemd[45036]: generating INFORMATIONAL response 2 [ ]
Mar 16 12:47:59 bsp-asbr2-cm charon[45036]: 06[NET] <JXNCCT|2> sending packet: from <pubIP2>[4500] to <pubIP1>[4500] (76 bytes)
Mar 16 12:47:59 bsp-asbr2-cm charon-systemd[45036]: sending packet: from <pubIP2>[4500] to <pubIP1>[4500] (76 bytes)
Mar 15 2023
Agreed. I just posted my workaround as a minimal fix to highlight the issue: accessing $? after another command was run (which can be easy to miss).
I want to mention, the reason I wrote out the $? is because it can be confusing and fragile, as this issue demonstrates in the first place.
I noticed this as well. The issue is expecting $? to refer to the exit code of minisign -V when it's actually referring to the exit code of the if [ -f $(unknown).asc ]; block which will always be 0.
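The pitfall discussed in the comments above, as an added shell illustration that is neither the VyOS script nor the fix in the PR: minisign is replaced by a constructed stand-in function that always exits non-zero (as a bad signature would), and the names verify_fragile and verify_fixed are chosen here. The fragile pattern reads $? only after an unrelated if [ -f ... ] test has run, so a failed verification is accepted; the fixed pattern saves the verifier's status immediately.

```shell
#!/bin/sh
# Added illustration of the "$? after another command" pitfall; not the VyOS
# script or the PR. minisign is replaced by a constructed stand-in so the
# example runs offline without keys or signature files.

# Stand-in for `minisign -V ...` (constructed): a bad signature exits non-zero.
fake_minisign_verify() {
    return 1
}

# Fragile pattern: $? is read only after the `if [ -f ... ]` test has run, so
# it holds the status of that test (0 whenever the file exists), not the
# verifier's status. A failed verification is silently accepted.
# Returns 0 for "accepted", 1 for "rejected".
verify_fragile() {
    sigfile="$1"
    fake_minisign_verify "$sigfile"
    if [ -f "$sigfile" ]; then
        :   # unrelated work between the verifier and the status check
    fi
    if [ $? -eq 0 ]; then
        return 0
    fi
    return 1
}

# Fixed pattern: capture the verifier's status right away, before any other
# command can overwrite $?. With the stand-in above this returns 1 (rejected).
verify_fixed() {
    sigfile="$1"
    fake_minisign_verify "$sigfile"
    rc=$?
    if [ -f "$sigfile" ]; then
        :   # same unrelated work; it no longer influences the decision
    fi
    if [ "$rc" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Demo driver: both checks run against a temporary (constructed) signature file.
demo() {
    f=$(mktemp)
    verify_fragile "$f"; echo "fragile pattern accepted the bad signature? rc=$?"   # rc=0
    verify_fixed "$f";   echo "fixed pattern accepted the bad signature?   rc=$?"   # rc=1
    rm -f "$f"
}
demo
```

Testing the command directly in the if (if minisign -V ...; then) avoids the problem entirely, since no intervening command can clobber the status.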
PR for 1.3 https://github.com/vyos/vyos-1x/pull/1892
@marc_s thanks, it makes sense.
@Viacheslav Confirmed, that is the culprit.
To be precise: I deleted ipsec-dhclient-hook and renamed 98-vyatta-dhclient-hook back to vyatta-dhclient-hook. Then I ran a renew dhcp interface eth0 and I got a correct .lease file.
Even when the IPSec script is fixed, it might be wise to prepend all scripts in /etc/dhcp/dhclient-exit-hooks.d with a number to enforce script order execution, just like in /etc/dhcp/dhclient-enter-hooks.d.
@n.fort I was too impatient to wait for a rolling build so I ran my own build of current post-merge.
Mar 14 2023
PR for vyos1x-config:
https://github.com/vyos/vyos1x-config/pull/15
I'll work on it on the next days.
I'll keep you posted!
Will be fixed in the next rolling release
In pcap mode, when sampling is set to a value larger than 1, hsflowd uses kernel-based sampling, available on kernels starting from 3.16.
I think NFLOG and TCP can be dropped for sure.
Jenkins job looks simple
git clone https://github.com/sflow/host-sflow
make deb FEATURES="NFLOG PCAP TCP DBUS SYSTEMD"
Hello! We have plans to add official ARM64 builds in near future.
PR https://github.com/vyos/vyos-1x/pull/1888
set policy route-map RMAP6 rule 10 action 'deny'
set policy route-map RMAP6 rule 10 match ip address prefix-len '0'
set protocols ospfv3 route-map 'RMAP6'
Just adding my +1 for this feature, would be very useful.
If I get time in the coming weeks/months I will try and pick up on the analysis where @njh left off.
@n.fort A quick test of this against latest rolling looks like it's working as expected for general firewall rules:
Mar 13 2023
I agree that the Keepalived SMTP implementation is lacking authentication.
@Viacheslav I may be on to something. It's related to the order of execution of the DHCP client exit hook scripts in /etc/dhcp/dhclient-exit-hooks.d.
PR for 1.4 https://github.com/vyos/vyos-1x/pull/1886
vyos@91800359325b# set interfaces ethernet eth0 address 192.0.2.5/24
[edit]
vyos@91800359325b# commit
[ interfaces ethernet eth0 ]
sudo: unable to resolve host 91800359325b: System error
Actually only multihop BGP peers go down. Others are up, but the routes received from them do not go to the kernel, so the connectivity drops.
Latest techsupport: https://oc.cpm.ru/index.php/s/Fg9FfoOatihBOrQ
The system was alive more than 12 hours, but crashed the same way as before.
Mar 12 2023
I don't think this ever worked as intended: see T3275#103228, vyos-build PR 185, and T3821.
Mar 11 2023
Mar 10 2023
After an internal discussion we came to the conclusion that the keepalived SMTP implementation is incomplete (e.g. it lacks authentication). In order to still support your request, we think we should enable support for 3rd party configurations placed in e.g. /etc/keepalived/conf.d.