Which VyOS 1.4-rolling will have the fixes made by FRRouting?
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
All Stories
Sep 13 2023
Turns out to exist an RFC for this regarding IPv6 along with a naming:
Sep 12 2023
command on 1.5 :
@Apachez note that all lb commands take --debug and --verbose: using 'lb build --debug' in scripts/build-vyos-image will output the full mksquashfs command.
@vfreex I've tested in my labs related this issues , I can confirm that it work as expected . this original zone solved the problem when there was a src-nat /dst-nat with different VRFs or leaking with them ,Thanks you for this contribution .
In T2405#159522, @Apachez wrote:Note that command = command.lstrip() for def cmd in python/vyos/utils/process.py was reverted yesterday.
Causes funny problems during smoketests.
Note that command = command.lstrip() for def cmd in python/vyos/utils/process.py was reverted yesterday.
I created a PR for Git support here: https://github.com/vyos/vyos-1x/pull/2241
I have created a PR upstream which hopefully resolves why the logging didnt work as expected in VyOS (since the binary_rootfs in vyos-live-build isnt used by the nightly build who uses vyos-build and the deb-package of live-build from Debian 12.x (bookworm)):
Sep 11 2023
100% agree. If this isn't too big of a hassle to implement, I would very much appreciate the approach/workaround of @Apachez, until nftables supports this feature ootb...
Checked with #netfilter irc-channel.
I just tested this with a firewall config with no connection tracking config enabled, still the conntrack modules are loaded and used.
The same situation as @svd135 . The passive FTP data connection now is stopped by the problem with FTP ALG.
I was thinking about N/D and personally I would prefer "None" to be listed for the various "show firewall" commands instead of N/D.
Resolved by: https://vyos.dev/T5564
This can be put to resolved when the backports are confirmed aswell.
N/D == not defined
In T5564#159459, @Apachez wrote:Confirmed working with VyOS 1.5-rolling-202309110651
A question before setting this to resolved:
What does N/D mean?
Shouldnt it be N/A instead?
Confirmed working with VyOS 1.5-rolling-202309110651
Im a bit allergic to have stuff automatically created which clearly is not enabled by the config.
pim6reg is created by FFR's pim6d. It seems to me that it will create such as interface for each VRF. Does this interface have any functional impact on your setup?
Sep 10 2023
PR https://github.com/vyos/vyos-1x/pull/2240
set protocols static proxy-arp 192.0.2.1 interface eth0 set protocols static proxy-arp 192.0.2.1 interface eth1 set protocols static proxy-ndp 2001:db8::1 interface eth1
I dont know if its related to this task but I noticed recently that even if I have no IPv6 configured on any interface and have IPv6 disabled for forwarding:
set system ipv6 disable-forwarding
I can in VyOS 1.5-rolling-202309080021 see an additional pim6reg interface!?
vyos@vyos:~$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 ... 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq master MGMT state UP group default qlen 1000 ... 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq master INTERNET state UP group default qlen 1000 ... 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq master INTERNET state UP group default qlen 1000 ... 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq master INTERNET state UP group default qlen 1000 ... 6: pim6reg@NONE: <NOARP,UP,LOWER_UP> mtu 1452 qdisc noqueue state UNKNOWN group default qlen 1000 link/pimreg 7: INTERNET: <NOARP,MASTER,UP,LOWER_UP> mtu 65575 qdisc noqueue state UP group default qlen 1000 ... 8: MGMT: <NOARP,MASTER,UP,LOWER_UP> mtu 65575 qdisc noqueue state UP group default qlen 1000 ...
Its also visible when running:
monitor bandwidth interface *
table ip raw {
ct helper rpc_tcp { type "rpc" protocol tcp l3proto ip }
Oh sorry, I missed that this commit was for LTS 1.3.x series.
@Apachez I am running kernel 6.1.49-amd64-vyos and this works fine with my local setup.
The patch is already in linux kernel since at least 4.3 (you can confirm with https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/include/net/netfilter/nf_conntrack_zones.h?h=linux-4.3.y), but it was added to nft command only since Feb 2017: https://git.netfilter.org/nftables/commit/src/ct.c?id=ed66d9966294a3bab6c8611e369861ba57374743
Fix by @sever regarding those failing conntrack smoketest: https://github.com/vyos/vyos-1x/pull/2234
Can we see the output of sudo nft list table ip raw on an affected router?
@vfreex the referenced netfilter patch is from 2015, is that really valid for current version thats included in the Linux 6.1 LTS kernel?
You can test this approach on a running VyOS router using following commands:
I created a PR to fix this issue by using direction parameter of conntrack zones: https://github.com/vyos/vyos-1x/pull/2236
I have a very basic VRF setup and it works fine. It would be much appreciated if someone could test this with more complex VRF setup.
Sorry to bother you @sdev , the latest releases of 1.5-rolling-202309080021 and 1.4-rolling-202309070021 still have this problem.