User Details
- User Since
- May 6 2021, 3:27 PM (125 w, 19 h)
Sun, Sep 24
Not sure what to do on this one. The firewall depends on the conntrack module, which updates the conntrack-related sysctls. It'd be the same if someone defines custom sysctls used by other conf scripts.
PR removing zone-policy op-mode: https://github.com/vyos/vyos-1x/pull/2304
Thu, Sep 21
This is likely also the issue causing T5376
Tue, Sep 19
Sat, Sep 16
Fixed in PR: https://github.com/vyos/vyos-1x/pull/2276
Fri, Sep 15
https://github.com/vyos/vyos-1x/pull/2272 should fix this
Wed, Sep 13
Mon, Sep 11
Sun, Sep 10
Can we see the output of sudo nft list table ip raw on an affected router?
Thu, Sep 7
Tue, Sep 5
@svd135 Can you provide a version string when you last had it working? Seeing the firewall config might also be helpful.
Mon, Sep 4
Sun, Sep 3
Thu, Aug 31
Wed, Aug 30
@csszep Yes it is expected, IPv6 has no sysctl and requires the nftables rule to function. The nftables execution is slightly slower, so there's no benefit to change it for IPv4.
Aug 27 2023
@tjjh89017 This will need to be re-evaluated. The build from your PR was taking in excess of 8 hours on the build server - the defconfig likely needs to be brought down to only the minimum required modules/drivers for successful builds on target devices.
This does still need to be addressed in 1.4. Without a version string, the 2-to-3 migrator is adding the conntrack helpers to the default config.
Duplicate T3275
The kernel modules handle tracking of those, rpc/tns are userspace helpers.
They are only defined. Only when the VYOS_CT_HELPER chain is reached will they take effect - see links in my above comment. Being in the default config will have no effect on connection tracking if bypassed by the notrack rule.
They are created but unused by default (see VYOS_CT_HELPER chain)
Thanks for following up on this issue @rayzilt
Aug 26 2023
Closing as dupe of T5080
Aug 25 2023
PR to fix indentation: https://github.com/vyos/vyos-1x/pull/2171
Aug 23 2023
Aug 22 2023
I did start writing support for this but didn't have time to build and test it at the time. If anyone wants to test it out: https://github.com/sarthurdev/vyos-1x/commit/9199b75d75ceea3b7d49f0e3d71a19175b7b1326
Aug 16 2023
Jul 27 2023
It is a bug that it’s on by default, see other task. Will be fixed after new firewall refactor is merged.
Jul 11 2023
Jul 3 2023
Jun 15 2023
Should be possible when new refactor is merged: T5160
This would have to be handled with DNS and not in the firewall. Hostnames work on firewall because they are resolved prior to use in rules.
May 4 2023
It might be a boot/slow DHCP lease issue.
May 3 2023
Apr 17 2023
Apr 14 2023
Just to clarify, it changes again to pod-networkname in https://github.com/vyos/vyos-1x/commit/2a876059826927ef204e359a40395955f27503ce (next rolling image) to avoid name constraint issues.
Apr 13 2023
Can you share the container config section?
Mar 29 2023
Management Commands
Mar 22 2023
Mar 11 2023
Mar 9 2023
My bad
Discovered a couple of problems with chrony using the existing CLI.
Mar 2 2023
Have started work on migrating isc-dhcp v4/v6 server to Kea.