sdev (Simon)
User

User Details

User Since
May 6 2021, 3:27 PM (125 w, 19 h)

Recent Activity

Sun, Sep 24

sdev added a comment to T5599: Firewall unexpectedly changes some sysctl options.

Not sure what to do on this one. The firewall is depending on conntrack module, which updates the conntrack related sysctls. It'd be the same if someone defines custom sysctls used by other conf scripts.

Sun, Sep 24, 6:30 PM · VyOS 1.5 Circinus
sdev changed the status of T5614: Add conntrack helper matching on firewall from Open to In progress.
Sun, Sep 24, 2:44 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
sdev changed the status of T5606: IPSec VPN: Allow multiple CAs certificates from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/2305

Sun, Sep 24, 1:54 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
sdev moved T5606: IPSec VPN: Allow multiple CAs certificates from Need Triage to In Progress on the VyOS 1.5 Circinus board.
Sun, Sep 24, 12:17 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
sdev added a project to T5606: IPSec VPN: Allow multiple CAs certificates: VyOS 1.5 Circinus.
Sun, Sep 24, 12:17 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
sdev changed the status of T5606: IPSec VPN: Allow multiple CAs certificates from Open to In progress.
Sun, Sep 24, 12:17 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
sdev added a comment to T5160: Firewall refactor.

PR removing zone-policy op-mode: https://github.com/vyos/vyos-1x/pull/2304

Sun, Sep 24, 11:44 AM · VyOS 1.4 Sagitta
sdev changed the status of T5376: Conntrack FTP helper does not work properly from Confirmed to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/2304

Sun, Sep 24, 11:44 AM · VyOS 1.4 Sagitta
sdev changed the status of T5598: unknown parameter 'nf_conntrack_helper' ignored from Confirmed to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/2304

Sun, Sep 24, 11:44 AM · VyOS 1.5 Circinus

Thu, Sep 21

sdev changed the status of T5376: Conntrack FTP helper does not work properly from Open to Confirmed.
Thu, Sep 21, 9:49 AM · VyOS 1.4 Sagitta
sdev changed the status of T5598: unknown parameter 'nf_conntrack_helper' ignored from Open to Confirmed.

This is likely also the issue causing T5376

Thu, Sep 21, 9:49 AM · VyOS 1.5 Circinus

Tue, Sep 19

sdev added a comment to T4502: Consider implementing (NAT/other) flow table offload.

Perhaps a possible way to detect if the nic supports hardware flowtables or not.

Try to set sudo ethtool -K eth0 hw-tc-offload on.

If the result becomes:

Actual changes:
hw-tc-offload: off [requested on]
Could not change any device features

Then it doesn't support hardware flowtables.

Could also verify by reading the capability like so:

$ ethtool -k eth0 | grep hw-tc-offload
hw-tc-offload: off [fixed]
Tue, Sep 19, 6:27 PM · VyOS 1.4 Sagitta

Sat, Sep 16

sdev changed the status of T5571: Firewall does not delete networks from the table raw from Confirmed to Needs testing.

Fixed in PR: https://github.com/vyos/vyos-1x/pull/2276

Sat, Sep 16, 11:45 AM · VyOS 1.5 Circinus

Fri, Sep 15

sdev added a comment to T5587: Firwall can not pass the smoketest.
Fri, Sep 15, 8:48 AM · VyOS 1.5 Circinus
sdev moved T5568: Install image from live ISO always defaults boot to KVM entry from Need Triage to In Progress on the VyOS 1.4 Sagitta board.
Fri, Sep 15, 8:18 AM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
sdev added a comment to T5587: Firwall can not pass the smoketest.

https://github.com/vyos/vyos-1x/pull/2272 should fix this

Fri, Sep 15, 8:00 AM · VyOS 1.5 Circinus

Wed, Sep 13

sdev changed the status of T5571: Firewall does not delete networks from the table raw from Open to Confirmed.
Wed, Sep 13, 10:49 AM · VyOS 1.5 Circinus
sdev added a comment to T4919: TPM-backed config encryption.

@fernando See here: https://github.com/vyos/vyos-build/pull/297

Wed, Sep 13, 9:35 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Mon, Sep 11

sdev closed T5562: Smoketests fail for vyos:current (test_netns.py) as Resolved.

Builds passing: https://github.com/vyos/vyos-rolling-nightly-builds/actions/runs/6142937552

Mon, Sep 11, 8:59 AM · VyOS 1.5 Circinus

Sun, Sep 10

sdev changed the status of T5568: Install image from live ISO always defaults boot to KVM entry from In progress to Needs testing.

current PR: https://github.com/vyos/vyatta-cfg-system/pull/205

Sun, Sep 10, 11:22 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
sdev changed the status of T5568: Install image from live ISO always defaults boot to KVM entry from Open to In progress.
Sun, Sep 10, 10:54 PM · VyOS 1.4 Sagitta, VyOS 1.5 Circinus
sdev added a comment to T5376: Conntrack FTP helper does not work properly.

Can we see the output of sudo nft list table ip raw on an affected router?

Sun, Sep 10, 6:06 PM · VyOS 1.4 Sagitta

Thu, Sep 7

sdev changed the status of T5558: Update config test to check resulting migrations from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/2221

Thu, Sep 7, 7:36 PM · VyOS 1.5 Circinus
sdev moved T5558: Update config test to check resulting migrations from Need Triage to In Progress on the VyOS 1.5 Circinus board.
Thu, Sep 7, 5:53 PM · VyOS 1.5 Circinus
sdev changed the status of T5558: Update config test to check resulting migrations from Open to In progress.
Thu, Sep 7, 5:53 PM · VyOS 1.5 Circinus
sdev moved T5555: Fix timezone migrator (system 13-to-14) from Need Triage to In Progress on the VyOS 1.3 Equuleus (1.3.5) board.
Thu, Sep 7, 1:13 PM · VyOS 1.3 Equuleus (1.3.4), VyOS 1.5 Circinus, VyOS 1.4 Sagitta
sdev moved T5555: Fix timezone migrator (system 13-to-14) from Need Triage to In Progress on the VyOS 1.5 Circinus board.
Thu, Sep 7, 1:13 PM · VyOS 1.3 Equuleus (1.3.4), VyOS 1.5 Circinus, VyOS 1.4 Sagitta
sdev moved T5555: Fix timezone migrator (system 13-to-14) from Need Triage to In Progress on the VyOS 1.4 Sagitta board.
Thu, Sep 7, 1:13 PM · VyOS 1.3 Equuleus (1.3.4), VyOS 1.5 Circinus, VyOS 1.4 Sagitta
sdev changed the status of T5555: Fix timezone migrator (system 13-to-14) from In progress to Needs testing.

current PR: https://github.com/vyos/vyos-1x/pull/2217
1.4 PR: https://github.com/vyos/vyos-1x/pull/2218
1.3 PR: https://github.com/vyos/vyos-1x/pull/2219

Thu, Sep 7, 12:54 PM · VyOS 1.3 Equuleus (1.3.4), VyOS 1.5 Circinus, VyOS 1.4 Sagitta
sdev changed the status of T5555: Fix timezone migrator (system 13-to-14) from Open to In progress.
Thu, Sep 7, 12:29 PM · VyOS 1.3 Equuleus (1.3.4), VyOS 1.5 Circinus, VyOS 1.4 Sagitta
sdev created T5555: Fix timezone migrator (system 13-to-14).
Thu, Sep 7, 12:29 PM · VyOS 1.3 Equuleus (1.3.4), VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Tue, Sep 5

sdev added a comment to T5376: Conntrack FTP helper does not work properly.

@svd135 Can you provide a version string when you last had it working? Seeing the firewall config might also be helpful.

Tue, Sep 5, 7:31 PM · VyOS 1.4 Sagitta
sdev changed the status of T5550: Source validation on interface does not work properly from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/2208

Tue, Sep 5, 6:36 PM · VyOS 1.4 Sagitta
sdev changed the status of T5550: Source validation on interface does not work properly from Open to In progress.
Tue, Sep 5, 2:06 PM · VyOS 1.4 Sagitta
sdev claimed T5550: Source validation on interface does not work properly.
Tue, Sep 5, 10:48 AM · VyOS 1.4 Sagitta

Mon, Sep 4

sdev changed the status of T4903: conntrack ignore does not suppotr IPv6 addresses from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/2199

Mon, Sep 4, 10:50 AM · VyOS 1.4 Sagitta
sdev changed the status of T4309: Support network/address-groups and ipv6-network/ipv6-address-groups in conntrack ignore from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/2199

Mon, Sep 4, 10:50 AM · VyOS 1.4 Sagitta
sdev changed the status of T4309: Support network/address-groups and ipv6-network/ipv6-address-groups in conntrack ignore from Open to In progress.
Mon, Sep 4, 9:38 AM · VyOS 1.4 Sagitta
sdev changed the status of T4903: conntrack ignore does not suppotr IPv6 addresses from Open to In progress.
Mon, Sep 4, 9:38 AM · VyOS 1.4 Sagitta

Sun, Sep 3

sdev closed T4612: Support arbitrary netmasks in firewall rules as Resolved.
Sun, Sep 3, 10:37 AM · VyOS 1.4 Sagitta

Thu, Aug 31

sdev changed the status of T4782: Allow multiple CA certificates (on e.g. EAPoL) from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/2190

Thu, Aug 31, 10:02 AM · VyOS 1.4 Sagitta

Wed, Aug 30

sdev changed the status of T4782: Allow multiple CA certificates (on e.g. EAPoL) from Confirmed to In progress.
Wed, Aug 30, 11:24 PM · VyOS 1.4 Sagitta
sdev closed T4485: OpenVPN: Allow multiple CAs certificates as Resolved.
Wed, Aug 30, 8:50 PM · VyOS 1.4 Sagitta
sdev added a comment to T3509: No BCP38 for IPv6 on VyOS.

@csszep Yes it is expected, IPv6 has no sysctl and requires the nftables rule to function. The nftables execution is slightly slower, so there's no benefit to change it for IPv4.

Wed, Aug 30, 8:49 PM · VyOS 1.4 Sagitta

Aug 27 2023

sdev closed T1097: Make firewall groups work everywhere that's appropropriate, a subtask of T2199: Rewrite firewall in new XML/Python style, as Resolved.
Aug 27 2023, 7:19 PM · VyOS 1.4 Sagitta
sdev closed T1097: Make firewall groups work everywhere that's appropropriate as Resolved.
Aug 27 2023, 7:19 PM · VyOS 1.4 Sagitta
sdev closed T4759: domain-group on policy route not working as Resolved.
Aug 27 2023, 7:13 PM · VyOS 1.4 Sagitta
sdev added a comment to T5499: initial arm64 support for RPI4 and QEMU VM.

@tjjh89017 This will need to be re-evaluated. The build from your PR was taking in excess of 8 hours on the build server - the defconfig likely needs to be brought down to only the minimum required modules/drivers for successful builds on target devices.

Aug 27 2023, 4:23 PM · VyOS 1.4 Sagitta
sdev added a comment to T3275: Disable conntrack helpers by default.

This does still need to be addressed in 1.4. Without a version string, the 2-to-3 migrator is adding the conntrack helpers to the default config.

Aug 27 2023, 10:58 AM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus (1.3.0-epa1)
sdev closed T5515: Conntrack helpers should be disabled by default as Invalid.

Duplicate T3275

Aug 27 2023, 10:56 AM · VyOS 1.4 Sagitta
sdev added a comment to T5479: Helper leftovers found in nftables (firewall) even with all helpers disabled.

The kernel modules handle tracking of those, rpc/tns are userspace helpers.

Aug 27 2023, 10:14 AM · VyOS 1.4 Sagitta
sdev added a comment to T5479: Helper leftovers found in nftables (firewall) even with all helpers disabled.

They are only defined. Only when the VYOS_CT_HELPER chain is reached will they take effect - see links in my above comment. Being in the default config will have no effect on connection tracking if bypassed by the notrack rule.

Aug 27 2023, 8:48 AM · VyOS 1.4 Sagitta
sdev changed the status of T5080: Conntrack enabled by default, a subtask of T5160: Firewall refactor, from In progress to Needs testing.
Aug 27 2023, 8:22 AM · VyOS 1.4 Sagitta
sdev changed the status of T5080: Conntrack enabled by default from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/2176

Aug 27 2023, 8:22 AM · VyOS 1.4 Sagitta
sdev closed T5479: Helper leftovers found in nftables (firewall) even with all helpers disabled as Invalid.

They are created but unused by default (see VYOS_CT_HELPER chain)

Aug 27 2023, 8:14 AM · VyOS 1.4 Sagitta
sdev changed the status of T5511: Cleanup of unused directories (and files) in order to shrink image-size from Open to Needs testing.
Aug 27 2023, 8:07 AM · VyOS 1.4 Sagitta
sdev changed the status of T5018: Redirect to IFB removed after change in qos policy from Confirmed to Needs testing.

Thanks for following up on this issue @rayzilt

Aug 27 2023, 12:13 AM · VyOS 1.4 Sagitta

Aug 26 2023

sdev closed T5039: Can't add new local user as Resolved.
Aug 26 2023, 9:42 PM · VyOS 1.4 Sagitta
sdev closed T5023: PKI commit fails to update dependents as Resolved.
Aug 26 2023, 9:40 PM · VyOS 1.4 Sagitta
sdev closed T4512: enable-default-log on zone-policy as Resolved.
Aug 26 2023, 9:39 PM · VyOS 1.4 Sagitta
sdev closed T5003: Upgrade base system to Debian 12 "Bookworm" as Resolved.
Aug 26 2023, 9:38 PM · VyOS 1.4 Sagitta
sdev closed T5404: Ability to completely disable firewall/conntrack as Invalid.

Closing as dupe of T5080

Aug 26 2023, 9:36 PM · VyOS 1.4 Sagitta
sdev changed the status of T5080: Conntrack enabled by default, a subtask of T5160: Firewall refactor, from Open to In progress.
Aug 26 2023, 9:35 PM · VyOS 1.4 Sagitta
sdev changed the status of T5080: Conntrack enabled by default from Open to In progress.
Aug 26 2023, 9:35 PM · VyOS 1.4 Sagitta
sdev changed the status of T3509: No BCP38 for IPv6 on VyOS from In progress to Needs testing.
Aug 26 2023, 5:40 PM · VyOS 1.4 Sagitta

Aug 25 2023

sdev added a comment to T5463: Containers allow publish IPv6 address port.

PR to fix indentation: https://github.com/vyos/vyos-1x/pull/2171

Aug 25 2023, 1:46 PM · VyOS 1.4 Sagitta

Aug 23 2023

sdev claimed T3509: No BCP38 for IPv6 on VyOS.

Draft PR: https://github.com/vyos/vyos-1x/pull/2163

Aug 23 2023, 11:52 PM · VyOS 1.4 Sagitta

Aug 22 2023

sdev added a comment to T3509: No BCP38 for IPv6 on VyOS.

I did start writing support for this but didn't have time to build and test it at the time. If anyone wants to test it out: https://github.com/sarthurdev/vyos-1x/commit/9199b75d75ceea3b7d49f0e3d71a19175b7b1326

Aug 22 2023, 6:34 PM · VyOS 1.4 Sagitta

Aug 16 2023

sdev added a comment to T5160: Firewall refactor.

2.2: Invalid shall ALWAYS be processed BEFORE established/related/other rules otherwise it will not serve its purpose.

Aug 16 2023, 9:57 AM · VyOS 1.4 Sagitta

Jul 27 2023

sdev added a comment to T5404: Ability to completely disable firewall/conntrack.

It is a bug that it’s on by default, see other task. Will be fixed after new firewall refactor is merged.

Jul 27 2023, 9:31 AM · VyOS 1.4 Sagitta

Jul 11 2023

sdev added a comment to T5080: Conntrack enabled by default.

@syncer Will address this after T5160 is merged

Jul 11 2023, 9:33 PM · VyOS 1.4 Sagitta
sdev moved T5275: Add op mode commands for exporting certificates to PEM files with correct headers from Need Triage to In Progress on the VyOS 1.4 Sagitta board.
Jul 11 2023, 9:26 PM · VyOS 1.3 Equuleus (1.3.5), VyOS 1.4 Sagitta
sdev changed the status of T5275: Add op mode commands for exporting certificates to PEM files with correct headers from Open to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/2087

Jul 11 2023, 9:25 PM · VyOS 1.3 Equuleus (1.3.5), VyOS 1.4 Sagitta

Jul 3 2023

sdev claimed T5275: Add op mode commands for exporting certificates to PEM files with correct headers.
Jul 3 2023, 8:48 PM · VyOS 1.3 Equuleus (1.3.5), VyOS 1.4 Sagitta

Jun 15 2023

sdev added a comment to T5293: Support for Floating Rules (Global Firewall-Rules that are automatically applied before all other Zone Rules).

Should be possible when new refactor is merged: T5160

Jun 15 2023, 5:43 PM · VyOS 1.4 Sagitta
sdev added a comment to T5294: Wildcard Domains / TLDs in Firewall-Rules (and perhaps groups).

This would have to be handled with DNS and not in the firewall. Hostnames work on firewall because they are resolved prior to use in rules.

Jun 15 2023, 5:42 PM · VyOS 1.4 Sagitta

May 4 2023

sdev added a comment to T5200: Static routing tables are not created with dhcp route.

It might be a boot/slow DHCP lease issue.

May 4 2023, 9:54 AM · VyOS 1.4 Sagitta

May 3 2023

sdev renamed T5200: Static routing tables are not created with dhcp route from Static routing tables are not created to Static routing tables are not created with dhcp route.
May 3 2023, 10:46 PM · VyOS 1.4 Sagitta
sdev created T5200: Static routing tables are not created with dhcp route.
May 3 2023, 10:36 PM · VyOS 1.4 Sagitta

Apr 17 2023

sdev added a comment to T3316: Use Kea DHCP(v6) instead of ISC DHCP(v6).

Draft PR: https://github.com/vyos/vyos-1x/pull/1960

Apr 17 2023, 1:20 PM · VyOS 1.5 Circinus

Apr 14 2023

sdev changed the status of T5162: Invalid json in configd-include.json from Open to Needs testing.
Apr 14 2023, 11:02 PM
sdev added a comment to T5157: Containers are inaccessable on vyos-1.4-rolling-202304070317.

Just to clarify, it changes again to pod-networkname in https://github.com/vyos/vyos-1x/commit/2a876059826927ef204e359a40395955f27503ce (next rolling image) to avoid name constraint issues.

Apr 14 2023, 8:23 AM

Apr 13 2023

sdev added a comment to T5157: Containers are inaccessable on vyos-1.4-rolling-202304070317.

Can you share container config section?

Apr 13 2023, 9:29 PM

Mar 29 2023

sdev added a comment to T5101: VYOS 1.4 release no longer displayes output for 'sudo ipsec statusall'.
Management Commands
Mar 29 2023, 9:30 PM · VyOS 1.4 Sagitta

Mar 22 2023

sdev changed the status of T5018: Redirect to IFB removed after change in qos policy from In progress to Needs testing.
Mar 22 2023, 4:18 PM · VyOS 1.4 Sagitta

Mar 11 2023

sdev claimed T5080: Conntrack enabled by default.
Mar 11 2023, 3:40 PM · VyOS 1.4 Sagitta
sdev created T5080: Conntrack enabled by default.
Mar 11 2023, 3:39 PM · VyOS 1.4 Sagitta

Mar 9 2023

sdev added a comment to T5018: Redirect to IFB removed after change in qos policy.

PR: https://github.com/vyos/vyos-1x/pull/1881

Mar 9 2023, 5:09 PM · VyOS 1.4 Sagitta
sdev changed the status of T5018: Redirect to IFB removed after change in qos policy from Confirmed to In progress.
Mar 9 2023, 4:26 PM · VyOS 1.4 Sagitta
sdev closed T5075: QoS removes interface mirror/redirect rules as Invalid.

My bad

Mar 9 2023, 3:23 PM · VyOS 1.4 Sagitta
sdev changed the status of T5075: QoS removes interface mirror/redirect rules from Open to In progress.
Mar 9 2023, 3:15 PM · VyOS 1.4 Sagitta
sdev created T5075: QoS removes interface mirror/redirect rules.
Mar 9 2023, 3:15 PM · VyOS 1.4 Sagitta
sdev added a comment to T3008: Migrate from ntpd to chronyd.

Discovered a couple of problems with chrony using the existing CLI.

Mar 9 2023, 12:25 PM · VyOS 1.4 Sagitta

Mar 2 2023

sdev changed the status of T5039: Can't add new local user from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/1863

Mar 2 2023, 2:46 PM · VyOS 1.4 Sagitta
sdev changed the status of T5039: Can't add new local user from Open to In progress.
Mar 2 2023, 2:06 PM · VyOS 1.4 Sagitta
sdev changed the status of T3316: Use Kea DHCP(v6) instead of ISC DHCP(v6), a subtask of T3315: Supports dhcpv6 agent execution from pppoe0 interface, from Open to In progress.
Mar 2 2023, 1:41 PM · VyOS 1.3 Equuleus (1.3.5), VyOS 1.4 Sagitta
sdev changed the status of T3316: Use Kea DHCP(v6) instead of ISC DHCP(v6) from Open to In progress.

Have started work on migrating isc-dhcp v4/v6 server to Kea.

Mar 2 2023, 1:41 PM · VyOS 1.5 Circinus

Feb 22 2023

sdev changed the status of T5023: PKI commit fails to update dependents from In progress to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/1840

Feb 22 2023, 9:03 AM · VyOS 1.4 Sagitta
sdev changed the status of T5023: PKI commit fails to update dependents from Open to In progress.
Feb 22 2023, 8:54 AM · VyOS 1.4 Sagitta
sdev created T5023: PKI commit fails to update dependents.
Feb 22 2023, 8:54 AM · VyOS 1.4 Sagitta