VyOS VRRP
Jul 2 2024
Apr 12 2024
Apr 11 2024
Apr 9 2024
https://conntrack-tools.netfilter.org/manual.html#sync-aa
conntrackd allows you to deploy a symmetric Active-Active setup based on a static approach. For example, assume that you have two virtual IPs, vIP1 and vIP2, and two firewall replicas, FW1 and FW2. You can give the virtual vIP1 to the firewall FW1 and the vIP2 to the FW2.
Jan 19 2024
@I-n-d-y Try to get it working without the VyOS CLI.
Provide the required conntrack config, as I'm not sure that it will work correctly at all.
Nov 16 2023
I have a similar setup where I have two VyOS VMs used as VPN routers with some firewalling enabled. Since I use OSPF for dynamic routing I am not able to synchronize the sessions between both routers so in case one VPN router fails the other one can't take over flawlessly. Having conntrack-sync configuration separated from VRRP would be a great benefit.
Nov 15 2023
Nov 23 2022
Oct 30 2022
Oct 10 2022
@florin If this is needed I'll make a pull request coming week.
Oct 9 2022
I think this needs to be backported to 1.3 too
Sep 17 2022
Sep 8 2022
I've tested this and it seems to work correctly.
Aug 29 2022
Aug 22 2022
I've created a PR which does the retry part. It retries 10 times every 0.5 seconds until it succeeds or it's out of retries.
This is what I did (forgot to write it here) with the difference that my sleep timer is 60s as my config has many lines.
Would be good to have this fixed properly.
The problem here seems to be that keepalived is started before the complete commit is finished. So conf.get_config_dict() fails to get the config.
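The retry described in the comments above, written out as an added example (not the PR's code and not VyOS code): `fetch` stands in for `conf.get_config_dict()`, and the simulated config source that fails until the commit has finished is constructed here for illustration.

```python
import time
from typing import Any, Callable, Dict


class CommitNotFinished(Exception):
    """Constructed stand-in for the error raised while the commit is still running."""


def get_config_with_retry(fetch: Callable[[], Dict[str, Any]],
                          retries: int = 10, delay: float = 0.5,
                          sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Call fetch() until it returns, retrying up to `retries` times with `delay` seconds between.

    `sleep` is injectable so the behaviour can be tested without real waiting.
    Raises RuntimeError (chained to the last failure) once the retries are exhausted.
    """
    last_exc: Exception | None = None
    for attempt in range(1, retries + 1):
        try:
            return fetch()
        except Exception as exc:  # the page does not say which exception get_config_dict raises
            last_exc = exc
            if attempt < retries:      # no pointless sleep after the final failed attempt
                sleep(delay)
    raise RuntimeError(f"config not available after {retries} attempts") from last_exc


def make_slow_config(ready_after: int) -> Callable[[], Dict[str, Any]]:
    """Constructed config source: fails `ready_after` times, then returns a config dict.

    The returned dict records how many calls it took, so callers can see the retry count.
    """
    calls = {"n": 0}

    def fetch() -> Dict[str, Any]:
        calls["n"] += 1
        if calls["n"] <= ready_after:
            raise CommitNotFinished(f"attempt {calls['n']}: config tree not committed yet")
        return {"conntrack-sync": {"interface": "eth0"}, "attempts": calls["n"]}

    return fetch


if __name__ == "__main__":
    # Commit finishes after three failed reads; the fourth read succeeds.
    cfg = get_config_with_retry(make_slow_config(3), sleep=lambda s: None)
    print(cfg)
```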
Jul 11 2022
Nov 23 2020
Oct 19 2020
vyos@r4-roll# run show version
Jun 20 2020
Picking up on the build issue
Jun 14 2020
Apr 10 2020
It's best if we just use packages targeted for buster, not another Debian release. I suggest you create PRs for all patches needed (in addition to the one you already submitted) in Debian's PTS for buster's conntrack-tools, and then ask them to make a new release with those patches included.
The new conntrack package depends on a newer libnetfilter, but you don't need to rebuild the package, just download the debs.
Apr 8 2020
There was a new upstream release 1.4.6 7 days ago, but that shouldn't make it to debian stable (buster). Only the patch done by elbandi via PR could get released as 1.4.5-3, but it hasn't been yet. We could make a backport of 1.4.6 into buster-backports and add a custom apt pin for the package. (I'd rather not go the backport route, as that means the backporter needs to always update the upload for security fixes, rather I'd add all patches for bugs into 1.4.5 for buster and ask for a new buster release).
Mar 19 2020
I opened the PR for our custom build of the package in vyos-build as well: https://github.com/vyos/vyos-build/pulls. I was waiting on testing results from anyone, but I went and tested it myself. The basic functionality works, I couldn't test the above bug. If it's merged and the new package build is added to CI, the above debian PR isn't needed (or our custom build isn't).
Mar 17 2020
https://salsa.debian.org/pkg-netfilter-team/pkg-conntrack-tools/-/merge_requests/1
If he merges the PR, we can use it!
Mar 16 2020
Reopened, confirmed broken again.
Mar 1 2020
https://github.com/jjakob/vyos-build/tree/conntrack-tools-wip builds conntrack-tools from upstream git snapshot 20200301.
Feb 28 2020
@cpo I think you need to add it to CI in addition to vyos-build
That's bad, because Debian stable (=buster) is fixing security bugs only. They will not fix/add these patches to the conntrack package; they leave conntrack buggy. So you should build your own conntrack-tools package for 1.3 too :( If not, VyOS will be less good software.
Upstream still hasn't made a release with this patch: https://git.netfilter.org/conntrack-tools/commit/?id=c12fa8df76752b0a011430f069677b52e4dad164
So we could wait on upstream to release it and debian to package it, or build our own as we used to in 1.2.
It would be better to ask upstream to make a release as there's less work for us.
We don't build conntrack-tools in 1.3 (current/equuleus) any more, upstream Debian Buster conntrack and conntrackd packages are used. So as upstream gets patched, we'll pull in those patches automatically.
If I see things correctly, there are references to conntrack-tools in the build scripts that still need to be removed.
Feb 20 2020
It's an upstream bug as @xrobau said. VyOS devs should upgrade the https://github.com/vyos/conntrack-tools repo, and apply this patch:
https://git.netfilter.org/conntrack-tools/commit/?id=c12fa8df76752b0a011430f069677b52e4dad164
Feb 2 2020
Confirmed here as well, I had a working config back on 1.2.3 and it broke when I upgraded to 1.3. This is what happens when I try to commit:
Jan 24 2020
Confirming that I also report this on 1.3-rolling-202001240217. Just upgraded this morning and I see the same unknown layer 3 protocol error as reported.
This issue is still present in 1.3-rolling-202001240217