Page MenuHomeVyOS Platform
Projects Known issue

Known issueBugs
ActivePublic
Watch Project

Members

  • This project does not have any members.
  • View All

Watchers

  • This project does not have any watchers.
  • View All

Recent Activity
View All

Nov 1 2024

syncer merged task T6699: Router practically becomes unusable due to accel-pppd producing constant out of memory into T2567: accel-ppp eats all memory with a small sstp config.
Nov 1 2024, 7:59 PM · VyOS Rolling, Bugs, Known issue
syncer edited projects for T6699: Router practically becomes unusable due to accel-pppd producing constant out of memory, added: VyOS Rolling; removed VyOS 1.5 Circinus.
Nov 1 2024, 7:58 PM · VyOS Rolling, Bugs, Known issue

Oct 30 2024

n.fort added a comment to T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used.

No. It's not applicable for 1.4/1.5

Oct 30 2024, 10:28 AM
syncer removed a project from T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used: VyOS 1.3 Equuleus (1.3.8).

@n.fort, is this applicable to 1.4/1,5?

Oct 30 2024, 8:57 AM

Oct 10 2024

dmbaturin closed T4478: Firewall ipv6 p2p option failed as Wontfix.

Firewall is completely rewritten in 1.4 and p2p in its old form is not there.

Oct 10 2024, 5:00 PM · Known issue, VyOS 1.3 Equuleus (1.3.0)

Oct 8 2024

dmbaturin merged T2567: accel-ppp eats all memory with a small sstp config into T6699: Router practically becomes unusable due to accel-pppd producing constant out of memory.
Oct 8 2024, 8:54 PM · VyOS Rolling, Bugs, Known issue

Sep 15 2024

dmbaturin added a project to T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used: Bugs.
Sep 15 2024, 5:04 PM
dmbaturin added a project to T5547: ISIS: The L1-2 router cannot advertise L1 routes into L2: Bugs.
Sep 15 2024, 5:04 PM · Bugs, VyOS 1.4 Sagitta (1.4.0-GA), Known issue
dmbaturin added a project to T6699: Router practically becomes unusable due to accel-pppd producing constant out of memory: Bugs.
Sep 15 2024, 5:03 PM · VyOS Rolling, Bugs, Known issue

Sep 5 2024

Viacheslav added a project to T6699: Router practically becomes unusable due to accel-pppd producing constant out of memory: Known issue.
Sep 5 2024, 6:43 AM · VyOS Rolling, Bugs, Known issue

May 13 2024

syncer edited projects for T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used, added: VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).
May 13 2024, 7:33 PM

May 7 2024

syncer edited projects for T5547: ISIS: The L1-2 router cannot advertise L1 routes into L2, added: VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta.
May 7 2024, 8:04 AM · Bugs, VyOS 1.4 Sagitta (1.4.0-GA), Known issue

Mar 4 2024

Viacheslav added a comment to T3655: NAT doesn't work correctly with VRF.

@paigeadelethompson it is another issue, open a separate bug report

Mar 4 2024, 7:21 AM · VyOS 1.4 Sagitta (1.4.0-epa3)
paigeadelethompson added a comment to T3655: NAT doesn't work correctly with VRF.
table inet vrf_zones {
        map ct_iface_map {
                typeof iifname : ct zone
                elements = { "HE" : 132,
                             "WAN" : 128,
                             "eth0" : 128,
                             "tun0" : 132,
                             "eth1" : 256,
                             "eth2" : 384,
                             "veth0" : 132,
                             "veth1" : 256,
                             "VMNET" : 256,
                             "FASTNETMON" : 384 }
        }
Mar 4 2024, 4:20 AM · VyOS 1.4 Sagitta (1.4.0-epa3)

Feb 10 2024

syncer edited projects for T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used, added: VyOS 1.3 Equuleus (1.3.7); removed VyOS 1.3 Equuleus (1.3.6).
Feb 10 2024, 9:19 AM

Jan 20 2024

Viacheslav triaged T5547: ISIS: The L1-2 router cannot advertise L1 routes into L2 as Low priority.
Jan 20 2024, 1:14 PM · Bugs, VyOS 1.4 Sagitta (1.4.0-GA), Known issue
Viacheslav triaged T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used as Low priority.
Jan 20 2024, 2:38 AM
Viacheslav closed T3906: [Traffic Control] Invalid Port Configuration Still Commits as Invalid.
Jan 20 2024, 2:25 AM · Known issue, VyOS 1.4 Sagitta

Dec 17 2023

syncer edited projects for T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used, added: VyOS 1.3 Equuleus (1.3.6); removed VyOS 1.3 Equuleus (1.3.5).
Dec 17 2023, 11:40 PM

Oct 4 2023

fernando closed T3655: NAT doesn't work correctly with VRF as Resolved.
Oct 4 2023, 7:54 PM · VyOS 1.4 Sagitta (1.4.0-epa3)
Viacheslav added a comment to T3655: NAT doesn't work correctly with VRF.

@rherold Could you re-check it?

Oct 4 2023, 7:54 PM · VyOS 1.4 Sagitta (1.4.0-epa3)
fernando added a comment to T3655: NAT doesn't work correctly with VRF.

for me , it's ok . I didn't see another issue related it . we can close

Oct 4 2023, 7:44 PM · VyOS 1.4 Sagitta (1.4.0-epa3)
Viacheslav added a comment to T3655: NAT doesn't work correctly with VRF.

Can we close it?

Oct 4 2023, 7:29 PM · VyOS 1.4 Sagitta (1.4.0-epa3)

Sep 14 2023

vfreex added a comment to T3655: NAT doesn't work correctly with VRF.

@fernando This is really nice. Thank you for the testing!

Sep 14 2023, 7:02 AM · VyOS 1.4 Sagitta (1.4.0-epa3)

Sep 12 2023

fernando reopened T3655: NAT doesn't work correctly with VRF as "Needs testing".
Sep 12 2023, 6:59 PM · VyOS 1.4 Sagitta (1.4.0-epa3)
fernando added a comment to T3655: NAT doesn't work correctly with VRF.

command on 1.5 :

Sep 12 2023, 6:36 PM · VyOS 1.4 Sagitta (1.4.0-epa3)
fernando closed T3655: NAT doesn't work correctly with VRF as Unknown Status.
Sep 12 2023, 4:17 PM · VyOS 1.4 Sagitta (1.4.0-epa3)
fernando updated subscribers of T3655: NAT doesn't work correctly with VRF.

@vfreex I've tested in my labs related this issues , I can confirm that it work as expected . this original zone solved the problem when there was a src-nat /dst-nat with different VRFs or leaking with them ,Thanks you for this contribution .

Sep 12 2023, 4:16 PM · VyOS 1.4 Sagitta (1.4.0-epa3)

Sep 10 2023

Apachez added a comment to T3655: NAT doesn't work correctly with VRF.

Oh sorry, I missed that this commit was for LTS 1.3.x series.

Sep 10 2023, 7:13 PM · VyOS 1.4 Sagitta (1.4.0-epa3)
vfreex added a comment to T3655: NAT doesn't work correctly with VRF.

@Apachez I am running kernel 6.1.49-amd64-vyos and this works fine with my local setup.
The patch is already in linux kernel since at least 4.3 (you can confirm with https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/include/net/netfilter/nf_conntrack_zones.h?h=linux-4.3.y), but it was added to nft command only since Feb 2017: https://git.netfilter.org/nftables/commit/src/ct.c?id=ed66d9966294a3bab6c8611e369861ba57374743

Sep 10 2023, 6:17 PM · VyOS 1.4 Sagitta (1.4.0-epa3)
Apachez added a comment to T3655: NAT doesn't work correctly with VRF.

@vfreex the referenced netfilter patch is from 2015, is that really valid for current version thats included in the Linux 6.1 LTS kernel?

Sep 10 2023, 6:05 PM · VyOS 1.4 Sagitta (1.4.0-epa3)
vfreex added a comment to T3655: NAT doesn't work correctly with VRF.

You can test this approach on a running VyOS router using following commands:

Sep 10 2023, 5:32 PM · VyOS 1.4 Sagitta (1.4.0-epa3)
vfreex added a comment to T3655: NAT doesn't work correctly with VRF.

I created a PR to fix this issue by using direction parameter of conntrack zones: https://github.com/vyos/vyos-1x/pull/2236
I have a very basic VRF setup and it works fine. It would be much appreciated if someone could test this with more complex VRF setup.

Sep 10 2023, 5:04 PM · VyOS 1.4 Sagitta (1.4.0-epa3)

Aug 25 2023

syncer edited projects for T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used, added: VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).
Aug 25 2023, 9:33 PM

Jul 12 2023

syncer edited projects for T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used, added: VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).
Jul 12 2023, 10:32 PM

Jun 22 2023

NeilHanlon added a comment to T3655: NAT doesn't work correctly with VRF.

I'm also encountering this issue on the latest rolling release.

Jun 22 2023, 12:51 PM · VyOS 1.4 Sagitta (1.4.0-epa3)

Jun 8 2023

gusbourg added a comment to T3655: NAT doesn't work correctly with VRF.

I have been able to get NAT to work with VRFs with 1.4-rolling-202306080317. However:

Jun 8 2023, 6:55 PM · VyOS 1.4 Sagitta (1.4.0-epa3)

May 17 2023

fernando added a comment to T3655: NAT doesn't work correctly with VRF.

I've done test , regarding the original issues that it was nat+route-leaking (default + foo) , which is working on the last rolling (VyOS 1.4-rolling-202305140317). however, I've tried some test using two vrf+route-leaking and NAT , I can replicated the issue:

May 17 2023, 3:19 PM · VyOS 1.4 Sagitta (1.4.0-epa3)

May 16 2023

diodep added a comment to T3655: NAT doesn't work correctly with VRF.
In T3655#148609, @bbabich wrote:
In T3655#131502, @Viacheslav wrote:

I have NAT working with vrf in VyOS 1.4-rolling-202208290458 + custom nat offload

set interfaces ethernet eth0 address '192.168.122.14/24'
set interfaces ethernet eth1 address '192.0.2.1/24'
set interfaces ethernet eth1 vrf 'foo'
set protocols static route 192.0.2.0/24 interface eth1 vrf 'foo'
set system conntrack
set vrf name foo protocols static route 0.0.0.0/0 next-hop 192.168.122.1 interface 'eth0'
set vrf name foo protocols static route 0.0.0.0/0 next-hop 192.168.122.1 vrf 'default'
set vrf name foo table '1010'

Nftables

root@r14:/home/vyos# cat nat.nft 
flush ruleset

table ip filter {
	flowtable fastnat {
		hook ingress priority filter
		devices = { eth0, eth1 }
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		ip protocol { tcp, udp } flow add @fastnat
	}
}
table ip nat {
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 192.0.2.0/24 oif "eth0" snat to 192.168.122.14 persistent
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
	}
}

Conntrack table

vyos@r14:~$ sudo conntrack -F
conntrack v1.4.6 (conntrack-tools): connection tracking table has been emptied.
vyos@r14:~$ 
vyos@r14:~$ sudo conntrack -L
tcp      6 431999 ESTABLISHED src=192.168.122.14 dst=192.168.122.1 sport=22 dport=44462 src=192.168.122.1 dst=192.168.122.14 sport=44462 dport=22 [ASSURED] mark=0 use=1
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=33018 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=33018 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=37517 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=37517 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=59794 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=59794 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=39288 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=39288 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=39616 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=39616 [OFFLOAD] mark=0 use=2
icmp     1 29 src=192.0.2.2 dst=1.1.1.1 type=8 code=0 id=12387 src=1.1.1.1 dst=192.168.122.14 type=0 code=0 id=12387 mark=0 use=1
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=41155 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=41155 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=39829 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=39829 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=33655 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=33655 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=44835 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=44835 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=40213 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=40213 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=33729 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=33729 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=48344 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=48344 [OFFLOAD] mark=0 use=2
conntrack v1.4.6 (conntrack-tools): 14 flow entries have been shown.
vyos@r14:~$

This works for me too on current rolling releases from Jan-2023 to now.

May 16 2023, 6:57 AM · VyOS 1.4 Sagitta (1.4.0-epa3)

May 12 2023

bbabich added a comment to T3655: NAT doesn't work correctly with VRF.
In T3655#131502, @Viacheslav wrote:

I have NAT working with vrf in VyOS 1.4-rolling-202208290458 + custom nat offload

set interfaces ethernet eth0 address '192.168.122.14/24'
set interfaces ethernet eth1 address '192.0.2.1/24'
set interfaces ethernet eth1 vrf 'foo'
set protocols static route 192.0.2.0/24 interface eth1 vrf 'foo'
set system conntrack
set vrf name foo protocols static route 0.0.0.0/0 next-hop 192.168.122.1 interface 'eth0'
set vrf name foo protocols static route 0.0.0.0/0 next-hop 192.168.122.1 vrf 'default'
set vrf name foo table '1010'

Nftables

root@r14:/home/vyos# cat nat.nft 
flush ruleset

table ip filter {
	flowtable fastnat {
		hook ingress priority filter
		devices = { eth0, eth1 }
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		ip protocol { tcp, udp } flow add @fastnat
	}
}
table ip nat {
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 192.0.2.0/24 oif "eth0" snat to 192.168.122.14 persistent
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
	}
}

Conntrack table

vyos@r14:~$ sudo conntrack -F
conntrack v1.4.6 (conntrack-tools): connection tracking table has been emptied.
vyos@r14:~$ 
vyos@r14:~$ sudo conntrack -L
tcp      6 431999 ESTABLISHED src=192.168.122.14 dst=192.168.122.1 sport=22 dport=44462 src=192.168.122.1 dst=192.168.122.14 sport=44462 dport=22 [ASSURED] mark=0 use=1
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=33018 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=33018 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=37517 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=37517 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=59794 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=59794 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=39288 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=39288 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=39616 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=39616 [OFFLOAD] mark=0 use=2
icmp     1 29 src=192.0.2.2 dst=1.1.1.1 type=8 code=0 id=12387 src=1.1.1.1 dst=192.168.122.14 type=0 code=0 id=12387 mark=0 use=1
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=41155 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=41155 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=39829 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=39829 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=33655 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=33655 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=44835 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=44835 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=40213 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=40213 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=33729 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=33729 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.2 dst=1.1.1.1 sport=48344 dport=53 src=1.1.1.1 dst=192.168.122.14 sport=53 dport=48344 [OFFLOAD] mark=0 use=2
conntrack v1.4.6 (conntrack-tools): 14 flow entries have been shown.
vyos@r14:~$
May 12 2023, 2:24 PM · VyOS 1.4 Sagitta (1.4.0-epa3)

May 8 2023

diodep added a comment to T3655: NAT doesn't work correctly with VRF.
In T3655#143947, @fernando wrote:

it doesn't seem the same problem as here, this logic that was applied over this version was vrf not on the table . Could you share full configuration ? there is some point over vrfs / vrf default /leaking that are not clear. So I can replicate the scenery and we see what is going on .

May 8 2023, 7:41 AM · VyOS 1.4 Sagitta (1.4.0-epa3)

Mar 7 2023

diodep added a comment to T3655: NAT doesn't work correctly with VRF.
In T3655#143947, @fernando wrote:

it doesn't seem the same problem as here, this logic that was applied over this version was vrf not on the table . Could you share full configuration ? there is some point over vrfs / vrf default /leaking that are not clear. So I can replicate the scenery and we see what is going on .

Mar 7 2023, 4:36 PM · VyOS 1.4 Sagitta (1.4.0-epa3)

Mar 4 2023

diodep added a comment to T3655: NAT doesn't work correctly with VRF.
In T3655#143947, @fernando wrote:

it doesn't seem the same problem as here, this logic that was applied over this version was vrf not on the table . Could you share full configuration ? there is some point over vrfs / vrf default /leaking that are not clear. So I can replicate the scenery and we see what is going on .

Mar 4 2023, 2:52 AM · VyOS 1.4 Sagitta (1.4.0-epa3)

Mar 3 2023

fernando added a comment to T3655: NAT doesn't work correctly with VRF.

it doesn't seem the same problem as here, this logic that was applied over this version was vrf not on the table . Could you share full configuration ? there is some point over vrfs / vrf default /leaking that are not clear. So I can replicate the scenery and we see what is going on .

Mar 3 2023, 3:14 PM · VyOS 1.4 Sagitta (1.4.0-epa3)
diodep added a comment to T3655: NAT doesn't work correctly with VRF.

I have almost same problem here. Can't NAT between two VRFs correctly. The outgoing packet has been NATed correctly but the incoming packet seems be dropped, can't reach the source, it seems the return packet can't be tracked correctly.

Mar 3 2023, 6:21 AM · VyOS 1.4 Sagitta (1.4.0-epa3)

Feb 28 2023

SrividyaA placed T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used up for grabs.
Feb 28 2023, 11:58 AM

Feb 21 2023

Charlie-Root added a comment to T3655: NAT doesn't work correctly with VRF.
Feb 21 2023, 1:45 PM · VyOS 1.4 Sagitta (1.4.0-epa3)

Oct 3 2022

n.fort added a comment to T3655: NAT doesn't work correctly with VRF.

At least on my lab, with one of the latest 1.4, this is working for me:

Oct 3 2022, 2:21 PM · VyOS 1.4 Sagitta (1.4.0-epa3)

Oct 1 2022

aohanian added a comment to T3655: NAT doesn't work correctly with VRF.

Is there a way to isolate a NAT rule to operate within a VRF?

Oct 1 2022, 2:31 PM · VyOS 1.4 Sagitta (1.4.0-epa3)

Aug 30 2022

Viacheslav added a comment to T3655: NAT doesn't work correctly with VRF.
Aug 30 2022, 6:33 AM · VyOS 1.4 Sagitta (1.4.0-epa3)