
commit-archive source-address broken for IPv6 addresses
Needs testing, Low, Public, BUG

Description

For some time now commit-archive has failed to actually use the address specified by source-address. Here's the router I'm configuring for commit-archive:

trae@cr01a-vyos# set system config-management commit-archive source-address 'fd52:d62e:8011:fffe:192:168:253:6'
[edit]
trae@cr01a-vyos# commit
Using source address fd52:d62e:8011:fffe:192:168:253:6
Archiving config...
  sftp://stor01z-cs.int.trae32566.org:/dal13/cr01a-vyos curl: (7) Failed to connect to stor01z-cs.int.trae32566.org port 22: Connection timed out
 Failed!

Here's the switch with ACLs for the source address specified above:

ir01(config)#show ipv6 access-lists EXTSTOR_OUT-V6 | i fffe
        110 permit tcp fd52:d62e:8011:fffe::/64 host fd52:d62e:8011:46:192:168:9:254 eq ssh
ir01(config)#show log all | i EXTSTOR_OUT-V6
Mar  2 00:41:03 ir01 Acl: %ACL-6-IP6ACCESS: egress list EXTSTOR_OUT-V6 Vlan70 denied tcp fd52:d62e:8011:1397::1(38572) -> fd52:d62e:8011:46:192:168:9:254(22)
Mar  2 00:41:18 ir01 Acl: message repeated 4 times: [ %ACL-6-IP6ACCESS: egress list EXTSTOR_OUT-V6 Vlan70 denied tcp fd52:d62e:8011:1397::1(38572) -> fd52:d62e:8011:46:192:168:9:254(22)]
Mar  2 00:41:31 ir01 Acl: %ACL-6-IP6ACCESS: egress list EXTSTOR_OUT-V6 Vlan70 denied tcp fd52:d62e:8011:13d0::2(37198) -> fd52:d62e:8011:46:192:168:9:254(22)
Mar  2 00:41:32 ir01 Acl: %ACL-6-IP6ACCESS: egress list EXTSTOR_OUT-V6 Vlan70 denied tcp fd52:d62e:8011:13d0::2(37198) -> fd52:d62e:8011:46:192:168:9:254(22)
Mar  2 00:41:34 ir01 Acl: %ACL-6-IP6ACCESS: egress list EXTSTOR_OUT-V6 Vlan70 denied tcp fd52:d62e:8011:1397::1(38572) -> fd52:d62e:8011:46:192:168:9:254(22)
Mar  2 00:42:08 ir01 Acl: %ACL-6-IP6ACCESS: egress list EXTSTOR_OUT-V6 Vlan70 denied tcp fd52:d62e:8011:1397::1(38572) -> fd52:d62e:8011:46:192:168:9:254(22)

You can see here it works fine when I specify the source using ssh manually:

trae@cr01a-vyos# ssh -b fd52:d62e:8011:fffe:192:168:253:6 stor01z-cs.int
The authenticity of host 'stor01z-cs.int (fd52:d62e:8011:46:192:168:9:254)' can't be established.
ECDSA key fingerprint is SHA256:hIdI/80WQLKKCsoO/nLW4+yxXCUOFxDdfkLhfPypsOw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'stor01z-cs.int,fd52:d62e:8011:46:192:168:9:254' (ECDSA) to the list of known hosts.
First Factor: 

[edit]
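
The check that the switch log above makes possible, as an added example that is not part of the original report or of VyOS: it parses ACL deny lines and lists flows to the archive host whose source is neither the configured source-address nor inside the permitted /64. The function name and regex are assumptions; the addresses and log lines are copied from the report.

```python
import ipaddress
import re

# Values taken from the report above.
CONFIGURED_SOURCE = ipaddress.ip_address("fd52:d62e:8011:fffe:192:168:253:6")
PERMITTED_PREFIX = ipaddress.ip_network("fd52:d62e:8011:fffe::/64")
ARCHIVE_HOST = ipaddress.ip_address("fd52:d62e:8011:46:192:168:9:254")

# Matches the "denied tcp SRC(sport) -> DST(dport)" part of an ACL log line.
DENY_RE = re.compile(
    r"denied tcp (?P<src>[0-9a-fA-F:]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[0-9a-fA-F:]+)\((?P<dport>\d+)\)"
)

# Three of the log lines quoted in the report, including the "repeated" form.
SAMPLE_LOG = """\
Mar  2 00:41:03 ir01 Acl: %ACL-6-IP6ACCESS: egress list EXTSTOR_OUT-V6 Vlan70 denied tcp fd52:d62e:8011:1397::1(38572) -> fd52:d62e:8011:46:192:168:9:254(22)
Mar  2 00:41:18 ir01 Acl: message repeated 4 times: [ %ACL-6-IP6ACCESS: egress list EXTSTOR_OUT-V6 Vlan70 denied tcp fd52:d62e:8011:1397::1(38572) -> fd52:d62e:8011:46:192:168:9:254(22)]
Mar  2 00:41:31 ir01 Acl: %ACL-6-IP6ACCESS: egress list EXTSTOR_OUT-V6 Vlan70 denied tcp fd52:d62e:8011:13d0::2(37198) -> fd52:d62e:8011:46:192:168:9:254(22)
"""


def misbound_flows(log_text, dst=ARCHIVE_HOST, dport=22):
    """Return {(src, sport)} for denied flows to dst:dport whose source is
    neither CONFIGURED_SOURCE nor inside PERMITTED_PREFIX."""
    flows = set()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        if ipaddress.ip_address(m["dst"]) != dst or int(m["dport"]) != dport:
            continue
        src = ipaddress.ip_address(m["src"])
        # A deny from outside the permitted prefix means the client did not
        # bind to the configured source-address for this connection.
        if src != CONFIGURED_SOURCE and src not in PERMITTED_PREFIX:
            flows.add((str(src), int(m["sport"])))
    return flows


if __name__ == "__main__":
    for src, sport in sorted(misbound_flows(SAMPLE_LOG)):
        print(f"unexpected source {src} port {sport} (expected {CONFIGURED_SOURCE})")
```
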

Details

Difficulty level
Unknown (require assessment)
Version
1.3-beta-202103010443
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

This is possibly a problem on curl's end, but funnily enough, there's a similar problem with the native implementation over at T3563. Once that's solved, this bug will be rendered moot.

erkin changed the task status from Open to Needs testing. Tue, Jun 8, 2:31 PM
erkin triaged this task as Low priority.

This is resolved for 1.4. Do you still have this problem in 1.3 as of RC4? If so, I'll need to backport the changes.

I have a similar problem, but different, in T3563. I've reopened it and added information, but basically 1.4 still has the issue reported in that bug report.

erkin renamed this task from commit-archive source-address Broken to commit-archive source-address broken for IPv6 addresses. Mon, Jun 21, 3:38 PM
erkin changed the subtype of this task from "Task" to "Bug".
erkin removed a subscriber: Active contributors.