
Jan 28 2022

johannrichard added a comment to T4209: Firewall incorrect handler for recent count and time.

I'm no expert here, nor extremely strongly opinionated. My thoughts, though: if there's no exact equivalent, why try to re-implement the recent functionality with nftables at "all" cost?

Jan 28 2022, 1:02 PM · VyOS 1.4 Sagitta

Jan 27 2022

johannrichard added a comment to T478: Firewall address group (multi and nesting).

With nftables, this should in principle be possible with nested variables, and the firewall groups are based on these now.

Jan 27 2022, 12:16 PM · VyOS 1.4 Sagitta

Jan 18 2022

johannrichard awarded T3560: Ability to create groups of MAC addresses a Like token.
Jan 18 2022, 5:46 PM · VyOS 1.4 Sagitta

Jan 14 2022

johannrichard added a comment to T2199: Rewrite firewall in new XML/Python style.

@sdev: in your original commit for this task, recent rules are somehow semi-discarded (the time/counter condition will not be written out; however, the action will be written out) because of an apparent problem with nftables in this area.

Jan 14 2022, 10:10 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta

Jan 13 2022

johannrichard added a comment to T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases.

See comment in T4164: is working now.

Jan 13 2022, 4:52 PM · VyOS 1.4 Sagitta
johannrichard added a comment to T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails.

See comment in T4164: my config runs through easily now.

Jan 13 2022, 4:52 PM · VyOS 1.4 Sagitta
johannrichard added a comment to T4164: PBR: network groups (as well as address and port groups) don't resolve in `nftables_policy.conf`.

@sdev this (and the other fixes) look promising: after upgrading to the latest rolling release from 13.1.2022, both the example provided in the ticket as well as my config (a copy of my production setup with rules covering PBR, empty groups, references to "defines" in PBR rules) ran through easily. My production config created no errors when loading the config after the update.

Jan 13 2022, 4:49 PM · VyOS 1.4 Sagitta
johannrichard added a comment to T4164: PBR: network groups (as well as address and port groups) don't resolve in `nftables_policy.conf`.
In T4164#116547, @mTx87 wrote:

seems like policy based routing not working.

Jan 13 2022, 11:38 AM · VyOS 1.4 Sagitta

Jan 10 2022

johannrichard updated the task description for T4164: PBR: network groups (as well as address and port groups) don't resolve in `nftables_policy.conf`.
Jan 10 2022, 9:34 PM · VyOS 1.4 Sagitta
johannrichard created T4164: PBR: network groups (as well as address and port groups) don't resolve in `nftables_policy.conf`.
Jan 10 2022, 9:22 PM · VyOS 1.4 Sagitta
johannrichard added a comment to T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails.

I just realized it's getting more complicated, as python/vyos/firewall.py will later write out the rules for these empty groups and, when reading them in, nftables will complain (again) when trying to resolve them, e.g.

Jan 10 2022, 3:06 AM · VyOS 1.4 Sagitta
johannrichard renamed T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails from Rewrite firewall in new XML/Python style: Empty firewall group (address, network & port) generate invalid nftables config, commit fails to Empty firewall group (address, network & port) generates invalid nftables config, commit fails.
Jan 10 2022, 2:25 AM · VyOS 1.4 Sagitta
johannrichard added a comment to T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails.

To my understanding, the template data/templates/firewall/nftables.tmpl is probably the culprit, as it doesn't check whether group_conf.address (and similarly the others) has any elements at all and introduces the offending white-space:

Jan 10 2022, 2:25 AM · VyOS 1.4 Sagitta
johannrichard added a subtask for T2199: Rewrite firewall in new XML/Python style: T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails.
Jan 10 2022, 2:12 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
johannrichard added a parent task for T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails: T2199: Rewrite firewall in new XML/Python style.
Jan 10 2022, 2:12 AM · VyOS 1.4 Sagitta
johannrichard created T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails.
Jan 10 2022, 2:12 AM · VyOS 1.4 Sagitta

Jan 9 2022

johannrichard added a subtask for T2199: Rewrite firewall in new XML/Python style: T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases.
Jan 9 2022, 7:59 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta
johannrichard added a parent task for T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases: T2199: Rewrite firewall in new XML/Python style.
Jan 9 2022, 7:59 PM · VyOS 1.4 Sagitta
johannrichard updated the task description for T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases.
Jan 9 2022, 6:32 PM · VyOS 1.4 Sagitta
johannrichard created T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases.
Jan 9 2022, 6:30 PM · VyOS 1.4 Sagitta

Dec 28 2021

johannrichard added a comment to T4014: Add “command” and “arg” configuration options for containers.

@Viacheslav, appreciate your question, and yes, there is:

Dec 28 2021, 7:18 PM · VyOS 1.4 Sagitta

Nov 22 2021

johannrichard renamed T4014: Add “command” and “arg” configuration options for containers from Add “command” and “arg” configuration options to Add “command” and “arg” configuration options for containers.
Nov 22 2021, 7:47 PM · VyOS 1.4 Sagitta
johannrichard added a subtask for T2216: Containerized third-party applications for VyOS: T4014: Add “command” and “arg” configuration options for containers.
Nov 22 2021, 7:46 PM · VyOS 1.3 Equuleus (1.3.0)
johannrichard added a parent task for T4014: Add “command” and “arg” configuration options for containers: T2216: Containerized third-party applications for VyOS.
Nov 22 2021, 7:46 PM · VyOS 1.4 Sagitta
johannrichard updated the task description for T4014: Add “command” and “arg” configuration options for containers.
Nov 22 2021, 7:41 PM · VyOS 1.4 Sagitta
johannrichard updated the task description for T4014: Add “command” and “arg” configuration options for containers.
Nov 22 2021, 7:40 PM · VyOS 1.4 Sagitta
johannrichard renamed T4014: Add “command” and “arg” configuration options for containers from T4014: Add “command” and “arg” configuration options to Add “command” and “arg” configuration options.
Nov 22 2021, 7:34 PM · VyOS 1.4 Sagitta
johannrichard renamed T4014: Add “command” and “arg” configuration options for containers from Add “command” and “arg” configuration options to T4014: Add “command” and “arg” configuration options.
Nov 22 2021, 7:34 PM · VyOS 1.4 Sagitta
johannrichard created T4014: Add “command” and “arg” configuration options for containers.
Nov 22 2021, 7:32 PM · VyOS 1.4 Sagitta

Oct 31 2021

johannrichard added a comment to T3916: Add additional Linux capabilities to container configuration.

Will be added in the next rolling release, @johannrichard could you test it?

Oct 31 2021, 8:45 PM · VyOS 1.4 Sagitta

Oct 19 2021

johannrichard renamed T3916: Add additional Linux capabilities to container configuration from Add additional capabilities to Add additional Linux capabilities to container configuration.
Oct 19 2021, 6:18 PM · VyOS 1.4 Sagitta
johannrichard created T3916: Add additional Linux capabilities to container configuration.
Oct 19 2021, 6:17 PM · VyOS 1.4 Sagitta