Page MenuHomeVyOS Platform
Feed Advanced Search

Jan 8 2019

zsdc added a comment to T1135: "firewall send-redirects enable" works only after switching from disabled state on running system.

By default, more optimal will be leaving send_redirects in enabled state.
I think, that better will be preventing to commit something in vpn ipsec if send_redirects is enabled for any interface, as we can't predict at 100% from which interface will be received traffic, that need to be encrypted with IPSec.
Per-interface option can help in any case, definitely. But we need to leave at least warning to user, where will be clearly said, that with enabled send_redirects some of traffic from interface with this option can be leaked through unencrypted channels.

Jan 8 2019, 8:29 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-EPA3)
zsdc added a comment to T1137: 'sh ip bgp sum' being truncated.

Can you reproduce this with some other emulator, except SecureCRT and make video with this bug?

Jan 8 2019, 8:55 AM · VyOS 1.3 Equuleus (1.3.0-epa1)

Jan 7 2019

zsdc changed the status of T1141: Conntrack helpers are no longer active by default from Needs testing to Confirmed.

OK. So, for now, anyone can use workarounds provided in T1011 or here. And wait for permanent fix in further builds.

Jan 7 2019, 2:04 PM · VyOS 1.2 Crux (VyOS 1.2.0-EPA3), VyOS-1.2.0-GA
zsdc added a comment to T1137: 'sh ip bgp sum' being truncated.

Hi, @knozzle !
Provide, please, output of next command, executed in the same terminal as defected show ip bgp summary:

tput cols ; tput lines
Jan 7 2019, 1:53 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
zsdc added a comment to T1140: Policy Route Not Work.

Hi, @rizkidtn!
Policy route wouldn't work if it will be assigned to any other interface, except those from which incoming traffic will be received.
Why do you can't set policy to eth1.2400 interface? Is there some problems or errors related with this occurs?

Jan 7 2019, 1:42 PM · VyOS 1.3 Equuleus (1.3.0-epa1)

Dec 30 2018

zsdc added a comment to T1141: Conntrack helpers are no longer active by default.

I can confirm, that problem with connection tracking is exist. Reason in this change in Linux kernel. Now, by default, all connection helpers is disabled. You may try to search in your log files something like:

kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.

If you want, you may read more about this here.
So, we need to add all helpers by hand. You may try next workaround. Add this to /config/scripts/vyatta-postconfig-bootup.script:

sleep 10
iptables -t raw -I VYATTA_CT_HELPER 1 -p tcp --dport 1723 -j CT --helper pptp
iptables -t raw -I VYATTA_CT_HELPER 2 -p tcp --dport 21 -j CT --helper ftp

Then reboot or, if you want tot apply it without rebooting, just execute all commands in root shell.

Dec 30 2018, 2:43 AM · VyOS 1.2 Crux (VyOS 1.2.0-EPA3), VyOS-1.2.0-GA

Dec 28 2018

zsdc added a comment to T1135: "firewall send-redirects enable" works only after switching from disabled state on running system.

I've made some tests...
I have build a lab with next configuration:

T1135_IPSec_tunnel_ICMP_redirects.png (341×962 px, 15 KB)

In test PC gateway to 10.2.1.0/24 is R2.
In R2 we have next routing tables:

vyos@vyos:~$ show ip route 
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route
Dec 28 2018, 10:45 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-EPA3)

Dec 27 2018

zsdc added a comment to T1135: "firewall send-redirects enable" works only after switching from disabled state on running system.

I found. This is VPN settings.
Based on information from Linux IP stack flow diagrams, IPSec policy applying after route decision, and ICMP redirects doing before this. So we can't leave send_redirects=1 on interface, where we receive unencrypted traffic for IPSec.
But, we can:

  1. Check for firewall send-redirects 'enable' and prevent to commiting vpn ipsec options, when send_redirects is enabled.
  2. Disable send_redirects only on interfaces, where we expect incoming unencrypted IPSec traffic.

I'm not sure, what is better.

Dec 27 2018, 4:43 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-EPA3)

Dec 25 2018

zsdc added a comment to T1135: "firewall send-redirects enable" works only after switching from disabled state on running system.

If you just enable and reboot it works too? I've seen this problem at different routers with RC3, RC11 and rolling, but I can't find obvious reason for it.

Dec 25 2018, 6:21 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-EPA3)

Dec 24 2018

zsdc added a comment to T1135: "firewall send-redirects enable" works only after switching from disabled state on running system.

Hi @hagbard!
Config in attachment.

Dec 24 2018, 9:29 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-EPA3)
zsdc created T1135: "firewall send-redirects enable" works only after switching from disabled state on running system.
Dec 24 2018, 2:43 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-EPA3)

Dec 18 2018

zsdc created T1118: Obsolete "utc" option in time selector in firewall.
Dec 18 2018, 2:53 PM · VyOS 1.3 Equuleus (1.3.7)

Dec 17 2018

zsdc created T1113: Unwanted/broken "disable" option in firewall state.
Dec 17 2018, 10:06 PM · VyOS 1.3 Equuleus (1.3.6), test
zsdc updated the task description for T1111: Misbehaviour of "recent" options in firewall rules.
Dec 17 2018, 9:21 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux ( VyOS 1.2.0-rc11)
zsdc created T1111: Misbehaviour of "recent" options in firewall rules.
Dec 17 2018, 9:19 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux ( VyOS 1.2.0-rc11)

Dec 14 2018

zsdc added a comment to T1102: Disabling rp_filter don't work.

Here what I mean.
Before enabling rp_filter:

net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.l2tpeth1.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0

After enabling:

net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.eth2.rp_filter = 2
net.ipv4.conf.l2tpeth1.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 2

After disabling:

net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.eth2.rp_filter = 2
net.ipv4.conf.l2tpeth1.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 2
Dec 14 2018, 3:12 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-GA)

Dec 13 2018

zsdc updated the task description for T1102: Disabling rp_filter don't work.
Dec 13 2018, 10:44 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-GA)
zsdc created T1102: Disabling rp_filter don't work.
Dec 13 2018, 10:42 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-GA)

Dec 5 2018

zsdc created T1083: Implement persistent/random address and port mapping options for NAT rules.
Dec 5 2018, 9:27 AM · VyOS 1.2 Crux (VyOS 1.2.9), VyOS 1.3 Equuleus (1.3.0), test, VyOS 1.4 Sagitta

Dec 4 2018

zsdc added a comment to T1000: Broken 6rd tunnel implementation.

Tested with 1.2.0-rolling+201812010337. Still many bugs, very hard to diagnostic it properly.
Minimal list TODO, for we can continue testing:

Dec 4 2018, 3:24 PM
zsdc added a comment to T1025: Command "show routing table XX" don't work (FRRouting bug).

Checked in 1.2.0-rolling+201812010337, all works fine.
Vtysh:

root@vyos:/home/vyos# vtysh
Dec 4 2018, 10:00 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc9)

Dec 3 2018

zsdc created T1078: Problems in RED/WRED implementation (QoS).
Dec 3 2018, 2:43 PM · VyOS 1.3 Equuleus (1.3.7), test

Nov 26 2018

zsdc created T1050: Wrong queue-limit for fair-queue.
Nov 26 2018, 9:01 PM · VyOS 1.2 Crux (VyOS 1.2.0-EPA3)

Nov 20 2018

zsdc added a comment to T1000: Broken 6rd tunnel implementation.

I will check fix soon.
By creating tunnels without remote side I mean something like:

ip tunnel add sit1 mode sit local 192.168.20.20 ttl 64

This is "vanilla way", as I understand.

Nov 20 2018, 9:44 PM

Nov 18 2018

zsdc created T1025: Command "show routing table XX" don't work (FRRouting bug).
Nov 18 2018, 12:31 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc9)

Nov 15 2018

zsdc created T1018: Incorrect (obsoleted) option "dynamic" for NTP server.
Nov 15 2018, 10:05 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc8)

Nov 11 2018

zsdc created T1000: Broken 6rd tunnel implementation.
Nov 11 2018, 11:15 PM

Oct 28 2018

zsdc added a comment to T945: Unable to change configuration after changing it from script (vbash + script-template).

@dmbaturin after some thinking about this problem I think that doing sg for all script is not a very good idea. There can be a situations, when we wan't to run it from other groups.
By now, I see two ways:

  • add additional parameter to executable option, that will define using script vbash with template or not;
  • move setting up right group to /opt/vyatta/etc/functions/script-template.

Second way seems more practical and easy for configuration migrations.

Oct 28 2018, 8:02 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
zsdc added a comment to T945: Unable to change configuration after changing it from script (vbash + script-template).

@syncer, thanks for hint. Works with:

[edit]
vyos@vyos# show system task-scheduler 
 task testtask01 {
     crontab-spec @reboot
     executable {
         arguments "vyattacfg /config/scripts/testscript01.script"
         path /usr/bin/sg
     }
 }
[edit]
vyos@vyos#

But this workaround is ugly a little bit (if we want to use arguments for example).
Maybe, better will be if VyOS will do this under the hood, without end-user engagement?

Oct 28 2018, 7:43 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
zsdc created T945: Unable to change configuration after changing it from script (vbash + script-template).
Oct 28 2018, 7:13 PM · VyOS 1.3 Equuleus (1.3.0-epa1)