@primoz Adding staticd to the daemons config fixes the issue reproducibly on affected systems, even after reboot?
Thu, Feb 14
Sat, Feb 2
Fri, Feb 1
@jmlccdmd Ok, I'll re-test with in/out then.
Sun, Jan 27
Since this is a trivial cosmetic issue, we are about to freeze 1.2.0, and the installer is due for a rework in 1.3.0, I'm going to ignore this for now.
Works for me in the latest build.
vyos@vyos-test-2# set protocols static route6 ::/0 blackhole distance 10  vyos@vyos-test-2# commit  vyos@vyos-test-2# run show ipv6 route ::/0 Routing entry for ::/0 Known via "static", distance 10, metric 0, best Last update 00:00:10 ago * unreachable (blackhole)
Sat, Jan 26
Looks like the issue with the same host displayed multiple times is fixed in the latest FRR.
Ok, I've re-tested everything one more time to be sure. I can confirm the somewhat strange (though technically correct) behaviour of blackhole routes: they become ECMP routes if there's another route of the same distance. I would expect normal routes to override them in that case, but the kernel is following its hard and fast rule that two routes with the same distance automatically become ECMP routes, that behaviour is counter-intuitive but consistent.
@jmlccdmd I've been testing it with EPA3 and friday's nightly build.
I've built lldpd 1.0.3, much newer than that from jessie. Luckily, the maintainer keep Debian packaging in the official repository, so it wasn't much effort to do.
Ok, more interesting than that. In the latest image, the setup just works as described with RFC-compliant VRRP:
This problem is specific to RFC-compliant VRRP setups. Firewall design in VyOS is rather unfortunate in that rulesets are bound to interfaces. If you assign it to eth0, a rule with -i eth0 -j MyRuleset is created. RFC-compliant (shared MAC) VRRP uses those eth0v1 etc. interfaces, but since from netfilter's point of view eth0 and eth0v1 are different interfaces, those rules are never reached.
This issue uncovered more. The parser was written under an assumption that "bare" leaf and tag nodes at the top level are not allowed. In fact, while VyOS config never have them, it's by convention rather than by design, if you create a command definition for one (set foo bar), it works just fine. So, to be consistent with the original parser, the new parser should allow them.
I've removed the restriction on the grammar to allow them (see https://github.com/vyos/libvyosconfig/commit/1dd05b330f3adfe828ba3ca4c71db2e12b8968f6), and now run show configuration commands seems to work with "partial" configs just fine. The change appears to have no ill effects on parsing "normal" config, according to my testing.
Fri, Jan 25
Wed, Jan 23
I suppose I can port the fix for |commands to it.
Jan 14 2019
Jan 12 2019
Jan 5 2019
Jan 3 2019
I noticed the issue but didn't get to fixing it, applied your fix now.
Jan 2 2019
Jan 1 2019
Dec 31 2018
FRR people fixed it rather quickly!
Ok, ignore it, I decided not to be a lazy butt and test it myself. ;)
Reload is not enough, restart is needed, so the fix should be complete.
I've added SNMP restart on hostname change, it will be in the next nightly build.
Oh, you forgot metric and route-map options. Extending your patch to support them wasn's hard though, most of the work was already done.
Hey @Merijn, sorry for late reply and thanks for the patch! I've merged it in and it will be in the next nightly build.
I could reproduce it in today's FRR master. I'm reporting the issue to FRR maintainers.
I've changed it to handle the situation gracefully. Actual display of connecting SAs is another story of course... The fix will be in the next nightly build.
@zsdc The fix for T1011 should have fixed this, but there's a crucial and annoying detail: apparently when the nf_conntrack module is (re)loaded without nf_conntrack_helper=1 option, the sysctl value gets overwritten.
Yes, seems it's just forgotten sync-group. A sync-group is required for it to work, in the current implementation. The error message is confusing and bug-like though, as of me.
Dec 29 2018
Dec 26 2018
@m.cremers The fix will be in the next nightly build, please re-test.
Dec 21 2018
Dec 17 2018
Thanks for catching this! I've fixed it in the upcoming rc11.
Dec 16 2018
If we are planning firewall overhaul, the old design issues should not get in the way. It's planned for 1.3 though
That command works for me in the upcoming rc, so I assume they fixed it.