Feed All Stories

Sep 11 2019

isithran awarded T31: Add VRF support a Like token.
Sep 11 2019, 4:34 PM · VyOS 1.3 Equuleus
Dmitry added a comment to T1545: IPSEC vti issue.

Hello, @MarcSim. I want to reproduce your issue in lab, can you provide your ipsec configuration from Central VyOS and one of site

show configuration commands | match ipsec | strip-private
Sep 11 2019, 4:09 PM · VyOS 1.3 Equuleus
zsdc changed the status of T1654: sFlow: multiple "sflow server" not work, and "disable-imt" could break configuration from Open to Confirmed.
Sep 11 2019, 4:07 PM · VyOS 1.2 Crux (VyOS 1.2.4), VyOS 1.3 Equuleus
zsdc created T1654: sFlow: multiple "sflow server" not work, and "disable-imt" could break configuration.
Sep 11 2019, 4:06 PM · VyOS 1.2 Crux (VyOS 1.2.4), VyOS 1.3 Equuleus
hagbard added a comment to T1600: Convert 'ping' operation from vyatta-op to new syntax.

@alkersan I think you need to create the link via Makefile in vyos-1x. At least I don't know of any possibility doing that within the xml.

Sep 11 2019, 3:24 PM · VyOS 1.3 Equuleus
hagbard added a comment to T534: VPN/IPSEC/BGP/DPD - unknown bug, tunnel and interfaces up, but no traffic.

Thanks for your response, did you test a newer image already? There was a lot of work done meanwhile.

Sep 11 2019, 2:56 PM · Rejected
mario added a comment to T534: VPN/IPSEC/BGP/DPD - unknown bug, tunnel and interfaces up, but no traffic.

Tried with the first version 1.2, problem was still present. After that, decided to get us a physical router/fw because ipsec would stop without any obvious reason.
It was a long time ago, almost year and a half...

Sep 11 2019, 6:54 AM · Rejected

Sep 10 2019

hagbard triaged T1652: vyos-xe-guestutilities sync upstream as Low priority.
Sep 10 2019, 10:46 PM · VyOS 1.3 Equuleus
hagbard claimed T1652: vyos-xe-guestutilities sync upstream.
Sep 10 2019, 10:32 PM · VyOS 1.3 Equuleus
hagbard created T1652: vyos-xe-guestutilities sync upstream.
Sep 10 2019, 10:31 PM · VyOS 1.3 Equuleus
hagbard moved T1597: /usr/sbin/rsyslogd after deleting "system syslog" from Need Triage to In Progress on the VyOS 1.3 Equuleus board.
Sep 10 2019, 10:12 PM · VyOS 1.2 Crux (VyOS 1.2.4), VyOS 1.3 Equuleus
hagbard moved T1597: /usr/sbin/rsyslogd after deleting "system syslog" from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.4) board.
Sep 10 2019, 10:12 PM · VyOS 1.2 Crux (VyOS 1.2.4), VyOS 1.3 Equuleus
hagbard claimed T534: VPN/IPSEC/BGP/DPD - unknown bug, tunnel and interfaces up, but no traffic.

@mario Did you manage to upgrade to 1.2 and if so, do you still have that issue?

Sep 10 2019, 10:05 PM · Rejected
hagbard changed the status of T1597: /usr/sbin/rsyslogd after deleting "system syslog" from Open to Needs testing.

https://github.com/vyos/vyos-1x/commit/d34fd745438951d55c5c4899b2b3c7bfa5d08026

Sep 10 2019, 9:59 PM · VyOS 1.2 Crux (VyOS 1.2.4), VyOS 1.3 Equuleus
hagbard claimed T1597: /usr/sbin/rsyslogd after deleting "system syslog".
Sep 10 2019, 9:26 PM · VyOS 1.2 Crux (VyOS 1.2.4), VyOS 1.3 Equuleus
hagbard changed the status of T1395: Improve boot time for instances with a big count of DHCP servers from In progress to On hold.
Sep 10 2019, 9:02 PM · VyOS 1.3 Equuleus
hagbard added a comment to T1572: Wireguard keyPair per interface.

https://downloads.vyos.io/rolling/current/amd64/vyos-1.2-rolling-201909102147-amd64.iso or later

Sep 10 2019, 8:59 PM · VyOS 1.3 Equuleus
hagbard closed T1649: feature documentation different keypairs per interface as Resolved.

https://vyos.readthedocs.io/en/latest/vpn/wireguard.html

Sep 10 2019, 7:45 PM · VyOS 1.3 Equuleus
hagbard closed T1649: feature documentation different keypairs per interface , a subtask of T1572: Wireguard keyPair per interface, as Resolved.
Sep 10 2019, 7:45 PM · VyOS 1.3 Equuleus
hagbard closed T1650: implement wireguard default key removal, a subtask of T1572: Wireguard keyPair per interface, as Resolved.
Sep 10 2019, 6:44 PM · VyOS 1.3 Equuleus
hagbard closed T1650: implement wireguard default key removal as Resolved.

https://github.com/vyos/vyos-1x/commit/db07e6fa76d90eaf80a06729753fb89266437674

Sep 10 2019, 6:44 PM · VyOS 1.3 Equuleus
hagbard changed the status of T1650: implement wireguard default key removal, a subtask of T1572: Wireguard keyPair per interface, from Open to In progress.
Sep 10 2019, 6:12 PM · VyOS 1.3 Equuleus
hagbard changed the status of T1650: implement wireguard default key removal from Open to In progress.
Sep 10 2019, 6:12 PM · VyOS 1.3 Equuleus
hagbard claimed T1650: implement wireguard default key removal.
Sep 10 2019, 5:59 PM · VyOS 1.3 Equuleus
hagbard created T1650: implement wireguard default key removal.
Sep 10 2019, 5:59 PM · VyOS 1.3 Equuleus
hagbard changed the status of T1649: feature documentation different keypairs per interface , a subtask of T1572: Wireguard keyPair per interface, from Open to In progress.
Sep 10 2019, 5:33 PM · VyOS 1.3 Equuleus
hagbard changed the status of T1649: feature documentation different keypairs per interface from Open to In progress.
Sep 10 2019, 5:33 PM · VyOS 1.3 Equuleus
hagbard closed T1648: add cli command 'delete wireguard named-key <key>', a subtask of T1572: Wireguard keyPair per interface, as Resolved.
Sep 10 2019, 5:33 PM · VyOS 1.3 Equuleus
hagbard closed T1648: add cli command 'delete wireguard named-key <key>' as Resolved.
Sep 10 2019, 5:33 PM · VyOS 1.3 Equuleus
hagbard changed the status of T1572: Wireguard keyPair per interface from In progress to Needs testing.

https://github.com/vyos/vyos-1x/commit/1017c8103f12ebd6db4f250d8a154571fff32db1
Will be available in tomorrow's rolling release for testing. Documentation is underway.

Sep 10 2019, 5:32 PM · VyOS 1.3 Equuleus
c-po added a comment to T1648: add cli command 'delete wireguard named-key <key>'.

Why can I not delete the default key? If I want to drop WireGuard on a device I also want to remove that key.

Sep 10 2019, 5:30 PM · VyOS 1.3 Equuleus
hagbard changed the status of T1648: add cli command 'delete wireguard named-key <key>', a subtask of T1572: Wireguard keyPair per interface, from Open to In progress.
Sep 10 2019, 5:16 PM · VyOS 1.3 Equuleus
hagbard changed the status of T1648: add cli command 'delete wireguard named-key <key>' from Open to In progress.

The default keys can only be overwritten, named-keys can be removed.

Sep 10 2019, 5:16 PM · VyOS 1.3 Equuleus
hagbard claimed T1649: feature documentation different keypairs per interface .
Sep 10 2019, 4:05 PM · VyOS 1.3 Equuleus
hagbard created T1649: feature documentation different keypairs per interface .
Sep 10 2019, 4:05 PM · VyOS 1.3 Equuleus
trystan added a comment to T921: Encrypted DNS.

Just adding a suggestion since cloudflared (argo tunnel) is open source : https://github.com/cloudflare/cloudflared

Sep 10 2019, 3:22 PM · VyOS 1.3 Equuleus
hagbard claimed T1648: add cli command 'delete wireguard named-key <key>'.
Sep 10 2019, 3:13 PM · VyOS 1.3 Equuleus
hagbard created T1648: add cli command 'delete wireguard named-key <key>'.
Sep 10 2019, 3:13 PM · VyOS 1.3 Equuleus
Dmitry triaged T1647: event-handler configurable syslog.pipe level as Wishlist priority.
Sep 10 2019, 11:28 AM · eventwatchd
syncer renamed T1646: - from How do i resolve HP printer driver is unavailable on windows 10 to -.
Sep 10 2019, 9:25 AM · Invalid
Unknown Object (User) created T1646: -.
Sep 10 2019, 9:24 AM · Invalid
Dmitry added a comment to T1417: IPv6 zone based firewall rules can't be modified.

This behavior is not only for ipv6 and appears after task T484

Sep 10 2019, 9:05 AM · VyOS 1.3 Equuleus
Unknown Object (User) updated the task description for T1645: Ammoboard.
Sep 10 2019, 4:20 AM
Unknown Object (User) created T1645: Ammoboard.
Sep 10 2019, 4:20 AM
hagbard closed T1644: Wireguard listen ports lower than 1024 as Wontfix.

I think encapsulating the udp based traffic into tcp is more than counterproductive and makes it an easy DoS target.

Sep 10 2019, 3:36 AM · VyOS 1.2 Crux
Asteroza added a comment to T1644: Wireguard listen ports lower than 1024.

Actually somebody made a nifty websocket tunnel named wstunnel (similar to stunnel conceptually, but websockets is more natural for tunneling generic binary protocols thanks to webRTC...) that seems to work alright for Wireguard.

Sep 10 2019, 1:06 AM · VyOS 1.2 Crux
trystan added a comment to T1644: Wireguard listen ports lower than 1024.

I was thinking some more along the lines of stunnel and wrapping wireguard that way but it would require additional packaging and integration on the vyos side. Luckily whatever outbound filtering is in place for this specific implementation seems to be relatively basic and limited to port blocking/whitelisting.

Sep 10 2019, 12:51 AM · VyOS 1.2 Crux
Asteroza added a comment to T1644: Wireguard listen ports lower than 1024.

As long as the local nginx is not listening on the external interface on udp/443, functionally there should be no limitation to running wireguard on 443 there. A convoluted script to check that the current config has no existing 443 mapping is one solution, but that seems a bit fragile, and wouldn't really tell you where in the config the blocking 443 instance is.

Sep 10 2019, 12:30 AM · VyOS 1.2 Crux

Sep 9 2019

hagbard added a comment to T1644: Wireguard listen ports lower than 1024.

Why not use ports higher than 1024? Port 80 and 443 are so called privileged ports, not sure if that is really required. Port udp/80, udp/443 for instance may interfere in the future with QUIC.

Sep 9 2019, 9:49 PM · VyOS 1.2 Crux
trystan added a comment to T1644: Wireguard listen ports lower than 1024.

Yes, I understand that. The primary request is to be able to set a listen port lower than 1024 without having to create a destination NAT rule to get the same result.

Sep 9 2019, 9:29 PM · VyOS 1.2 Crux
hagbard added a comment to T1644: Wireguard listen ports lower than 1024.

That is the listen port. Endpoints are peer specific, if you have multiple peers on the same interface, each one has of course its own endpoint if you want to initiate the connections. Otherwise, once the other peer connected to your gateway (assuming the handshake was successful), this information is taken from the header.

Sep 9 2019, 9:24 PM · VyOS 1.2 Crux
trystan added a comment to T1644: Wireguard listen ports lower than 1024.
set interfaces wireguard wg1 port 443
Sep 9 2019, 9:14 PM · VyOS 1.2 Crux
hagbard added a comment to T1644: Wireguard listen ports lower than 1024.

@trystan Listen or endpoint? The listen port had been limited to avoid issues with IANA assigned ports.
udp/80 or udp/443 might not be the best option anyway.

Sep 9 2019, 8:57 PM · VyOS 1.2 Crux
hagbard claimed T1644: Wireguard listen ports lower than 1024.
Sep 9 2019, 8:50 PM · VyOS 1.2 Crux
trystan created T1644: Wireguard listen ports lower than 1024.
Sep 9 2019, 7:54 PM · VyOS 1.2 Crux
kroy updated the task description for T1643: Deleting all firewall zones failed and locked out box.
Sep 9 2019, 6:34 PM · VyOS 1.2 Crux
kroy created T1643: Deleting all firewall zones failed and locked out box.
Sep 9 2019, 6:33 PM · VyOS 1.2 Crux
hagbard closed T1639: wireguard pubkey change error as Resolved.

https://github.com/vyos/vyos-1x/commit/f7456361b5b94f3c69f8fa0f34f8bff0ef68f9aa

Sep 9 2019, 4:51 PM · VyOS 1.3 Equuleus
hagbard reopened T1639: wireguard pubkey change error as "Open".
Sep 9 2019, 3:40 PM · VyOS 1.3 Equuleus
dmbaturin claimed T1642: BGP configuration error when using remove-private-as.
Sep 9 2019, 12:31 PM · VyOS 1.3 Equuleus, VyOS 1.2 Crux (VyOS 1.2.3)
dmbaturin edited projects for T1642: BGP configuration error when using remove-private-as, added: VyOS 1.2 Crux (VyOS 1.2.3); removed VyOS 1.2 Crux.
Sep 9 2019, 12:31 PM · VyOS 1.3 Equuleus, VyOS 1.2 Crux (VyOS 1.2.3)
rcit created T1642: BGP configuration error when using remove-private-as.
Sep 9 2019, 12:16 PM · VyOS 1.3 Equuleus, VyOS 1.2 Crux (VyOS 1.2.3)

Sep 8 2019

Daya added a comment to T1641: VRRP conntrack-sync dropping packets passing through the router.

Thanks for that. What I am suspecting is once the maximum value is reached the router is starting to drop packets, rather than clearing the stale connections.

Sep 8 2019, 11:54 PM · VyOS 1.2 Crux (VyOS 1.2.2)
Dmitry added a comment to T1641: VRRP conntrack-sync dropping packets passing through the router.

Hello @Daya , you can set custom kernel params for nf_conntrack

set system sysctl custom net.netfilter.nf_conntrack_max value 786432
set system sysctl custom net.nf_conntrack_max value 786432
Sep 8 2019, 4:37 PM · VyOS 1.2 Crux (VyOS 1.2.2)
Daya renamed T1641: VRRP conntrack-sync dropping packets passing through the router from VRRP conntrack-sync dropping packet to VRRP conntrack-sync dropping packets passing through the router.
Sep 8 2019, 10:49 AM · VyOS 1.2 Crux (VyOS 1.2.2)
Daya created T1641: VRRP conntrack-sync dropping packets passing through the router.
Sep 8 2019, 10:49 AM · VyOS 1.2 Crux (VyOS 1.2.2)

Sep 7 2019

c-po updated the task description for T1640: Update Linux Kernel to v4.19.70.
Sep 7 2019, 10:21 PM · VyOS 1.3 Equuleus
c-po closed T1640: Update Linux Kernel to v4.19.70 as Resolved.
Sep 7 2019, 10:19 PM · VyOS 1.3 Equuleus
c-po created T1640: Update Linux Kernel to v4.19.70.
Sep 7 2019, 10:17 PM · VyOS 1.3 Equuleus
jjakob added a comment to T1604: equuleus: buster: vbash: tab completion breaks.

It still fails in config mode:

vyos@vyos# ls <TAB>
  Configuration path [-o] is not valid
  Set failed
Sep 7 2019, 9:12 PM · VyOS 1.3 Equuleus
jjakob added a comment to T1604: equuleus: buster: vbash: tab completion breaks.

This PR fixes it for me: https://github.com/vyos/vyatta-op/pull/29

Sep 7 2019, 8:19 PM · VyOS 1.3 Equuleus
runar added a comment to T945: Unable to change configuration after changing it from script (vbash + script-template).

As a workaround could this be added as the first lines of the bash script?
This will check the primary group the script executes via and respawn as the vyattacfg group if it's something else before continuing.

if [ "$(id -gn)" != vyattacfg ]; then
    exec sg vyattacfg "$0 $*"
fi

NB! The if is necessary because the script should not execute the exec when you respawn as the correct group.
You will end in an exec loop if it's not there .. :)
I've not tested this on vyos, but it has helped me on other systems

Sep 7 2019, 7:21 PM · VyOS 1.3 Equuleus
jestabro changed the status of T1424: Rewrite the config load script from On hold to In progress.
Sep 7 2019, 3:59 PM · VyOS 1.3 Equuleus
lluu131 added a comment to T1020: OSPF Stops distributing default route after a while.

Using 1.2.3-eap1 frr version 7.2-dev-10290718, there is still a problem that the default route disappears between 30 minutes and 40 minutes.

Sep 7 2019, 2:33 PM · VyOS 1.3 Equuleus

Sep 6 2019

hagbard closed T1639: wireguard pubkey change error as Resolved.

https://github.com/vyos/vyos-1x/commit/189ae4f7096abf7ca7100a4a31e038ce9e3e19c2

Sep 6 2019, 9:52 PM · VyOS 1.3 Equuleus
hagbard claimed T1639: wireguard pubkey change error .
Sep 6 2019, 9:35 PM · VyOS 1.3 Equuleus
hagbard created T1639: wireguard pubkey change error .
Sep 6 2019, 9:35 PM · VyOS 1.3 Equuleus
hagbard changed the status of T1572: Wireguard keyPair per interface from On hold to In progress.
Sep 6 2019, 8:24 PM · VyOS 1.3 Equuleus
hagbard changed the status of T770: Bonded interfaces get updated with incorrect hw-id in config. from In progress to Confirmed.
Sep 6 2019, 7:05 PM · VyOS 1.2 Crux, VyOS 1.3 Equuleus
hagbard added a project to T770: Bonded interfaces get updated with incorrect hw-id in config.: VyOS 1.2 Crux.
Sep 6 2019, 7:04 PM · VyOS 1.2 Crux, VyOS 1.3 Equuleus
hagbard changed the status of T770: Bonded interfaces get updated with incorrect hw-id in config. from On hold to In progress.
Sep 6 2019, 7:03 PM · VyOS 1.2 Crux, VyOS 1.3 Equuleus
hagbard added a comment to T770: Bonded interfaces get updated with incorrect hw-id in config..

Confirmed, same issue in 1.2.2

Sep 6 2019, 6:51 PM · VyOS 1.2 Crux, VyOS 1.3 Equuleus
hagbard changed the status of T770: Bonded interfaces get updated with incorrect hw-id in config. from In progress to On hold.
Sep 6 2019, 6:44 PM · VyOS 1.2 Crux, VyOS 1.3 Equuleus
dmbaturin closed T1624: Failed to set up config session as Resolved.

Works in the latest image for me.

Sep 6 2019, 5:40 PM · VyOS 1.3 Equuleus
dmbaturin closed T1623: Systemd reports dependency cycle during boot, a subtask of T1598: New implementation of the resolv.conf and hosts update mechanism, as Resolved.
Sep 6 2019, 5:39 PM · VyOS 1.2 Crux (VyOS 1.2.3), VyOS 1.3 Equuleus
dmbaturin closed T1623: Systemd reports dependency cycle during boot as Resolved.

It should have been fixed by https://github.com/vyos/vyos-1x/commit/ff05e2a90edf8af5d7b8ad5c69cae2dd40af2c8d It works for me in post-Sep 01 images and I don't see the error in the latest one, but I'm not sure why it would appear in the Sep 01 image if the commit is from Aug 30.

Sep 6 2019, 5:39 PM · VyOS 1.2 Crux (VyOS 1.2.3), VyOS 1.3 Equuleus
dmbaturin closed T1616: 'renew dhcpv6 interface <interfaceName>' command fails, but work within config session as Resolved.

@nirmal The full fix is a bit more complicated. There are two cases: when it's called from conf mode at commit time, it needs to use the value from the proposed config (that's returnValue). However, in op mode, it also re-generates the config, so your fix would make the send dhcp6.client-id option disappear from the config when a user runs renew dhcpv6 interface .... A full fix needs to handle both cases and use returnEffectiveValue in op mode.

Sep 6 2019, 5:27 PM · VyOS 1.2 Crux (VyOS 1.2.3), VyOS 1.3 Equuleus
dmbaturin closed T1478: libvyosconfig parser does not support escaped quotes inside single-quoted strings as Resolved.
Sep 6 2019, 5:00 PM · VyOS 1.3 Equuleus
dmbaturin closed T1479: libvyosconfig error reporting doesn't include line numbers as Resolved.
Sep 6 2019, 4:59 PM · VyOS 1.3 Equuleus
dmbaturin added a comment to T1479: libvyosconfig error reporting doesn't include line numbers.
>>> s="""
... foo {
...   bar {
...     baz quux foo
...   }
... }
... """
>>> import vyos.configtree
>>> c = vyos.configtree.ConfigTree(s)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/vyos/configtree.py", line 167, in __init__
    raise ValueError("Failed to parse config: {0}".format(msg))
ValueError: Failed to parse config: Syntax error on line 4, character 14: Invalid syntax.
Sep 6 2019, 4:46 PM · VyOS 1.3 Equuleus
dmbaturin closed T1360: DNS nameservers from dhcp not set, a subtask of T1598: New implementation of the resolv.conf and hosts update mechanism, as Resolved.
Sep 6 2019, 4:22 PM · VyOS 1.2 Crux (VyOS 1.2.3), VyOS 1.3 Equuleus
dmbaturin closed T1360: DNS nameservers from dhcp not set as Resolved.

It was indeed a bug, caused by the same issue as all other subtasks of T1598: lack of proper synchronization.
If it re-appears, please reopen of course.

Sep 6 2019, 4:22 PM · VyOS 1.2 Crux (VyOS 1.2.3), VyOS 1.3 Equuleus
dmbaturin added a parent task for T1360: DNS nameservers from dhcp not set: T1598: New implementation of the resolv.conf and hosts update mechanism.
Sep 6 2019, 4:21 PM · VyOS 1.2 Crux (VyOS 1.2.3), VyOS 1.3 Equuleus
dmbaturin added a subtask for T1598: New implementation of the resolv.conf and hosts update mechanism: T1360: DNS nameservers from dhcp not set.
Sep 6 2019, 4:21 PM · VyOS 1.2 Crux (VyOS 1.2.3), VyOS 1.3 Equuleus
dmbaturin added a project to T1360: DNS nameservers from dhcp not set: VyOS 1.2 Crux (VyOS 1.2.3).
Sep 6 2019, 4:21 PM · VyOS 1.2 Crux (VyOS 1.2.3), VyOS 1.3 Equuleus
dmbaturin edited projects for T1616: 'renew dhcpv6 interface <interfaceName>' command fails, but work within config session, added: VyOS 1.2 Crux (VyOS 1.2.3); removed VyOS 1.2 Crux (VyOS 1.2.4).
Sep 6 2019, 4:20 PM · VyOS 1.2 Crux (VyOS 1.2.3), VyOS 1.3 Equuleus
dmbaturin edited projects for T1540: Static-host-mappings disappear from /etc/hosts after a while, added: VyOS 1.2 Crux (VyOS 1.2.3); removed VyOS 1.3 Equuleus.
Sep 6 2019, 4:19 PM · VyOS 1.2 Crux (VyOS 1.2.3)
dmbaturin closed T1540: Static-host-mappings disappear from /etc/hosts after a while, a subtask of T1598: New implementation of the resolv.conf and hosts update mechanism, as Resolved.
Sep 6 2019, 4:19 PM · VyOS 1.2 Crux (VyOS 1.2.3), VyOS 1.3 Equuleus
dmbaturin closed T1540: Static-host-mappings disappear from /etc/hosts after a while as Resolved.

Disappearing entries should no longer be a problem, but if it re-appears due to a missing case, please reopen.

Sep 6 2019, 4:19 PM · VyOS 1.2 Crux (VyOS 1.2.3)
dmbaturin renamed T1316: Support for IS-IS from Support for ISIS to Support for IS-IS .
Sep 6 2019, 4:17 PM · VyOS 1.3 Equuleus