Sep 16 2022
set service ids ddos-protection direction 'in'
set service ids ddos-protection listen-interface 'eth1'
set service ids ddos-protection mode mirror
set service ids ddos-protection threshold general fps '1000'
set service ids ddos-protection threshold general mbps '200'
set service ids ddos-protection threshold general pps '150000'
set service ids ddos-protection threshold tcp fps '25'
set service ids ddos-protection threshold tcp mbps '55'
set service ids ddos-protection threshold tcp pps '155'
set service ids ddos-protection threshold udp fps '100'
set service ids ddos-protection threshold udp mbps '100'
set service ids ddos-protection threshold udp pps '100'
set service ids ddos-protection threshold icmp fps '200'
set service ids ddos-protection threshold icmp mbps '210'
set service ids ddos-protection threshold icmp pps '2040'
Expected fastnetmon config entries:
# General threshold
ban_for_flows = on
threshold_flows = 1000
ban_for_bandwidth = on
threshold_mbps = 200
ban_for_pps = on
threshold_pps = 150000
Added a new pull request to make ISIS segment routing work again.
Sep 15 2022
Will it work with 1.4?
Jool is still being maintained for bugfixes etc. and it has all the features we're looking for, then it sounds fairly ideal. If no new features are being added to it, it's less likely to break in future releases too.
I re-reviewed this PR and the following commit from @c-po
OK, now it's working. Thanks. My bad.
Changes on the FRR side:
- Convert xdp helper library to an optional plugin + bgp hook
- Minor fixes + cleanups
- Figured out most of the permission problems
Changes on the XDP side:
- Convert mappings from legacy iproute format to the latest libbpf one
- New mappings improve debugging experience by implementing pretty-printing for XDP map dumping
- Added an xdp-loader for xdp-tools repo
PR adding libpam-google-authenticator package to VyOS:
It seems that we have two constraints here.
Made a fix and now we have:
Let me see if I can fix it.
Doing further testing, it seems adding the explicit-null broke the configuration:
Good news. It seems the patch worked properly. Here we show MPLS labels generated via segment routing for the prefix command:
Sep 14 2022
As I mentioned above, use it before the configuration; it is described in the doc.
Interesting article on how and when to match ipsec options: https://thermalcircle.de/doku.php?id=blog:linux:nftables_demystifying_ipsec_expressions
PR for 1.3 https://github.com/vyos/vyos-1x/pull/1539
Do you have a proposed cli format?
Added a pull request for this fix.
Nope, I use CLI for configuration and a script for vrrp (wireguard interface enable/disable).
Sep 13 2022
Fix for 1.3 https://github.com/vyos/vyos-build/pull/261
This is also an issue on the 1.3.x builds due to a similar issue. See https://github.com/jordansissel/fpm/issues/1923
set firewall interface ethXvX
It seems you use some custom scripts for configuration
You have to use
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi
before your configuration script
Sep 12 2022
Refactor PR: https://github.com/vyos/vyos-1x/pull/1534
PR for filter tables: https://github.com/vyos/vyos-1x/pull/1534
Should be fixed in https://github.com/vyos/vyatta-cfg-firewall/pull/34