PR for Jump: https://github.com/vyos/vyos-1x/pull/1553
Feed All Stories
Sep 22 2022
Sep 22 2022
n.fort added a comment to T4699: Firewall - Add jump action - Add return action.
Unknown Object (User) added a comment to T874: Support for Two Factor Authentication for CLI access via Google Authenticator/OTP.
PR with feature request:
https://github.com/vyos/vyos-1x/pull/1555
v.huti added a comment to T4180: Support for QoS Policy Propagation via BGP (QPPB).
DEMO
===============================================
To demonstrate the feature let's look at the following topology
jack9603301 added a comment to T4706: NAT and NAT66 issues.
@sdev @Netboy3 I'll test if the new implementation is done and if the bug is fixed I'll close this PR, thanks
Netboy3 added a comment to T4706: NAT and NAT66 issues.
@jack9603301 I've tested your updated PR and it seems to work well now. Thank you for the quick response.
@sdev I've tested your PR and it seems to also fix both issues. I did not test anything beyond DNAT port only in both ip and ip6 families.
Sep 21 2022
Sep 21 2022
n.fort renamed T4699: Firewall - Add jump action - Add return action from Firewall - Add jump action to Firewall - Add jump action - Add return action.
c-po closed T4703: accel-ppp: combine vlan-id and vlan-range into single CLI node, a subtask of T4678: Rewrite service ipoe-server to get_config_dict, as Resolved.
c-po updated the task description for T4703: accel-ppp: combine vlan-id and vlan-range into single CLI node.
sarthurdev added a comment to T4706: NAT and NAT66 issues.
Included a fix for this in NAT refactor: https://github.com/vyos/vyos-1x/pull/1552
sarthurdev added a comment to T4605: Firewall change default table names.
PR for NAT included with refactor: https://github.com/vyos/vyos-1x/pull/1552
c-po changed the status of T4678: Rewrite service ipoe-server to get_config_dict from Open to In progress.
Netboy3 added a comment to T4706: NAT and NAT66 issues.
@jack9603301, your PR solves the NAT66 issue - thank you. However, the change you made to nat.py to try to solve the NAT44 issue is not complete and seem to also require a template change. I'll post additional details in the PR.
n.fort added a comment to T4699: Firewall - Add jump action - Add return action.
Since jump action was added, It would be good to also add "return" action
jack9603301 added a comment to T4706: NAT and NAT66 issues.
Cheeze_It added a comment to T4707: Enable OSPF segment routing.
Initial PR here, https://github.com/vyos/vyos-1x/pull/1551.
Sep 20 2022
Sep 20 2022
Cheeze_It added a comment to T4693: ISIS segment routing was broken....
It seems we have working ISIS segment routing:
jack9603301 added a comment to T4706: NAT and NAT66 issues.
@Netboy3 Let me modify the template to support
Sep 19 2022
Sep 19 2022
Viacheslav added a project to T4704: Allow to set metric (MED) to rtt with rtt,+rtt or -rtt: VyOS 1.4 Sagitta.
Netboy3 added a comment to T4706: NAT and NAT66 issues.
Why would you enforce an address? It is perfectly OK to have port-only DNAT66 without any destination address such as:
nft add rule ip6 nat PREROUTING iifname eth1 counter tcp dport 443 dnat to :3000
Problem is that the test logic breaks on this and spits out a wrong statement to NFT that barfs on it.
jack9603301 added a comment to T4706: NAT and NAT66 issues.
Maybe we should add check to NAT66 to enforce the given address
n.fort changed the status of T4699: Firewall - Add jump action - Add return action from In progress to Needs testing.
Sep 18 2022
Sep 18 2022
jmarmorato added a comment to T4694: Allow VyOS Firewall to Match Outbound IPSec Traffic.
@n.fort Maybe set firewall name <name> rule <rule> ipsec match-gre? This feels a bit hacky though... Almost like match should be its own block and contain ipsec, none, or gre
Sep 17 2022
Sep 17 2022
roedie moved T4526: keepalived-fifo.py unable to load config from Need Triage to Finished on the VyOS 1.4 Sagitta board.
roedie moved T4665: Keepalived cannot use same VRID for VRRPv2 and VRRPv3 from Need Triage to Finished on the VyOS 1.4 Sagitta board.
It works for me (tm)
c-po moved T4702: Wireguard peers configuration is not synchronized with CLI from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.3) board.
c-po added a comment to T4702: Wireguard peers configuration is not synchronized with CLI.
PR for VyOS 1.3.3 https://github.com/vyos/vyos-1x/pull/1548
c-po moved T4703: accel-ppp: combine vlan-id and vlan-range into single CLI node from Need Triage to In Progress on the VyOS 1.4 Sagitta board.
c-po moved T4702: Wireguard peers configuration is not synchronized with CLI from Need Triage to Finished on the VyOS 1.4 Sagitta board.
c-po changed Why the issue appeared? from none to implementation-mistake on T4702: Wireguard peers configuration is not synchronized with CLI.
c-po changed the status of T4702: Wireguard peers configuration is not synchronized with CLI from Confirmed to Needs testing.
c-po edited projects for T4702: Wireguard peers configuration is not synchronized with CLI, added: VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus.
jack9603301 added a comment to T4689: Support RFS(Receive Flow Steering).
Sep 16 2022
Sep 16 2022
c-po changed the status of T4703: accel-ppp: combine vlan-id and vlan-range into single CLI node from Open to In progress.
n.fort added a comment to T4699: Firewall - Add jump action - Add return action.
danhusan awarded T4702: Wireguard peers configuration is not synchronized with CLI a Love token.
Viacheslav added a comment to T4557: fastnetmon: allow configure limits per protocol (tcp, udp, icmp).
PR https://github.com/vyos/vyos-1x/pull/1545
PR https://github.com/vyos/vyatta-cfg-system/pull/185
set service ids ddos-protection direction 'in' set service ids ddos-protection listen-interface 'eth1' set service ids ddos-protection mode mirror set service ids ddos-protection threshold general fps '1000' set service ids ddos-protection threshold general mbps '200' set service ids ddos-protection threshold general pps '150000' set service ids ddos-protection threshold tcp fps '25' set service ids ddos-protection threshold tcp mbps '55' set service ids ddos-protection threshold tcp pps '155' set service ids ddos-protection threshold udp fps '100' set service ids ddos-protection threshold udp mbps '100' set service ids ddos-protection threshold udp pps '100' set service ids ddos-protection threshold icmp fps '200' set service ids ddos-protection threshold icmp mbps '210' set service ids ddos-protection threshold icmp pps '2040'
Expected fastnermon config entries:
# General threshold ban_for_flows = on threshold_flows = 1000 ban_for_bandwidth = on threshold_mbps = 200 ban_for_pps = on threshold_pps = 150000
zsdc raised the priority of T4702: Wireguard peers configuration is not synchronized with CLI from Normal to High.
zsdc renamed T4702: Wireguard peers configuration is not synchronized with CLI from A `disable` option does not work for Wireguard peers to Wireguard peers configuration is not synchronized with CLI.
n.fort changed the status of T4701: Firewall - Implement global option to use one single general chian from Open to In progress.
n.fort changed the status of T4700: Firewall - Add interface match criteria from Open to In progress.
n.fort changed the status of T4699: Firewall - Add jump action - Add return action from Open to In progress.
Viacheslav changed the status of T3896: Extend ocserv support to allow for per-group configs from Open to Needs testing.
c-po changed the status of T4656: Support the listen-host config field of openconnect server from In progress to Needs testing.
c-po closed T4698: Drop validator name="range" and replace it with numeric, a subtask of T4669: Extend numeric.ml for inversion of values and range values, as Resolved.
Viacheslav changed the status of T4697: policy route: Generating ConfigError failes when tcp flag is missing on set tcp-mss rule commit from Open to In progress.
c-po changed Why the issue appeared? from none to other on T4698: Drop validator name="range" and replace it with numeric.
Cheeze_It added a comment to T4693: ISIS segment routing was broken....
Added a new pull request to make ISIS segment routing work again.
Sep 15 2022
Sep 15 2022
vishvas added a comment to T1973: Allow route-map to match on BGP local preference value.
Dear Sir
Will it work with 1.4 ?
BR
Vishvas
Sophie added a comment to T160: Support NAT64.
Jool is still being maintained for bugfixes etc. and it has all the features we're looking for, then it sounds fairly ideal. If no new features are being added to it, it's less likely to break in future releases too
syncer moved T4695: Add 'es' and 'jp106' keymap option keyboard-layout from Need Triage to In Progress on the VyOS 1.4 Sagitta board.
jack9603301 updated subscribers of T4689: Support RFS(Receive Flow Steering).
I re-reviewed this PR and the following commit from @c-po
xPakrikx added a comment to T4687: Canot change configuration after image update from 202207220217 to 202209090217.
Ok now its working. Thanks. My bad.
v.huti added a comment to T4180: Support for QoS Policy Propagation via BGP (QPPB).
Changes on the FRR side:
- Convert xdp helper library to an optional plugin + bgp hook
- Minor fixes + cleanups
- Figured out most of the permission problems
Changes on the XDP side:
- Convert mappings from legacy iproute format to the latest libbpf one
- New mappings improve debugging experience by implementing pretty-printing for XDP map dumping
- Added an xdp-loader for xdp-tools repo