Watcher7 (Watcher7)
User

Projects

User does not belong to any projects.

User Details

User Since
Apr 2 2018, 11:24 PM (28 w, 6 d)

Recent Activity

Fri, Oct 12

Watcher7 added a comment to T891: Current multi-table usage with VRF-netns tables in FRR is partially broken for PBR..

I had already created a task for a new syntax and linked it as a related task, would you like me to create a new separate one?

Fri, Oct 12, 8:37 PM · VyOS 1.2.x (VyOS 1.2.0-rc4)

Thu, Oct 11

Watcher7 added a comment to T891: Current multi-table usage with VRF-netns tables in FRR is partially broken for PBR..

You're probably right. I thought I had a potential conflict if it started first, but now I can't think of what it was. Maybe there wasn't a conflict to begin with.
Being able to apply both an interface and next hop to the same route would still be extremely useful though, but could be slated for later I guess.
There is still the question of why FRR can't figure out what to do with separate interface routes in the same table.

Thu, Oct 11, 5:04 PM · VyOS 1.2.x (VyOS 1.2.0-rc4)
Watcher7 added a comment to T891: Current multi-table usage with VRF-netns tables in FRR is partially broken for PBR..

@UnicronNL
Yes. It's a double issue actually. Hopefully this explains it better:

  1. The next-hop based routes in the alternate routing tables seem to be unaware of interface routes in the same table.
  2. VyOS command syntax cannot currently specify both a next-hop and interface for the same static route, despite FRR being able to do so.
    • FRR will attempt to add an interface to a next-hop route (based on which interface has a subnet that includes the next hop) automatically, but this information is not preserved in the VyOS config file.
    • Since FRR starts prior to VRRP (keepalived), interfaces with ONLY 'virtual' addresses will not receive FRR's automatic interface detection because they do not have a subnet when the route is created. This renders the routes unreachable and FRR does not refresh their status.

Thu, Oct 11, 4:56 PM · VyOS 1.2.x (VyOS 1.2.0-rc4)
Watcher7 added a comment to T891: Current multi-table usage with VRF-netns tables in FRR is partially broken for PBR..

Further examination of this issue indicates that some of the behavior may be caused by FRR starting prior to VRRP on boot, and backup VRRP routers with VIP only interfaces.

Thu, Oct 11, 5:56 AM · VyOS 1.2.x (VyOS 1.2.0-rc4)
Watcher7 added a subtask for T891: Current multi-table usage with VRF-netns tables in FRR is partially broken for PBR.: T611: Static route syntax should reflect `ip` command routing capabilities, if possible..
Thu, Oct 11, 5:20 AM · VyOS 1.2.x (VyOS 1.2.0-rc4)
Watcher7 added a parent task for T611: Static route syntax should reflect `ip` command routing capabilities, if possible.: T891: Current multi-table usage with VRF-netns tables in FRR is partially broken for PBR..
Thu, Oct 11, 5:20 AM · VyOS 1.3.x
Watcher7 created T891: Current multi-table usage with VRF-netns tables in FRR is partially broken for PBR..
Thu, Oct 11, 5:20 AM · VyOS 1.2.x (VyOS 1.2.0-rc4)

Aug 30 2018

Watcher7 added a comment to T814: Issue with VRRP preempt-delay..

Pull request: https://github.com/vyos/vyos-1x/pull/47

Aug 30 2018, 10:10 PM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)
Watcher7 claimed T814: Issue with VRRP preempt-delay..
Aug 30 2018, 10:05 PM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)
Watcher7 created T814: Issue with VRRP preempt-delay..
Aug 30 2018, 9:57 PM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)
Watcher7 closed T813: VRRP VRID duplication check has wrong conditional logic as Resolved.
Aug 30 2018, 7:52 PM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)
Watcher7 added a comment to T427: Wireguard support.

I believe /usr/share/vyos/interface-types.json needs to be patched to handle wireguard interfaces so that they show up in show interfaces. Scratch that, it's there, but they don't seem to appear in show interfaces.

Aug 30 2018, 6:59 PM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)
Watcher7 created T813: VRRP VRID duplication check has wrong conditional logic.
Aug 30 2018, 6:48 PM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)

Aug 24 2018

Watcher7 added a comment to T427: Wireguard support.

Fantastic, thank you for your hard work.
It seems wireguard will handle MTU changes beyond the default 1420 on its interfaces cleanly. Can I suggest that the MTU be made modifiable under set interfaces wireguard wg0 mtu <size>? This would be nice for situations where fragmentation between wireguard peer connections is acceptable.

Aug 24 2018, 3:13 AM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)

May 11 2018

Watcher7 added a comment to T628: StrongSwan requires configuration change for proper routing over VTI..

With install_routes disabled so that VTI works, I've managed to recreate the route for prefix based tunnels using iproute2.
ex: `ip route add <remote_prefix> via <default_route> dev <ipsec_interface> table 220 proto static src <local_prefix_addr>`
It seems we already have all the required information to manually create the routes outside of strongswan.
This would mean that VTI and other IPSec tunnels could co-exist.

May 11 2018, 9:09 PM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)

May 10 2018

Watcher7 added a comment to T628: StrongSwan requires configuration change for proper routing over VTI..

@c-po install_routes = 0 can be added to any strongswan.conf (/etc/strongswan.conf, /etc/strongswan.d/*) file as long as it's inside the charon section I believe.

May 10 2018, 2:06 PM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)
Watcher7 triaged T628: StrongSwan requires configuration change for proper routing over VTI. as High priority.
May 10 2018, 4:03 AM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)
Watcher7 updated the task description for T628: StrongSwan requires configuration change for proper routing over VTI..
May 10 2018, 2:20 AM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)
Watcher7 created T628: StrongSwan requires configuration change for proper routing over VTI..
May 10 2018, 2:20 AM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)
Watcher7 updated the task description for T627: IPSec configuration directive deletion fails, causes bad IPSec state on reboot. .
May 10 2018, 2:09 AM · VyOS 1.2.x (VyOS 1.2.0-rc4)
Watcher7 created T627: IPSec configuration directive deletion fails, causes bad IPSec state on reboot. .
May 10 2018, 2:08 AM · VyOS 1.2.x (VyOS 1.2.0-rc4)

May 5 2018

Watcher7 created T621: Allow image pruning by list index..
May 5 2018, 11:02 PM · VyOS 1.3.x

Apr 29 2018

Watcher7 updated the task description for T611: Static route syntax should reflect `ip` command routing capabilities, if possible..
Apr 29 2018, 8:29 PM · VyOS 1.3.x
Watcher7 updated the task description for T611: Static route syntax should reflect `ip` command routing capabilities, if possible..
Apr 29 2018, 3:44 PM · VyOS 1.3.x
Watcher7 created T611: Static route syntax should reflect `ip` command routing capabilities, if possible..
Apr 29 2018, 3:41 PM · VyOS 1.3.x

Apr 3 2018

Watcher7 closed T595: System flow-accounting seems to be broken. as Resolved.
Apr 3 2018, 10:34 AM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)
Watcher7 added a comment to T595: System flow-accounting seems to be broken..

Initial observation was wrong. Field headers do not seem to match to values.

Apr 3 2018, 6:12 AM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)
Watcher7 changed the status of T595: System flow-accounting seems to be broken. from Open to In progress.
Apr 3 2018, 6:08 AM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)
Watcher7 added a comment to T595: System flow-accounting seems to be broken..

Decided to take an actual look at the script. Seems to be a change in pmacct's output, specifically new fields between TOS ($tos) and PACKETS ($pkts).

Apr 3 2018, 2:47 AM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)

Apr 2 2018

Watcher7 created T595: System flow-accounting seems to be broken..
Apr 2 2018, 11:51 PM · VyOS-1.2.0-LTS, VyOS 1.2.x (VyOS 1.2.0-rc1)