Page MenuHomeVyOS Platform
Create Task
Maniphest T1247

WAN load-balancing fail when !<x.x.x.x/x> configured in rules
Closed, ResolvedPublicBUG
Actions

Description

Hello!

If in load-balancing add rule with inverse selection WANLOADBALANCE_PRE chain becomes empty. Example:

[edit load-balancing wan]
vyos@test-01# show rule 10
 inbound-interface eth2
 interface eth0 {
     weight 10
 }
 interface eth1 {
     weight 10
 }
 protocol all
[edit load-balancing wan]
vyos@test-01# sudo iptables -t mangle -L WANLOADBALANCE_PRE -n -v 
Chain WANLOADBALANCE_PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ISP_eth0   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW statistic mode random probability 0.50000000000
    0     0 ISP_eth1   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
[edit load-balancing wan]
vyos@test-01# set rule 10 destination address !192.168.0.0/16
[edit load-balancing wan]
vyos@test-01# commit
[edit load-balancing wan]
vyos@test-01# sudo iptables -t mangle -L WANLOADBALANCE_PRE -n -v 
Chain WANLOADBALANCE_PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
[edit load-balancing wan]

The same situation will be if add source address !192.168.0.0/16.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-rolling+201902140337
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

zsdc created this task.Feb 14 2019, 9:26 PM
hagbard added a subscriber: hagbard.EditedFeb 14 2019, 9:48 PM

Happens in /opt/vyatta/sbin/wan_lb.

https://github.com/vyos/vyatta-wanloadbalance/blob/current/src/lbdecision.cc

hagbard changed the task status from Open to Confirmed.Feb 14 2019, 10:54 PM
hagbard claimed this task.
hagbard added a comment.Feb 14 2019, 11:06 PM

LBDecision::execute(): applying command to system: iptables -t mangle -A WANLOADBALANCE_PRE -i eth1 --proto all --destination ! 192.168.0.0/16 -m state --state NEW -j ISP_eth1
Bad argument `192.168.0.0/16'
Try `iptables -h' or 'iptables --help' for more information.
LBDecision::execute(): applying command to system: iptables -t mangle -A WANLOADBALANCE_PRE -i eth1 --proto all --destination ! 192.168.0.0/16 -j CONNMARK --restore-mark
Bad argument `192.168.0.0/16'
Try `iptables -h' or 'iptables --help' for more information.

There we go. So it's a syntax issue when calling iptables.

hagbard added a comment.EditedFeb 14 2019, 11:37 PM

@zsdc All right, http://dev.packages.vyos.net/repositories/current/vyos/pool/main/v/vyatta-wanloadbalance/vyatta-wanloadbalance_0.13.70+vyos2+current1_amd64.deb should solve the issue you are seeing. The code of the binary is good for another dozen bug tickets =)
Pls let me know if it works as expected, since I only tested your particular use case.

hagbard changed the task status from Confirmed to Needs testing.Feb 14 2019, 11:37 PM
hagbard triaged this task as Normal priority.
hagbard added a comment.Feb 15 2019, 5:29 PM

@zsdc Is it working for you with the package above?

hagbard moved this task from Need Triage to In Progress on the VyOS 1.2 Crux board.Feb 15 2019, 9:36 PM
oleksandr.ovsiannikov added a subscriber: oleksandr.ovsiannikov.Feb 19 2019, 8:56 AM

@hagbardIt fixes the issue with WANLOADBALANCE_PRE chain, but we still observe unexpected behavior.
I will write a little bit more letter.

oleksandr.ovsiannikov added a comment.Feb 19 2019, 10:29 AM

http://dev.packages.vyos.net/repositories/current/vyos/pool/main/v/vyatta-wanloadbalance/vyatta-wanloadbalance_0.13.70+vyos2+current1_amd64.deb
solving the issue
it may be closed

hagbard closed this task as Resolved.Feb 19 2019, 4:18 PM
syncer reopened this task as In progress.Feb 19 2019, 4:20 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.1), VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.
syncer moved this task from Needs Triage to In Progress on the VyOS 1.2 Crux (VyOS 1.2.1) board.
hagbard added a comment.Feb 19 2019, 4:22 PM
In T1247#32887, @oleksandr.ovsiannikov wrote:

@hagbardIt fixes the issue with WANLOADBALANCE_PRE chain, but we still observe unexpected behavior.
I will write a little bit more letter.

Just open a new bug ticket and we go from there.

hagbard added a comment.Feb 22 2019, 9:14 PM

@oleksandr.ovsiannikov any updates?

oleksandr.ovsiannikov added a comment.Feb 25 2019, 8:55 AM

@hagbard last rolling has no issue.
everything works as expected

hagbard closed this task as Resolved.EditedFeb 25 2019, 5:08 PM

Awesome, thx.

syncer moved this task from In Progress to Finished on the VyOS 1.2 Crux (VyOS 1.2.1) board.Apr 17 2019, 7:31 PM
dmbaturin removed a project: VyOS 1.3 Equuleus.Sep 10 2021, 6:38 AM
dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
dmbaturin set Issue type to Unspecified (please specify).