
WAN load-balancing fails when !<x.x.x.x/x> is configured in rules
Closed, Resolved | Public | BUG

Description

Hello!

If a rule with inverse selection is added in load-balancing, the WANLOADBALANCE_PRE chain becomes empty. Example:

[edit load-balancing wan]
vyos@test-01# show rule 10
 inbound-interface eth2
 interface eth0 {
     weight 10
 }
 interface eth1 {
     weight 10
 }
 protocol all
[edit load-balancing wan]
vyos@test-01# sudo iptables -t mangle -L WANLOADBALANCE_PRE -n -v 
Chain WANLOADBALANCE_PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ISP_eth0   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW statistic mode random probability 0.50000000000
    0     0 ISP_eth1   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
[edit load-balancing wan]
vyos@test-01# set rule 10 destination address !192.168.0.0/16
[edit load-balancing wan]
vyos@test-01# commit
[edit load-balancing wan]
vyos@test-01# sudo iptables -t mangle -L WANLOADBALANCE_PRE -n -v 
Chain WANLOADBALANCE_PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
[edit load-balancing wan]

The same happens if source address !192.168.0.0/16 is added.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-rolling+201902140337
Why the issue appeared?
Will be filled on close

Event Timeline

zsdc created this task. Feb 14 2019, 9:26 PM
hagbard claimed this task. Feb 14 2019, 10:54 PM
hagbard changed the task status from Open to Confirmed.

LBDecision::execute(): applying command to system: iptables -t mangle -A WANLOADBALANCE_PRE -i eth1 --proto all --destination ! 192.168.0.0/16 -m state --state NEW -j ISP_eth1
Bad argument `192.168.0.0/16'
Try `iptables -h' or 'iptables --help' for more information.
LBDecision::execute(): applying command to system: iptables -t mangle -A WANLOADBALANCE_PRE -i eth1 --proto all --destination ! 192.168.0.0/16 -j CONNMARK --restore-mark
Bad argument `192.168.0.0/16'
Try `iptables -h' or 'iptables --help' for more information.

There we go. So it's a syntax issue when calling iptables.
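Added example, not part of this thread or of the vyatta-wanloadbalance code: iptables takes the negation before the option (`! --destination 192.168.0.0/16`), not between the option and its value as in the failing commands above. The helper names `addr_match`, `build_rule` and `chain_rule_count` are hypothetical; the script builds the corrected argument order from a VyOS-style `!addr` value and counts the rules in a chain listing so an empty chain after commit can be detected.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not VyOS code.

# Convert a VyOS-style address value ("a.b.c.d/n" or "!a.b.c.d/n") into an
# iptables match with the negation placed before the option.
addr_match() {
    opt=$1 val=$2 neg=""
    case $val in
        '!'*) neg="! "; val=${val#'!'} ;;
    esac
    # Allow only digits, dots and a slash before the value reaches a command line.
    case $val in
        ''|*[!0-9./]*) echo "invalid address: $val" >&2; return 1 ;;
    esac
    # Shape check only (dotted quad, optional /0-32); octet ranges are not verified.
    printf '%s\n' "$val" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' ||
        { echo "invalid address: $val" >&2; return 1; }
    printf '%s%s %s' "$neg" "$opt" "$val"
}

# Rebuild the first command from the log with the corrected argument order.
# Arguments: inbound interface, destination value, target chain.
build_rule() {
    m=$(addr_match --destination "$2") || return 1
    printf 'iptables -t mangle -A WANLOADBALANCE_PRE -i %s --proto all %s -m state --state NEW -j %s' \
        "$1" "$m" "$3"
}

# Count rules in `iptables -t mangle -L <chain> -n -v` output read from stdin
# (skips the "Chain ..." line and the column header).
# 0 after a commit means every -A call failed, as in the report.
chain_rule_count() {
    awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
}

# Print the corrected form of the command that failed in the log.
build_rule eth1 '!192.168.0.0/16' ISP_eth1; echo
```

Piping the output of `sudo iptables -t mangle -L WANLOADBALANCE_PRE -n -v` into `chain_rule_count` after a commit gives a quick check that the rules were actually installed.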

hagbard added a comment. Edited Feb 14 2019, 11:37 PM

@zsdc All right, http://dev.packages.vyos.net/repositories/current/vyos/pool/main/v/vyatta-wanloadbalance/vyatta-wanloadbalance_0.13.70+vyos2+current1_amd64.deb should solve the issue you are seeing. The code of the binary is good for another dozen bug tickets =)
Pls let me know if it works as expected, since I only tested your particular use case.

hagbard changed the task status from Confirmed to Needs testing. Feb 14 2019, 11:37 PM
hagbard triaged this task as Normal priority.

@zsdc Is it working for you with the package above?

@hagbard It fixes the issue with WANLOADBALANCE_PRE chain, but we still observe unexpected behavior.
I will write a little bit more later.

hagbard closed this task as Resolved. Feb 19 2019, 4:18 PM
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.
syncer moved this task from Needs Triage to In Progress on the VyOS 1.2 Crux (VyOS 1.2.1) board.
syncer reopened this task as In progress.

@hagbard It fixes the issue with WANLOADBALANCE_PRE chain, but we still observe unexpected behavior.
I will write a little bit more later.

Just open a new bug ticket and we go from there.

@hagbard Last rolling has no issue.
Everything works as expected.

hagbard closed this task as Resolved. Edited Feb 25 2019, 5:08 PM

Awesome, thx.