
Error when creating QinQ interface without a previously set firewall name, if one is used
Closed, ResolvedPublic

Description

Add an interface referring to a non-existent firewall rule

set interfaces ethernet eth0 vif-s 100 description 'S-VLAN'
set interfaces ethernet eth0 vif-s 100 ethertype '0x8100'
set interfaces ethernet eth0 vif-s 100 vif-c 200 description 'C-VLAN'
set interfaces ethernet eth0 vif-s 100 firewall in name 'test'
commit

[ interfaces ethernet eth0 vif-s 100 firewall in name test ]
Configuration error: Rule set "test" is not configured

[[interfaces ethernet eth0 vif-s 100]] failed
[[interfaces ethernet eth0 vif-s 100 vif-c 200]] failed
Commit failed

Add missing firewall rules

set firewall name test default-action drop
set firewall name test rule 1010 action accept
set firewall name test rule 1010 state established enable

commit


[ interfaces ethernet eth0 vif-s 100 ]
RTNETLINK answers: File exists
Error creating VLAN device eth0.100

[[interfaces ethernet eth0 vif-s 100]] failed
[[interfaces ethernet eth0 vif-s 100 vif-c 200]] failed
Commit failed

As we can see, interface eth0.100 was created.

vyos@vyos-rtr01# sudo ifconfig -a

eth0.100  Link encap:Ethernet  HWaddr 00:0c:29:44:06:c7  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

I think we need to add an additional check or delete the created interfaces on failure.
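The cleanup-on-failure the report asks for, sketched as an added example (not VyOS's own backend code): a POSIX shell helper that refuses to create an outer VLAN device which already exists (the state that produces "RTNETLINK answers: File exists") and deletes whatever it created if a later step fails. It assumes Linux `ip link` syntax and VyOS's `<iface>.<vif-s>.<vif-c>` device naming; the function names (`qinq_create`, `rollback`, `vlan_proto`, `dev_exists`) are hypothetical.

```shell
#!/bin/sh
# Added example, not VyOS code: create a QinQ pair so that a stale device
# from an earlier failed commit is detected up front and a partial result
# is rolled back instead of being left behind.
# Assumptions: Linux `ip link` syntax; VyOS-style names PARENT.SVLAN.CVLAN.

# Map the VyOS "ethertype" value to the protocol keyword `ip link` expects.
vlan_proto() {
    case "$1" in
        0x8100|8100)              echo 802.1Q ;;
        0x88A8|0x88a8|88A8|88a8)  echo 802.1ad ;;
        *) echo "unsupported ethertype: $1" >&2; return 1 ;;
    esac
}

# Succeed if the device already exists (the condition behind "File exists").
dev_exists() {
    ip link show dev "$1" >/dev/null 2>&1
}

# Delete devices created by this run; errors are ignored so that rollback
# never masks the original failure.
rollback() {
    for dev in "$@"; do
        ip link delete dev "$dev" >/dev/null 2>&1 || true
    done
}

# qinq_create PARENT SVLAN CVLAN ETHERTYPE
# Creates PARENT.SVLAN (outer tag) and PARENT.SVLAN.CVLAN (inner tag).
# Prints the inner device name on success; on any failure removes what
# this call created and returns non-zero.
qinq_create() {
    parent=$1; svlan=$2; cvlan=$3; ethertype=$4
    proto=$(vlan_proto "$ethertype") || return 1
    outer="$parent.$svlan"
    inner="$outer.$cvlan"
    created=""

    # Check first: a leftover eth0.100 must not turn into an RTNETLINK error
    # half-way through the commit.
    if dev_exists "$outer"; then
        echo "refusing to create $outer: device already exists (stale from an earlier failed commit?)" >&2
        return 1
    fi

    ip link add link "$parent" name "$outer" type vlan proto "$proto" id "$svlan" || return 1
    created="$outer"

    # The inner (C-VLAN) device always carries a plain 802.1Q tag.
    if ! ip link add link "$outer" name "$inner" type vlan proto 802.1Q id "$cvlan"; then
        echo "creating $inner failed; rolling back: $created" >&2
        rollback $created
        return 1
    fi
    created="$inner $created"

    if ! ip link set dev "$outer" up || ! ip link set dev "$inner" up; then
        echo "bringing devices up failed; rolling back: $created" >&2
        rollback $created
        return 1
    fi
    echo "$inner"
}
```

Running `qinq_create eth0 100 200 0x8100` on a box where `eth0.100` already exists fails before touching the kernel, which is the behaviour the commit in the report lacked; the rollback list is ordered inner-first so that deletion never depends on the parent still existing.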

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0
Why did the issue appear?
Will be filled on close

Event Timeline

Dmitry created this task. Tue, Jul 30, 9:44 AM
Dmitry created this object in space S1 VyOS Public.
syncer assigned this task to c-po. Wed, Aug 7, 6:11 PM
syncer triaged this task as Normal priority.
pasik added a subscriber: pasik. Wed, Aug 7, 7:37 PM
c-po changed Version from - to 1.2.0. Tue, Aug 13, 1:42 PM
c-po updated the task description. Tue, Aug 13, 1:45 PM
c-po updated the task description.
c-po added a comment. (Edited) Tue, Aug 13, 2:01 PM

I have no experience with Q-in-Q but does it even make sense to apply a firewall to the outer side of a Q-in-Q link? I understand to apply a firewall to the vif-c interface inside vif-s (as this can be treated as any regular vlan interface) but a firewall on the encapsulated interface?

Does this link even see "IP addresses"?

c-po changed the task status from Open to Backport candidate. Tue, Aug 13, 2:18 PM

Sometimes vif-s is used for management and may contain non-encapsulated traffic which needs to be handled by the firewall.

c-po added a comment. Tue, Aug 13, 6:36 PM

Okay. Please test with latest rolling so we can possibly backport this to crux.

c-po closed this task as Resolved. Sat, Aug 17, 12:40 AM
c-po moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.3) board.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.