Unable to remove rule from prefix list
Closed, Resolved
Public

Description

# show policy prefix-list uniwerek-reject 
 rule 100 {
     action permit
     prefix 85.194.244.0/22
 }
 rule 200 {
     action permit
     prefix 195.114.1.0/24
 }
 rule 300 {
     action permit
     prefix 118.123.20.0/23
 }
 rule 400 {
     action permit
     prefix 46.248.160.0/19
 }
 rule 500 {
     action permit
     prefix 91.192.0.0/22
 }
 rule 600 {
     action permit
     prefix 46.248.160.0/19
 }
 rule 700 {
     action permit
     prefix 46.248.160.0/19
 }
[edit]

And after trying to remove rule 600 and 700:

# delete policy prefix-list uniwerek-reject rule 600
[edit]
# delete policy prefix-list uniwerek-reject rule 700
[edit]
# show policy prefix-list uniwerek-reject 
 rule 100 {
     action permit
     prefix 85.194.244.0/22
 }
 rule 200 {
     action permit
     prefix 195.114.1.0/24
 }
 rule 300 {
     action permit
     prefix 118.123.20.0/23
 }
 rule 400 {
     action permit
     prefix 46.248.160.0/19
 }
 rule 500 {
     action permit
     prefix 91.192.0.0/22
 }
-rule 600 {
-    action permit
-    prefix 46.248.160.0/19
-}
-rule 700 {
-    action permit
-    prefix 46.248.160.0/19
-}
[edit]
# commit
[ policy prefix-list uniwerek-reject rule 600 ]
% Can't find specified prefix-list

[[policy prefix-list uniwerek-reject]] failed
Commit failed
[edit]

Details

Difficulty level
Easy (less than an hour)
Version
1.1.7
paszczus created this task. Mar 24 2016, 1:05 PM

What happens if you delete the prefix entry first and then delete the rule?

Something like:

  1. delete policy prefix-list uniwerek-reject rule 600 prefix 46.248.160.0/19
  2. commit
  3. delete policy prefix-list uniwerek-reject rule 600
  4. commit

I was trying that before, but you cannot leave a rule without a prefix or action:

# delete policy prefix-list uniwerek-reject rule 600 prefix 46.248.160.0/19
[edit]
# commit
[ policy prefix-list uniwerek-reject rule 600 ]
You must specify a prefix

[[policy prefix-list uniwerek-reject]] failed
Commit failed
murmaider added a comment. Edited Mar 26 2016, 7:15 AM

I was able to replicate this on my side in a lab.

The issue occurs when duplicate IPs are entered in 2 different prefix rules and committed at the same time: it doesn't make its way into the quagga prefix_list for the seq number of the duplicate.

vyos@vyos# set policy prefix-list uniwerek-reject rule 600 action permit
[edit]
vyos@vyos# set policy prefix-list uniwerek-reject rule 600 prefix 46.248.160.0/19
[edit]
vyos@vyos# set policy prefix-list uniwerek-reject rule 700 action permit
[edit]
vyos@vyos# set policy prefix-list uniwerek-reject rule 700 prefix 46.248.160.0/19
[edit]
vyos@vyos# commit
[ policy prefix-list uniwerek-reject rule 700 ]
% Insertion failed - prefix-list entry exists:
   seq 600 permit 46.248.160.0/19

[edit]
vyos@vyos# delete policy prefix-list uniwerek-reject rule 700
[edit]
vyos@vyos# commit
[ policy prefix-list uniwerek-reject rule 700 ]
% Can't find specified prefix-list

[[policy prefix-list uniwerek-reject]] failed
Commit failed
[edit]
vyos@vyos:~$ show ip prefix-list
ZEBRA: ip prefix-list uniwerek-reject: 1 entries
   seq 600 permit 46.248.160.0/19
RIP: ip prefix-list uniwerek-reject: 1 entries
   seq 600 permit 46.248.160.0/19
OSPF: ip prefix-list uniwerek-reject: 1 entries
   seq 600 permit 46.248.160.0/19
BGP: ip prefix-list uniwerek-reject: 1 entries
   seq 600 permit 46.248.160.0/19

Solution to remove them:

  1. See which seq number the prefix is listed on in "show ip prefix-list" (in the above example, it's 600).
  2. Change the prefix of the duplicate rule that isn't showing in the "show ip prefix-list" (in the above example, it's 700). This will install a valid prefix into the quagga prefix_list.
  3. commit
  4. delete the duplicate prefix_list
  5. commit
vyos@vyos# delete policy prefix-list uniwerek-reject rule 700
[edit]
vyos@vyos# commit
[ policy prefix-list uniwerek-reject rule 700 ]
% Can't find specified prefix-list

[[policy prefix-list uniwerek-reject]] failed
Commit failed
[edit]
vyos@vyos# set policy prefix-list uniwerek-reject rule 700 prefix 46.248.160.0/24
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# delete policy prefix-list uniwerek-reject rule 700
[edit]
vyos@vyos# commit
[edit]

Thank you. That workaround helped for that case, but I have a similar problem in a route-map with that prefix-list too:

# show policy route-map uniwerek-in
 rule 5 {
     action permit
     set {
         local-preference 400
     }
 }
 rule 10 {
     action deny
     match {
         ip {
             address {
                 prefix-list uniwerek-reject
             }
         }
     }
 }
 rule 6000 {
     action permit
     match {
         ip {
             address {
                 prefix-list peer-in
             }
         }
     }
 }
[edit]

# delete policy route-map uniwerek-in rule 10
[edit]

# show policy route-map uniwerek-in
 rule 5 {
     action permit
     set {
         local-preference 400
     }
 }
-rule 10 {
-    action deny
-    match {
-        ip {
-            address {
-                prefix-list uniwerek-reject
-            }
-        }
-    }
-}
 rule 6000 {
     action permit
     match {
         ip {
             address {
                 prefix-list peer-in
             }
         }
     }
 }
[edit]

# commit
[ policy route-map uniwerek-in rule 10 match ip address prefix-list uniwerek-reject ]
% Can't find rule.

[[policy route-map uniwerek-in]] failed
Commit failed
[edit]

Is there any workaround for that route-map too?

syncer added a subscriber: syncer.

Updating project tags
@paszczus have you solved your issue?
@murmaider do you believe that some workaround for route-map can be found in this case?

The entire issue is a ripple effect of allowing the duplicate prefix into the same prefix list.
If we can prevent that, the route-map issue shouldn't occur.

The full workaround for the above is to remove the entire uniwerek-reject prefix list and redo it.

UnicronNL closed this task as Resolved. Apr 30 2017, 6:48 PM
UnicronNL claimed this task.
UnicronNL added a subscriber: UnicronNL.

Exit 1 if the prefix already exists so it does not get put in the config.
https://github.com/vyos/vyatta-cfg-quagga/commit/888c927fc526b112da3b94d8edc73fa50a24988b
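
An added example, not code from the VyOS project or from anyone in this thread: a Python audit for the condition discussed above, which flags a prefix repeated across rules of one prefix list and config rules that the routing daemon never installed. The function names and sample text are constructed, and rules are assumed to carry no ge/le qualifiers.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `show policy prefix-list <name>`.
CONFIG = """\
 rule 600 {
     action permit
     prefix 46.248.160.0/19
 }
 rule 700 {
     action permit
     prefix 46.248.160.0/19
 }
"""

# Constructed sample: one daemon's section of `show ip prefix-list`.
DAEMON = """\
BGP: ip prefix-list uniwerek-reject: 1 entries
   seq 600 permit 46.248.160.0/19
"""

RULE_RE = re.compile(r"rule\s+(\d+)\s*\{(.*?)\}", re.S)
SEQ_RE = re.compile(r"^\s*seq\s+(\d+)\s+(permit|deny)\s+(\S+)", re.M)

def config_rules(text):
    """Return {rule number: (action, prefix)} parsed from a config block."""
    rules = {}
    for num, body in RULE_RE.findall(text):
        action = re.search(r"action\s+(\S+)", body)
        prefix = re.search(r"prefix\s+(\S+)", body)
        rules[int(num)] = (action and action.group(1), prefix and prefix.group(1))
    return rules

def daemon_entries(text):
    """Return {seq: (action, prefix)} parsed from the daemon's listing."""
    return {int(s): (a, p) for s, a, p in SEQ_RE.findall(text)}

def duplicate_prefixes(rules):
    """Return {prefix: [rule numbers]} for prefixes used by more than one rule."""
    by_prefix = defaultdict(list)
    for num, (_, prefix) in sorted(rules.items()):
        if prefix:
            by_prefix[prefix].append(num)
    return {p: nums for p, nums in by_prefix.items() if len(nums) > 1}

def missing_from_daemon(rules, entries):
    """Return config rule numbers whose entry is absent or different in the daemon."""
    return sorted(n for n, entry in rules.items() if entries.get(n) != entry)
```

A non-empty result from either function means the saved configuration and the running filter disagree, which matters when the list backs a route-map deny rule such as `uniwerek-in` rule 10.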