
PBR doesn't work with VRRP
Open, Requires assessment, Public, BUG


Policy Based Routing doesn't work on VRRP interfaces.

PBR rules are applied to the origin interface, while VRRP creates another one for its own purposes.

I'm going to apply a routing policy to an incoming interface with the VRRP feature. Let's imagine it's eth1:

high-availability {
    vrrp {
        group vrrp.1 {
            interface eth1
            priority 220
            vrid 1
        }
    }
}
interfaces {
    ethernet eth1 {
        hw-id 50:00:00:01:00:01
        policy {
            route pbr.TEST
        }
    }
}

As a result, it creates a rule in the predefined hook:

Chain VYATTA_FW_IN_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   21  1448 pbr.TEST   all  --  eth1   *  

But, in fact, VRRP creates another interface - eth1v1:

Name    Interface      VRID  State    Last Transition
------  -----------  ------  -------  -----------------
vrrp.1  eth1v1            1  MASTER   10m26s

As a result, the rule above doesn't affect the real traffic flow, and there is no way to add the policy to eth1v1 directly:

set interfaces ethernet eth1v1 policy route pbr.TEST 

  interface ethernet eth1v1: not a valid name
  Value validation failed
  Set failed

I can add the following rule manually and it will work:

sudo iptables -t mangle -A VYATTA_FW_IN_HOOK -i eth1v1 -j pbr.TEST

Proposed solutions (they aren't mutually exclusive):

  1. The internal logic should check whether PBR and VRRP are configured on the same parent interface. If so, additional iptables rules must be applied.
  2. There should be a possibility to add a policy directly to the VRRP interface.

P.S. I see slightly different behavior on 1.2.5 and 1.3, where the latter doesn't propose specifying eth1v1 in the set interfaces ethernet command while the former (1.2.5) does. Anyway, there is no rule to handle the traffic on either version.
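An added illustration of proposed solution 1 (example code, not VyOS's own conf_mode logic and not from this ticket): given the ethernet and VRRP config trees, derive the mangle-table rules the reporter added by hand, and skip any rule the current chain listing already contains. It assumes the VRRP interface is named parent plus "v" plus vrid, as eth1 with vrid 1 yields eth1v1 in the ticket.

```python
import shlex

# Chain name as shown in the ticket's iptables listing.
PBR_HOOK_CHAIN = "VYATTA_FW_IN_HOOK"


def vrrp_ifname(parent: str, vrid: int) -> str:
    """Assumption: VRRP creates <parent>v<vrid> (eth1 + vrid 1 -> eth1v1)."""
    return f"{parent}v{vrid}"


def extra_pbr_rules(interfaces: dict, vrrp_groups: dict) -> list:
    """Return iptables argv lists that bind each PBR policy of a parent
    interface to every VRRP interface created on top of it.

    interfaces:  {"eth1": {"policy": {"route": "pbr.TEST"}}}
    vrrp_groups: {"vrrp.1": {"interface": "eth1", "vrid": 1}}
    """
    rules = []
    for _group, cfg in sorted(vrrp_groups.items()):
        parent = cfg["interface"]
        policy = interfaces.get(parent, {}).get("policy", {}).get("route")
        if policy is None:
            continue  # no PBR on this parent, nothing to mirror
        vif = vrrp_ifname(parent, cfg["vrid"])
        rules.append(["iptables", "-t", "mangle", "-A", PBR_HOOK_CHAIN,
                      "-i", vif, "-j", policy])
    return rules


def present_rules(listing: str) -> set:
    """Parse `iptables -t mangle -L <chain> -v` output into {(in_if, target)}.
    Columns: pkts bytes target prot opt in out source destination."""
    found = set()
    for line in listing.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0].isdigit():
            found.add((cols[5], cols[2]))
    return found


def missing_rules(listing: str, rules: list) -> list:
    """Keep only rules whose (in_if, target) pair is not already in the chain."""
    have = present_rules(listing)
    return [r for r in rules if (r[r.index("-i") + 1], r[r.index("-j") + 1]) not in have]


def render(rules: list) -> list:
    return [shlex.join(r) for r in rules]
```

Feeding it the ticket's configuration and chain listing yields exactly the manual `iptables -t mangle -A VYATTA_FW_IN_HOOK -i eth1v1 -j pbr.TEST` line, and nothing on a second run once that rule is in place.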


Difficulty level
Unknown (require assessment)
1.2.5, 1.3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)

Event Timeline

erkin set Issue type to Bug (incorrect behavior). Aug 29 2021, 1:36 PM
erkin removed a subscriber: Active contributors.

If the modified regex --regex '^((eth|lan)[0-9]+|(eth)[0-9]v.+|(eno|ens|enp|enx).+)$' is used,

it stops at the driver check:

vyos@r1-roll# compare 
[edit interfaces]
+ethernet eth1v10 {
+    policy {
+        route FOO
+    }


Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/", line 199, in <module>
  File "/usr/libexec/vyos/conf_mode/", line 76, in verify
    ethtool = Ethtool(ifname)
  File "/usr/lib/python3/dist-packages/vyos/", line 60, in __init__
    raise ValueError(f'Could not determine driver for interface {ifname}!')
ValueError: Could not determine driver for interface eth1v10!

[[interfaces ethernet eth1v10]] failed
[[interfaces ethernet eth1v10 policy route]] failed
Commit failed