
Can't delete vti interface due to incorrect directory name in /proc
Closed, Resolved | Public | BUG

Description

I created a vti interface, and now I can't delete it.

vyos@VyOS-IPSEC-DMZ1# show interfaces vti

vti vti0 {
    ip {
        source-validation disable
    }
}

[edit]
vyos@VyOS-IPSEC-DMZ1# delete interfaces vti vti0 ip
[edit]
vyos@VyOS-IPSEC-DMZ1# commit
[ interfaces vti vti0 ip source-validation disable ]
sh: /proc/sys/net/ipv4/conf/vti0/rp_filter: No such file or directory

delete [ interfaces vti vti0 ip ] failed
Commit failed
[edit]

Looking for what it is erroring on, /proc/sys/net/ipv4/conf/vti0/rp_filter doesn't exist on the system. However, I do see a:
/proc/sys/net/ipv4/conf/ip_vti0/rp_filter

Details

Commits: Restricted Diffusion Commit
Difficulty level: Normal (likely a few hours)
Version: 1.1.7
Why the issue appeared?: Will be filled on close
ethomas created this task. Jul 26 2017, 3:37 PM

Found my workaround.

In file: /opt/vyatta/share/vyatta-cfg/templates/interfaces/vti/node.tag/ip/source-validation/node.def
I commented out the command under "delete:"
sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/$VAR(../../@)/rp_filter"

The rp_filter under the ip_vti0 directory was already set to 0 anyway.
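
A guarded form of the write that the template line quoted above performs, as an added example that is not part of this thread or of the VyOS code base: it checks that the interface's sysctl directory exists before writing rp_filter, and on delete treats a missing directory as nothing to reset. The function names, the return codes and the overridable CONF_ROOT are assumptions, and the directory tree in the demo is constructed.

```sh
#!/bin/sh
# Added example, not VyOS code. CONF_ROOT is an assumed override so the
# functions can run against a constructed tree instead of the real /proc.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# set_rp_filter IFACE VALUE
# Returns 0 = written, 2 = bad argument, 3 = no sysctl directory for IFACE.
set_rp_filter() {
    iface=$1
    value=$2
    # Accept only a plain name so the path cannot leave CONF_ROOT.
    case $iface in
        ''|.|..|*[!A-Za-z0-9_.-]*) return 2 ;;
    esac
    # rp_filter takes 0 (off), 1 (strict) or 2 (loose).
    case $value in
        0|1|2) ;;
        *) return 2 ;;
    esac
    target="$CONF_ROOT/$iface/rp_filter"
    # Check first instead of letting the redirect fail and abort the caller.
    [ -e "$target" ] || return 3
    printf '%s\n' "$value" > "$target"
}

# Delete path: with no sysctl directory there is nothing left to reset,
# so that case succeeds; bad arguments are still reported.
reset_rp_filter_on_delete() {
    rc=0
    set_rp_filter "$1" 0 || rc=$?
    [ "$rc" -eq 3 ] && rc=0
    return "$rc"
}

# Constructed tree matching the report: ip_vti0 is present, vti0 is not.
demo() {
    CONF_ROOT=$(mktemp -d)
    for i in all default eth0 ip_vti0 lo; do
        mkdir "$CONF_ROOT/$i" && echo 0 > "$CONF_ROOT/$i/rp_filter"
    done
    rc=0; set_rp_filter vti0 0 || rc=$?
    echo "set vti0: rc=$rc"
    rc=0; reset_rp_filter_on_delete vti0 || rc=$?
    echo "delete vti0: rc=$rc"
    rm -rf "$CONF_ROOT"
}
demo
```

On the set path a return code of 3 should still fail the commit, since source validation was requested for an interface the kernel does not expose; only the delete path can safely ignore it.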

syncer assigned this task to dmbaturin. Aug 1 2017, 2:52 AM
syncer triaged this task as Normal priority.
syncer reassigned this task from dmbaturin to UnicronNL. Aug 21 2017, 3:31 AM
syncer edited projects, added VyOS 1.1.x (1.1.8); removed VyOS 1.1.x.
syncer added subscribers: dmbaturin, syncer.

this one is simple,
Kim please check

syncer reassigned this task from UnicronNL to c-po. Aug 29 2017, 11:08 AM
syncer added a subscriber: UnicronNL.

Hey Christian,
assigning it to you

c-po added a comment. Aug 29 2017, 2:47 PM
This comment was removed by c-po.
c-po added a comment. Edited Aug 29 2017, 7:54 PM

@ethomas could you please provide a full configuration for my tests? The only thing I see is:

cpo@CR1# delete  interfaces vti vti1 ip source-validation
[edit]

cpo@CR1# commit
Warning: priority inversion [interfaces vti vti1 ip source-validation](500) <= [interfaces vti vti1 ip](901)
         changing [interfaces vti vti1 ip source-validation] to (902)

Using VyOS 999.201708272137 and adding an "interface vti1" and binding this to an IPsec peer I see:

root@CR1:/home/cpo# ls -al /proc/sys/net/ipv4/conf/
total 0
dr-xr-xr-x 1 root root 0 Aug 29 19:51 .
dr-xr-xr-x 1 root root 0 Aug 29 19:51 ..
dr-xr-xr-x 1 root root 0 Aug 29 19:51 all
dr-xr-xr-x 1 root root 0 Aug 29 19:51 default
dr-xr-xr-x 1 root root 0 Aug 29 19:51 eth0
dr-xr-xr-x 1 root root 0 Aug 29 19:53 ip_vti0
dr-xr-xr-x 1 root root 0 Aug 29 19:52 lo
dr-xr-xr-x 1 root root 0 Aug 29 19:53 vti1

Starting all off with "vti0" instead of "vti1" gives a different result. Did we hit another BUG?

root@CR1:/home/cpo# ls -al /proc/sys/net/ipv4/conf/
total 0
dr-xr-xr-x 1 root root 0 Aug 29 19:56 .
dr-xr-xr-x 1 root root 0 Aug 29 19:56 ..
dr-xr-xr-x 1 root root 0 Aug 29 19:56 all
dr-xr-xr-x 1 root root 0 Aug 29 19:56 default
dr-xr-xr-x 1 root root 0 Aug 29 19:56 eth0
dr-xr-xr-x 1 root root 0 Aug 29 19:56 ip_vti0
dr-xr-xr-x 1 root root 0 Aug 29 19:56 lo
dr-xr-xr-x 1 root root 0 Aug 29 19:56 vti0

@c-po I don't have any of that in my configuration any longer. As I said in my last comment, I found a work-around to delete the bit that was causing the problem. I ended up not using vti interfaces in my system.

For some reason, /proc/sys/net/ipv4/conf/$VAR(../../@)/rp_filter was resolving to /proc/sys/net/ipv4/conf/vti0/rp_filter, instead of /proc/sys/net/ipv4/conf/ip_vti0/rp_filter, but I don't know why.

c-po added a comment. Aug 29 2017, 8:29 PM

I double checked with VyOS 1.1.7 where I can not reproduce the error. Is version 1.1.7 correct in this BUG report?

vyos@vyos# delete interfaces vti vti0 ip source-validation
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
Saving configuration to '/config/config.boot'...

Example configuration used: https://wiki.vyos.net/wiki/VTI_with_Palo_Alto

@c-po try to delete upper node

delete interfaces vti vti0 ip

reproducible like that

vyos@vyos-adminor-rtr-primary# set interfaces vti vti0 ip source-validation disable 
[edit]
vyos@vyos-adminor-rtr-primary# commit
[ interfaces vti vti0 ]
Warning: Interface vti0 is not referenced in vpn configuration.

[ interfaces vti vti0 ip source-validation disable ]
sh: /proc/sys/net/ipv4/conf/vti0/rp_filter: No such file or directory

[[interfaces vti vti0 ip]] failed
Commit failed
[edit]
c-po added a comment. Aug 30 2017, 9:19 AM

Using VyOS 999.201708292137 I'm able to reproduce this.

cpo@CR3# set interfaces vti vti0 ip source-validation disable 
[edit]
cpo@CR3# commit
Warning: priority inversion [interfaces vti vti0 ip source-validation](500) <= [interfaces vti vti0 ip](901)
         changing [interfaces vti vti0 ip source-validation] to (902)
[ interfaces vti vti0 ip source-validation disable ]
sh: /proc/sys/net/ipv4/conf/vti0/rp_filter: No such file or directory

[[interfaces vti vti0 ip source-validation]] failed
Commit failed
[edit]
cpo@CR3#

I see the following in "/proc/sys/net/ipv4/conf/"

dr-xr-xr-x 1 root root 0 Aug 30 09:16 all
dr-xr-xr-x 1 root root 0 Aug 30 09:16 default
dr-xr-xr-x 1 root root 0 Aug 30 09:16 eth0
dr-xr-xr-x 1 root root 0 Aug 30 09:16 ip_vti0
dr-xr-xr-x 1 root root 0 Aug 30 09:16 lo
dr-xr-xr-x 1 root root 0 Aug 30 09:16 vti0

The weird thing I see is that we now have vti0 and ip_vti0 but both only appear if you have an IPSec peer configured. I'll have to double check with VyOS 1.1.7 if we also have two nodes here.

c-po added a comment. Aug 30 2017, 2:28 PM

VyOS 1.1.7 also has two interfaces (vti0 and ip_vti0)

c-po changed the task status from Open to In progress. Sep 3 2017, 7:59 AM
c-po added a project: VyOS 1.2.x.
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
c-po moved this task from Need Triage to In Progress on the VyOS 1.2.x board.
c-po reassigned this task from c-po to syncer. Sep 7 2017, 12:22 PM
c-po added a subscriber: c-po.
syncer reassigned this task from syncer to dmbaturin. Sep 7 2017, 12:23 PM

Daniil, can you kindly review and merge
Thanks

c-po closed this task as Resolved by committing Restricted Diffusion Commit. Sep 8 2017, 10:32 AM
c-po added a commit: Restricted Diffusion Commit.