It appears that on VyOS 1.3, unsupported port configurations still commit to the configuration, but produce an error:
trae@cr01a-vyos# commit
[ traffic-policy limiter PUBLIC_IN ]
Argument "51820-51821" isn't numeric in numeric le (<=) at /opt/vyatta/share/perl5/Vyatta/Qos/Match.pm line 28.
Argument "51820-51821" isn't numeric in numeric le (<=) at /opt/vyatta/share/perl5/Vyatta/Qos/Match.pm line 28.
[ traffic-policy limiter PUBLIC_IN ]
Argument "51820-51821" isn't numeric in numeric le (<=) at /opt/vyatta/share/perl5/Vyatta/Qos/Match.pm line 28.
Argument "51820-51821" isn't numeric in numeric le (<=) at /opt/vyatta/share/perl5/Vyatta/Qos/Match.pm line 28.
Using source address fd52:d62e:8011:fffe:192:168:253:14
Archiving config...
sftp://stor01z-rh8.int.trae32566.org:/wdc07/cr01a-vyos ^C Failed!
[edit]
Config:
+traffic-policy {
+    limiter PUBLIC_IN {
+        class 10 {
+            bandwidth 20Gbit
+            description "Backbone tunnels"
+            match WG_DAL13 {
+                ip {
+                    destination {
+                        address 169.62.15.10/32
+                        port 51820-51821
+                    }
+                    source {
+                        address 169.48.124.58/29
+                        port 51823
+                    }
+                }
+            }
+            match WG_DAL13-V6 {
+                ipv6 {
+                    destination {
+                        address 2607:f0d0:3a01:a5::6/128
+                        port 51820-51821
+                    }
+                    source {
+                        address 2607:f0d0:2701:a3::/64
+                        port 51823
+                    }
+                }
+            }
+            priority 0
+        }
+        default {
+            bandwidth 20Gbit
+        }
+    }
+}
Obviously if I try to apply this to an interface and commit again, it explodes fantastically:
trae@cr01b-vyos# set interfaces bonding bond1 traffic-policy in PUBLIC_IN
[edit]
trae@cr01b-vyos# commit
[ interfaces bonding bond1 traffic-policy in PUBLIC_IN ]
Argument "51820-51821" isn't numeric in numeric le (<=) at /opt/vyatta/share/perl5/Vyatta/Qos/Match.pm line 28.
Argument "51820-51821" isn't numeric in numeric le (<=) at /opt/vyatta/share/perl5/Vyatta/Qos/Match.pm line 28.
Illegal "match"
Command failed -:3
TC command failed. at /opt/vyatta/sbin/vyatta-qos.pl line 236.
qdisc add dev bond1 handle ffff: ingress
filter add dev bond1 parent ffff: prio 255 protocol all basic action police rate 20000000000 conform-exceed drop burst 15k flowid ffff:15
filter add dev bond1 parent ffff: prio 0 protocol all u32 match ip src 169.48.124.58/29 match ip sport 51824 0xffff match ip dst 169.62.15.11/32 match ip dport 51820-51821 0xffff action police rate 20000000000 conform-exceed drop burst 15k flowid ffff:a
filter add dev bond1 parent ffff: prio 0 protocol all u32 match ip6 src 2607:f0d0:2701:a3::/64 match ip6 sport 51824 0xffff match ip6 dst 2607:f0d0:3a01:a5::2/128 match ip6 dport 51820-51821 0xffff action police rate 20000000000 conform-exceed drop burst 15k flowid ffff:a
filter add dev bond1 parent ffff: prio 20 protocol all u32 match ip dst 169.48.111.9/32 match ip dport 443 0xffff action police rate 5000000000 conform-exceed drop burst 256MB flowid ffff:14
filter add dev bond1 parent ffff: prio 20 protocol all u32 match ip6 dst 2607:f0d0:2701:1ad:169:48:111:9/128 match ip6 dport 443 0xffff action police rate 5000000000 conform-exceed drop burst 256MB flowid ffff:14
filter add dev bond1 parent ffff: prio 20 protocol all u32 match ip dst 169.61.88.17/32 match ip dport 443 0xffff action police rate 5000000000 conform-exceed drop burst 256MB flowid ffff:14
filter add dev bond1 parent ffff: prio 20 protocol all u32 match ip6 dst 2607:f0d0:3a01:2:168:61:88:17/128 match ip6 dport 443 0xffff action police rate 5000000000 conform-exceed drop burst 256MB flowid ffff:14
[[interfaces bonding bond1]] failed
Commit failed
[edit]
It may be of benefit to just go ahead and implement T2798 instead of fixing the issue here, since you'd just be adding support instead.
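
An added illustration, not part of the original report and not VyOS code: tc's u32 classifier matches a port as a value/mask pair (the `0xffff` in the generated commands above), so a range such as `51820-51821` has to be validated and split into aligned value/mask blocks before a `match` clause is emitted. The function names are assumptions, and the page does not say whether T2798 takes this approach.

```python
import re

PORT_MAX = 65535


def parse_port_spec(spec):
    """Return (low, high) for 'N' or 'N-M'; raise ValueError for anything else."""
    m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", spec)
    if not m:
        raise ValueError(f"invalid port specification: {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not (0 <= low <= high <= PORT_MAX):
        raise ValueError(f"port out of range or reversed: {spec!r}")
    return low, high


def range_to_masks(low, high):
    """Cover [low, high] with aligned power-of-two blocks as (value, mask)."""
    blocks = []
    while low <= high:
        # Largest block that starts at `low` while staying aligned ...
        size = (low & -low) if low else PORT_MAX + 1
        # ... shrunk until it no longer runs past `high`.
        while size > high - low + 1:
            size >>= 1
        blocks.append((low, (PORT_MAX + 1 - size) & 0xFFFF))
        low += size
    return blocks


def u32_port_matches(proto, direction, spec):
    """Build u32 'match' clauses for a port or port range.

    Keys inside one u32 filter are ANDed, so every returned clause
    belongs in its own 'filter add' command.
    """
    if proto not in ("ip", "ip6") or direction not in ("sport", "dport"):
        raise ValueError("unsupported protocol or direction")
    low, high = parse_port_spec(spec)
    return [f"match {proto} {direction} {value} 0x{mask:04x}"
            for value, mask in range_to_masks(low, high)]


if __name__ == "__main__":
    # The range from the report collapses into a single value/mask pair.
    for clause in u32_port_matches("ip", "dport", "51820-51821"):
        print(clause)
```
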