
[Traffic Control] Invalid Port Configuration Still Commits
Open, Requires assessment | Public | BUG

Description

It appears that on VyOS 1.3, unsupported port configurations still commit to the configuration, but produce an error:

trae@cr01a-vyos# commit
[ traffic-policy limiter PUBLIC_IN ]
Argument "51820-51821" isn't numeric in numeric le (<=) at /opt/vyatta/share/perl5/Vyatta/Qos/Match.pm line 28.
Argument "51820-51821" isn't numeric in numeric le (<=) at /opt/vyatta/share/perl5/Vyatta/Qos/Match.pm line 28.

[ traffic-policy limiter PUBLIC_IN ]
Argument "51820-51821" isn't numeric in numeric le (<=) at /opt/vyatta/share/perl5/Vyatta/Qos/Match.pm line 28.
Argument "51820-51821" isn't numeric in numeric le (<=) at /opt/vyatta/share/perl5/Vyatta/Qos/Match.pm line 28.

Using source address fd52:d62e:8011:fffe:192:168:253:14
Archiving config...
  sftp://stor01z-rh8.int.trae32566.org:/wdc07/cr01a-vyos
^C Failed!
[edit]

Config:

+traffic-policy {
+    limiter PUBLIC_IN {
+        class 10 {
+            bandwidth 20Gbit
+            description "Backbone tunnels"
+            match WG_DAL13 {
+                ip {
+                    destination {
+                        address 169.62.15.10/32
+                        port 51820-51821
+                    }
+                    source {
+                        address 169.48.124.58/29
+                        port 51823
+                    }
+                }
+            }
+            match WG_DAL13-V6 {
+                ipv6 {
+                    destination {
+                        address 2607:f0d0:3a01:a5::6/128
+                        port 51820-51821
+                    }
+                    source {
+                        address 2607:f0d0:2701:a3::/64
+                        port 51823
+                    }
+                }
+            }
+            priority 0
+        }
+        default {
+            bandwidth 20Gbit
+        }
+    }
+}

Obviously if I try to apply this to an interface and commit again, it explodes fantastically:

trae@cr01b-vyos# set interfaces bonding bond1 traffic-policy in PUBLIC_IN
[edit]
trae@cr01b-vyos# commit

[ interfaces bonding bond1 traffic-policy in PUBLIC_IN ]
Argument "51820-51821" isn't numeric in numeric le (<=) at /opt/vyatta/share/perl5/Vyatta/Qos/Match.pm line 28.
Argument "51820-51821" isn't numeric in numeric le (<=) at /opt/vyatta/share/perl5/Vyatta/Qos/Match.pm line 28.
Illegal "match"
Command failed -:3
TC command failed. at /opt/vyatta/sbin/vyatta-qos.pl line 236.
qdisc add dev bond1 handle ffff: ingress
filter add dev bond1 parent ffff: prio 255 protocol all basic  action police rate 20000000000 conform-exceed drop burst 15k flowid ffff:15
filter add dev bond1 parent ffff: prio 0 protocol all u32 match ip src 169.48.124.58/29 match ip sport 51824 0xffff match ip dst 169.62.15.11/32 match ip dport 51820-51821 0xffff  action police rate 20000000000 conform-exceed drop burst 15k flowid ffff:a
filter add dev bond1 parent ffff: prio 0 protocol all u32 match ip6 src 2607:f0d0:2701:a3::/64 match ip6 sport 51824 0xffff match ip6 dst 2607:f0d0:3a01:a5::2/128 match ip6 dport 51820-51821 0xffff  action police rate 20000000000 conform-exceed drop burst 15k flowid ffff:a
filter add dev bond1 parent ffff: prio 20 protocol all u32 match ip dst 169.48.111.9/32 match ip dport 443 0xffff  action police rate 5000000000 conform-exceed drop burst 256MB flowid ffff:14
filter add dev bond1 parent ffff: prio 20 protocol all u32 match ip6 dst 2607:f0d0:2701:1ad:169:48:111:9/128 match ip6 dport 443 0xffff  action police rate 5000000000 conform-exceed drop burst 256MB flowid ffff:14
filter add dev bond1 parent ffff: prio 20 protocol all u32 match ip dst 169.61.88.17/32 match ip dport 443 0xffff  action police rate 5000000000 conform-exceed drop burst 256MB flowid ffff:14
filter add dev bond1 parent ffff: prio 20 protocol all u32 match ip6 dst 2607:f0d0:3a01:2:168:61:88:17/128 match ip6 dport 443 0xffff  action police rate 5000000000 conform-exceed drop burst 256MB flowid ffff:14

[[interfaces bonding bond1]] failed
Commit failed
[edit]

It may be of benefit to just go ahead and implement T2798 instead of fixing the issue here, since you'd just be adding support instead.
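The two failure modes above come from one gap: the `port` value is validated loosely enough that a range string reaches Match.pm, where Perl's numeric `<=` silently takes the leading digits of "51820-51821" (with the warning shown) and then emits `dport 51820-51821 0xffff`, which `tc` rejects. The following is an added example, not VyOS code, showing what either fix looks like: a strict parser that rejects anything other than a single port or a well-formed range at validation time, and a prefix decomposition that turns an accepted range into the `value mask` pairs a u32 `dport` match actually accepts (the form T2798 would need). Function names are hypothetical.

```python
import re

_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_spec(spec: str) -> tuple[int, int]:
    """Strictly parse 'N' or 'N-M' into an inclusive (lo, hi) port range.

    Raises ValueError on anything else, so a bad value fails at commit
    validation rather than when tc is invoked. Unlike Perl's numeric
    comparison, a trailing '-51821' is never silently ignored.
    """
    m = _PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"invalid port specification: {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) is not None else lo
    for p in (lo, hi):
        if not 1 <= p <= 65535:
            raise ValueError(f"port {p} out of range 1-65535 in {spec!r}")
    if lo > hi:
        raise ValueError(f"range start exceeds end in {spec!r}")
    return lo, hi


def range_to_u32_masks(lo: int, hi: int) -> list[tuple[int, int]]:
    """Decompose an inclusive 16-bit port range into (value, mask) pairs.

    Each pair covers an aligned power-of-two block, which is exactly what
    'match ip dport VALUE MASK' can express. Greedy: from the current port,
    grow the block while it stays aligned and fits inside the range.
    """
    if not (0 <= lo <= hi <= 65535):
        raise ValueError("range must satisfy 0 <= lo <= hi <= 65535")
    pairs = []
    cur = lo
    while cur <= hi:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((cur, 0xFFFF & ~(size - 1)))
        cur += size
    return pairs


def tc_dport_matches(spec: str, proto: str = "ip") -> list[str]:
    """Render a validated port spec as u32 match clauses, one per block.

    A single port yields the familiar 'dport N 0xffff'; a range yields as
    many clauses as its prefix decomposition needs.
    """
    lo, hi = parse_port_spec(spec)
    return [f"match {proto} dport {value} 0x{mask:04x}"
            for value, mask in range_to_u32_masks(lo, hi)]


if __name__ == "__main__":
    # Constructed inputs mirroring the ticket: a single port and a range.
    for spec in ("51823", "51820-51821", "1000-1003", "1-3"):
        print(spec, "->", tc_dport_matches(spec))
    for bad in ("51821-51820", "70000", "51820-", "abc"):
        try:
            parse_port_spec(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

"51820-51821" is a single aligned pair of ports, so it collapses to one clause, `match ip dport 51820 0xfffe`; an unaligned range such as 1-3 needs two clauses, which is why a range feature has to emit several `match` terms rather than substitute the string into one.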

Details

Difficulty level
Unknown (require assessment)
Version
1.3-epa1
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

The real bug is it shouldn't allow port-range values as it is not implemented.
Or just add this feature T2798