
PBR: network groups (as well as address and port groups) don't resolve in `nftables_policy.conf`
Status: Needs testing, Requires assessment. Visibility: Public. Type: BUG

Description

PBR rules can reference firewall groups, similar to normal firewall rules. However, with the change to nftables, these names currently don't resolve in the policy code.

Here's an example for a network-group:

set firewall group network-group RFC1918 network '192.168.0.0/16'
set firewall group network-group RFC1918 network '10.0.0.0/8'
set firewall group network-group RFC1918 network '172.16.0.0/12'
set policy route BEAR rule 1 destination group network-group RFC1918
commit

This fails with:

[ policy route BEAR ]
Failed to apply policy based routing

[[policy route BEAR]] failed
Commit failed

Running nft -c -f /run/nftables_policy.conf reveals that the named network group RFC1918 (which is defined as a variable in /run/nftables.conf) is not known:

/run/nftables_policy.conf:11:19-27: Error: unknown identifier 'N_RFC1918'
        ip daddr $N_RFC1918 counter return comment "BEAR-1"
                  ^^^^^^^^^

I am uncertain whether moving all the define stuff from nftables.conf into a separate file and then including it in nftables*.conf would work, but theoretically, it should, e.g. with something like this:

#!/usr/sbin/nft -f

# include a single file using an absolute path
include "/run/nftables_defines.conf"
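The defines-file split suggested above, together with a check that reproduces the "unknown identifier" failure without needing nft installed. This is an added shell example, not VyOS code or the reporter's; the two config files, the P_WEB group and the table and chain names are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not VyOS code): split the "define" lines of a generated
# nftables.conf into a shared defines file, then list every $NAME the policy
# file uses that the defines file does not declare (what nft -c reports as
# "unknown identifier"). File contents, table and chain names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /run/nftables.conf (groups become defines here).
cat > "$WORK/nftables.conf" <<'EOF'
#!/usr/sbin/nft -f
define N_RFC1918 = { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }
define P_WEB = { 80, 443 }
table ip filter {
    chain FW_IN {
        ip saddr $N_RFC1918 tcp dport $P_WEB accept
    }
}
EOF

# Constructed stand-in for /run/nftables_policy.conf using the include idea;
# BEAR-2 deliberately references a group that no define provides.
cat > "$WORK/nftables_policy.conf" <<'EOF'
#!/usr/sbin/nft -f
include "/run/nftables_defines.conf"
table ip mangle {
    chain VYOS_PBR_BEAR {
        ip daddr $N_RFC1918 counter return comment "BEAR-1"
        ip daddr $N_MISSING counter return comment "BEAR-2"
    }
}
EOF

# extract_defines SRC DST: copy only "define NAME = ..." lines into DST.
extract_defines() {
    grep -E '^[[:space:]]*define[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=' "$1" > "$2"
}

# undefined_refs DEFINES POLICY: print each $NAME used in POLICY that DEFINES
# does not declare, one per line; prints nothing when every reference resolves.
undefined_refs() {
    defined=$(sed -E 's/^[[:space:]]*define[[:space:]]+([A-Za-z_][A-Za-z0-9_]*).*/\1/' "$1")
    grep -oE '\$[A-Za-z_][A-Za-z0-9_]*' "$2" | sed 's/^\$//' | sort -u |
    while read -r name; do
        printf '%s\n' "$defined" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

extract_defines "$WORK/nftables.conf" "$WORK/nftables_defines.conf"
undefined_refs "$WORK/nftables_defines.conf" "$WORK/nftables_policy.conf"   # prints N_MISSING
```

On a real router the authoritative check remains nft -c -f /run/nftables_policy.conf once the include line points at the generated defines file; this script only catches the missing-define case before that step.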

Details

Difficulty level: Unknown (require assessment)
Version: 1.4-rolling-202201090317
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

sdev changed the task status from Open to Needs testing. Tue, Jan 11, 2:51 PM
sdev claimed this task.

PR: https://github.com/vyos/vyos-1x/pull/1158

Thanks, I really like the include idea and have implemented it in the attached PR. Also added a check in firewall.py to reload policy-route script to keep any group changes updated.

Moved my comment to a new bug request to keep this one here clean.

In T4164#116547, @mTx87 wrote:

Seems like policy-based routing is not working.

@mTx87 from your description it looks like this is a new (different) error from my original bug report. Also, it is not clear which (rolling) VyOS version you were testing this with.

Do you think it would be possible for you to open a new bug report to keep the different issues properly separated?

@sdev this (and the other fixes) looks promising: after upgrading to the latest rolling release from 13.1.2022, both the example provided in the ticket and my config (a copy of my production setup with rules covering PBR, empty groups, and references to "defines" in PBR rules) ran through easily. My production config created no errors when loading the config after the update.