Page MenuHomeVyOS Platform
Create Task
Maniphest T4164

PBR: network groups (as well as address and port groups) don't resolve in `nftables_policy.conf`
Closed, ResolvedPublicBUG
Actions

Description

PBR rules can reference firewall groups, similar to normal firewall rules. However, with the change to nftables, these names currently don't resolve in the policy code.

Here's an example for a network-group:

set firewall group network-group RFC1918 network '192.168.0.0/16'
set firewall group network-group RFC1918 network '10.0.0.0/8'
set firewall group network-group RFC1918 network '172.16.0.0/12'
set policy route BEAR rule 1 destination group network-group RFC1918 
commit

this fails with

[ policy route BEAR ]
Failed to apply policy based routing

[[policy route BEAR]] failed
Commit failed

Running nft -c -f /run/nftables_policy.conf reveals that the named network group RFC1918 (which is defined as a variable in /run/nftables.conf) is not known:

/run/nftables_policy.conf:11:19-27: Error: unknown identifier 'N_RFC1918'
        ip daddr $N_RFC1918 counter return comment "BEAR-1"
                  ^^^^^^^^^

I am uncertain whether moving all the define stuff from nftables.conf into a separate file and then including it in nftables*.conf would work, but theoretically, it should, e.g. with something like this:

#!/usr/sbin/nft -f

# include a single file using an absolute path
include "/run/nftables_defines.conf"

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202201090317
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

johannrichard created this task.Jan 10 2022, 9:21 PM
johannrichard updated the task description. (Show Details)Jan 10 2022, 9:34 PM
sarthurdev changed the task status from Open to Needs testing.Jan 11 2022, 2:51 PM
sarthurdev claimed this task.

PR: https://github.com/vyos/vyos-1x/pull/1158

Thanks, I really like the include idea and have implemented it in the attached PR. Also added a check in firewall.py to reload policy-route script to keep any group changes updated.

pasik added a subscriber: pasik.Jan 11 2022, 4:24 PM
sarthurdev moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.Jan 12 2022, 10:13 AM
mTx87 added a subscriber: mTx87.EditedJan 13 2022, 9:41 AM

moved my comment to a new bug request to keep this one here clean.

johannrichard added a comment.Jan 13 2022, 11:38 AM
In T4164#116547, @mTx87 wrote:

seems like policy based routing not working.

@mTx87 from your description it looks like this is a new (different) error from my original bug report. Also, it is not clear which (rolling) VyOS version you were testing this with?

Do you think it would be possible for you to open a new bug report to keep the different issues properly separated?

johannrichard added a comment.Jan 13 2022, 4:49 PM

@sdev this (and the other fixes) look promising: after upgrading to the latest rolling release from 13.1.2022, both the example provided in the ticket as well as my config (a copy of my production setup with rules covering PBR, empty groups, references to "defines" in PBR rules) ran through easily. My production config created no errors when loading the config after the update.

johannrichard mentioned this in T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails.Jan 13 2022, 4:52 PM
johannrichard mentioned this in T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases .
sarthurdev closed this task as Resolved.Feb 6 2022, 12:47 PM