Page MenuHomeVyOS Platform

PBR: network groups (as well as address and port groups) don't resolve in `nftables_policy.conf`
Closed, ResolvedPublicBUG


PBR rules can reference firewall groups, similar to normal firewall rules. However, with the change to nftables, these names currently don't resolve in the policy code.

Here's an example for a network-group:

set firewall group network-group RFC1918 network ''
set firewall group network-group RFC1918 network ''
set firewall group network-group RFC1918 network ''
set policy route BEAR rule 1 destination group network-group RFC1918 

this fails with

[ policy route BEAR ]
Failed to apply policy based routing

[[policy route BEAR]] failed
Commit failed

Running nft -c -f /run/nftables_policy.conf reveals that the named network group RFC1918 (which is defined as a variable in /run/nftables.conf) is not known:

/run/nftables_policy.conf:11:19-27: Error: unknown identifier 'N_RFC1918'
        ip daddr $N_RFC1918 counter return comment "BEAR-1"

I am uncertain whether moving all the define stuff from nftables.conf into a separate file and then including it in nftables*.conf would work, but theoretically, it should, e.g. with something like this:

#!/usr/sbin/nft -f

# include a single file using an absolute path
include "/run/nftables_defines.conf"


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

sdev changed the task status from Open to Needs testing.Jan 11 2022, 2:51 PM
sdev claimed this task.


Thanks, I really like the include idea and have implemented it in the attached PR. Also added a check in to reload policy-route script to keep any group changes updated.

moved my comment to a new bug request to keep this one here clean.

In T4164#116547, @mTx87 wrote:

seems like policy based routing not working.

@mTx87 from your description it looks like this is a new (different) error from my original bug report. Also, it is not clear which (rolling) VyOS version you were testing this with?

Do you think it would be possible for you to open a new bug report to keep the different issues properly separated?

@sdev this (and the other fixes) look promising: after upgrading to the latest rolling release from 13.1.2022, both the example provided in the ticket as well as my config (a copy of my production setup with rules covering PBR, empty groups, references to "defines" in PBR rules) ran through easily. My production config created no errors when loading the config after the update.