
Policy route and firewall - error when using undefined group
Needs testing, Requires assessment | Public | BUG

Description

Add a policy match on a non-existent group:

set policy route PBR rule 10 destination group port-group 'NOGROUP' 
set policy route PBR rule 10 protocol 'tcp'
set interfaces ethernet eth4 policy route PBR

Commit errors:

[email protected]# commit
[ policy route PBR ]
Invalid port-group "NOGROUP" on policy route rule

[[policy route PBR]] failed
[ interfaces ethernet eth4 policy ]
VyOS had an issue completing a command.

Report time:      2022-05-20 16:13:24
Image version:    VyOS 1.4-rolling-202205200217
Release train:    sagitta

Built by:         [email protected]
Built on:         Fri 20 May 2022 02:17 UTC
Build UUID:       710f6def-46af-4eaf-9aaa-6e8261414b78
Build commit ID:  69f82f599dcd07

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:     
Hardware UUID:    eb1c36f5-4f71-45c9-b4c7-39a74285ea0f

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/policy-route-interface.py", line 117, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/policy-route-interface.py", line 97, in apply
    cmd(f'nft insert rule ip mangle {route_chain} iifname {ifname} counter jump {name}')
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 161, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: nft insert rule ip mangle VYOS_PBR_PREROUTING iifname eth4 counter jump VYOS_PBR_PBR
returned: 
exit code: 1

noteworthy:
cmd 'nft insert rule ip mangle VYOS_PBR_PREROUTING iifname eth4 counter jump VYOS_PBR_PBR'
returned (out):

returned (err):
Error: Could not process rule: No such file or directory
insert rule ip mangle VYOS_PBR_PREROUTING iifname eth4 counter jump VYOS_PBR_PBR
                                                                    ^^^^^^^^^^^^

[[interfaces ethernet eth4 policy]] failed
Commit failed
[edit]
[email protected]#

Required extra checks

Details

Difficulty level: Normal (likely a few hours)
Version: VyOS 1.4-rolling-202205200217
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Viacheslav renamed this task from Policy route without definded port-group erros to Policy route without defined port-group error. May 20 2022, 4:16 PM
Viacheslav created this task.

Extra checks are needed not only when attaching a policy route to an interface, but also when attaching a firewall.
For example:

[email protected]# set firewall name FOO rule 10 action accept 
[edit]
[email protected]# set firewall name FOO rule 10 destination group address-group NOAG
[edit]
[email protected]# commit

Invalid address-group "NOAG" on firewall rule

[[firewall]] failed
Commit failed
[edit]


## So Far, it's OK
## But
[email protected]# set int eth eth3 firewall in name FOO 
[edit]
[email protected]# compare
+firewall {
+    name FOO {
+        rule 10 {
+            action accept
+            destination {
+                group {
+                    address-group NOAG
+                }
+            }
+        }
+    }
+}
[edit interfaces ethernet eth3]
+firewall {
+    in {
+        name FOO
+    }
+}
[edit]
[email protected]# 
[edit]
[email protected]# commit

Invalid address-group "NOAG" on firewall rule

[[firewall]] failed
Commit failed

## Commit fails as expected, but interfaces config was committed properly:
[email protected]# run show config comm | grep fire
set interfaces ethernet eth3 firewall in name 'FOO'
n.fort renamed this task from Policy route without defined port-group error to Policy route and firewall - error when using undefined group. Sat, Jun 11, 11:19 AM
sdev changed the task status from Open to Needs testing. Wed, Jun 15, 9:15 PM
sdev claimed this task.
sdev moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.
sdev added a subscriber: sdev.
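
The kind of interface-side check this task asks for, as an added Python example (not VyOS code and not the fix that was applied): before an interface node is committed, every policy route or firewall ruleset attached to it must exist and must reference only defined groups. The config tree is modelled as nested dicts, the function names are hypothetical, and `SAMPLE` is constructed from the two cases reported above.

```python
# Added example, not VyOS code. The config tree is modelled as nested dicts
# (assumption); SAMPLE and the group name WEB are constructed for illustration.
def ruleset_errors(kind, name, ruleset, groups):
    """Messages for each rule in one ruleset that names an undefined group."""
    errors = []
    for rule_id, rule in ruleset.get("rule", {}).items():
        for side in ("source", "destination"):
            for gtype, gname in rule.get(side, {}).get("group", {}).items():
                if gname not in groups.get(gtype, {}):
                    errors.append(f'Invalid {gtype} "{gname}" on {kind} {name} rule {rule_id}')
    return errors

def interface_ref_errors(config):
    """Interface-side check: each attached ruleset must exist and be valid,
    so the interface node is rejected in the same commit as the ruleset."""
    firewall = config.get("firewall", {})
    groups = firewall.get("group", {})
    tables = {"policy route": config.get("policy", {}).get("route", {}),
              "firewall": firewall.get("name", {})}
    errors = []
    for ifname, iface in config.get("interfaces", {}).get("ethernet", {}).items():
        refs = []
        if "route" in iface.get("policy", {}):
            refs.append(("policy route", iface["policy"]["route"]))
        for direction in iface.get("firewall", {}).values():
            if "name" in direction:
                refs.append(("firewall", direction["name"]))
        for kind, name in refs:
            if name not in tables[kind]:
                errors.append(f"{ifname}: {kind} {name} does not exist")
                continue
            errors += [f"{ifname}: {e}" for e in
                       ruleset_errors(kind, name, tables[kind][name], groups)]
    return errors

SAMPLE = {
    "firewall": {
        "group": {"port-group": {"WEB": {"port": ["80", "443"]}}},
        "name": {"FOO": {"rule": {"10": {"action": "accept",
                 "destination": {"group": {"address-group": "NOAG"}}}}}}},
    "policy": {"route": {"PBR": {"rule": {"10": {"protocol": "tcp",
               "destination": {"group": {"port-group": "NOGROUP"}}}}}}},
    "interfaces": {"ethernet": {
        "eth3": {"firewall": {"in": {"name": "FOO"}}},
        "eth4": {"policy": {"route": "PBR"}}}},
}

if __name__ == "__main__":
    print("\n".join(interface_ref_errors(SAMPLE)))
```

A non-empty result means the interface attachment should fail together with the ruleset, which avoids both the `nft` traceback on eth4 and the orphaned `firewall in name 'FOO'` entry on eth3.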