iptables error with policy routing
Open, High, Public, BUG

Description

Error:

iptables v1.4.20: Couldn't load target `VYATTA_PBR_2':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
Use of uninitialized value $rule_strs[1] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[2] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[3] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[4] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[5] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
iptables error: No such file or directory - -m comment --comment "VPNROUTING-12"   -p all   -m set  --match-set GROUP1 src   --destination 0.0.0.0/0  -j VYATTA_PBR_2       at /opt/vyatta/sbin/vyatta-firewall.pl line 642.

Configuration and steps to reproduce
1 LAN, 1 WAN, 2 OpenVPN interfaces
2 static interface routes in tables 1 and 2 (one for each VPN interface)

table 1 {
    interface-route 0.0.0.0/0 {
        next-hop-interface vtun0 {
        }
    }
}
table 2 {
    interface-route 0.0.0.0/0 {
        next-hop-interface vtun1 {
        }
    }
}

The route policy for the LAN interface looks like this:

route VPNROUTING {
    rule 1 {
        destination {
            group {
                address-group Real_IP
            }
        }
        protocol all
        set {
            table main
        }
    }
    rule 11 {
        destination {
            address 0.0.0.0/0
        }
        protocol all
        set {
            table 1
        }
        source {
            group {
                address-group AGROUP1
            }
        }
    }
    rule 12 {
        destination {
            address 0.0.0.0/0
        }
        protocol all
        set {
            table 2
        }
        source {
            group {
                address-group AGROUP2
            }
        }
    }
}

When changing the routing table number in rule 11 or 12, the error occurs.

The second error:
On the policy delete command:

iptables: Index of deletion too big.
iptables error: No such file or directory - 12 at /opt/vyatta/sbin/vyatta-firewall.pl line 634.

Details

Difficulty level
Unknown (require assessment)
Version
1.1.8-rc2
Why the issue appeared?
Will be filled on close
lbv2rus created this task. Mon, Nov 6, 10:20 PM
dmbaturin triaged this task as High priority. Mon, Nov 13, 8:50 AM
dmbaturin edited projects, added VyOS 1.2.x; removed VyOS 1.1.x (1.1.8).
dmbaturin added a subscriber: dmbaturin.

I could reproduce the bug. This doesn't appear to be an easy fix though.

The actual reproducing steps for the reference:

  1. Create a PBR rule, commit
  2. Create a new routing table, or pick an existing table that is not yet used in any rule
  3. Change the table in the rule to the table from point #2

The root cause is that the chain associated with a routing table in the iptables mangle table that is used by PBR rules is only created at rule creation time, and if you try to reference a routing table that is not already used by any rule, the target cannot be loaded because the mangle table chain doesn't get created.

The best fix for this would be to finally switch to using iptables-restore instead of inserting rules one by one.

There's a simple workaround though: delete the rule and re-create it with the new table. To make it easier, copy the commands from 'run show configuration commands'.
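As an added diagnostic, not code from the bug report or from VyOS: a POSIX shell check that models the root cause offline. Given a constructed `iptables-save -t mangle` dump and a constructed fragment of the policy route config, it lists the routing tables whose `VYATTA_PBR_<n>` chain does not exist yet, which is exactly the state in which the commit fails with "Couldn't load target". The interface name and chain contents in the sample dump are constructed, not taken from the report.

```shell
# Added example, not VyOS code: an offline model of the failure state described
# above. A PBR rule can only jump to VYATTA_PBR_<table> if an earlier commit
# already created that chain in the mangle table.

# Constructed `iptables-save -t mangle` dump: only table 1 has ever been used by
# a committed rule, so VYATTA_PBR_1 exists and VYATTA_PBR_2 does not.
SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:VPNROUTING - [0:0]
:VYATTA_PBR_1 - [0:0]
-A PREROUTING -i eth1 -j VPNROUTING
-A VPNROUTING -m comment --comment "VPNROUTING-11" -p all -m set --match-set AGROUP1 src -d 0.0.0.0/0 -j VYATTA_PBR_1
COMMIT'

# Constructed fragment of the policy route config: rule 11 still uses table 1,
# rule 12 has just been edited to use table 2 and is not yet committed.
SAMPLE_CONFIG='rule 11 {
    set {
        table 1
    }
}
rule 12 {
    set {
        table 2
    }
}'

# Name of the mangle chain that a PBR rule for routing table $1 jumps to.
pbr_chain_name() { printf 'VYATTA_PBR_%s\n' "$1"; }

# Succeeds if the mangle dump in $2 declares the chain for table $1.
pbr_chain_exists() {
    chain=$(pbr_chain_name "$1")
    printf '%s\n' "$2" | grep -q -e "^:${chain} "
}

# Print every numeric table referenced by config $1 whose chain is absent from
# dump $2: committing such a rule fails with "Couldn't load target".
pbr_missing_chains() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*table [0-9]+$' | awk '{print $2}' |
    while read -r t; do
        pbr_chain_exists "$t" "$2" || printf '%s\n' "$t"
    done
}

pbr_missing_chains "$SAMPLE_CONFIG" "$SAMPLE_MANGLE"   # prints: 2
```

On a real router, replace the two constructed strings with `iptables-save -t mangle` output and the `policy route` section of `show configuration`; a non-empty result before commit predicts the error from the description.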