
iptables error with policy routing
Open, Normal, Public, BUG

Description

Error:

iptables v1.4.20: Couldn't load target `VYATTA_PBR_2':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
Use of uninitialized value $rule_strs[1] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[2] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[3] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[4] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[5] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
iptables error: No such file or directory - -m comment --comment "VPNROUTING-12"   -p all   -m set  --match-set GROUP1 src   --destination 0.0.0.0/0  -j VYATTA_PBR_2       at /opt/vyatta/sbin/vyatta-firewall.pl line 642.

Configuration and steps to reproduce
1 - LAN, 1 - WAN, 2 - OpenVPN Interfaces
2 static interface routes in table 1 and 2 (for each VPN Interface)

table 1 {
    interface-route 0.0.0.0/0 {
        next-hop-interface vtun0 {
        }
    }
}
table 2 {
    interface-route 0.0.0.0/0 {
        next-hop-interface vtun1 {
        }
    }
}

Route Policy for LAN Interface like this

route VPNROUTING {
    rule 1 {
        destination {
            group {
                address-group Real_IP
            }
        }
        protocol all
        set {
            table main
        }
    }
    rule 11 {
        destination {
            address 0.0.0.0/0
        }
        protocol all
        set {
            table 1
        }
        source {
            group {
                address-group AGROUP1
            }
        }
    }
    rule 12 {
        destination {
            address 0.0.0.0/0
        }
        protocol all
        set {
            table 2
        }
        source {
            group {
                address-group AGROUP2
            }
        }
    }
}

When changing the routing table number in rule 11 or 12, an error occurs.

The second error:
On policy delete command:

iptables: Index of deletion too big.
iptables error: No such file or directory - 12 at /opt/vyatta/sbin/vyatta-firewall.pl line 634.

Details

Difficulty level
Hard (possibly days)
Version
1.1.8-rc2
Why the issue appeared?
Design mistake
lbv2rus created this task. Nov 6 2017, 10:20 PM
dmbaturin triaged this task as High priority. Nov 13 2017, 8:50 AM
dmbaturin edited projects, added VyOS 1.2 Crux; removed VyOS 1.1.x (1.1.8).
dmbaturin added a subscriber: dmbaturin.

I could reproduce the bug. This doesn't appear to be an easy fix though.

The actual reproducing steps for the reference:

  1. Create a PBR rule, commit
  2. Create a new routing table, or pick an existing table that is not yet used in any rule
  3. Change the table in the rule to the table from the point #2

The root cause is that the chain associated with routing table in the iptables mangle table that is used by PBR rules is only created at the rule creation time, and if you try to reference a routing table that is not used by any rule already, it cannot load because the mangle table chain doesn't get created.

The best fix for this would be to finally switch to using iptables-restore instead of inserting rules one by one.

There's a simple workaround though: delete the rule and re-create it with the new table. To make it easier, copy the commands from 'run show configuration commands'.
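
An added sketch of the iptables-restore approach suggested above (not VyOS code, and not part of the original comment): the VYATTA_PBR_<table> chain declarations are derived from the rule set itself, so a rule can never jump to a chain that was not created. The policy chain name PBR_POLICY and the rule tuples are constructed for illustration, the chain bodies are left empty because the page does not show them, and nothing here calls iptables.

```python
import re

# Constructed sample rules (comment, match spec, routing table), modelled on
# the rule text shown in the error output on this page.
RULES = [
    ("VPNROUTING-11", "-p all -m set --match-set AGROUP1 src --destination 0.0.0.0/0", 1),
    ("VPNROUTING-12", "-p all -m set --match-set AGROUP2 src --destination 0.0.0.0/0", 2),
]


def missing_chains(existing_chains, rules):
    """Model the reported failure: with one-by-one insertion, a rule whose
    target chain is not already in the mangle table cannot be loaded."""
    needed = {f"VYATTA_PBR_{table}" for _, _, table in rules}
    return sorted(needed - set(existing_chains))


def build_mangle_payload(policy_chain, rules):
    """Build iptables-restore input for the mangle table.

    Every VYATTA_PBR_<table> chain referenced by a rule is declared before
    any -A line, and the whole set is applied in a single COMMIT.
    """
    tables = sorted({table for _, _, table in rules})
    lines = ["*mangle", f":{policy_chain} - [0:0]"]  # policy_chain: hypothetical name
    lines += [f":VYATTA_PBR_{t} - [0:0]" for t in tables]
    for comment, match, table in rules:
        lines.append(
            f'-A {policy_chain} -m comment --comment "{comment}" '
            f"{match} -j VYATTA_PBR_{table}"
        )
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def undeclared_targets(payload):
    """Return VYATTA_PBR_<n> jump targets that the payload never declares."""
    declared = set(re.findall(r"^:(\S+) ", payload, re.M))
    used = set(re.findall(r"-j (VYATTA_PBR_\d+)", payload))
    return sorted(used - declared)


if __name__ == "__main__":
    # Only the chain for table 1 exists; a rule now points at table 2.
    print(missing_chains({"VYATTA_PBR_1"}, RULES))
    print(build_mangle_payload("PBR_POLICY", RULES), end="")
```

A payload like this replaces the contents of the mangle table when loaded without `--noflush`, so a real generator has to emit every chain and rule the table should hold, not only the PBR ones.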

pasik added a subscriber: pasik. Nov 22 2017, 7:47 PM
syncer assigned this task to dmbaturin. Sep 25 2018, 2:30 PM
dmbaturin lowered the priority of this task from High to Normal. Nov 25 2018, 8:15 PM
dmbaturin changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
dmbaturin changed Why the issue appeared? from Will be filled on close to Design mistake.

Since the fix is far from trivial, a workaround exists, and the entire PBR subsystem is due for a rewrite in the next release, I'm moving this to 1.3.x.