Also, the subsequent commit after reverting the "set table" fails, as the previous delete change was already applied at the failed commit and not reverted. This means that the running config and iptables state become desynchronised and any subsequent commit will fail even after discarding the config session.
vyos@vyos# show policy
route WAN-IP2-DHCP {
    rule 117 {
        set {
            table 11
        }
        source {
            group {
                network-group Guest-1
            }
        }
    }
    rule 118 {
        set {
            table 11
        }
        source {
            group {
                network-group Guest-2
            }
        }
    }
    rule 9000 {
        description "fall through"
        set {
            table main
        }
    }
}
vyos@vyos# set policy route WAN-IP2-DHCP rule 118 set table 12
[edit]
vyos@vyos# delete policy route WAN-IP2-DHCP rule 9000
[edit]
vyos@vyos# compare
[edit policy route WAN-IP2-DHCP rule 118 set]
>table 12
[edit policy route WAN-IP2-DHCP]
-rule 9000 {
-    description "fall through"
-    set {
-        table main
-    }
-}
[edit]
vyos@vyos# set protocols static table 12 interface-route 0.0.0.0/0 next-hop-interface peth02
[edit]
vyos@vyos# show protocols static
...
+table 12 {
+    interface-route 0.0.0.0/0 {
+        next-hop-interface peth02 {
+        }
+    }
+}
[edit]
vyos@vyos# commit
[ policy route WAN-IP2-DHCP ]
iptables v1.4.21: Couldn't load target `VYATTA_PBR_12':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
Use of uninitialized value $rule_strs[1] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
Use of uninitialized value $rule_strs[2] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
Use of uninitialized value $rule_strs[3] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
Use of uninitialized value $rule_strs[4] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
Use of uninitialized value $rule_strs[5] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
iptables error: No such file or directory - -m comment --comment "WAN-IP2-DHCP-118" -m set --match-set Guest-1 src -j VYATTA_PBR_12 at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
[[policy route WAN-IP2-DHCP]] failed
Commit failed
/* setting the table back to 11 as it was previously */
vyos@vyos# set policy route WAN-IP2-DHCP rule 118 set table 11
[edit]
vyos@vyos# commit
[ policy route WAN-IP2-DHCP ]
iptables: Index of deletion too big.
iptables error: No such file or directory - 9000 at /opt/vyatta/sbin/vyatta-firewall.pl line 753.
[[policy route WAN-IP2-DHCP]] failed
Commit failed
[edit]
vyos@vyos# discard
Changes have been discarded
[edit]
vyos@vyos# exit
exit
vyos@vyos:~$ configure
[edit]
vyos@vyos# delete policy route WAN-IP2-DHCP rule 9000
[edit]
vyos@vyos# commit
[ policy route WAN-IP2-DHCP ]
iptables: Index of deletion too big.
iptables error: No such file or directory - 9000 at /opt/vyatta/sbin/vyatta-firewall.pl line 753.
[[policy route WAN-IP2-DHCP]] failed
Commit failed
[edit]
vyos@vyos# run show policy
------------------------
Firewall Global Settings
------------------------
Firewall state-policy for all IPv4 and Ipv6 traffic
state        action   log
-----        ------   ---
invalid      drop     enabled
established  accept   disabled
related      accept   disabled
-----------------------------
Rulesets Information
-----------------------------
IPv4 Policy Route "WAN-IP2-DHCP":
Active on (bond0.117,ROUTE) (bond0.118,ROUTE)
rule  action  proto  packets  bytes
----  ------  -----  -------  -----
10    set     all    4954     390161
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-set private dst
117   set     all    0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-set Guest-1 src
118   set     all    1376     116385
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-set Guest-2 src
splice() offset past end of array at /opt/vyatta/bin/vyatta-show-firewall.pl line 356.
Use of uninitialized value $string_words_part2[1] in concatenation (.) or string at /opt/vyatta/bin/vyatta-show-firewall.pl line 368.
Use of uninitialized value $string_words_part2[0] in concatenation (.) or string at /opt/vyatta/bin/vyatta-show-firewall.pl line 369.
Use of uninitialized value $string_words_part1[3] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
Use of uninitialized value $string_words_part1[0] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
Use of uninitialized value $string_words_part1[1] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
9000 set
condition - saddr daddr
splice() offset past end of array at /opt/vyatta/bin/vyatta-show-firewall.pl line 356.
Use of uninitialized value $string_words_part2[1] in concatenation (.) or string at /opt/vyatta/bin/vyatta-show-firewall.pl line 368.
Use of uninitialized value $string_words_part2[0] in concatenation (.) or string at /opt/vyatta/bin/vyatta-show-firewall.pl line 369.
Use of uninitialized value $string_words_part1[3] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
Use of uninitialized value $string_words_part1[0] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
Use of uninitialized value $string_words_part1[1] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
10000 drop
condition - saddr daddr
[edit]
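A consistency check for the desynchronisation described in this report, added here as an example and not part of the report or of VyOS: it parses an iptables-save dump, compares the rendered policy-route chain against the configured rules, and flags rules already gone from iptables (which is what makes the later delete fail) as well as tables whose target chain was never created. The VYATTA_PBR_<policy> chain name and the dump lines are constructed assumptions; the VYATTA_PBR_<table> target and the "<policy>-<rule>" comment format are taken from the error output above.

```python
import re

# Constructed sample of `iptables-save -t mangle` output as it would look
# after the failed commit in the report: rule 9000 is already gone from
# iptables and no chain exists for table 12. The VYATTA_PBR_<policy> chain
# name is an assumption; VYATTA_PBR_<table> targets and the "<policy>-<rule>"
# comment format come from the error output in the report.
SAMPLE_DUMP = """\
*mangle
:VYATTA_PBR_11 - [0:0]
:VYATTA_PBR_WAN-IP2-DHCP - [0:0]
-A VYATTA_PBR_WAN-IP2-DHCP -m comment --comment "WAN-IP2-DHCP-117" -m set --match-set Guest-1 src -j VYATTA_PBR_11
-A VYATTA_PBR_WAN-IP2-DHCP -m comment --comment "WAN-IP2-DHCP-118" -m set --match-set Guest-2 src -j VYATTA_PBR_11
COMMIT
"""

CHAIN_RE = re.compile(r'^:(\S+) ')
RULE_RE = re.compile(r'^-A (\S+) .*--comment "([^"]+)".* -j (\S+)')


def parse_iptables_save(dump):
    """Return (declared chain names, {chain: [(policy, rule_no, target), ...]})."""
    chains, rules = set(), {}
    for line in dump.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chains.add(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            chain, comment, target = m.groups()
            policy, rule_no = comment.rsplit("-", 1)
            rules.setdefault(chain, []).append((policy, int(rule_no), target))
    return chains, rules


def check_policy_drift(policy, configured, dump, prefix="VYATTA_PBR_"):
    """configured maps rule number -> table ("11", "12" or "main")."""
    chains, rules = parse_iptables_save(dump)
    # Rule numbers iptables actually holds for this policy.
    live = {no for pol, no, _ in rules.get(prefix + policy, []) if pol == policy}
    return {
        # Still in config but already gone from iptables: the next delete of
        # such a rule fails with "Index of deletion too big".
        "missing_in_iptables": sorted(set(configured) - live),
        "not_in_config": sorted(live - set(configured)),
        # Numeric table whose target chain was never created: "Couldn't load target".
        "missing_target_chains": sorted(prefix + t for t in set(configured.values())
                                        if t.isdigit() and prefix + t not in chains),
    }
```

Running the check against a real box would mean feeding it the output of `iptables-save -t mangle` and the rule/table pairs from `show policy route`, before committing a change that deletes or re-targets rules.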