Page MenuHomeVyOS Platform
Create Task
Maniphest T1634

Commit fails when changing policy route "set table" and adding the table at the same time, results in config deadlock
Resolved (N/A)Public
Actions

Description

Also the subsequent commit after reverting the "set table" fails as the previous delete change was already applied at the failed commit and not reverted. This means that the running config and iptables state become desynchronised and any subsequent commit will fail even after discarding the config session.

vyos@vyos# show policy 
 route WAN-IP2-DHCP {
     rule 117 {
         set {
             table 11
         }
         source {
             group {
                 network-group Guest-1
             }
         }
     }
     rule 118 {
         set {
             table 11
         }
         source {
             group {
                 network-group Guest-2
             }
         }
     }
     rule 9000 {
         description "fall through"
         set {
             table main
         }
     }
 }
vyos@vyos# set policy route WAN-IP2-DHCP rule 118 set table 12
[edit]
vyos@vyos# delete policy route WAN-IP2-DHCP rule 9000
[edit]
vyos@vyos# compare 
[edit policy route WAN-IP2-DHCP rule 118 set]
>table 12
[edit policy route WAN-IP2-DHCP]
-rule 9000 {
-    description "fall through"
-    set {
-        table main
-    }
-}
[edit]

vyos@vyos# set protocols static table 12 interface-route 0.0.0.0/0 next-hop-interface peth02 
[edit]
vyos@vyos# show protocols static 
 ...
+table 12 {
+    interface-route 0.0.0.0/0 {
+        next-hop-interface peth02 {
+        }
+    }
+}
[edit]

vyos@vyos# commit
[ policy route WAN-IP2-DHCP ]
iptables v1.4.21: Couldn't load target `VYATTA_PBR_12':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
Use of uninitialized value $rule_strs[1] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
Use of uninitialized value $rule_strs[2] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
Use of uninitialized value $rule_strs[3] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
Use of uninitialized value $rule_strs[4] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
Use of uninitialized value $rule_strs[5] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
iptables error: No such file or directory - -m comment --comment "WAN-IP2-DHCP-118"   -m set  --match-set Guest-1 src   -j VYATTA_PBR_12       at /opt/vyatta/sbin/vyatta-firewall.pl line 742.

[[policy route WAN-IP2-DHCP]] failed
Commit failed

/* setting the table back to 11 as it was previously */
vyos@vyos# set policy route WAN-IP2-DHCP rule 118 set table 11
[edit]
vyos@vyos# commit
[ policy route WAN-IP2-DHCP ]
iptables: Index of deletion too big.
iptables error: No such file or directory - 9000 at /opt/vyatta/sbin/vyatta-firewall.pl line 753.

[[policy route WAN-IP2-DHCP]] failed
Commit failed
[edit]
vyos@vyos# discard

  Changes have been discarded

[edit]
vyos@vyos# exit
exit
vyos@vyos:~$ configure 
[edit]
vyos@vyos# delete policy route WAN-IP2-DHCP rule 9000 
[edit]
vyos@vyos# commit
[ policy route WAN-IP2-DHCP ]
iptables: Index of deletion too big.
iptables error: No such file or directory - 9000 at /opt/vyatta/sbin/vyatta-firewall.pl line 753.

[[policy route WAN-IP2-DHCP]] failed
Commit failed
[edit]
vyos@vyos# run show policy 

------------------------
Firewall Global Settings
------------------------

Firewall state-policy for all IPv4 and Ipv6 traffic

state           action   log     
-----           ------   ---     
invalid         drop     enabled 
established     accept   disabled
related         accept   disabled

-----------------------------
Rulesets Information
-----------------------------
IPv4 Policy Route "WAN-IP2-DHCP":

 Active on (bond0.117,ROUTE) (bond0.118,ROUTE)

rule  action   proto     packets  bytes                                   
----  ------   -----     -------  -----                                   
10    set      all       4954     390161                                  
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-set private dst             

117   set      all       0        0                                       
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-set Guest-1 src            

118   set      all       1376     116385                                  
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-set Guest-2 src            
splice() offset past end of array at /opt/vyatta/bin/vyatta-show-firewall.pl line 356.
Use of uninitialized value $string_words_part2[1] in concatenation (.) or string at /opt/vyatta/bin/vyatta-show-firewall.pl line 368.
Use of uninitialized value $string_words_part2[0] in concatenation (.) or string at /opt/vyatta/bin/vyatta-show-firewall.pl line 369.
Use of uninitialized value $string_words_part1[3] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
Use of uninitialized value $string_words_part1[0] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
Use of uninitialized value $string_words_part1[1] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.

9000  set                                                                 
  condition - saddr  daddr                                                      
splice() offset past end of array at /opt/vyatta/bin/vyatta-show-firewall.pl line 356.
Use of uninitialized value $string_words_part2[1] in concatenation (.) or string at /opt/vyatta/bin/vyatta-show-firewall.pl line 368.
Use of uninitialized value $string_words_part2[0] in concatenation (.) or string at /opt/vyatta/bin/vyatta-show-firewall.pl line 369.
Use of uninitialized value $string_words_part1[3] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
Use of uninitialized value $string_words_part1[0] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
Use of uninitialized value $string_words_part1[1] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.

10000 drop                                                                
  condition - saddr  daddr                                                      

[edit]

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.2.0-rolling+201906231514
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

jjakob created this task.Sep 4 2019, 3:59 PM
jjakob created this object in space S1 VyOS Public.
pasik added a subscriber: pasik.Sep 4 2019, 8:05 PM
dmbaturin assigned this task to erkin.May 29 2021, 7:10 AM
dmbaturin added projects: VyOS 1.2 Crux, VyOS 1.3 Equuleus.
dmbaturin edited projects, added test, VyOS 1.2 Crux (VyOS 1.2.9); removed VyOS 1.2 Crux.Jul 29 2021, 12:32 PM
erkin set Issue type to Bug (incorrect behavior).Aug 31 2021, 6:51 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0-epa1); removed test, VyOS 1.3 Equuleus.Sep 5 2021, 7:06 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus (1.3.0-epa1).Nov 1 2021, 10:09 PM
erkin changed the task status from Open to In progress.Nov 11 2021, 2:31 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).Aug 29 2022, 7:05 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:44 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:30 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.6); removed VyOS 1.3 Equuleus (1.3.5).Dec 17 2023, 11:38 PM
dmbaturin closed this task as Resolved N/A.Jan 9 2024, 3:46 PM
dmbaturin removed projects: VyOS 1.3 Equuleus (1.3.6), VyOS 1.2 Crux (VyOS 1.2.9).
dmbaturin added a subscriber: dmbaturin.

The new firewall implementation solved it.