Also the subsequent commit after reverting the "set table" fails as the previous delete change was already applied at the failed commit and not reverted. This means that the running config and iptables state become desynchronised and any subsequent commit will fail even after discarding the config session.
```
[email protected]# show policy route WAN-IP2-DHCP
 rule 117 {
     set {
         table 11
     }
     source {
         group {
             network-group Guest-1
         }
     }
 }
 rule 118 {
     set {
         table 11
     }
     source {
         group {
             network-group Guest-2
         }
     }
 }
 rule 9000 {
     description "fall through"
     set {
         table main
     }
 }
[email protected]# set policy route WAN-IP2-DHCP rule 118 set table 12
[edit]
[email protected]# delete policy route WAN-IP2-DHCP rule 9000
[edit]
[email protected]# compare
[edit policy route WAN-IP2-DHCP rule 118 set]
>table 12
[edit policy route WAN-IP2-DHCP]
-rule 9000 {
-    description "fall through"
-    set {
-        table main
-    }
-}
[edit]
[email protected]# set protocols static table 12 interface-route 0.0.0.0/0 next-hop-interface peth02
[edit]
[email protected]# show protocols static
...
+table 12 {
+    interface-route 0.0.0.0/0 {
+        next-hop-interface peth02 {
+        }
+    }
+}
[edit]
[email protected]# commit
[ policy route WAN-IP2-DHCP ]
iptables v1.4.21: Couldn't load target `VYATTA_PBR_12':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
Use of uninitialized value $rule_strs[1] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
Use of uninitialized value $rule_strs[2] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
Use of uninitialized value $rule_strs[3] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
Use of uninitialized value $rule_strs[4] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
Use of uninitialized value $rule_strs[5] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 742.
iptables error: No such file or directory - -m comment --comment "WAN-IP2-DHCP-118" -m set --match-set Guest-1 src -j VYATTA_PBR_12 at /opt/vyatta/sbin/vyatta-firewall.pl line 742.

[[policy route WAN-IP2-DHCP]] failed
Commit failed

/* setting the table back to 11 as it was previously */
[email protected]# set policy route WAN-IP2-DHCP rule 118 set table 11
[edit]
[email protected]# commit
[ policy route WAN-IP2-DHCP ]
iptables: Index of deletion too big.
iptables error: No such file or directory - 9000 at /opt/vyatta/sbin/vyatta-firewall.pl line 753.

[[policy route WAN-IP2-DHCP]] failed
Commit failed
[edit]
[email protected]# discard
Changes have been discarded
[edit]
[email protected]# exit
exit
[email protected]:~$ configure
[edit]
[email protected]# delete policy route WAN-IP2-DHCP rule 9000
[edit]
[email protected]# commit
[ policy route WAN-IP2-DHCP ]
iptables: Index of deletion too big.
iptables error: No such file or directory - 9000 at /opt/vyatta/sbin/vyatta-firewall.pl line 753.

[[policy route WAN-IP2-DHCP]] failed
Commit failed
[edit]
[email protected]# run show policy

------------------------
Firewall Global Settings
------------------------

Firewall state-policy for all IPv4 and Ipv6 traffic

state          action   log
-----          ------   ---
invalid        drop     enabled
established    accept   disabled
related        accept   disabled

-----------------------------
Rulesets Information
-----------------------------
IPv4 Policy Route "WAN-IP2-DHCP":
 Active on (bond0.117,ROUTE) (bond0.118,ROUTE)

rule  action   proto     packets  bytes
----  ------   -----     -------  -----
10    set      all       4954     390161
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-set private dst

117   set      all       0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-set Guest-1 src

118   set      all       1376     116385
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-set Guest-2 src

splice() offset past end of array at /opt/vyatta/bin/vyatta-show-firewall.pl line 356.
Use of uninitialized value $string_words_part2[1] in concatenation (.) or string at /opt/vyatta/bin/vyatta-show-firewall.pl line 368.
Use of uninitialized value $string_words_part2[0] in concatenation (.) or string at /opt/vyatta/bin/vyatta-show-firewall.pl line 369.
Use of uninitialized value $string_words_part1[3] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
Use of uninitialized value $string_words_part1[0] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
Use of uninitialized value $string_words_part1[1] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
9000  set
  condition - saddr  daddr

splice() offset past end of array at /opt/vyatta/bin/vyatta-show-firewall.pl line 356.
Use of uninitialized value $string_words_part2[1] in concatenation (.) or string at /opt/vyatta/bin/vyatta-show-firewall.pl line 368.
Use of uninitialized value $string_words_part2[0] in concatenation (.) or string at /opt/vyatta/bin/vyatta-show-firewall.pl line 369.
Use of uninitialized value $string_words_part1[3] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
Use of uninitialized value $string_words_part1[0] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
Use of uninitialized value $string_words_part1[1] in string at /opt/vyatta/bin/vyatta-show-firewall.pl line 400.
10000 drop
  condition - saddr  daddr

[edit]
```
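The failure mode in the session above is a non-transactional commit: the delete of rule 9000 reaches iptables before the insert of rule 118 fails on the missing `VYATTA_PBR_12` chain, the committed config is left untouched, and every later commit that assumes rule 9000 still exists in the kernel fails with "Index of deletion too big". The following Python toy, added here as an illustration and not code from VyOS or the Vyatta firewall scripts, models an iptables chain as a list and contrasts an apply-in-order commit with a snapshot-and-restore commit. The chain contents, the operation order, the `FakeKernel` class and the known-target set are all constructed for the example; the real `vyatta-firewall.pl` ordering is not reproduced.

```python
"""Toy model of a non-atomic vs. an atomic ruleset commit (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


class ApplyError(Exception):
    """A single iptables-style operation could not be applied."""


@dataclass
class FakeKernel:
    """Stand-in for iptables state: one chain plus the set of loadable targets.
    Constructed for the example; table 12 has no PBR chain yet, as in the report."""
    chain: List[str] = field(default_factory=list)
    targets: Set[str] = field(default_factory=lambda: {"VYATTA_PBR_11", "VYATTA_PBR_main"})

    def delete(self, rule: str) -> None:
        if rule not in self.chain:
            # Corresponds to "iptables: Index of deletion too big."
            raise ApplyError(f"cannot delete absent rule {rule!r}")
        self.chain.remove(rule)

    def insert(self, rule: str, target: str) -> None:
        if target not in self.targets:
            # Corresponds to "Couldn't load target `VYATTA_PBR_12'"
            raise ApplyError(f"unknown target {target!r}")
        self.chain.append(rule)


Op = Tuple[str, str, str]  # (action, rule_name, jump_target); target unused for delete


def _apply_all(kernel: FakeKernel, ops: List[Op]) -> None:
    for action, rule, target in ops:
        if action == "delete":
            kernel.delete(rule)
        else:
            kernel.insert(rule, target)


def naive_commit(kernel: FakeKernel, ops: List[Op]) -> bool:
    """Apply operations in order; on failure stop and keep whatever was applied."""
    try:
        _apply_all(kernel, ops)
        return True
    except ApplyError:
        return False


def atomic_commit(kernel: FakeKernel, ops: List[Op]) -> bool:
    """Snapshot the chain first; on any failure restore it so config and kernel agree."""
    snapshot = list(kernel.chain)
    try:
        _apply_all(kernel, ops)
        return True
    except ApplyError:
        kernel.chain[:] = snapshot
        return False


# Constructed starting state: the three rules the report's ruleset carries.
INITIAL_CHAIN = ["WAN-IP2-DHCP-117", "WAN-IP2-DHCP-118", "WAN-IP2-DHCP-9000"]

# Constructed operation list mirroring the session: drop rule 9000, then replace
# rule 118 with one jumping to the (not yet existing) table-12 chain.
BROKEN_OPS: List[Op] = [
    ("delete", "WAN-IP2-DHCP-9000", ""),
    ("delete", "WAN-IP2-DHCP-118", ""),
    ("insert", "WAN-IP2-DHCP-118", "VYATTA_PBR_12"),
]
# The later "delete rule 9000 only" commit from the report.
FOLLOWUP_OPS: List[Op] = [("delete", "WAN-IP2-DHCP-9000", "")]


def run_scenario(commit: Callable[[FakeKernel, List[Op]], bool]) -> Dict[str, object]:
    """Run the broken commit, measure drift from the still-committed config,
    then try the follow-up commit that should succeed on a consistent system."""
    kernel = FakeKernel(chain=list(INITIAL_CHAIN))
    first_ok = commit(kernel, BROKEN_OPS)
    # The committed config never changed, so rules missing from the kernel are drift.
    drift = sorted(set(INITIAL_CHAIN) - set(kernel.chain))
    followup_ok = commit(kernel, FOLLOWUP_OPS)
    return {"first_ok": first_ok, "drift_after_first": drift, "followup_ok": followup_ok}


if __name__ == "__main__":
    print("naive :", run_scenario(naive_commit))
    print("atomic:", run_scenario(atomic_commit))
```

With `naive_commit` the first commit fails, two rules are already gone from the kernel while the config still lists them, and the follow-up delete of rule 9000 fails exactly as in the report. With `atomic_commit` the first commit fails the same way but leaves no drift, so the follow-up commit succeeds. Outside the toy, the equivalent safeguard is to validate every jump target before touching the chain (or build the full ruleset and load it in one `iptables-restore` transaction) and, operationally, to compare `show policy` or `iptables -S` against the committed config after any failed commit before attempting another.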