
VRF and bridge membership isn’t mutually exclusive
Not Applicable | Public | BUG

Description

It’s possible to commit a config where an interface is both a member of a VRF and a bridge, without getting an error message.

Any combination where adding VRF and bridge memberships is done in separate commits, and where the bridge commit is the last, will produce this bug.

I think this might be part of T2241, if not it should be.

To reproduce:
Add interface to VRF
Commit
Add interface to bridge
Commit

Cause:
Since the VRF/bridge exclusivity checking is done on the interface and not the bridge, no checking is done when adding the interface to the bridge, once it’s been added to the VRF in a previous commit.

This is probably true for bond membership as well.

Possible solutions:
Force all bridgeable interfaces to be checked on commit (if bridge interface has changed)
Put check for VRF on the bridge as well.
Move the config bridge membership to the interface (like VRF)

Details

Version
1.3
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

This comment was removed by c-po.

Can you share some config snippets with real set commands? Sounds like a problem with the bridge validator.

First create a vrf and bridge interface and add eth1 to the bridge:

[edit]
vyos@vyos# set vrf name vrf1 table 100
[edit]
vyos@vyos# set interfaces bridge br1 
[edit]
vyos@vyos# set interfaces bridge br1 member interface eth1
[edit]
vyos@vyos# commit

This commit succeeds.
Now try to add eth1 to vrf1:

vyos@vyos# set interfaces ethernet eth1 vrf vrf1 
[edit]
vyos@vyos# commit
[ interfaces ethernet eth1 ]
Interface "eth1" cannot be member of VRF "vrf1" and "br1" at the same time!

[[interfaces ethernet eth1]] failed
Commit failed

This commit fails. We're not allowed to have an interface in both a bridge and a vrf.
Remove eth1 from the bridge to fix commit failure:

[edit]
vyos@vyos# delete interfaces bridge br1 member
[edit]
vyos@vyos# commit

Commit succeeds.
Now add interface back into bridge:

[edit]
vyos@vyos# set interfaces bridge br1 member interface eth1
[edit]
vyos@vyos# commit

Commit succeeds as well, with the same config that produced a failure before! We now have our interface in both the bridge and the vrf.
I haven't checked it for bond interfaces, but I assume the same is true there.

erkin set Issue type to Bug (incorrect behavior). Aug 29 2021, 12:59 PM
erkin removed a subscriber: Global Notifications.
Viacheslav claimed this task.
Viacheslav subscribed.

Fixed VyOS 1.3-stable-202308240442

vyos@r1# show interfaces ethernet eth2
 description LAN
 hw-id 52:54:00:6c:c7:ac
 vrf foo
[edit]
vyos@r1# compare 
[edit interfaces bridge br11]
+member {
+    interface eth2 {
+    }
+}
[edit]
vyos@r1# 
[edit]
vyos@r1# commit
[ interfaces bridge br11 ]
Can not add interface "eth2" to bridge, it has a VRF assigned!

[[interfaces bridge br11]] failed
Commit failed
[edit]
vyos@r1#
Viacheslav changed the task status from Resolved to Not Applicable. Aug 29 2023, 7:52 AM
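
The following is an added example, not VyOS code and not part of the original task: a simplified Python model of the commit behaviour described under "Cause", replaying the four commits from the session above with and without a VRF check on the bridge node. All function names are hypothetical, and the model assumes that only nodes that differ from the running config are verified on commit.

```python
import copy

class CommitError(Exception):
    pass

def verify_ethernet(cfg, name):
    # Interface-side check: the only place the exclusivity rule lived.
    vrf = cfg["ethernet"][name].get("vrf")
    for br, members in cfg["bridge"].items():
        if vrf and name in members:
            raise CommitError(f'"{name}" cannot be member of VRF "{vrf}" and "{br}"')

def verify_bridge(cfg, name, check_vrf):
    # Bridge-side check: absent in the reported behaviour (check_vrf=False).
    for member in cfg["bridge"][name]:
        if check_vrf and cfg["ethernet"].get(member, {}).get("vrf"):
            raise CommitError(f'cannot add "{member}" to bridge, it has a VRF assigned')

def commit(running, working, check_vrf):
    # Model assumption: only nodes that differ from the running config are verified.
    for name, node in working["ethernet"].items():
        if running["ethernet"].get(name) != node:
            verify_ethernet(working, name)
    for name, node in working["bridge"].items():
        if running["bridge"].get(name) != node:
            verify_bridge(working, name, check_vrf)
    return copy.deepcopy(working)

def conflicts(cfg):
    # Audit helper: interfaces that ended up in both a VRF and a bridge.
    return sorted(m for members in cfg["bridge"].values() for m in members
                  if cfg["ethernet"].get(m, {}).get("vrf"))

def replay(check_vrf):
    running = {"ethernet": {"eth1": {}}, "bridge": {}}
    working = copy.deepcopy(running)
    steps = [  # constructed from the session in the thread
        lambda c: c["bridge"].update(br1=["eth1"]),          # add eth1 to br1
        lambda c: c["ethernet"]["eth1"].update(vrf="vrf1"),  # add eth1 to vrf1
        lambda c: c["bridge"].update(br1=[]),                # delete bridge member
        lambda c: c["bridge"].update(br1=["eth1"]),          # add eth1 back to br1
    ]
    results = []
    for step in steps:
        step(working)
        try:
            running = commit(running, working, check_vrf)
            results.append(True)
        except CommitError:
            results.append(False)  # working config keeps the uncommitted change
    return results, conflicts(running)
```

`replay(False)` reproduces the reported sequence and ends with eth1 in both the VRF and the bridge; `replay(True)` rejects the last commit, matching the fixed behaviour shown above.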