
Using 'set src' in a route-map invalidates it as part of a subsequent boot-up
Closed, Resolved · Public · BUG

Description

It appears firewall configuration migration checks are matching on route-maps where we attempt to set the preferred IPv6 source address.

Running VyOS 1.3-rolling-202009050118

Enter the following configuration statements to reproduce the problem:

set interfaces bridge br0 address '2001:db8::dead:beef/64'
set interfaces bridge br0 member interface eth0.15
set interfaces ethernet eth0 vif 15
set policy route-map bgp-in rule 10 action 'permit'
set policy route-map bgp-in rule 10 set src '2001:db8::dead:beef'

This works as expected, until reboot. During boot we observe the following error:

vyos-router[xxx]: Started watchfrr.
vyos-router[xxx]: Mounting VyOS Config...done.
vyos-router[xxx]: Starting VyOS router: migrate rl-system firewall configure failed!
vyos-router[xxx]: Configuration error

Running 'show configuration commands', after boot up, subsequently shows the 'bgp-in' route map entries having disappeared...

Details

Version
1.3-rolling-202009050118
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Reproduced the issue in the rolling release VyOS 1.3-rolling-202009300117: the route-map configuration is wiped out after the reboot, with the error mentioned in the problem description. This happens only when the bridge address is added for src, and not for other interface types.

Tested configuration:

set interfaces bridge br1 address '100.64.0.1/24'
set interfaces bridge br1 address '2001:db8::dead/64'
set interfaces bridge br1 member interface eth1.100
set interfaces ethernet eth1 vif 100
set policy route-map bgp-in rule 10 action 'permit'
set policy route-map bgp-in rule 10 set src '2001:db8::dead'

When this configuration is committed all at once, then the following error is received:

[edit]
vyos@vyos# commit
[ policy route-map bgp-in rule 10 set src 2001:db8::dead ]
% not a local address

[[policy route-map bgp-in]] failed
Commit failed
[edit]

The second commit works without any issue. This error is received for both IPv4 and IPv6 addresses.

Before reboot:

vyos@vyos:~$ vtysh

Hello, this is FRRouting (version 7.3.1-20200909-01-g92ff9d1b5).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

vyos# show route-map
ZEBRA:
route-map: bgp-in Invoked: 0
 permit, sequence 10 Invoked 0
  Match clauses:
  Set clauses:
    src 2001:db8::dead
  Call clause:
  Action:
    Exit routemap

After reboot:

vyos# show route-map
ZEBRA:
route-map: bgp-in Invoked: 0
 permit, sequence 10 Invoked 0
  Match clauses:
  Set clauses:
  Call clause:
  Action:
    Exit routemap

vyos@vyos:~$ sh conf comm | grep route-map
vyos@vyos:~$

This seemed to be an issue with the priority set for the node, i.e. how early it has to be executed in the commit process.

Current priority order:

image.png (182×316 px, 12 KB)

Changed the priority to 400; now the issue is not seen for an IPv4 address but is still seen for IPv6.

[edit interfaces]
+bridge br1 {
+    address 100.64.0.1/24
+    address 2001:db8::dead/64
+    member {
+        interface eth1.100 {
+        }
+    }
+}
[edit interfaces ethernet eth1]
+vif 100 {
+}
[edit policy]
+route-map bgp-in {
+    rule 10 {
+        action permit
+        set {
+            src 100.64.0.1
+        }
+    }
+}
[edit]
vyos@vyos# commit
[edit]

vyos@vyos# run sh conf comm | grep route-map
set policy route-map bgp-in rule 10 action 'permit'
set policy route-map bgp-in rule 10 set src '100.64.0.1'
[edit]
vyos@vyos# run sh date
Fri 02 Oct 2020 10:40:49 AM UTC


Oct  2 10:36:42 vyos systemd[1]: opt-vyatta-config-tmp-new_config_989.mount: Succeeded.
Oct  2 10:36:42 vyos vyos-router[620]: Starting VyOS router: migrate rl-system firewall configure.
Oct  2 10:36:42 vyos systemd[1]: Reloading.
Oct  2 10:36:43 vyos vyos-config[673]: Configuration success
Oct  2 10:36:44 vyos ntpd[1343]: Listen normally on 13 br1 100.64.0.1:123

There are 2 issues:

  1. Priority when the system boots. The bridge interface is created after the policy route-map.
  2. Commit adds the policy before the bridge is created.

Check policy

sudo /opt/vyatta/sbin/priority.pl | match "interface|policy"

The first issue can be fixed by changing the priority for the bridge:

sudo nano -c +3 /opt/vyatta/share/vyatta-cfg/templates/interfaces/bridge/node.def

And change the priority to 320.

Workaround for the second issue: add "sleep 3" before creating the route-map.

sudo nano -c +9 /opt/vyatta/share/vyatta-cfg/templates/policy/route-map/node.tag/rule/node.tag/set/src/node.def

And replace

update: vtysh -c "configure terminal" \

to

update: sleep 3 && vtysh -c "configure terminal" \

Check

vyos@r6-roll:~$ conf
[edit]
vyos@r6-roll# delete policy
[edit]
vyos@r6-roll# delete interfaces bridge br0
[edit]
vyos@r6-roll# commit
[edit]
vyos@r6-roll# set interfaces bridge br0 address '2001:db8::dead:beef/64'
[edit]
vyos@r6-roll# set interfaces bridge br0 member interface eth1
[edit]
vyos@r6-roll# set policy route-map bgp-in rule 10 action 'permit'
[edit]
vyos@r6-roll# set policy route-map bgp-in rule 10 set src '2001:db8::dead:beef'
[edit]
vyos@r6-roll# commit
[edit]
vyos@r6-roll#
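
A pre-reboot audit for the condition discussed in this task, as an added example (not VyOS code and not from any commenter): it parses `show configuration commands` output and reports, for each route-map `set src`, whether the address is configured on an interface and whether that interface is a bridge, the type the comments above report as affected. The function name, status labels and sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: commands from the report plus three added lines (eth2, bgp-out).
SAMPLE_CONFIG = """\
set interfaces bridge br0 address '2001:db8::dead:beef/64'
set interfaces bridge br0 member interface eth0.15
set interfaces ethernet eth0 vif 15
set interfaces ethernet eth2 address '192.0.2.1/24'
set policy route-map bgp-in rule 10 action 'permit'
set policy route-map bgp-in rule 10 set src '2001:db8::dead:beef'
set policy route-map bgp-out rule 20 set src '192.0.2.1'
set policy route-map bgp-out rule 30 set src '198.51.100.7'
"""

ADDR_RE = re.compile(r"^set interfaces (\S+) (\S+)(?: vif (\S+))? address '([^']+)'$")
SRC_RE = re.compile(r"^set policy route-map (\S+) rule (\d+) set src '([^']+)'$")

def audit_set_src(config_text):
    """Return (route_map, rule, src, status) for every 'set src' statement."""
    owners = {}  # parsed IP address -> (interface type, interface name)
    for line in config_text.splitlines():
        m = ADDR_RE.match(line.strip())
        if not m:
            continue
        if_type, name, vif, addr = m.groups()
        try:
            ip = ipaddress.ip_interface(addr).ip  # normalises IPv6 spelling
        except ValueError:  # keywords such as 'dhcp' carry no literal address
            continue
        owners[ip] = (if_type, f"{name}.{vif}" if vif else name)

    findings = []
    for line in config_text.splitlines():
        m = SRC_RE.match(line.strip())
        if not m:
            continue
        rmap, rule, src = m.groups()
        owner = owners.get(ipaddress.ip_address(src))
        if owner is None:  # the case behind "% not a local address"
            status = "no-local-address"
        else:
            status = "bridge-owned" if owner[0] == "bridge" else "ok"
        findings.append((rmap, int(rule), src, status))
    return findings

if __name__ == "__main__":
    for rmap, rule, src, status in audit_set_src(SAMPLE_CONFIG):
        print(f"{rmap} rule {rule} set src {src}: {status}")
```

Any rule reported as `bridge-owned` on an affected build is one to re-check with `show configuration commands` after the next reboot.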

Why is the policy route-map being applied before the interface bridge is created?

erkin set Issue type to Bug (incorrect behavior). Aug 29 2021, 12:54 PM
erkin removed a subscriber: Global Notifications.