This error happens from time to time, but not always.
It is part of the CI test procedure and can also be retriggered on a local build:
Calling commit a second time makes this go away
c-po | Apr 3 2021, 5:43 PM
F1304635: image.png
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | sarthurdev | T2199 Rewrite firewall in new XML/Python style
Resolved | BUG | c-po | T3456 firewall: rules that should be deleted seem to be still in use
It is a priority for configurations
When the system loads, the firewall should have its configuration first, and after that the configuration is applied to the interface.
So I think we can't delete it in one commit; it tried to delete the firewall before detaching it from the interface.
vyos@r4-roll:~$ /opt/vyatta/sbin/priority.pl | match "firewall|/ethernet"
199 firewall
200 firewall/group/address-group
200 firewall/group/ipv6-address-group
200 firewall/group/ipv6-network-group
200 firewall/group/network-group
200 firewall/group/port-group
200 firewall/state-policy
210 firewall/ipv6-name
210 firewall/name
250 zone-policy # after firewall, content-inspection
318 interfaces/ethernet
So we need to commit two times:
vyos@vyos# delete firewall
[edit]
vyos@vyos# delete interfaces ethernet eth0 vif 15 firewall
[edit]
vyos@vyos# commit
[ firewall ipv6-name WAN-TO-VLAN15-6 ]
Firewall configuration error: Cannot delete rule set "WAN-TO-VLAN15-6" (still in use)
delete [ firewall ipv6-name WAN-TO-VLAN15-6 ] failed

[ firewall name WAN-TO-VLAN15-4 ]
Firewall configuration error: Cannot delete rule set "WAN-TO-VLAN15-4" (still in use)
delete [ firewall name WAN-TO-VLAN15-4 ] failed

delete [ firewall ] failed
Commit failed
[edit]
vyos@vyos# commit
[edit]
vyos@vyos#
What can we do with this?
Usually on delete, the firewall should be detached from the interface first as the logic should go from the highest priority to the lowest one.
But only an "echo" from within the node.def files could confirm this. Do you have a way to reproduce it with simple "set" commands?
To reproduce it, add a firewall and attach it to an interface:
set firewall name FOO rule 10 action 'accept'
set interfaces ethernet eth0 firewall local name 'FOO'
commit
Then delete the firewall itself and the firewall from the interface:
vyos@r4-roll# delete firewall
[edit]
vyos@r4-roll# delete interfaces ethernet eth0 firewall
[edit]
vyos@r4-roll# commit
[ firewall name FOO ]
Firewall configuration error: Cannot delete rule set "FOO" (still in use)
delete [ firewall name FOO ] failed

delete [ firewall ] failed
Commit failed
[edit]
vyos@r4-roll#
From here https://github.com/vyos/vyatta-cfg-firewall/blob/849d40f57eab839745c3828ae3ecbcabdae38929/scripts/firewall/vyatta-firewall.pl#L566-L569
And reference https://github.com/vyos/vyatta-cfg-firewall/blob/849d40f57eab839745c3828ae3ecbcabdae38929/lib/Vyatta/IpTables/Mgr.pm#L326-L339
The same happens with "policy" (/usr/libexec/vyos/tests/config/dialup-router-medium-vpn):
set interfaces ethernet eth1 policy route 'LAN-POLICY-BASED-ROUTING'
set policy route LAN-POLICY-BASED-ROUTING rule 10 destination
set policy route LAN-POLICY-BASED-ROUTING rule 10 disable
set policy route LAN-POLICY-BASED-ROUTING rule 10 set table '10'
set policy route LAN-POLICY-BASED-ROUTING rule 10 source address '192.168.0.119/32'
set policy route LAN-POLICY-BASED-ROUTING rule 20 destination
set policy route LAN-POLICY-BASED-ROUTING rule 20 set table '100'
set policy route LAN-POLICY-BASED-ROUTING rule 20 source address '192.168.0.240'
Delete:
vyos@vyos# delete policy
[edit]
vyos@vyos# delete interfaces ethernet eth1 policy
[edit]
vyos@vyos# commit
[ policy route LAN-POLICY-BASED-ROUTING ]
Firewall configuration error: Cannot delete rule set "LAN-POLICY-BASED-ROUTING" (still in use)
delete [ policy route LAN-POLICY-BASED-ROUTING ] failed

[[]] failed
Commit failed
copy failed [/opt/vyatta/config/tmp/tmp_7724/work/.unionfs-fuse][/opt/vyatta/config/tmp/new_config_7724/.unionfs-fuse]
Failed to generate committed config
[edit]
vyos@vyos#
This bug also persists in VyOS 1.2.7.
Assigning the "interface policy" part a priority higher than the base interface (ethernet, for instance), it is called properly.
Adding priority: 320 to /opt/vyatta/share/vyatta-cfg/templates/interfaces/ethernet/node.tag/policy/route/node.def:
set interfaces ethernet eth1 policy route 'LAN-POLICY-BASED-ROUTING'
set policy route LAN-POLICY-BASED-ROUTING rule 10 destination
set policy route LAN-POLICY-BASED-ROUTING rule 10 disable
set policy route LAN-POLICY-BASED-ROUTING rule 10 set table '10'
set policy route LAN-POLICY-BASED-ROUTING rule 10 source address '192.168.0.119/32'
set policy route LAN-POLICY-BASED-ROUTING rule 20 destination
set policy route LAN-POLICY-BASED-ROUTING rule 20 set table '100'
set policy route LAN-POLICY-BASED-ROUTING rule 20 source address '192.168.0.240'
commit
delete policy
delete interfaces ethernet eth1 policy
commit
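The ordering problem discussed in the priority comment and the priority-320 fix above, as an added toy model (not VyOS or vyatta-cfg code). It assumes deletions run from the highest priority to the lowest and that a sub-node without its own priority entry is scheduled last; the first assumption is what the thread expects, the second is chosen only because it reproduces the failing order shown in the commit output.

```python
"""Toy model of a priority-ordered commit with the 'still in use' check
(added example, not VyOS or vyatta-cfg code)."""

class CommitError(Exception):
    pass

# Priorities from the priority.pl output quoted in the thread. A sub-node with
# no entry of its own is scheduled last in this model (assumption: it matches
# the order seen in the failing commit; the real scheduler is not modelled).
PRIORITY = {"firewall/name": 210, "interfaces/ethernet": 318}
# The fix from the last comment (priority 320 for the interface-side node),
# applied here to the firewall sub-node.
PRIORITY_FIXED = {**PRIORITY, "interfaces/ethernet/firewall": 320}

class Config:
    def __init__(self):
        self.rule_sets = {"FOO"}         # set firewall name FOO rule 10 ...
        self.attached = {"eth0": "FOO"}  # set interfaces ethernet eth0 firewall local name FOO

    def delete_rule_set(self, name):
        # The check behind 'Cannot delete rule set "X" (still in use)'
        if name in self.attached.values():
            raise CommitError(f'Cannot delete rule set "{name}" (still in use)')
        self.rule_sets.discard(name)

    def detach(self, iface):
        self.attached.pop(iface, None)

def commit(cfg, deletes, table):
    """Apply deletions from the highest priority to the lowest, as the thread
    expects. Returns (paths in the order applied, deletes that failed)."""
    order = sorted(deletes, key=lambda d: table.get(d[0], -1), reverse=True)
    failed = []
    for path, action in order:
        try:
            action(cfg)
        except CommitError:
            failed.append((path, action))  # the 'delete [...] failed' lines
    return [p for p, _ in order], failed

def scenario(table):
    """Delete rule set and attachment in one commit, then retry what failed."""
    cfg = Config()
    deletes = [("firewall/name", lambda c: c.delete_rule_set("FOO")),
               ("interfaces/ethernet/firewall", lambda c: c.detach("eth0"))]
    first, failed = commit(cfg, deletes, table)
    second, still = commit(cfg, failed, table) if failed else ([], [])
    return first, [p for p, _ in failed], second, still
```

With PRIORITY the first commit tries the rule-set delete before the detach and fails, and the retry succeeds (the "commit twice" workaround); with PRIORITY_FIXED the detach is scheduled first and a single commit is clean.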