Page MenuHomeVyOS Platform

PBR: `set table main` fails in `firewall.py` with newer rolling releases
Closed, ResolvedPublicBUG

Description

In the latest rolling releases, setting table main fails with an error in firewall.py:

set policy route PBR rule 1 destination address 1.1.1.1 #you could omit that but for completeness' sake
set policy route PBR rule 1 set table main

When committing this, I get the following error:

[ policy route PBR ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Contact us using the online help desk if you have a subscription:
  https://support.vyos.io/
- Make sure you are running the latest version of VyOS available at:
  https://vyos.net/get/
- Consult the community forum to see how to handle this issue:
  https://forum.vyos.io
- Join us on Slack where our users exchange help and advice:
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your 
  business policy requires it)
- and include all the information presented below

Report time:      2022-01-09 19:14:09
Image version:    VyOS 1.4-rolling-202201090317
Release train:    sagitta

Built by:         [email protected]
Built on:         Sun 09 Jan 2022 03:17 UTC
Build UUID:       4f3a0bcc-1f6c-4979-a4e5-8f187b3fb7eb
Build commit ID:  301d432afab62f

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Badass Firewall
Hardware S/N:     42
Hardware UUID:    Unknown

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/policy-route.py", line 150, in <module>
    generate(c)
  File "/usr/libexec/vyos/conf_mode/policy-route.py", line 97, in generate
    render(nftables_conf, 'firewall/nftables-policy.tmpl', policy)
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 118, in render
    rendered = render_to_string(template, content, formater, location)
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 87, in render_to_string
    rendered = template.render(content)
  File "/usr/lib/python3/dist-packages/jinja2/environment.py", line 1090, in render
    self.environment.handle_exception()
  File "/usr/lib/python3/dist-packages/jinja2/environment.py", line 832, in handle_exception
    reraise(*rewrite_traceback_stack(source=source))
  File "/usr/lib/python3/dist-packages/jinja2/_compat.py", line 28, in reraise
    raise value.with_traceback(tb)
  File "/usr/share/vyos/templates/firewall/nftables-policy.tmpl", line 17, in top-level template code
    {{ rule_conf | nft_rule(route_text, rule_id, 'ip') }}
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 517, in nft_rule
    return parse_rule(rule_conf, fw_name, rule_id, ip_name)
  File "/usr/lib/python3/dist-packages/vyos/firewall.py", line 157, in parse_rule
    output.append(parse_policy_set(rule_conf['set'], def_suffix))
  File "/usr/lib/python3/dist-packages/vyos/firewall.py", line 212, in parse_policy_set
    mark = 0x7FFFFFFF - int(set_conf['table'])
ValueError: invalid literal for int() with base 10: 'main'



[[policy route PBR]] failed
Commit failed

I can reproduce this both on a fresh (live) install and an upgraded box I had running with quite a few PBR rules for a while. I didn't test out many rolling releases, but could reproduce it at least on the two following:

  • 1.4-rolling-202201090317; and
  • 1.4-rolling-202201010920

As far as I understand the code in python/vyos/firewall.py, line 212 should probably read table directly instead of set_conf['table']:

if 'table' in set_conf:
    table = set_conf['table']
    if table == 'main':
        table = '254'
    mark = 0x7FFFFFFF - int(table)

instead of the current one:

if 'table' in set_conf:
    table = set_conf['table']
    if table == 'main':
        table = '254'
    mark = 0x7FFFFFFF - int(set_conf['table'])

Otherwise the assignment above doesn't make sense.

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202201090317
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)