
PBR: `set table main` fails in `firewall.py` with newer rolling releases
Closed, Resolved · Public · Bug

Description

In the latest rolling releases, setting table main fails with an error in firewall.py:

set policy route PBR rule 1 destination address 1.1.1.1 # you could omit this, but for completeness' sake
set policy route PBR rule 1 set table main

When committing this, I get the following error:

[ policy route PBR ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Contact us using the online help desk if you have a subscription:
  https://support.vyos.io/
- Make sure you are running the latest version of VyOS available at:
  https://vyos.net/get/
- Consult the community forum to see how to handle this issue:
  https://forum.vyos.io
- Join us on Slack where our users exchange help and advice:
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your 
  business policy requires it)
- and include all the information presented below

Report time:      2022-01-09 19:14:09
Image version:    VyOS 1.4-rolling-202201090317
Release train:    sagitta

Built by:         autobuild@vyos.net
Built on:         Sun 09 Jan 2022 03:17 UTC
Build UUID:       4f3a0bcc-1f6c-4979-a4e5-8f187b3fb7eb
Build commit ID:  301d432afab62f

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Badass Firewall
Hardware S/N:     42
Hardware UUID:    Unknown

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/policy-route.py", line 150, in <module>
    generate(c)
  File "/usr/libexec/vyos/conf_mode/policy-route.py", line 97, in generate
    render(nftables_conf, 'firewall/nftables-policy.tmpl', policy)
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 118, in render
    rendered = render_to_string(template, content, formater, location)
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 87, in render_to_string
    rendered = template.render(content)
  File "/usr/lib/python3/dist-packages/jinja2/environment.py", line 1090, in render
    self.environment.handle_exception()
  File "/usr/lib/python3/dist-packages/jinja2/environment.py", line 832, in handle_exception
    reraise(*rewrite_traceback_stack(source=source))
  File "/usr/lib/python3/dist-packages/jinja2/_compat.py", line 28, in reraise
    raise value.with_traceback(tb)
  File "/usr/share/vyos/templates/firewall/nftables-policy.tmpl", line 17, in top-level template code
    {{ rule_conf | nft_rule(route_text, rule_id, 'ip') }}
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 517, in nft_rule
    return parse_rule(rule_conf, fw_name, rule_id, ip_name)
  File "/usr/lib/python3/dist-packages/vyos/firewall.py", line 157, in parse_rule
    output.append(parse_policy_set(rule_conf['set'], def_suffix))
  File "/usr/lib/python3/dist-packages/vyos/firewall.py", line 212, in parse_policy_set
    mark = 0x7FFFFFFF - int(set_conf['table'])
ValueError: invalid literal for int() with base 10: 'main'

[[policy route PBR]] failed
Commit failed

I can reproduce this both on a fresh (live) install and on an upgraded box I had running with quite a few PBR rules for a while. I didn't test many rolling releases, but could reproduce it at least on the following two:

  • 1.4-rolling-202201090317; and
  • 1.4-rolling-202201010920

As far as I understand the code in python/vyos/firewall.py, line 212 should probably read table directly instead of set_conf['table']:

if 'table' in set_conf:
    table = set_conf['table']
    if table == 'main':
        table = '254'
    mark = 0x7FFFFFFF - int(table)

instead of the current one:

if 'table' in set_conf:
    table = set_conf['table']
    if table == 'main':
        table = '254'
    mark = 0x7FFFFFFF - int(set_conf['table'])

Otherwise the assignment above doesn't make sense.
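
As an added example (not VyOS's own code), the mark calculation from parse_policy_set() in both the form the traceback shows and the form proposed above, plus a small pre-commit walk over constructed PBR rules. The 0x7FFFFFFF base and the 'main' to 254 substitution come from the report; the range check, commits() and check_rules() are additions made here for illustration.

```python
MARK_BASE = 0x7FFFFFFF   # constant used at firewall.py line 212 in the traceback
RT_TABLE_MAIN = 254      # kernel/iproute2 id that VyOS substitutes for 'main'


def table_id(set_conf):
    """Translate the 'set table' value into a numeric routing table id.
    Anything but 'main' or a positive integer raises ValueError (range check
    is an addition here, not part of the report)."""
    table = set_conf['table']
    if table == 'main':
        table = str(RT_TABLE_MAIN)
    table_num = int(table)
    if not 0 < table_num <= MARK_BASE:      # keep the resulting mark non-negative
        raise ValueError(f'routing table id out of range: {table}')
    return table_num


def mark_buggy(set_conf):
    """The behaviour in the traceback: 'main' is translated, but the
    untranslated string is what gets passed to int()."""
    table = set_conf['table']
    if table == 'main':
        table = str(RT_TABLE_MAIN)
    return MARK_BASE - int(set_conf['table'])   # 'main' -> ValueError


def mark_fixed(set_conf):
    """The fix proposed in the report: subtract the translated id."""
    return MARK_BASE - table_id(set_conf)


def commits(mark_fn, set_conf):
    """True if mark_fn accepts this 'set' block, False if it would abort the commit."""
    try:
        mark_fn(set_conf)
        return True
    except ValueError:
        return False


def check_rules(rules):
    """Pre-commit walk over PBR rules (constructed input): per rule id, the mark
    the fixed code emits (as hex) and whether the buggy code would accept it."""
    report = {}
    for rule_id, rule_conf in rules.items():
        set_conf = rule_conf.get('set', {})
        if 'table' not in set_conf:
            report[rule_id] = None          # rule does not set a table
            continue
        report[rule_id] = (hex(mark_fixed(set_conf)), commits(mark_buggy, set_conf))
    return report
```

Running check_rules() over {'1': {'set': {'table': 'main'}}, '2': {'set': {'table': '10'}}} shows rule 1 rejected by the buggy code and accepted by the fixed one, while a numeric table behaves the same under both.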

Details

Version
1.4-rolling-202201090317
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

johannrichard created this object in space S1 VyOS Public.
johannrichard updated the task description.
Viacheslav changed the subtype of this task from "Task" to "Bug". Jan 9 2022, 7:40 PM
sarthurdev changed the task status from Open to Needs testing. Jan 10 2022, 6:40 PM
sarthurdev claimed this task.

Thanks for catching that!

PR: https://github.com/vyos/vyos-1x/pull/1151

See the comment in T4164: it is working now.