In the latest rolling releases, setting table main fails with an error in firewall.py:
```
set policy route PBR rule 1 destination address 1.1.1.1 #you could omit that but for completeness' sake
set policy route PBR rule 1 set table main
```
When committing this, I get the following error:
```
[ policy route PBR ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Contact us using the online help desk if you have a subscription:
  https://support.vyos.io/
- Make sure you are running the latest version of VyOS available at:
  https://vyos.net/get/
- Consult the community forum to see how to handle this issue:
  https://forum.vyos.io
- Join us on Slack where our users exchange help and advice:
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
  business policy requires it)
- and include all the information presented below

Report time:      2022-01-09 19:14:09
Image version:    VyOS 1.4-rolling-202201090317
Release train:    sagitta

Built by:         [email protected]
Built on:         Sun 09 Jan 2022 03:17 UTC
Build UUID:       4f3a0bcc-1f6c-4979-a4e5-8f187b3fb7eb
Build commit ID:  301d432afab62f

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Badass Firewall
Hardware S/N:     42
Hardware UUID:    Unknown

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/policy-route.py", line 150, in <module>
    generate(c)
  File "/usr/libexec/vyos/conf_mode/policy-route.py", line 97, in generate
    render(nftables_conf, 'firewall/nftables-policy.tmpl', policy)
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 118, in render
    rendered = render_to_string(template, content, formater, location)
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 87, in render_to_string
    rendered = template.render(content)
  File "/usr/lib/python3/dist-packages/jinja2/environment.py", line 1090, in render
    self.environment.handle_exception()
  File "/usr/lib/python3/dist-packages/jinja2/environment.py", line 832, in handle_exception
    reraise(*rewrite_traceback_stack(source=source))
  File "/usr/lib/python3/dist-packages/jinja2/_compat.py", line 28, in reraise
    raise value.with_traceback(tb)
  File "/usr/share/vyos/templates/firewall/nftables-policy.tmpl", line 17, in top-level template code
    {{ rule_conf | nft_rule(route_text, rule_id, 'ip') }}
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 517, in nft_rule
    return parse_rule(rule_conf, fw_name, rule_id, ip_name)
  File "/usr/lib/python3/dist-packages/vyos/firewall.py", line 157, in parse_rule
    output.append(parse_policy_set(rule_conf['set'], def_suffix))
  File "/usr/lib/python3/dist-packages/vyos/firewall.py", line 212, in parse_policy_set
    mark = 0x7FFFFFFF - int(set_conf['table'])
ValueError: invalid literal for int() with base 10: 'main'

[[policy route PBR]] failed
Commit failed
```
I can reproduce this both on a fresh (live) install and an upgraded box I had running with quite a few PBR rules for a while. I didn't test out many rolling releases, but could reproduce it at least on the two following:
- 1.4-rolling-202201090317; and
- 1.4-rolling-202201010920
As far as I understand the code in python/vyos/firewall.py, line 212 should probably read table directly instead of set_conf['table']:
```python
if 'table' in set_conf:
    table = set_conf['table']
    if table == 'main':
        table = '254'
    mark = 0x7FFFFFFF - int(table)
```
instead of the current one:
```python
if 'table' in set_conf:
    table = set_conf['table']
    if table == 'main':
        table = '254'
    mark = 0x7FFFFFFF - int(set_conf['table'])
```
Otherwise the assignment above doesn't make sense.
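
The two snippets above, wrapped as a standalone reproduction so the difference can be checked without a VyOS box. This is an added example, not code from the report or from VyOS; the names `mark_current`, `mark_proposed`, `compare` and `SAMPLE_SET_CONFS` are hypothetical, and the sample inputs are constructed.

```python
# Added illustration: isolates the mark computation quoted in the report.
# Function names and sample data are hypothetical, not part of VyOS.

MARK_BASE = 0x7FFFFFFF  # constant taken from the traceback line in the report


def mark_current(set_conf):
    """Behaves like the snippet quoted as current: the alias is resolved
    into `table`, but the raw config value is what gets converted."""
    if 'table' in set_conf:
        table = set_conf['table']
        if table == 'main':
            table = '254'
        return MARK_BASE - int(set_conf['table'])  # ValueError for 'main'
    return None


def mark_proposed(set_conf):
    """Behaves like the proposed snippet: the resolved value is converted."""
    if 'table' in set_conf:
        table = set_conf['table']
        if table == 'main':
            table = '254'
        return MARK_BASE - int(table)
    return None


# Constructed inputs: a numeric table, the 'main' alias, and no table at all.
SAMPLE_SET_CONFS = [{'table': '100'}, {'table': 'main'}, {}]


def compare(set_confs=SAMPLE_SET_CONFS):
    """Run both variants on each input; record the mark or the exception name."""
    rows = []
    for conf in set_confs:
        row = {'input': conf}
        for label, fn in (('current', mark_current), ('proposed', mark_proposed)):
            try:
                row[label] = fn(conf)
            except ValueError as exc:
                row[label] = type(exc).__name__
        rows.append(row)
    return rows


if __name__ == '__main__':
    for row in compare():
        print(row)
```
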