iptables error with policy routing
Open, NormalPublicBUG
Actions

Assigned To

Authored By

	lbv2rus
	Nov 6 2017, 10:20 PM

Description

Error:

iptables v1.4.20: Couldn't load target `VYATTA_PBR_2':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
Use of uninitialized value $rule_strs[1] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[2] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[3] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[4] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[5] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
iptables error: No such file or directory - -m comment --comment "VPNROUTING-12"   -p all   -m set  --match-set GROUP1 src   --destination 0.0.0.0/0  -j VYATTA_PBR_2       at /opt/vyatta/sbin/vyatta-firewall.pl line 642.

Configuration and steps to reproduce
1 - LAN, 1 - WAN, 2 - OpenVPN Interfaces
2 static interface routes in table 1 and 2 (for each VPN Interface)

table 1 {
    interface-route 0.0.0.0/0 {
        next-hop-interface vtun0 {
        }
    }
}
table 2 {
    interface-route 0.0.0.0/0 {
        next-hop-interface vtun1 {
        }
    }

Route Policy for LAN Interface like this

route VPNROUTING {
    rule 1 {
        destination {
            group {
                address-group Real_IP
            }
        }
        protocol all
        set {
            table main
        }
    }
    rule 11 {
        destination {
            address 0.0.0.0/0
        }
        protocol all
        set {
            table 1
        }
        source {
            group {
                address-group AGROUP1
            }
        }
    }
    rule 12 {
        destination {
            address 0.0.0.0/0
        }
        protocol all
        set {
            table 2
        }
        source {
            group {
                address-group AGROUP2
            }
        }
    }
}

When changing routing table number in rule 11 or 12, become error.

The second error:
On policy delete command:

iptables: Index of deletion too big.
iptables error: No such file or directory - 12 at /opt/vyatta/sbin/vyatta-firewall.pl line 634.

Details

Difficulty level: Hard (possibly days)
Version: 1.1.8-rc2
Why the issue appeared?: Design mistake
Is it a breaking change?: Unspecified (possibly destroys the router)

Event Timeline

lbv2rus created this task.Nov 6 2017, 10:20 PM

I could reproduce the bug. This doesn't appear to be an easy fix though.

The actual reproducing steps for the reference:

Create a PBR rule, commit
Create a new routing table, or pick an existing table that is not yet used in any rule
Change the table in the rule to the table from the point #2

The root cause is that the chain associated with routing table in the iptables mangle table that is used by PBR rules is only created at the rule creation time, and if you try to reference a routing table that is not used by any rule already, it cannot load because the mangle table chain doesn't get created.

The best fix for this would be to finally switch to using iptables-restore instead of inserting rules one by one.

There's a simple workaround though: delete the rule and re-create it with the new table. To make it easier, copy the commands from 'run show configuration commands'.

pasik added a subscriber: pasik.Nov 22 2017, 7:47 PM

syncer assigned this task to dmbaturin.Sep 25 2018, 2:30 PM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux.Oct 13 2018, 10:09 AM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc5); removed VyOS 1.2 Crux (VyOS 1.2.0-rc4).Oct 24 2018, 4:40 PM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc6); removed VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 29 2018, 6:16 PM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc7); removed VyOS 1.2 Crux (VyOS 1.2.0-rc6).Nov 6 2018, 12:57 AM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc8); removed VyOS 1.2 Crux (VyOS 1.2.0-rc7).Nov 13 2018, 3:48 AM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc9); removed VyOS 1.2 Crux (VyOS 1.2.0-rc8).Nov 20 2018, 12:44 PM

Since the fix is far from trivial, a workaround exists, and the entire PBR subsystem is due for a rewrite in the next release, I'm moving this to 1.3.x.

anthr76 added a subscriber: anthr76.Jun 5 2021, 1:27 PM

dmbaturin added a project: test.Jul 29 2021, 12:59 PM

dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:25 AM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).Aug 29 2022, 7:06 AM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:45 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:31 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.6); removed VyOS 1.3 Equuleus (1.3.5).Dec 17 2023, 11:38 PM

Harliff added a subscriber: Harliff.Feb 2 2024, 8:19 AM

One of my router heavily affected by this issue, so if you will wrote a fix - you may ask me to test the fix.

What version? Can you upgrade to 1.4?

syncer edited projects, added VyOS 1.3 Equuleus (1.3.7); removed VyOS 1.3 Equuleus (1.3.6).Feb 10 2024, 9:18 AM