source|destination domain-group matcher is available in route policy, but it's not working.
Steps to reproduce the error on a fresh install:
vyos@vyos# set firewall group domain-group dg01 address example.com
[edit]
vyos@vyos# set policy route FOO rule 10 destination group domain-group dg01
[edit]
vyos@vyos# set policy route FOO rule 10 action drop
[edit]
vyos@vyos# commit
[ policy route FOO ]
Failed to apply policy based routing
[[policy route FOO]] failed
Commit failed
[edit]
vyos@vyos# compare
[edit policy]
+route FOO {
+ rule 10 {
+ action drop
+ destination {
+ group {
+ domain-group dg01
+ }
+ }
+ }
+}
[edit]
Additional info: the domain-group usage is written into the rule, but the named set is not defined in the mangle table (it is only written into the vyos_filter table):
vyos@vyos# cat /run/nftables_policy.conf
#!/usr/sbin/nft -f
table ip mangle {
chain VYOS_PBR_FOO {
ip daddr @D_dg01 counter drop comment "FOO-10"
}
}
vyos@vyos# sudo nft list table ip vyos_filter
table ip vyos_filter {
set D_dg01 {
type ipv4_addr
flags interval
}
...
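The two listings above show the mismatch behind the commit failure: nftables named sets are scoped to the table that declares them, so a rule in `table ip mangle` cannot reference `@D_dg01` when the set only exists in `table ip vyos_filter`. The following checker is an added example written for this report, not VyOS code; it parses nft rulesets in the text form shown above, tracks which table each line belongs to, and reports every `@set` reference that has no `set` declaration in the same table. The sample inputs are constructed to match the listings, and the "fixed" variant (declaring `D_dg01` in the mangle table too) is an assumed remedy used to show the check going green, not a description of how VyOS resolved the issue.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the report: /run/nftables_policy.conf
# references @D_dg01 from table ip mangle ...
NFT_POLICY_CONF = """\
#!/usr/sbin/nft -f
table ip mangle {
    chain VYOS_PBR_FOO {
        ip daddr @D_dg01 counter drop comment "FOO-10"
    }
}
"""

# ... while the set is only declared in table ip vyos_filter.
NFT_FILTER_LISTING = """\
table ip vyos_filter {
    set D_dg01 {
        type ipv4_addr
        flags interval
    }
}
"""

# Assumed fix for illustration only: declare the set in the mangle table as well.
NFT_POLICY_CONF_FIXED = NFT_POLICY_CONF.replace(
    "table ip mangle {\n",
    "table ip mangle {\n"
    "    set D_dg01 {\n"
    "        type ipv4_addr\n"
    "        flags interval\n"
    "    }\n",
)

TABLE_RE = re.compile(r"^\s*table\s+(\S+)\s+(\S+)\s*\{")
SET_DEF_RE = re.compile(r"^\s*(?:set|map)\s+(\S+)\s*\{")
SET_REF_RE = re.compile(r"@([A-Za-z0-9_]+)")


def parse_nft(text):
    """Map (family, table) -> {'defined': names, 'referenced': names}.

    Brace depth is tracked so every line is attributed to the table that
    encloses it: set/map declarations sit at depth 1, rules at depth >= 2.
    """
    tables = defaultdict(lambda: {"defined": set(), "referenced": set()})
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.lstrip().startswith("#"):  # comments and the nft shebang
            continue
        m = TABLE_RE.match(line)
        if m and depth == 0:
            current = (m.group(1), m.group(2))
            tables[current]  # register the table even if it stays empty
        if current is not None:
            d = SET_DEF_RE.match(line)
            if d and depth == 1:
                tables[current]["defined"].add(d.group(1))
            elif depth >= 2:
                tables[current]["referenced"].update(SET_REF_RE.findall(line))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return dict(tables)


def dangling_set_refs(*texts):
    """Return sorted (family, table, set) triples referenced but not
    declared in the same table. Several listings are merged so a set living
    in a different table is still reported as dangling for this table."""
    merged = defaultdict(lambda: {"defined": set(), "referenced": set()})
    for text in texts:
        for key, info in parse_nft(text).items():
            merged[key]["defined"] |= info["defined"]
            merged[key]["referenced"] |= info["referenced"]
    return sorted(
        (family, table, name)
        for (family, table), info in merged.items()
        for name in info["referenced"] - info["defined"]
    )


if __name__ == "__main__":
    print("broken :", dangling_set_refs(NFT_POLICY_CONF, NFT_FILTER_LISTING))
    print("fixed  :", dangling_set_refs(NFT_POLICY_CONF_FIXED, NFT_FILTER_LISTING))
```

On a live box the same check can be run against `sudo nft list ruleset` output instead of the constructed strings; any triple it prints is a rule that `nft -f` will reject for the same reason the commit above failed.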