
domain-group on policy route not working
Status: Closed, Resolved | Visibility: Public | Type: BUG

Description

The source|destination domain-group matcher is available in route policy, but it's not working.
Steps to reproduce the error on a fresh install:

vyos@vyos# set firewall group domain-group dg01 address example.com
[edit]
vyos@vyos# set policy route FOO rule 10 destination group domain-group dg01
[edit]
vyos@vyos# set policy route FOO rule 10 action drop
[edit]
vyos@vyos# commit
[ policy route FOO ]
Failed to apply policy based routing

[[policy route FOO]] failed
Commit failed
[edit]
vyos@vyos# compare
[edit policy]
+route FOO {
+    rule 10 {
+        action drop
+        destination {
+            group {
+                domain-group dg01
+            }
+        }
+    }
+}
[edit]

Additional info: the domain-group usage is written into the rule, but the named_set is not defined in the mangle table (it's only written in the vyos_filter table):

vyos@vyos# cat /run/nftables_policy.conf
#!/usr/sbin/nft -f



table ip mangle {
    chain VYOS_PBR_FOO {
        ip daddr  @D_dg01 counter drop comment "FOO-10"
    }


}


vyos@vyos# sudo nft list table ip vyos_filter
table ip vyos_filter {
        set D_dg01 {
                type ipv4_addr 
                flags interval 
        }
...
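nftables sets are scoped to the table that defines them, so the `@D_dg01` reference in `table ip mangle` cannot resolve to a set that only exists in `table ip vyos_filter`. The following added check (not part of the report or of VyOS) parses rulesets in the text form shown above and reports every `@set` reference whose definition is missing from the same table; the two rulesets are constructed samples trimmed from the output quoted in the report.

```python
import re

# Constructed samples modelled on the report's /run/nftables_policy.conf
# and `nft list table ip vyos_filter` output (trimmed, not the real files).
NFT_POLICY = """
table ip mangle {
    chain VYOS_PBR_FOO {
        ip daddr @D_dg01 counter drop comment "FOO-10"
    }
}
"""

NFT_FILTER = """
table ip vyos_filter {
    set D_dg01 {
        type ipv4_addr
        flags interval
    }
}
"""

TABLE_RE = re.compile(r'^\s*table\s+(\S+)\s+(\S+)\s*\{')
SET_DEF_RE = re.compile(r'^\s*set\s+(\S+)\s*\{')
SET_REF_RE = re.compile(r'@([A-Za-z0-9_]+)')


def scan(text, defined, referenced):
    """Walk one ruleset, tracking the current table by brace depth, and
    record set definitions and @set references keyed by (family, table)."""
    table, depth = None, 0
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m and depth == 0:
            table = (m.group(1), m.group(2))
            defined.setdefault(table, set())
            referenced.setdefault(table, set())
        elif table is not None:
            m = SET_DEF_RE.match(line)
            if m and depth == 1:          # set declared directly in the table
                defined[table].add(m.group(1))
            else:                         # rule line: collect @set references
                referenced[table].update(SET_REF_RE.findall(line))
        depth += line.count('{') - line.count('}')
        if depth == 0:
            table = None


def undefined_set_refs(*rulesets):
    """Return {(family, table): [missing set names]} for every @set that a
    table references without defining; definitions in other tables do not count."""
    defined, referenced = {}, {}
    for text in rulesets:
        scan(text, defined, referenced)
    return {t: sorted(refs - defined.get(t, set()))
            for t, refs in referenced.items() if refs - defined.get(t, set())}


if __name__ == "__main__":
    for (family, table), names in undefined_set_refs(NFT_POLICY, NFT_FILTER).items():
        print(f"table {family} {table}: undefined set(s) {', '.join(names)}")
```

Against the report's output this prints that `table ip mangle` references the undefined set `D_dg01`; once the set is declared inside the mangle table as well, the check reports nothing.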

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.4-rolling-202210160218
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

sarthurdev changed the task status from Open to In progress. Nov 1 2022, 9:19 AM
sarthurdev claimed this task.
sarthurdev moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.
sarthurdev moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.