Hi team,
Based on a customer case, we've found an issue regarding PBR with VRRP using rfc3768-compatibility: the rules created by the FW cannot be applied over the virtual interface created for VRRP. Basic example:
```
set high-availability vrrp group VLAN20 advertise-interval '1'
set high-availability vrrp group VLAN20 hello-source-address '10.20.20.3'
set high-availability vrrp group VLAN20 interface 'bond0.20'
set high-availability vrrp group VLAN20 no-preempt
set high-availability vrrp group VLAN20 peer-address '10.20.20.2'
set high-availability vrrp group VLAN20 priority '150'
set high-availability vrrp group VLAN20 rfc3768-compatibility
set high-availability vrrp group VLAN20 virtual-address 10.20.20.1/24
set high-availability vrrp group VLAN20 vrid '1'
set policy route bond0-20 rule 10 action 'drop'
set policy route bond0-20 rule 10 destination address '8.8.8.8'
set policy route bond0-20 rule 10 source address '10.20.20.0/24'
set interfaces bonding bond0 vif 20 policy route 'bond0-20'
```

```
vyos# run show int | grep bond0.20
bond0.20         10.20.20.3/24    u/u
bond0.20v1       10.20.20.1/24    u/u
```
When we look at the rules on the FW (however, there is no matching on our virtual interface):
```
chain VYATTA_FW_IN_HOOK {
    iifname "bond0.20" counter packets 0 bytes 0 jump bond0-20
}
chain bond0-20 {
    ip saddr 10.20.20.0/24 ip daddr 8.8.8.8 counter packets 0 bytes 0 drop comment "bond0-20-10"
    counter packets 0 bytes 0 return comment "bond0-20-1000000 default-action accept"
}
```
If we add this rule over the virtual interface created by the RFC, it starts matching the interesting traffic:
```
sudo nft add rule ip mangle VYATTA_FW_IN_HOOK iifname bond0.20v1 counter jump bond0-20
```

```
table ip mangle {
    ...
    chain VYATTA_FW_IN_HOOK {
        iifname "bond0.20" counter packets 0 bytes 0 jump bond0-20
        iifname "bond0.20v1" counter packets 11 bytes 924 jump bond0-20
    }
    chain bond0-20 {
        ip saddr 10.20.20.0/24 ip daddr 8.8.8.8 counter packets 7 bytes 588 drop comment "bond0-20-10"
        counter packets 4 bytes 336 return comment "bond0-20-1000000 default-action accept"
    }
}
```
It also seems related to this task https://phabricator.vyos.net/T1185, which affected FW rules and rfc3768-compatibility.
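The symptom above can be checked from the shell before and after a config change. The script below is an added example, not code from the task or from VyOS: it takes the text of the VYATTA_FW_IN_HOOK chain, derives the rfc3768-compatibility virtual-interface name on the assumption that it is always `<interface>v<vrid>` (as `show int` reports bond0.20v1 for bond0.20 / vrid 1 above), and reports whether both the base interface and the virtual interface jump to the policy chain. When the virtual interface is missing it prints the manual `nft add rule` workaround from the post instead of running it. The two HOOK_* samples are constructed from the chain listings in the post.

```shell
#!/bin/sh
# Added example (not from the VyOS task or its author). Assumptions:
#  - the rfc3768-compatibility virtual interface is named "<interface>v<vrid>"
#  - PBR rules are hooked as "iifname ... jump <policy-chain>" in
#    chain VYATTA_FW_IN_HOOK of table ip mangle

# vrrp_vif BASE VRID -> prints the expected virtual-interface name
vrrp_vif() {
    printf '%sv%s\n' "$1" "$2"
}

# hook_covers HOOK_TEXT IFACE -> exit 0 if HOOK_TEXT contains an iifname jump
# for exactly IFACE (the closing quote keeps bond0.20 from matching bond0.20v1),
# 1 otherwise. HOOK_TEXT is the output of:
#   nft list chain ip mangle VYATTA_FW_IN_HOOK
hook_covers() {
    printf '%s\n' "$1" | grep -q "iifname \"$2\" .*jump "
}

# check_pbr_vrrp HOOK_TEXT BASE VRID POLICY_CHAIN
# Prints "ok" and returns 0 when both the base and the virtual interface jump
# to POLICY_CHAIN; otherwise prints, for each interface that is not covered,
# the nft command that would add the missing jump (the manual workaround from
# the post) and returns 1. Nothing is applied to the live ruleset.
check_pbr_vrrp() {
    hook="$1"; base="$2"; vrid="$3"; chain="$4"
    vif=$(vrrp_vif "$base" "$vrid")
    rc=0
    for ifc in "$base" "$vif"; do
        if ! hook_covers "$hook" "$ifc"; then
            printf 'nft add rule ip mangle VYATTA_FW_IN_HOOK iifname %s counter jump %s\n' "$ifc" "$chain"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Constructed sample inputs, copied from the chain listings in the post:
# before and after the manual workaround.
HOOK_BEFORE='chain VYATTA_FW_IN_HOOK {
    iifname "bond0.20" counter packets 0 bytes 0 jump bond0-20
}'
HOOK_AFTER='chain VYATTA_FW_IN_HOOK {
    iifname "bond0.20" counter packets 0 bytes 0 jump bond0-20
    iifname "bond0.20v1" counter packets 11 bytes 924 jump bond0-20
}'

# On a live box, run against the real chain instead of the samples:
#   check_pbr_vrrp "$(sudo nft list chain ip mangle VYATTA_FW_IN_HOOK)" bond0.20 1 bond0-20
```

Run against HOOK_BEFORE the check prints the `nft add rule ... iifname bond0.20v1 ...` line and exits 1; against HOOK_AFTER it prints `ok`. Because the hook chain lives in table ip mangle, a rule added by hand this way is lost on the next commit that regenerates the table, so it is only a diagnostic aid, not a fix.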