
PBR/FW rulesets are ignored in rfc3768-compatibility VRRP setups
Closed, Wontfix | Public | BUG

Description

Hi team,

Based on a customer case, we've found an issue regarding PBR with VRRP using rfc3768-compatibility: the rules created by the FW cannot be applied to the virtual interface created for VRRP. Basic example:

set high-availability vrrp group VLAN20 advertise-interval '1'
set high-availability vrrp group VLAN20 hello-source-address '10.20.20.3'
set high-availability vrrp group VLAN20 interface 'bond0.20'
set high-availability vrrp group VLAN20 no-preempt
set high-availability vrrp group VLAN20 peer-address '10.20.20.2'
set high-availability vrrp group VLAN20 priority '150'
set high-availability vrrp group VLAN20 rfc3768-compatibility
set high-availability vrrp group VLAN20 virtual-address 10.20.20.1/24
set high-availability vrrp group VLAN20 vrid '1'

set policy route bond0-20 rule 10 action 'drop'
set policy route bond0-20 rule 10 destination address '8.8.8.8'
set policy route bond0-20 rule 10 source address '10.20.20.0/24'
set interfaces bonding bond0 vif 20 policy route 'bond0-20'

vyos# run show int | grep bond0.20
bond0.20         10.20.20.3/24                     u/u  
bond0.20v1       10.20.20.1/24                     u/u

When we look at the rules in the FW (however, nothing is matching on our virtual interface):

        chain VYATTA_FW_IN_HOOK {
                iifname "bond0.20" counter packets 0 bytes 0 jump bond0-20
        }

        chain bond0-20 {
                ip saddr 10.20.20.0/24 ip daddr 8.8.8.8 counter packets 0 bytes 0 drop comment "bond0-20-10"
                counter packets 0 bytes 0 return comment "bond0-20-1000000 default-action accept"
        }

If we add this rule for the virtual interface created by the RFC, it starts matching the interesting traffic:


sudo nft add rule ip mangle VYATTA_FW_IN_HOOK iifname bond0.20v1 counter jump bond0-20

table ip mangle {
...
        chain VYATTA_FW_IN_HOOK {
                iifname "bond0.20" counter packets 0 bytes 0 jump bond0-20
                iifname "bond0.20v1" counter packets 11 bytes 924 jump bond0-20
        }

        chain bond0-20 {
                ip saddr 10.20.20.0/24 ip daddr 8.8.8.8 counter packets 7 bytes 588 drop comment "bond0-20-10"
                counter packets 4 bytes 336 return comment "bond0-20-1000000 default-action accept"
        }
}

It also seems related to this task: https://phabricator.vyos.net/T1185, which affected FW rules and rfc3768-compatibility.
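The report shows the gap by hand: the parent interface bond0.20 gets an iifname jump into the policy-route chain, the rfc3768 vMAC sub-interface bond0.20v1 does not, and a manually added nft rule makes the PBR chain match. The script below is an added example, not part of the bug report or of VyOS, that automates that check: it reads the VYATTA_FW_IN_HOOK chain and the link list, finds every interface named `<parent>v<vrid>` (the naming the report's `show int` output displays for vrid 1; assumed to hold for other vrids) whose parent is hooked while the virtual interface is not, and prints the `nft add rule` command for each. The sample nft and `ip -o link` output embedded in it is constructed to match the report plus one extra hooked interface, so it runs offline; with `--live` it reads the real state from `nft` and `ip` instead.

```shell
#!/bin/sh
# Added example (not from the bug report or the VyOS code base).
# Finds VRRP rfc3768 virtual interfaces (<parent>v<vrid>) that are missing
# the policy-route jump their parent interface has in VYATTA_FW_IN_HOOK.

# Constructed sample of `nft list chain ip mangle VYATTA_FW_IN_HOOK`,
# mirroring the report: bond0.20 is hooked, bond0.20v1 is not.
# eth1/eth1-pbr is an extra constructed interface for the example.
SAMPLE_HOOK='table ip mangle {
        chain VYATTA_FW_IN_HOOK {
                iifname "bond0.20" counter packets 0 bytes 0 jump bond0-20
                iifname "eth1" counter packets 3 bytes 200 jump eth1-pbr
        }
}'

# Same chain after the manual workaround from the report was applied to
# bond0.20v1 (eth1v5 still missing).
SAMPLE_HOOK_FIXED='table ip mangle {
        chain VYATTA_FW_IN_HOOK {
                iifname "bond0.20" counter packets 0 bytes 0 jump bond0-20
                iifname "bond0.20v1" counter packets 11 bytes 924 jump bond0-20
                iifname "eth1" counter packets 3 bytes 200 jump eth1-pbr
        }
}'

# Constructed sample of `ip -o link`: two VRRP vMAC sub-interfaces
# (bond0.20v1, eth1v5) and one interface without VRRP (eth2).
SAMPLE_LINKS='3: bond0.20@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
4: bond0.20v1@bond0.20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
5: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
6: eth1v5@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
7: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'

# missing_pbr_hooks HOOK_CHAIN_TEXT LINK_LIST_TEXT
# Prints one `nft add rule ...` line per virtual interface whose parent
# jumps to a PBR chain but which has no jump of its own.
missing_pbr_hooks() {
    hook="$1"
    links="$2"
    {
        printf '%s\n' "$hook"
        printf '%s\n' "__LINKS__"
        printf '%s\n' "$links"
    } | awk '
        /^__LINKS__$/ { in_links = 1; next }
        # Hook chain: remember iifname -> target chain for every jump rule.
        !in_links && $1 == "iifname" && $2 ~ /^".*"$/ {
            name = $2
            gsub(/"/, "", name)
            for (i = 3; i <= NF; i++) if ($i == "jump") chain[name] = $(i + 1)
            next
        }
        # Link list: second field is "name:" or "name@parent:".
        in_links && NF >= 2 {
            dev = $2
            sub(/@.*/, "", dev)
            sub(/:$/, "", dev)
            if (dev ~ /v[0-9]+$/) {
                parent = dev
                sub(/v[0-9]+$/, "", parent)
                # Only report when the parent really is hooked and the
                # virtual interface is not; this also rejects names that
                # merely happen to end in v<digits>.
                if ((parent in chain) && !(dev in chain))
                    printf "nft add rule ip mangle VYATTA_FW_IN_HOOK iifname %s counter jump %s\n",
                           dev, chain[parent]
            }
        }'
}

# With --live, read the real ruleset and link list (needs root on VyOS);
# otherwise run against the constructed samples.
if [ "${1:-}" = "--live" ]; then
    missing_pbr_hooks "$(nft list chain ip mangle VYATTA_FW_IN_HOOK)" "$(ip -o link)"
else
    missing_pbr_hooks "$SAMPLE_HOOK" "$SAMPLE_LINKS"
fi
```

The script only prints the commands; pipe them into `sudo sh` if you want to apply them, and keep in mind that, as with the manual rule in the report, anything added straight into nft is outside the VyOS configuration and will be lost when the ruleset is regenerated on the next commit or reboot. The jump is inserted with `add rule`, i.e. appended after the parent's rule, which is the same position the report's manual workaround used.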

Details

Difficulty level: Unknown (require assessment)
Version: 1.3.2
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)