QoS class with multiple matches generates one filter rule but expects several rules.
To reproduce, use several matches per class:
set qos interface eth0 egress 'test'
set qos policy shaper test bandwidth '300mbit'
set qos policy shaper test class 23 bandwidth '150mbit'
set qos policy shaper test class 23 match 10 ip protocol 'tcp'
set qos policy shaper test class 23 match 20 ip protocol 'udp'
set qos policy shaper test default bandwidth '20mbit'
set qos policy shaper test default queue-type 'fair-queue'
Debug:
{'bandwidth': '300mbit', 'class': {'23': {'bandwidth': '150mbit', 'burst': '15k', 'codel_quantum': '1514', 'flows': '1024', 'interval': '100', 'match': {'10': {'ip': {'protocol': 'tcp'}}, '20': {'ip': {'protocol': 'udp'}}}, 'queue_type': 'fq-codel', 'target': '5'}}, 'default': {'bandwidth': '20mbit', 'burst': '15k', 'codel_quantum': '1514', 'flows': '1024', 'interval': '100', 'priority': '20', 'queue_type': 'fair-queue', 'target': '5'}}
DEBUG/QoS: tc qdisc replace dev eth0 root handle 1: htb r2q 187 default 18
DEBUG/QoS: tc class replace dev eth0 parent 1: classid 1:1 htb rate 300000000
DEBUG/QoS: tc class replace dev eth0 parent 1:1 classid 1:17 htb rate 150000000 burst 15k quantum 1514
DEBUG/QoS: tc qdisc replace dev eth0 parent 1:17 sfq
DEBUG/QoS: tc class replace dev eth0 parent 1:1 classid 1:18 htb rate 20000000 burst 15k quantum 1514 prio 20
DEBUG/QoS: tc qdisc replace dev eth0 parent 1:18 sfq
DEBUG/QoS: tc qdisc replace dev eth0 parent 1:17 fq_codel quantum 1514 flows 1024 interval 100 interval 100 target 5 noecn
DEBUG/QoS: tc filter replace dev eth0 parent 1: protocol all u32 match ip protocol 6 0xff u32 match ip protocol 17 0xff flowid 1:17
Obviously, the last rule is wrong.
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 161, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: tc filter replace dev eth0 parent 1: protocol all u32 match ip protocol 6 0xff u32 match ip protocol 17 0xff flowid 1:17
returned:
exit code: 1
It probably should be split into two rules. At least that's how it works in 1.3.
sudo tc filter add dev eth0 parent 1: prio 1 protocol all u32 match ip protocol 6 0xff flowid 1:17
sudo tc filter add dev eth0 parent 1: prio 2 protocol all u32 match ip protocol 17 0xff flowid 1:17
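
A sketch of the split described above, added as an illustration and not taken from the VyOS code base: it walks the `match` dict of a class from the debug output and emits one `tc filter` command per match with an increasing `prio`. The names `proto_number`, `class_filters` and `CLASS_23` are hypothetical, and only `ip protocol` matches are handled.

```python
# Added illustration, not VyOS source code. Handles only 'ip protocol' matches.
PROTO_NUMBERS = {'icmp': 1, 'tcp': 6, 'udp': 17}  # IANA protocol numbers

def proto_number(proto):
    """Map a protocol name or decimal string to its 8-bit protocol number."""
    if proto in PROTO_NUMBERS:
        return PROTO_NUMBERS[proto]
    number = int(proto)  # ValueError for names this sketch does not know
    if not 0 <= number <= 255:
        raise ValueError(f'protocol number out of range: {proto}')
    return number

def class_filters(ifname, class_id, class_conf, parent='1:'):
    """Return one tc u32 filter command per match of a shaper class.

    Selectors inside a single u32 filter are ANDed, so alternatives
    (tcp OR udp) need separate filters, each with its own prio.
    """
    flowid = f'1:{int(class_id):x}'  # tc class ids are hex: class 23 -> 1:17
    cmds = []
    matches = class_conf.get('match', {})
    # Match ids are strings in the config dict; walk them in numeric order.
    for prio, match_id in enumerate(sorted(matches, key=int), start=1):
        number = proto_number(matches[match_id]['ip']['protocol'])
        cmds.append(
            f'tc filter add dev {ifname} parent {parent} prio {prio} '
            f'protocol all u32 match ip protocol {number} 0xff flowid {flowid}')
    return cmds

# Class 23 from the debug dict in the report, trimmed to the relevant keys.
CLASS_23 = {'bandwidth': '150mbit',
            'match': {'10': {'ip': {'protocol': 'tcp'}},
                      '20': {'ip': {'protocol': 'udp'}}}}

if __name__ == '__main__':
    for line in class_filters('eth0', '23', CLASS_23):
        print(line)
```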