
Policy-based routing (PBR) generates incorrect rules when the policy is named POSTROUTING
Closed, Resolved (Public, BUG)

Description

We should exclude reserved names like POSTROUTING from the legitimate policy names, as otherwise we can get issues like this.
Original discussion from the forum

To reproduce:

set policy route POSTROUTING interface "eth1"
set policy route POSTROUTING rule 100 destination address '192.0.2.2'
set policy route POSTROUTING rule 100 set mark '200'
set policy route POSTROUTING rule 201 protocol 'icmp'
set policy route POSTROUTING rule 201 set mark '200'
set policy route POSTROUTING rule 201 source address '192.168.0.0/24'
set policy route POSTROUTING rule 300 destination address '192.0.2.5'
set policy route POSTROUTING rule 300 destination port '8888'
set policy route POSTROUTING rule 300 protocol 'tcp_udp'
set policy route POSTROUTING rule 300 set mark '300'


vyos@r14# commit
[ policy route POSTROUTING ]
Failed to apply policy based routing

[[policy route POSTROUTING]] failed
Commit failed
[edit]
vyos@r14#

PBR generates two chains with the same name, VYOS_PBR_POSTROUTING.
Nftables:

vyos@r14# cat /run/nftables_policy.conf 
#!/usr/sbin/nft -f


delete table ip vyos_mangle
delete table ip6 vyos_mangle
table ip vyos_mangle {
    chain VYOS_PBR_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
        iifname { eth1 } counter jump VYOS_PBR_POSTROUTING
    }

    chain VYOS_PBR_POSTROUTING {
        type filter hook postrouting priority -150; policy accept;
    }

    chain VYOS_PBR_POSTROUTING {
        ip daddr 192.0.2.2 counter meta mark set 200 return comment "POSTROUTING-100"
        meta l4proto  icmp ip saddr 192.168.0.0/24 counter meta mark set 200 return comment "POSTROUTING-201"
        meta l4proto  {tcp, udp} ip daddr 192.0.2.5 th dport {8888} counter meta mark set 300 return comment "POSTROUTING-300"
    }


}

table ip6 vyos_mangle {
    chain VYOS_PBR6_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
    }

    chain VYOS_PBR6_POSTROUTING {
        type filter hook postrouting priority -150; policy accept;
    }



}

Trying to apply:

vyos@r14# sudo nft -f /run/nftables_policy.conf 
/run/nftables_policy.conf:9:39-58: Error: Could not process rule: Operation not supported
        iifname { eth1 } counter jump VYOS_PBR_POSTROUTING
                                      ^^^^^^^^^^^^^^^^^^^^
[edit]
vyos@r14#

If we change the name of the policy, commit works fine:

set policy route my-pbr interface "eth1"
set policy route my-pbr rule 100 destination address '192.0.2.2'
set policy route my-pbr rule 100 set mark '200'
set policy route my-pbr rule 201 protocol 'icmp'
set policy route my-pbr rule 201 set mark '200'
set policy route my-pbr rule 201 source address '192.168.0.0/24'
set policy route my-pbr rule 300 destination address '192.0.2.5'
set policy route my-pbr rule 300 destination port '8888'
set policy route my-pbr rule 300 protocol 'tcp_udp'
set policy route my-pbr rule 300 set mark '300'

Generated rules:

vyos@r14# cat /run/nftables_policy.conf 
#!/usr/sbin/nft -f


delete table ip vyos_mangle
delete table ip6 vyos_mangle
table ip vyos_mangle {
    chain VYOS_PBR_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
        iifname { eth1 } counter jump VYOS_PBR_my-pbr
    }

    chain VYOS_PBR_POSTROUTING {
        type filter hook postrouting priority -150; policy accept;
    }

    chain VYOS_PBR_my-pbr {
        ip daddr 192.0.2.2 counter meta mark set 200 return comment "my-pbr-100"
        meta l4proto  icmp ip saddr 192.168.0.0/24 counter meta mark set 200 return comment "my-pbr-201"
        meta l4proto  {tcp, udp} ip daddr 192.0.2.5 th dport {8888} counter meta mark set 300 return comment "my-pbr-300"
    }


}

table ip6 vyos_mangle {
    chain VYOS_PBR6_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
    }

    chain VYOS_PBR6_POSTROUTING {
        type filter hook postrouting priority -150; policy accept;
    }



}
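The failure above is a name collision: the template always declares the base chains VYOS_PBR_PREROUTING and VYOS_PBR_POSTROUTING, and a policy called POSTROUTING produces a user chain with the same name VYOS_PBR_POSTROUTING. In an nft script a second `chain X { ... }` block in the same table does not create a new chain but adds rules to the existing one, so the marking rules land in the postrouting base chain, and the `jump VYOS_PBR_POSTROUTING` from the prerouting chain then targets a base chain, which the kernel refuses (EOPNOTSUPP, printed as "Operation not supported"). The following Python is an added example, not VyOS code: a hypothetical verify step that rejects policy names whose derived chain name would clash with a base chain, a simplified stand-in for the generator that shows the VYOS_PBR_<name> scheme seen on this page, and a pre-flight scanner that finds duplicate chain definitions in a generated nft script before `nft -f` is run. The reserved-name table, the function names and the constructed config sample are assumptions made for the example.

```python
import re
from collections import Counter

# Base chains the PBR template creates unconditionally (as seen in the
# /run/nftables_policy.conf output above). Derived user chains must not
# reuse these names. Assumed table for this example, not a VyOS constant.
BASE_CHAINS = {
    "ip": {"VYOS_PBR_PREROUTING", "VYOS_PBR_POSTROUTING"},
    "ip6": {"VYOS_PBR6_PREROUTING", "VYOS_PBR6_POSTROUTING"},
}
CHAIN_PREFIX = {"ip": "VYOS_PBR_", "ip6": "VYOS_PBR6_"}


def user_chain_name(family, policy):
    """Chain name the generator derives from a policy name (scheme from the page)."""
    return CHAIN_PREFIX[family] + policy


def is_reserved_policy_name(family, policy):
    """True if the derived chain name collides with a base chain of that family."""
    return user_chain_name(family, policy) in BASE_CHAINS[family]


def verify_policy_name(family, policy):
    """Hypothetical commit-time check: refuse names that would collide."""
    if is_reserved_policy_name(family, policy):
        chain = user_chain_name(family, policy)
        raise ValueError(
            f'policy route name "{policy}" is reserved: it would generate chain '
            f"{chain}, which already exists as a base chain in table {family} vyos_mangle"
        )


def render_policy_conf(policies):
    """Render a minimal IPv4 nftables_policy.conf in the layout shown above.

    policies maps policy name -> list of ingress interfaces. This is a
    simplified stand-in for the generator template, not its real code, and
    it runs the verify step first so a reserved name never reaches nft.
    """
    for name in policies:
        verify_policy_name("ip", name)
    lines = [
        "#!/usr/sbin/nft -f",
        "",
        "delete table ip vyos_mangle",
        "table ip vyos_mangle {",
        "    chain VYOS_PBR_PREROUTING {",
        "        type filter hook prerouting priority -150; policy accept;",
    ]
    for name, ifaces in policies.items():
        lines.append(
            f"        iifname {{ {', '.join(ifaces)} }} counter jump {user_chain_name('ip', name)}"
        )
    lines += [
        "    }",
        "",
        "    chain VYOS_PBR_POSTROUTING {",
        "        type filter hook postrouting priority -150; policy accept;",
        "    }",
    ]
    for name in policies:
        lines += ["", f"    chain {user_chain_name('ip', name)} {{", "    }"]
    lines.append("}")
    return "\n".join(lines) + "\n"


_TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
_CHAIN_RE = re.compile(r"^\s+chain\s+(\S+)\s*\{")


def duplicate_chains(conf):
    """Return sorted (table, chain) pairs declared more than once in one table.

    A pre-flight check for a generated `nft -f` script: a repeated chain block
    silently appends to the first declaration instead of creating a new chain.
    """
    counts = Counter()
    table = None
    for line in conf.splitlines():
        m = _TABLE_RE.match(line)
        if m:
            table = f"{m.group(1)} {m.group(2)}"
            continue
        m = _CHAIN_RE.match(line)
        if m and table is not None:
            counts[(table, m.group(1))] += 1
    return sorted(key for key, n in counts.items() if n > 1)


# Constructed sample reproducing the collision from the report (not the
# verbatim file): VYOS_PBR_POSTROUTING is declared twice in table ip, while
# the ip6 table's VYOS_PBR6_POSTROUTING is a different table and must not count.
BROKEN_CONF = """#!/usr/sbin/nft -f
delete table ip vyos_mangle
table ip vyos_mangle {
    chain VYOS_PBR_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
        iifname { eth1 } counter jump VYOS_PBR_POSTROUTING
    }
    chain VYOS_PBR_POSTROUTING {
        type filter hook postrouting priority -150; policy accept;
    }
    chain VYOS_PBR_POSTROUTING {
        ip daddr 192.0.2.2 counter meta mark set 200 return comment "POSTROUTING-100"
    }
}
table ip6 vyos_mangle {
    chain VYOS_PBR6_POSTROUTING {
        type filter hook postrouting priority -150; policy accept;
    }
}
"""

if __name__ == "__main__":
    print(duplicate_chains(BROKEN_CONF))
    print(render_policy_conf({"my-pbr": ["eth1"]}))
```

Running the module prints the one duplicate pair found in the constructed sample and a clean config for the `my-pbr` name; calling `render_policy_conf({"POSTROUTING": ["eth1"]})` raises at the verify step instead of producing a script that `nft -f` would reject.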

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202306300659
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav renamed this task from Policy base routing generates PBR generates incorrect rules to Policy base routing generates PBR generates incorrect rules with name POSTROUTING. Jul 2 2023, 7:33 PM
Viacheslav updated the task description.
Viacheslav renamed this task from Policy base routing generates PBR generates incorrect rules with name POSTROUTING to Policy base routing PBR generates incorrect rules with name POSTROUTING. Jul 2 2023, 7:37 PM
Viacheslav updated the task description.
Viacheslav changed the task status from Open to In progress. Jul 3 2023, 11:49 AM
Viacheslav claimed this task.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.