Page MenuHomeVyOS Platform

99-ipsec-dhclient-hook prevents DHCP stateless routes from being installed in VRF table
Closed, ResolvedPublicBUG

Description

To reproduce, configure a vyos router as a dhcp server with classless static routes:

set interface ethernet eth0 address '192.168.1.1/24'
set service dhcp-server shared-network TEST subnet 192.168.1.0/16 default-router '192.168.1.1'
set service dhcp-server shared-network TEST subnet 192.168.1.0/24 lease '300'
set service dhcp-server shared-network TEST subnet 192.168.1.0/24 range 0 start '192.168.1.64'
set service dhcp-server shared-network TEST subnet 192.168.1.0/24 range 0 stop '192.168.1.250'
set service dhcp-server shared-network TEST subnet 192.168.1.0/24 subnet-parameters 'option rfc3442-static-route 0, 192, 168, 1, 1, 24, 192, 168, 116, 192, 168, 20, 1;'

Connect a vyos router as a dhcp client with vrfs:

set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 vrf vrf_eth0
set vrf name vrf_eth0 table 200

Running show ip route vrf vrf_eth0 show the routes installed as expected:

vyos@vyos:~$ show ip route vrf vrf_eth0 
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF vrf_eth0:
S>* 0.0.0.0/0 [210/0] via 192.168.1.1, eth0, weight 1, 00:02:57
C>* 192.168.1.0/24 is directly connected, eth0, 00:03:06
S   192.168.116.0/24 [210/0] via 192.168.20.1, eth0 inactive, weight 1, 00:02:57

If we disconnect and reconnect the link, wiping the vrf table, the default route and static routes are not added back:

vyos@vyos:~$ show ip route vrf vrf_eth0 
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF vrf_eth0:
C>* 192.168.1.0/24 is directly connected, eth0, 00:03:06

The culprit appears to be exit calls in 99-ipsec-dhclient-hook exiting on BOUND before the unnumbered rfc3442-classless-routes hook can be executed.

I've tested two ways of fixing the bug:

  • Remove exit statements from 99-ipsec-dhclient-hook (could still prematurely exit with bug described in https://vyos.dev/T4856).
  • Rename 99-ipsec-dhclient-hook to zz-ipsec-dhclient-hook so it runs after the default unnumbered hooks.

Details

Version
VyOS 1.4-rolling-202307120317
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)