Page MenuHomeVyOS Platform
Create Task
Maniphest T5794

Flowtable with Bond Race
Open, NormalPublicBUG
Actions

Description

On the current rolling releases for VyOS, configuring a flowtable on a bond interface is not reboot safe. On reboot the entire firewall stanza will be missing as it appears that the flowtable attempts to be created before the bond interface is available.

To reproduce, I have a bond interface with VLAN ID 100 configured. I create a flowtable with just the single interface:

set firewall flowtable test interface bond0.100

Save the config and reboot and the problem occurs. If I use a physical interface instead it becomes reboot safe.

Details

Difficulty level
Unknown (require assessment)
Version
1.5-rolling-202312010026
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Related Objects

Event Timeline

shthead created this task.Dec 1 2023, 10:09 AM
pasik added a subscriber: pasik.Dec 1 2023, 10:25 AM
Viacheslav changed the task status from Open to Needs reporter action.Jan 19 2024, 11:27 PM
Viacheslav triaged this task as Normal priority.
Viacheslav added a subscriber: Viacheslav.

@shthead add an example of "set| commands to reproduce

hsw0 added a subscriber: hsw0.Sat, Apr 13, 11:55 PM
Res added a subscriber: Res.Sun, Apr 21, 9:34 PM

I have the same issue, running a locally built 1.4-rolling-202403240547.

The config commits and works, then after reboot the entire firewall section is lost.

Here's a minimized set of commands for reproducing:

set firewall flowtable FT01 interface 'bond0'
set firewall flowtable FT01 interface 'bond0.2'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'offload'
set firewall ipv4 forward filter rule 10 offload-target 'FT01'
set firewall ipv4 forward filter rule 10 state 'established'
set firewall ipv4 forward filter rule 10 state 'related'
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 state 'established'
set firewall ipv4 forward filter rule 20 state 'related'
set interfaces bonding bond0 address '192.168.1.1/24'
set interfaces bonding bond0 member interface 'eth0'
set interfaces bonding bond0 vif 2 address '192.168.2.1/24'

Also, in case this helps:
{F4275079}

Happy to provide any other details I can.

Res added a comment.EditedSun, Apr 21, 10:31 PM

Workaround

Precreate the interfaces used in the bond and the bond itself. I used the hw-id to create my interface because it seemed like the best minimal config option, not sure if it's required or not.

Example /config/scripts/vyos-preconfig-bootup.script:

#!/bin/sh
# This script is executed at boot time before VyOS configuration is applied.
# Any modifications required to work around unfixed bugs or use
# services not available through the VyOS CLI system can be placed here.

# Running this directly was causing weird errors and on my production router: "Failed to set up config session" when trying to configure  after booting.
su - vyos -c '/bin/vbash -s' <<EOF
source /opt/vyatta/etc/functions/script-template
configure
set interfaces ethernet eth0 hw-id '24:4b:fe:df:7c:fa'
commit
set interfaces bonding bond0 member interface 'eth0'
set interfaces bonding bond0 vif 2 description "Preconfig definition"
commit
exit
EOF
Viacheslav added a comment.EditedSun, Apr 21, 11:37 PM

The flowtable has to be set on ethernet interfaces only!
It does not need to set it to PPP/BOND/VLAN/WG?etc, as it will work anyway.
We need to hardcode it only for ethX interfaces, because people use it incorrect.

Viacheslav changed the task status from Needs reporter action to Open.Sun, Apr 21, 11:38 PM
Viacheslav added a comment.Thu, Apr 25, 10:47 AM

Allowing only ethernet interface task https://vyos.dev/T6265
After adding check, this task can be closed