When we configure a rule to match a list (a list of protocols or, as in the example below, of ports), the correct nftables rules are not generated. Here is the example:

VyOS:

set interfaces tunnel tun0 address '172.16.100.1/24'
set interfaces tunnel tun0 description 'Zscaler_Pri-Washington'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 mtu '1400'
set interfaces tunnel tun0 remote '192.2.0.1'
set interfaces tunnel tun0 source-interface 'eth0'
set interfaces tunnel tun1 address '172.16.102.1/24'
set interfaces tunnel tun1 description 'Zscaler_Sec-New York'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 mtu '1400'
set interfaces tunnel tun1 remote '192.2.0.2'
set interfaces tunnel tun1 source-interface 'eth0'
set load-balancing wan disable-source-nat
set load-balancing wan flush-connections
set load-balancing wan interface-health tun0 failure-count '3'
set load-balancing wan interface-health tun0 nexthop '172.16.100.2'
set load-balancing wan interface-health tun0 success-count '1'
set load-balancing wan interface-health tun0 test 10 resp-time '5'
set load-balancing wan interface-health tun0 test 10 target '10.10.10.10'
set load-balancing wan interface-health tun0 test 10 ttl-limit '1'
set load-balancing wan interface-health tun0 test 10 type 'ping'
set load-balancing wan interface-health tun1 failure-count '3'
set load-balancing wan interface-health tun1 nexthop '192.2.0.2'
set load-balancing wan interface-health tun1 success-count '1'
set load-balancing wan interface-health tun1 test 10 resp-time '5'
set load-balancing wan interface-health tun1 test 10 target '20.20.20.20'
set load-balancing wan interface-health tun1 test 10 ttl-limit '1'
set load-balancing wan interface-health tun1 test 10 type 'ping'
set load-balancing wan rule 10 destination port '80,443'
set load-balancing wan rule 10 failover
set load-balancing wan rule 10 inbound-interface 'eth0'
set load-balancing wan rule 10 interface tun0 weight '2'
set load-balancing wan rule 10 interface tun1 weight '1'
set load-balancing wan rule 10 protocol 'tcp'

nftables:

table ip mangle {
    chain PREROUTING {
        type filter hook prerouting priority mangle; policy accept;
        counter packets 5 bytes 456 jump WANLOADBALANCE_PRE
    }
    chain WANLOADBALANCE_PRE {
    }
    chain ISP_tun0 {
        counter packets 0 bytes 0 ct mark set 0xc9
        counter packets 0 bytes 0 meta mark set 0xc9
        counter packets 0 bytes 0 accept
    }
    chain ISP_tun1 {
        counter packets 0 bytes 0 ct mark set 0xca
        counter packets 0 bytes 0 meta mark set 0xca
        counter packets 0 bytes 0 accept
show c
However, if we create a separate rule for each port, it works as expected:

set load-balancing wan rule 10 destination port '80'
set load-balancing wan rule 10 failover
set load-balancing wan rule 10 inbound-interface 'eth0'
set load-balancing wan rule 10 interface tun0 weight '2'
set load-balancing wan rule 10 interface tun1 weight '1'
set load-balancing wan rule 10 protocol 'tcp'
set load-balancing wan rule 11 destination port '443'
set load-balancing wan rule 11 failover
set load-balancing wan rule 11 inbound-interface 'eth0'
set load-balancing wan rule 11 interface tun0 weight '2'
set load-balancing wan rule 11 interface tun1 weight '1'
set load-balancing wan rule 11 protocol 'tcp'

nftables:

# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
    chain WANLOADBALANCE_PRE {
        iifname "eth0" tcp dport 80 ct state new counter packets 0 bytes 0 jump ISP_tun0
        iifname "eth0" tcp dport 80 counter packets 0 bytes 0 meta mark set ct mark
        iifname "eth0" tcp dport 443 ct state new counter packets 0 bytes 0 jump ISP_tun0
        iifname "eth0" tcp dport 443 counter packets 0 bytes 0 meta mark set ct mark
    }
table ip mangle {
    chain PREROUTING {
        type filter hook prerouting priority mangle; policy accept;
        counter packets 5 bytes 456 jump WANLOADBALANCE_PRE
    }
    chain WANLOADBALANCE_PRE {
    }
    chain ISP_tun0 {
        counter packets 0 bytes 0 ct mark set 0xc9
        counter packets 0 bytes 0 meta mark set 0xc9
        counter packets 0 bytes 0 accept
    }
    chain ISP_tun1 {
        counter packets 0 bytes 0 ct mark set 0xca
        counter packets 0 bytes 0 meta mark set 0xca
        counter packets 0 bytes 0 accept
show c
I've checked it in 1.4.rc3 and VyOS 1.5-rolling-202402220022
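The failure mode above is silent: the commit succeeds, but the WANLOADBALANCE_PRE chain stays empty and traffic for those ports is simply never steered into the tunnels. The following added check (my own example, not VyOS code) compares the ports each `load-balancing wan rule` is configured with against the `tcp dport`/`udp dport` matches actually present in the WANLOADBALANCE_PRE chain of `nft list table ip mangle` output, so a missing rule is reported instead of going unnoticed. The sample configuration and the two nft listings are taken from the report above and embedded inline; the parser assumes the chain/rule layout shown there and handles single ports only, not ranges.

```python
import re
from typing import Dict, Set, Tuple

# Configuration lines from the report: one rule with a comma-separated port list.
CONFIG_LIST_FORM = """
set load-balancing wan rule 10 destination port '80,443'
set load-balancing wan rule 10 failover
set load-balancing wan rule 10 inbound-interface 'eth0'
set load-balancing wan rule 10 interface tun0 weight '2'
set load-balancing wan rule 10 interface tun1 weight '1'
set load-balancing wan rule 10 protocol 'tcp'
"""

# nft output as shown in the report for the list form: WANLOADBALANCE_PRE is empty.
NFT_LIST_FORM = """
table ip mangle {
    chain PREROUTING {
        type filter hook prerouting priority mangle; policy accept;
        counter packets 5 bytes 456 jump WANLOADBALANCE_PRE
    }
    chain WANLOADBALANCE_PRE {
    }
    chain ISP_tun0 {
        counter packets 0 bytes 0 ct mark set 0xc9
        counter packets 0 bytes 0 meta mark set 0xc9
        counter packets 0 bytes 0 accept
    }
}
"""

# nft output as shown in the report when each port has its own rule.
NFT_PER_RULE_FORM = """
table ip mangle {
    chain WANLOADBALANCE_PRE {
        iifname "eth0" tcp dport 80 ct state new counter packets 0 bytes 0 jump ISP_tun0
        iifname "eth0" tcp dport 80 counter packets 0 bytes 0 meta mark set ct mark
        iifname "eth0" tcp dport 443 ct state new counter packets 0 bytes 0 jump ISP_tun0
        iifname "eth0" tcp dport 443 counter packets 0 bytes 0 meta mark set ct mark
    }
}
"""

RULE_RE = re.compile(r"^set load-balancing wan rule (\d+) (.+)$")
CHAIN_RE = re.compile(r"chain WANLOADBALANCE_PRE \{(.*?)\}", re.S)
DPORT_RE = re.compile(r"\b(tcp|udp) dport (\d+)\b")


def expected_ports(config: str) -> Set[Tuple[str, int]]:
    """(protocol, port) pairs that every configured wan rule should install.

    Only single ports are parsed; a range such as '8000-8080' is skipped.
    """
    rules: Dict[str, Dict[str, str]] = {}
    for line in config.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, rest = m.groups()
        r = rules.setdefault(num, {})
        if rest.startswith("destination port "):
            r["ports"] = rest.split("'")[1]
        elif rest.startswith("protocol "):
            r["protocol"] = rest.split("'")[1]
    pairs: Set[Tuple[str, int]] = set()
    for r in rules.values():
        proto = r.get("protocol", "")
        for p in r.get("ports", "").split(","):
            if p.isdigit():
                pairs.add((proto, int(p)))
    return pairs


def installed_ports(nft_output: str) -> Set[Tuple[str, int]]:
    """(protocol, port) pairs that appear as dport matches in WANLOADBALANCE_PRE."""
    pairs: Set[Tuple[str, int]] = set()
    for body in CHAIN_RE.findall(nft_output):
        for proto, port in DPORT_RE.findall(body):
            pairs.add((proto, int(port)))
    return pairs


def missing_rules(config: str, nft_output: str) -> Set[Tuple[str, int]]:
    """Configured (protocol, port) pairs with no matching rule in nftables."""
    return expected_ports(config) - installed_ports(nft_output)


if __name__ == "__main__":
    for label, nft in (("port list", NFT_LIST_FORM), ("one rule per port", NFT_PER_RULE_FORM)):
        gap = missing_rules(CONFIG_LIST_FORM, nft)
        print(f"{label}: {'OK' if not gap else 'MISSING ' + str(sorted(gap))}")
```

On a live box the two inputs would come from `show configuration commands | grep load-balancing` and `nft list table ip mangle`; a non-empty result after every commit is the signal that the generated chain does not match the configured policy.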