
load-balancing wan - doesn't configure a list of ports
Closed, Resolved · Public · Bug

Description

When we want to configure a rule to match a list of protocols, it doesn't configure the right nftables rules when we are using a list. Here is the example:

VyOS:

set interfaces tunnel tun0 address '172.16.100.1/24'
set interfaces tunnel tun0 description 'Zscaler_Pri-Washington'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 mtu '1400'
set interfaces tunnel tun0 remote '192.2.0.1'
set interfaces tunnel tun0 source-interface 'eth0'
set interfaces tunnel tun1 address '172.16.102.1/24'
set interfaces tunnel tun1 description 'Zscaler_Sec-New York'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 mtu '1400'
set interfaces tunnel tun1 remote '192.2.0.2'
set interfaces tunnel tun1 source-interface 'eth0'
set load-balancing wan disable-source-nat
set load-balancing wan flush-connections
set load-balancing wan interface-health tun0 failure-count '3'
set load-balancing wan interface-health tun0 nexthop '172.16.100.2'
set load-balancing wan interface-health tun0 success-count '1'
set load-balancing wan interface-health tun0 test 10 resp-time '5'
set load-balancing wan interface-health tun0 test 10 target '10.10.10.10'
set load-balancing wan interface-health tun0 test 10 ttl-limit '1'
set load-balancing wan interface-health tun0 test 10 type 'ping'
set load-balancing wan interface-health tun1 failure-count '3'
set load-balancing wan interface-health tun1 nexthop '192.2.0.2'
set load-balancing wan interface-health tun1 success-count '1'
set load-balancing wan interface-health tun1 test 10 resp-time '5'
set load-balancing wan interface-health tun1 test 10 target '20.20.20.20'
set load-balancing wan interface-health tun1 test 10 ttl-limit '1'
set load-balancing wan interface-health tun1 test 10 type 'ping'
set load-balancing wan rule 10 destination port '80,443'
set load-balancing wan rule 10 failover
set load-balancing wan rule 10 inbound-interface 'eth0'
set load-balancing wan rule 10 interface tun0 weight '2'
set load-balancing wan rule 10 interface tun1 weight '1'
set load-balancing wan rule 10 protocol 'tcp'

nftables:

table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
		counter packets 5 bytes 456 jump WANLOADBALANCE_PRE
	}

	chain WANLOADBALANCE_PRE {
	}

	chain ISP_tun0 {
		counter packets 0 bytes 0 ct mark set 0xc9
		counter packets 0 bytes 0 meta mark set 0xc9
		counter packets 0 bytes 0 accept
	}

	chain ISP_tun1 {
		counter packets 0 bytes 0 ct mark set 0xca
		counter packets 0 bytes 0 meta mark set 0xca
		counter packets 0 bytes 0 accept
	}
}

However, if we create the rules for each protocol, it works as expected:

set load-balancing wan rule 10 destination port '80'
set load-balancing wan rule 10 failover
set load-balancing wan rule 10 inbound-interface 'eth0'
set load-balancing wan rule 10 interface tun0 weight '2'
set load-balancing wan rule 10 interface tun1 weight '1'
set load-balancing wan rule 10 protocol 'tcp'
set load-balancing wan rule 11 destination port '443'
set load-balancing wan rule 11 failover
set load-balancing wan rule 11 inbound-interface 'eth0'
set load-balancing wan rule 11 interface tun0 weight '2'
set load-balancing wan rule 11 interface tun1 weight '1'
set load-balancing wan rule 11 protocol 'tcp'

nftables:

# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
	chain WANLOADBALANCE_PRE {
		iifname "eth0" tcp dport 80 ct state new counter packets 0 bytes 0 jump ISP_tun0
		iifname "eth0" tcp dport 80 counter packets 0 bytes 0 meta mark set ct mark
		iifname "eth0" tcp dport 443 ct state new counter packets 0 bytes 0 jump ISP_tun0
		iifname "eth0" tcp dport 443 counter packets 0 bytes 0 meta mark set ct mark
	}
}


I've checked it in 1.4.rc3 and VyOS 1.5-rolling-202402220022.
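As an added example (not VyOS's own code and not part of this report), the Python below shows the two pieces a fix for this report needs: rendering a `destination port` value such as `'80,443'` into a single nftables match, and checking a rendered `WANLOADBALANCE_PRE` chain against the configured ports so that an empty chain like the one in the first dump is caught instead of silently passing traffic unmarked. It assumes the config value arrives as the raw string VyOS prints, that a list is rendered with the nftables anonymous-set syntax `{ 80, 443 }` and a range as `start-end`, and it takes the jump target (`ISP_tun0` in the working dump) as a caller-supplied parameter because the report does not show how that target is chosen.

```python
"""Added example, not VyOS code: render a wan load-balancing port match as an
nftables expression and verify a rendered chain covers every configured port.

Assumptions (not taken from the report):
  * the config value is the raw string VyOS shows, e.g. '80,443';
  * port ranges are written as 'start-end';
  * a list renders as an nftables anonymous set: '{ 80, 443 }';
  * the jump target chain is supplied by the caller.
"""
import re

_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_ports(value: str) -> list[tuple[int, int]]:
    """Parse '80,443,8000-8100' into [(80, 80), (443, 443), (8000, 8100)].

    Empty entries, non-numeric entries, out-of-range numbers and inverted
    ranges raise ValueError, so a malformed list fails loudly rather than
    being dropped from the ruleset (the silent failure the report describes).
    """
    if not value or not value.strip():
        raise ValueError("empty port list")
    ranges = []
    for item in value.split(","):
        item = item.strip()
        m = _PORT_RE.match(item)
        if not m:
            raise ValueError(f"invalid port entry {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
            raise ValueError(f"port out of range in {item!r}")
        if lo > hi:
            raise ValueError(f"inverted range {item!r}")
        ranges.append((lo, hi))
    return ranges


def is_valid_port_list(value: str) -> bool:
    """True when parse_ports accepts the value; used by callers that validate first."""
    try:
        parse_ports(value)
        return True
    except ValueError:
        return False


def nft_port_expr(value: str) -> str:
    """'80' -> '80'; '80,443' -> '{ 80, 443 }'; '8000-8100' -> '8000-8100'."""
    parts = [f"{lo}" if lo == hi else f"{lo}-{hi}" for lo, hi in parse_ports(value)]
    if len(parts) == 1:
        return parts[0]
    return "{ " + ", ".join(parts) + " }"


def render_rule(iif: str, proto: str, dports: str, target_chain: str) -> list[str]:
    """Two WANLOADBALANCE_PRE lines in the shape the working dump shows:
    new connections jump to the ISP chain, later packets inherit the ct mark."""
    match = f'iifname "{iif}" {proto} dport {nft_port_expr(dports)}'
    return [
        f"{match} ct state new counter jump {target_chain}",
        f"{match} counter meta mark set ct mark",
    ]


def ports_matched_by_chain(chain_dump: str, proto: str) -> set[int]:
    """Every destination port a rendered chain matches for `proto`,
    with nftables sets and ranges expanded."""
    matched: set[int] = set()
    for line in chain_dump.splitlines():
        m = re.search(rf"\b{proto} dport (\{{[^}}]*\}}|\S+)", line)
        if not m:
            continue
        for lo, hi in parse_ports(m.group(1).strip("{} ")):
            matched.update(range(lo, hi + 1))
    return matched


def missing_ports(configured: str, chain_dump: str, proto: str) -> set[int]:
    """Configured ports that the rendered chain does not match (empty set means OK)."""
    wanted: set[int] = set()
    for lo, hi in parse_ports(configured):
        wanted.update(range(lo, hi + 1))
    return wanted - ports_matched_by_chain(chain_dump, proto)


# Constructed sample: the empty chain the report shows after committing rule 10
# with destination port '80,443'.
BROKEN_CHAIN = "\tchain WANLOADBALANCE_PRE {\n\t}\n"

if __name__ == "__main__":
    for line in render_rule("eth0", "tcp", "80,443", "ISP_tun0"):
        print(line)
    print("ports not matched by the broken chain:",
          sorted(missing_ports("80,443", BROKEN_CHAIN, "tcp")))
```

Running `missing_ports` over the output of `nft list chain ip mangle WANLOADBALANCE_PRE` after each commit is a cheap post-commit check: a non-empty result means some configured port is being routed without a connection mark.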

Details

Difficulty level: Normal (likely a few hours)
Version: VyOS 1.5-rolling-202402220022
Why the issue appeared? Implementation mistake
Is it a breaking change? Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

n.fort changed the task status from Open to Confirmed. Feb 23 2024, 12:31 PM
n.fort claimed this task.
n.fort triaged this task as High priority.
dmbaturin changed Why the issue appeared? from Will be filled on close to Implementation mistake.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).