Page MenuHomeVyOS Platform
Create Task
Maniphest T6191

Policy route set-mss option is not working correctly
Closed, ResolvedPublicBUG
Actions

Description

This bug report is filed after a troubleshooting session at the Slack channel, as requested by @Viacheslav

In 1.3.3, the following policy rule set worked for applying set-mss and setting table on 1 packet

Interfaces:
eth1.1761: LAN VLAN
tun0: a GRE tunnel to a VPS

1.3 config.boot excerpt

policy {
    route VIA-TUN {
        rule 4 {
            protocol tcp
            set {
                tcp-mss 1436
            }
            source {
                address 10.105.0.0/16
            }
            tcp {
                flags SYN
            }
        }
        rule 5 {
            destination {
                address 10.0.0.0/8
            }
            set {
                table main
            }
        }
        rule 6 {
            destination {
                address <WAN IP address>
            }
            protocol tcp_udp
            set {
                table main
            }
        }
        rule 10 {
            destination {
                address !10.0.0.0/8
            }
            set {
                table 100
            }
            source {
                address 10.105.0.0/16
            }
        }
    }
}

However, after updating to 1.4.0-epa2, the rule is no longer working

1.4.0-epa2 config.boot excerpt

policy {
    route VIA-TUN {
        interface "eth1.1761"
        rule 4 {
            protocol "tcp"
            set {
                tcp-mss "1436"
            }
            source {
                address "10.105.0.0/16"
            }
            tcp {
                flags {
                    syn
                }
            }
        }
        rule 5 {
            destination {
                address "10.0.0.0/8"
            }
            set {
                table "main"
            }
        }
        rule 6 {
            destination {
                address "<WAN IP address>"
            }
            protocol "tcp_udp"
            set {
                table "main"
            }
        }
        rule 10 {
            destination {
                address "!10.0.0.0/8"
            }
            set {
                table "100"
            }
            source {
                address "10.105.0.0/16"
            }
        }
    }
}

In order to make it work again, the following config has to be applied:

1.4.0-epa2 show policy excerpt
Rule 4 here is replaced by rule 11

policy {
    route VIA-MISAKA-HKG {
    interface eth1.1761
    rule 5 {
        destination {
            address 10.0.0.0/8
        }
        set {
            table main
        }
    }
    rule 6 {
        destination {
            address <WAN IP address>
        }
        protocol tcp_udp
        set {
            table main
        }
    }
    rule 10 {
        destination {
            address !10.0.0.0/8
        }
        disable
        protocol tcp
        set {
            table 100
            tcp-mss 1436
        }
        source {
            address 10.105.0.0/16
        }
        tcp {
            flags {
                syn
            }
        }
    }
    rule 11 {
        destination {
            address !10.0.0.0/8
        }
        set {
            table 100
        }
        source {
            address 10.105.0.0/16
        }
    }
}

Details

Version
1.4.0-epa2, 1.5-rolling-202404141045
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

rts-kotori created this task.Mar 31 2024, 10:03 AM
Viacheslav renamed this task from Policy Route Behavior Different from 1.3.x to Policy Route TCP-MSS Behavior Different from 1.3.x.Mar 31 2024, 10:24 AM
Viacheslav triaged this task as Normal priority.
Viacheslav edited projects, added VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.4 Sagitta.
Viacheslav edited a custom field.
pasik subscribed.Mar 31 2024, 3:02 PM
n.fort changed the task status from Open to Confirmed.Apr 16 2024, 4:57 PM
n.fort claimed this task.
n.fort raised the priority of this task from Normal to High.
n.fort changed Version from 1.4.0-epa2 to 1.4.0-epa2, 1.5-rolling-202404141045.
n.fort added a comment.Apr 16 2024, 5:51 PM

PR: https://github.com/vyos/vyos-1x/pull/3320

Restricted Repository Identity mentioned this in rVYOSONEX24c997dee169: Merge pull request #3320 from nicolas-fort/T6191.Apr 17 2024, 3:25 AM
n.fort mentioned this in rVYOSONEX5ab8f9ac47d9: T6191: do not append action to firewall and policy route|route6 when its not….Apr 17 2024, 3:25 AM
Restricted Repository Identity mentioned this in rVYOSONEX292f4b8efe2a: T6191: do not append action to firewall and policy route|route6 when its not….Apr 17 2024, 3:26 AM
n.fort changed the task status from Confirmed to Needs testing.Apr 17 2024, 8:56 AM
Restricted Repository Identity mentioned this in rVYOSONEX0b9d2c64103a: Merge pull request #3324 from vyos/mergify/bp/sagitta/pr-3320.Apr 17 2024, 10:54 AM
n.fort closed this task as Resolved.Apr 21 2024, 6:54 PM
n.fort moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-epa3) board.
n.fort moved this task from Open to Finished on the VyOS 1.5 Circinus board.
n.fort mentioned this in T6288: policy route ipv4 rule order behaviour.May 6 2024, 11:31 AM
dmbaturin renamed this task from Policy Route TCP-MSS Behavior Different from 1.3.x to Policy route set-mss option is not working correctly.May 11 2024, 6:53 PM
dmbaturin removed a project: VyOS 1.5 Circinus.
dmbaturin changed Is it a breaking change? from Behavior change to Perfectly compatible.