
Fix policy route action/set
In progress, Normal, Public, BUG

Description

After the patch submitted for T6191 in this commit, unexpected behavior was found when parsing policy routes that use the set table command.

An example with the latest code:

vyos@latest# run show config comm | grep policy
set policy route FOO interface 'eth1'
set policy route FOO rule 10 destination address '192.0.2.0/24'
set policy route FOO rule 10 set table '100'
set policy route FOO rule 10 source address '198.51.100.0/24'
set policy route FOO rule 20 destination address '192.0.2.0/24'
set policy route FOO rule 20 set table '20'
[edit]
vyos@latest# sudo nft list chain ip vyos_mangle VYOS_PBR_UD_FOO
table ip vyos_mangle {
        chain VYOS_PBR_UD_FOO {
                ip daddr 192.0.2.0/24 ip saddr 198.51.100.0/24 counter packets 0 bytes 0 meta mark set 0x7fffff9b comment "ipv4-route-FOO-10"
                ip daddr 192.0.2.0/24 counter packets 0 bytes 0 meta mark set 0x7fffffeb comment "ipv4-route-FOO-20"
        }
}
[edit]
vyos@latest#

So, in this case, traffic from host 198.51.100.X to 192.0.2.X matches both entries, and it will end up using table 20 (the second mark overwrites the first, because neither rule terminates evaluation of the chain).

In older versions, such as Equuleus, a terminating accept action is added after the mark if the set table command is used.
The same config on Equuleus:

vyos@Equuleus# run show config comm | grep policy
set policy route FOO rule 10 destination address '192.0.2.0/24'
set policy route FOO rule 10 set table '100'
set policy route FOO rule 10 source address '198.51.100.0/24'
set policy route FOO rule 20 destination address '192.0.2.0/24'
set policy route FOO rule 20 set table '20'
[edit]
vyos@Equuleus# sudo nft list table ip mangle | tail -20

        chain VYATTA_FW_LOCALOUT_HOOK {
        }

        chain FOO {
                ip saddr 198.51.100.0/24 ip daddr 192.0.2.0/24 counter packets 0 bytes 0 jump VYATTA_PBR_100 comment "FOO-10"
                ip daddr 192.0.2.0/24 counter packets 0 bytes 0 jump VYATTA_PBR_20 comment "FOO-20"
                counter packets 0 bytes 0 return comment "FOO-1000000 default-action accept"
        }

        chain VYATTA_PBR_100 {
                counter packets 0 bytes 0 meta mark set 0x80000063 
                counter packets 0 bytes 0 accept
        }

        chain VYATTA_PBR_20 {
                counter packets 0 bytes 0 meta mark set 0x80000013 
                counter packets 0 bytes 0 accept
        }
}
[edit]
vyos@Equuleus#
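As an added example (not code from this report or from VyOS), a small check that parses "nft list chain" output like the one above and flags mark-setting rules that have no terminating verdict and whose source/destination match overlaps a later mark-setting rule, i.e. the overwrite described in this task. The chain text is taken from the report; the "fixed" variant with accept appended to each mark rule is a constructed assumption of one possible corrected ruleset, not a change the project has made.

```python
import ipaddress
import re

# Constructed sample input: the VYOS_PBR_UD_FOO chain as the report shows it (the
# "meta mark set" rules carry no terminating verdict), plus a hypothetical corrected
# form of the same chain with "accept" appended to each mark-setting rule.
BROKEN_CHAIN = """
chain VYOS_PBR_UD_FOO {
    ip daddr 192.0.2.0/24 ip saddr 198.51.100.0/24 counter packets 0 bytes 0 meta mark set 0x7fffff9b comment "ipv4-route-FOO-10"
    ip daddr 192.0.2.0/24 counter packets 0 bytes 0 meta mark set 0x7fffffeb comment "ipv4-route-FOO-20"
}
"""
FIXED_CHAIN = BROKEN_CHAIN.replace(" comment", " accept comment")

ANY4 = "0.0.0.0/0"                                  # no saddr/daddr match = any host
VERDICTS = {"accept", "drop", "reject", "return"}   # verdicts that stop chain evaluation
ADDR_RE = re.compile(r"ip (saddr|daddr) (\S+)")
MARK_RE = re.compile(r"meta mark set (0x[0-9a-fA-F]+)")
COMMENT_RE = re.compile(r'comment "([^"]*)"')


def parse_chain(text):
    """Parse 'nft list chain' output into one dict per rule line."""
    rules = []
    for line in text.splitlines():
        if "counter" not in line:          # skip the 'chain X {' and '}' lines
            continue
        body = COMMENT_RE.sub("", line).strip()
        addrs = dict(ADDR_RE.findall(body))
        mark = MARK_RE.search(body)
        comment = COMMENT_RE.search(line)
        rules.append({
            "comment": comment.group(1) if comment else body,
            "saddr": ipaddress.ip_network(addrs.get("saddr", ANY4), strict=False),
            "daddr": ipaddress.ip_network(addrs.get("daddr", ANY4), strict=False),
            "mark": int(mark.group(1), 16) if mark else None,
            # only a rule whose last token is a verdict ends evaluation of the chain
            "terminating": body.split()[-1] in VERDICTS,
        })
    return rules


def find_mark_overwrites(rules):
    """(earlier, later) comment pairs where a later mark rule can re-mark traffic."""
    hits = []
    for i, a in enumerate(rules):
        if a["mark"] is None or a["terminating"]:
            continue
        for b in rules[i + 1:]:
            if b["mark"] is not None and a["saddr"].overlaps(b["saddr"]) and a["daddr"].overlaps(b["daddr"]):
                hits.append((a["comment"], b["comment"]))
    return hits
```

Running find_mark_overwrites(parse_chain(BROKEN_CHAIN)) reports the FOO-10/FOO-20 pair, while the variant with accept appended reports nothing.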

Details

Difficulty level: Unknown (require assessment)
Version: 1.5-rolling-202404250020
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)