Page MenuHomeVyOS Platform
Create Task
Maniphest T6269

Polixy route "set table" option is not working correctly
Closed, ResolvedPublicBUG
Actions

Description

After the patch submitted for T6191 in this commit , unexpected behavior was found when parsing policy routes which uses set table command

An example with latest code:

vyos@latest# run show config comm | grep policy
set policy route FOO interface 'eth1'
set policy route FOO rule 10 destination address '192.0.2.0/24'
set policy route FOO rule 10 set table '100'
set policy route FOO rule 10 source address '198.51.100.0/24'
set policy route FOO rule 20 destination address '192.0.2.0/24'
set policy route FOO rule 20 set table '20'
[edit]
vyos@latest# sudo nft list chain ip vyos_mangle VYOS_PBR_UD_FOO
table ip vyos_mangle {
        chain VYOS_PBR_UD_FOO {
                ip daddr 192.0.2.0/24 ip saddr 198.51.100.0/24 counter packets 0 bytes 0 meta mark set 0x7fffff9b comment "ipv4-route-FOO-10"
                ip daddr 192.0.2.0/24 counter packets 0 bytes 0 meta mark set 0x7fffffeb comment "ipv4-route-FOO-20"
        }
}
[edit]
vyos@latest#

So, in this case, traffic from host 198.51.100.X to 192.0.2.X will go through both entries, and it will end up using table 20 (second mark will over-write first mark).

In older versions, such as Equuleus, a terminate action accept is added if set table command is used
Same config on Equuleus:

vyos@Equuleus# run show config comm | grep policy
set policy route FOO rule 10 destination address '192.0.2.0/24'
set policy route FOO rule 10 set table '100'
set policy route FOO rule 10 source address '198.51.100.0/24'
set policy route FOO rule 20 destination address '192.0.2.0/24'
set policy route FOO rule 20 set table '20'
[edit]
vyos@Equuleus# sudo nft list table ip mangle | tail -20

        chain VYATTA_FW_LOCALOUT_HOOK {
        }

        chain FOO {
                ip saddr 198.51.100.0/24 ip daddr 192.0.2.0/24 counter packets 0 bytes 0 jump VYATTA_PBR_100 comment "FOO-10"
                ip daddr 192.0.2.0/24 counter packets 0 bytes 0 jump VYATTA_PBR_20 comment "FOO-20"
                counter packets 0 bytes 0 return comment "FOO-1000000 default-action accept"
        }

        chain VYATTA_PBR_100 {
                counter packets 0 bytes 0 meta mark set 0x80000063 
                counter packets 0 bytes 0 accept
        }

        chain VYATTA_PBR_20 {
                counter packets 0 bytes 0 meta mark set 0x80000013 
                counter packets 0 bytes 0 accept
        }
}
[edit]
vyos@Equuleus#

Details

Version
1.5-rolling-202404250020
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

n.fort created this task.Apr 26 2024, 12:43 PM
n.fort changed the task status from Open to In progress.
n.fort claimed this task.
Viacheslav triaged this task as Normal priority.Apr 26 2024, 12:47 PM
n.fort added a comment.Apr 26 2024, 2:21 PM

PR: https://github.com/vyos/vyos-1x/pull/3367

pasik subscribed.Apr 26 2024, 3:00 PM
Restricted Repository Identity mentioned this in rVYOSONEX958e9ac4d1eb: Merge pull request #3367 from nicolas-fort/T6269.May 2 2024, 5:43 AM
n.fort mentioned this in rVYOSONEXd518386d74ab: T6269: policy: ensure correct rule parsing when using, and when not using <set….May 2 2024, 5:43 AM
Restricted Repository Identity mentioned this in rVYOSONEX389a26b2af89: T6269: policy: ensure correct rule parsing when using, and when not using <set….May 2 2024, 5:44 AM
Restricted Repository Identity mentioned this in rVYOSONEXdd92f14b9d70: Merge pull request #3394 from vyos/mergify/bp/sagitta/pr-3367.May 2 2024, 6:43 PM
n.fort mentioned this in T6288: policy route ipv4 rule order behaviour.May 6 2024, 11:31 AM
n.fort closed this task as Resolved.May 8 2024, 4:20 PM
n.fort moved this task from Open to Finished on the VyOS 1.5 Circinus board.
dmbaturin renamed this task from Fix policy route action/set to Polixy route "set table" option is not working correctly.May 11 2024, 8:05 PM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.5 Circinus.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.