Page MenuHomeVyOS Platform
Create Task
Maniphest T7213

pbr fwmark seems not working correctly
Open, NormalPublicBUG
Actions

Description

route tproxy {

rule 100 {
    mark 1
    set {
        table 200
    }
}

}
[edit]
vyos@router-01# ip rule
200: from all fwmark 0x7fffff37 lookup 200

even I changed the mark value , it is still fwmark 0x7fffff37.

Pls have a double check ,thanks .

Details

Version
1.5
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

freebsdjlu created this task.Mar 3 2025, 5:05 AM
pasik subscribed.Mar 3 2025, 7:11 AM
Viacheslav triaged this task as Normal priority.Mar 3 2025, 7:26 AM
Viacheslav subscribed.

Add set of commands to reproduce.

freebsdjlu added a comment.Mar 3 2025, 8:53 AM

set policy route tproxy rule 100 mark '2'
set policy route tproxy rule 100 set table '200'

then check the ip rule result .

Viacheslav added a comment.EditedMar 3 2025, 9:15 AM
vyos@r14# sudo nft list table ip vyos_mangle
table ip vyos_mangle {
	chain VYOS_PBR_PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
		iifname "eth1" counter packets 0 bytes 0 jump VYOS_PBR_UD_tproxy
	}

	chain VYOS_PBR_POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain VYOS_PBR_UD_tproxy {
		meta mark 0x00000002 counter packets 0 bytes 0 meta mark set 0x7fffff37 return comment "ipv4-route-tproxy-100"
	}
}

All match marks 2 set mark 0x7fffff37 and used in the table 200

vyos@r14# ip rule
0:	from all lookup local
200:	from all fwmark 0x7fffff37 lookup 200
32766:	from all lookup main
32767:	from all lookup default
[edit]
vyos@r14#

What is wrong here?

freebsdjlu added a comment.Mar 3 2025, 9:49 AM

sorry , I thought the function should be "match mark 2 and use route table 200" , there is some misunderstanding , but if I only want route based on the mark ,not to change it , how to do it ?

freebsdjlu added a comment.Mar 3 2025, 10:12 AM

btw , could we add a feature to support tproxy when do pbr ?

Viacheslav added a comment.Mon, Mar 3, 4:42 PM
In T7213#217158, @freebsdjlu wrote:

sorry , I thought the function should be "match mark 2 and use route table 200" , there is some misunderstanding , but if I only want route based on the mark ,not to change it , how to do it ?

Ask on the forum.