
WAN load balancer always has nftables limit configured
Closed, Resolved · Public · BUG

Description

WAN load balancer configurations always add a default 5 packet/sec limit to the nftables rules, despite code being present to remove them.

Configuration:

matthew@VyOS# compare
+ load-balancing {
+     wan {
+         flush-connections
+         interface-health eth1 {
+             failure-count "5"
+             nexthop "dhcp"
+             test 10 {
+                 target "1.1.1.1"
+                 type "ping"
+             }
+             test 20 {
+                 target "8.8.8.8"
+                 type "ping"
+             }
+         }
+         interface-health eth2 {
+             failure-count "5"
+             nexthop "dhcp"
+             test 10 {
+                 target "1.1.1.1"
+                 type "ping"
+             }
+             test 20 {
+                 target "8.8.8.8"
+                 type "ping"
+             }
+         }
+         interface-health eth3.666 {
+             failure-count "5"
+             nexthop "dhcp"
+             test 10 {
+                 target "1.1.1.1"
+                 type "ping"
+             }
+             test 20 {
+                 target "8.8.8.8"
+                 type "ping"
+             }
+         }
+         rule 10 {
+             destination {
+                 address "!192.168.0.0/16"
+             }
+             inbound-interface "eth4.10"
+             interface eth1 {
+             }
+             interface eth2 {
+             }
+         }
+         rule 20 {
+             destination {
+                 address "!192.168.0.0/16"
+             }
+             inbound-interface "eth4.50"
+             interface eth1 {
+             }
+             interface eth2 {
+             }
+         }
+         rule 110 {
+             destination {
+                 address "!192.168.0.0/16"
+             }
+             inbound-interface "eth4.10"
+             interface eth3.666 {
+             }
+         }
+         rule 120 {
+             destination {
+                 address "!192.168.0.0/16"
+             }
+             inbound-interface "eth4.50"
+             interface eth3.666 {
+             }
+         }
+         sticky-connections {
+             inbound
+         }
+     }
+ }

nftables:

matthew@VyOS:~$ show wan-load-balance status
iifname "eth1" ct state new ct mark set 0x000000c9
iifname "eth2" ct state new ct mark set 0x000000ca
iifname "eth3.666" ct state new ct mark set 0x000000cb
iifname "eth4.10" ip daddr != 192.168.0.0/16 ct state new limit rate 5/second burst 5 packets counter packets 25 bytes 1602 jump wlb_mangle_isp_eth1
iifname "eth4.50" ip daddr != 192.168.0.0/16 ct state new limit rate 5/second burst 5 packets counter packets 0 bytes 0 jump wlb_mangle_isp_eth1
iifname "eth4.10" ip daddr != 192.168.0.0/16 ct state new limit rate 5/second burst 5 packets counter packets 25 bytes 1608 jump wlb_mangle_isp_eth3.666
iifname "eth4.50" ip daddr != 192.168.0.0/16 ct state new limit rate 5/second burst 5 packets counter packets 0 bytes 0 jump wlb_mangle_isp_eth3.666
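As an added check (not part of this task or of the VyOS code base), the following Python parses the `show wan-load-balance status` output above and reports the dispatch rules that carry a `limit rate` clause even though the configuration sets no limit under any WAN rule; the sample input is the rule lines from this task, and the `WlbRule` / `parse_status` / `unexpected_limits` names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the rule lines from this task's `show wan-load-balance status`.
SAMPLE_STATUS = """\
iifname "eth1" ct state new ct mark set 0x000000c9
iifname "eth2" ct state new ct mark set 0x000000ca
iifname "eth3.666" ct state new ct mark set 0x000000cb
iifname "eth4.10" ip daddr != 192.168.0.0/16 ct state new limit rate 5/second burst 5 packets counter packets 25 bytes 1602 jump wlb_mangle_isp_eth1
iifname "eth4.50" ip daddr != 192.168.0.0/16 ct state new limit rate 5/second burst 5 packets counter packets 0 bytes 0 jump wlb_mangle_isp_eth1
iifname "eth4.10" ip daddr != 192.168.0.0/16 ct state new limit rate 5/second burst 5 packets counter packets 25 bytes 1608 jump wlb_mangle_isp_eth3.666
iifname "eth4.50" ip daddr != 192.168.0.0/16 ct state new limit rate 5/second burst 5 packets counter packets 0 bytes 0 jump wlb_mangle_isp_eth3.666
"""

IIF_RE = re.compile(r'^iifname "([^"]+)"')
LIMIT_RE = re.compile(r"limit rate (\d+)/(second|minute|hour|day|week)(?: burst (\d+) packets)?")
JUMP_RE = re.compile(r"jump (\S+)$")

@dataclass
class WlbRule:
    iifname: str
    jump: Optional[str]        # wlb_mangle_isp_* chain; None for the ct-mark-set rules
    limit_rate: Optional[str]  # e.g. "5/second"; None when the rule has no limit clause
    burst: Optional[int]

def parse_status(text: str) -> List[WlbRule]:
    """Parse the nftables rule lines printed by `show wan-load-balance status`."""
    rules = []
    for line in text.splitlines():
        m = IIF_RE.match(line.strip())
        if not m:
            continue  # not a rule line (blank, header, etc.)
        lim = LIMIT_RE.search(line)
        jmp = JUMP_RE.search(line.rstrip())
        rules.append(WlbRule(
            iifname=m.group(1),
            jump=jmp.group(1) if jmp else None,
            limit_rate=f"{lim.group(1)}/{lim.group(2)}" if lim else None,
            burst=int(lim.group(3)) if lim and lim.group(3) else None,
        ))
    return rules

def unexpected_limits(rules: List[WlbRule]) -> List[WlbRule]:
    """Dispatch rules (those jumping to an ISP chain) that carry a limit clause.
    The config in this task sets no limit under any WAN rule, so each hit is a defect."""
    return [r for r in rules if r.jump is not None and r.limit_rate is not None]
```

Running `unexpected_limits(parse_status(SAMPLE_STATUS))` on the output above flags all four dispatch rules with `5/second`, burst 5, which matches the behaviour the task describes.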

Details

Version
Rolling
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

MattK updated the task description.
MattK updated the task description.
Viacheslav triaged this task as Normal priority. Jul 13 2025, 3:24 PM
This comment was removed by MattK.
Viacheslav changed the task status from Open to In progress. Jul 14 2025, 11:02 AM
Viacheslav assigned this task to MattK.
Viacheslav changed the task status from In progress to Needs testing. Jul 16 2025, 10:18 AM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q3) board.
dmbaturin moved this task from Need Triage to Completed on the VyOS Rolling board.