
WAN load balancing rule fails when using comma-separated ports
Closed, Resolved | Public | BUG

Description

Appears to be the same issue as T7414.

Aug  4 09:27:20 001 python3[33977]: ERROR: Failed to apply WLB nftables config
Aug  4 09:27:20 001 python3[33977]: Output: /run/nftables_wlb.conf:15:114-117: Error: Basetype of type internet network service is not bitmask
Aug  4 09:27:20 001 python3[33977]:        iifname "eth4.10" meta l4proto  { tcp, udp } ip saddr  192.168.0.10 ip daddr != 192.168.0.0/16 th dport  http,https ct state new counter jump wlb_mangle_isp_eth1
Aug  4 09:27:20 001 python3[33977]:                                                                                                                 ^^^^
Aug  4 09:27:20 001 python3[33977]: /run/nftables_wlb.conf:16:114-117: Error: Basetype of type internet network service is not bitmask
Aug  4 09:27:20 001 python3[33977]:        iifname "eth4.10" meta l4proto  { tcp, udp } ip saddr  192.168.0.10 ip daddr != 192.168.0.0/16 th dport  http,https counter meta mark set ct mark
Aug  4 09:27:20 001 python3[33977]:                                                                                                                 ^^^^
Aug  4 09:27:20 001 python3[33977]: INFO: State change: eth1 -> True
Aug  4 09:27:20 001 python3[33977]: ERROR: Failed to apply WLB nftables config
Aug  4 09:27:20 001 python3[33977]: Output: /run/nftables_wlb.conf:16:114-117: Error: Basetype of type internet network service is not bitmask
Aug  4 09:27:20 001 python3[33977]:        iifname "eth4.10" meta l4proto  { tcp, udp } ip saddr  192.168.0.10 ip daddr != 192.168.0.0/16 th dport  http,https ct state new counter jump wlb_mangle_isp_eth1
Aug  4 09:27:20 001 python3[33977]:                                                                                                                 ^^^^
Aug  4 09:27:20 001 python3[33977]: /run/nftables_wlb.conf:17:114-117: Error: Basetype of type internet network service is not bitmask
Aug  4 09:27:20 001 python3[33977]:        iifname "eth4.10" meta l4proto  { tcp, udp } ip saddr  192.168.0.10 ip daddr != 192.168.0.0/16 th dport  http,https counter meta mark set ct mark
Aug  4 09:27:20 001 python3[33977]:                                                                                                                 ^^^^

Works fine when the ports are split into two rules:

iifname "eth4.10" meta l4proto { tcp, udp } ip saddr 192.168.0.10 ip daddr != 192.168.0.0/16 th dport 80 ct state new counter packets 40 bytes 2400 jump wlb_mangle_isp_eth1
iifname "eth4.10" meta l4proto { tcp, udp } ip saddr 192.168.0.10 ip daddr != 192.168.0.0/16 th dport 443 ct state new counter packets 48 bytes 2880 jump wlb_mangle_isp_eth1

Details

Version: Rolling
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)
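
The log above shows nft rejecting `th dport http,https`: a comma list without braces is parsed as a bitmask flag list, and port values are not a bitmask type. As an added example (not VyOS code and not the change that closed this task), the Python below renders a port spec as an anonymous set and checks generated rules for bare comma lists; the function names and the sample ruleset are constructed for illustration.

```python
import re

# One token: a port number, a lo-hi range, or a service name such as "http".
_TOKEN = re.compile(r"(\d{1,5})(?:-(\d{1,5}))?|[a-z][a-z0-9-]*")
# A port match whose value is a comma list with no enclosing braces.
_BARE_LIST = re.compile(
    r"\b(?:th|tcp|udp) [ds]port\s+(?:!=\s*)?([^\s{},]+(?:,[^\s{},]+)+)")


def render_dport(spec):
    """Render a comma-separated port spec as an nftables 'th dport' match."""
    tokens = [t.strip() for t in spec.split(",")]
    for tok in tokens:
        m = _TOKEN.fullmatch(tok)
        if not m:
            raise ValueError(f"invalid port token: {tok!r}")
        nums = [int(n) for n in m.groups() if n is not None]
        if any(n < 1 or n > 65535 for n in nums) or nums != sorted(nums):
            raise ValueError(f"port out of range or reversed: {tok!r}")
    if len(tokens) == 1:
        return f"th dport {tokens[0]}"
    # More than one value must be an anonymous set, not a bare comma list.
    return "th dport { " + ", ".join(tokens) + " }"


def find_bare_port_lists(ruleset):
    """Return (line number, value) for each port match using a bare comma list."""
    hits = []
    for lineno, line in enumerate(ruleset.splitlines(), start=1):
        for m in _BARE_LIST.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits


# Constructed sample: line 1 is the rejected rule from the log above,
# line 2 is the same rule with its ports rendered by render_dport().
_PREFIX = ('iifname "eth4.10" meta l4proto { tcp, udp } ip saddr 192.168.0.10 '
           'ip daddr != 192.168.0.0/16 ')
_SUFFIX = " ct state new counter jump wlb_mangle_isp_eth1"
SAMPLE = "\n".join([
    _PREFIX + "th dport http,https" + _SUFFIX,
    _PREFIX + render_dport("http,https") + _SUFFIX,
])

if __name__ == "__main__":
    print(find_bare_port_lists(SAMPLE))
```

Running a check like `find_bare_port_lists()` on a generated ruleset before it is loaded surfaces the malformed match without waiting for the `Failed to apply WLB nftables config` error.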

Event Timeline

dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
Viacheslav assigned this task to MattK.
Viacheslav moved this task from Need Triage to Completed on the VyOS Rolling board.
Viacheslav moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q3) board.