User Details
- User Since
- Jun 22 2022, 7:12 AM (123 w, 5 d)
Jul 5 2022
I dug a little deeper; it appears that calling 2 HTTP APIs in parallel results in a vyos-http-api library crash.
Jul 5 08:47:39 cxr vyos-http-api[107198]: Configuration modified via HTTP API using key 'ccube-dev'
Jul 5 08:47:39 cxr vyos-http-api[107198]: INFO: None:0 - "POST /configure HTTP/1.0" 200 OK
Jul 5 08:47:39 cxr netplugd[907]: br4: can't get flags: No such device
Jul 5 08:47:39 cxr vyos-http-api[107198]: processing form data
Jul 5 08:47:39 cxr netplugd[907]: br4: can't get flags: No such device
Jul 5 08:47:39 cxr netplugd[907]: message repeated 3 times: [ br4: can't get flags: No such device]
Jul 5 08:47:39 cxr netplugd[907]: br5: can't get flags: No such device
Jul 5 08:47:39 cxr netplugd[907]: br4: can't get flags: No such device
Jul 5 08:47:39 cxr netplugd[907]: message repeated 27 times: [ br4: can't get flags: No such device]
Jul 5 08:47:40 cxr vyos-http-api[107198]: INFO: None:0 - "POST /config-file HTTP/1.0" 200 OK
Jul 5 08:47:40 cxr vyos-http-api[107198]: processing form data
Jul 5 08:47:40 cxr vyos-http-api[107198]: INFO: None:0 - "POST /retrieve HTTP/1.0" 400 Bad Request
Jul 5 08:47:40 cxr vyos-http-api[107198]: processing form data
Jul 5 08:47:40 cxr vyos-http-api[107198]: processing form data
Jul 5 08:47:40 cxr ntpd[3893]: Listen normally on 87 vti1 169.254.231.46:123
Jul 5 08:47:40 cxr ntpd[3893]: new interface(s) found: waking up resolver
Jul 5 08:47:41 cxr kernel: [104872.825731] vyos-http-api-s[107280]: segfault at 1020 ip 00007f792d30391d sp 00007f792dce93e0 error 4 in libvyosconfig.so.0[7f792d2ae000+10c000]
Jul 5 08:47:41 cxr kernel: [104872.825745] Code: 20 48 83 c4 08 c3 e8 f2 d9 fa ff eb c6 48 83 ec 48 48 8b 40 10 48 89 44 24 18 48 8b 40 20 48 8b 58 20 48 8b 5b 20 48 8b 7b 20 <48> 8b 77 20 48 89 74 24 10 48 8b 56 20 48 89 54 24 20 48 8b 7f 08
Jul 5 08:47:41 cxr kernel: [104872.833057] net_ratelimit: 24 callbacks suppressed
Jul 5 08:47:41 cxr kernel: [104872.833059] IPv4: martian source 10.10.10.18 from 10.10.10.1, on dev eth2
Jul 5 08:47:41 cxr kernel: [104872.833061] ll header: 00000000: ff ff ff ff ff ff 6a 2c d7 cd 51 fd 08 06
Jul 5 08:47:41 cxr systemd[1]: vyos-http-api.service: Main process exited, code=killed, status=11/SEGV
I'm also getting the same error when calling the https API from localhost. In my case it only happens occasionally.
Jun 24 2022
@Viacheslav As for your other concern, you can filter the actual inbound interface (eth4 in my case) in mangle-PREROUTING. Maybe you could try packet marking in mangle-PREROUTING, then filter them later in VYOS_FW_FORWARD/VYOS_FW_LOCAL in the filter table?
Something like this:
Jun 23 2022
@Viacheslav I tested your fix in my environment. The inbound filtering worked as expected after the fix. However, it did not work correctly for the case where we want both inbound and outbound firewalls on a single VRF member interface (or any case that has more than 2 directions on the same interface).