I think there’s a bug on policy section. When i issue command ‘show policy route POSTROUTING’, a keyError notification shows up so i try to add the interface name where this policy have to be attached, i get commit failed error.
You can see details on the image i attached below.
HI!
Can you please share the show version
Thank you
Ok… Actually it’s the current rolling release, i just updated it this morning. On rolling release date 20230627 this bug was also existed.
Version: VyOS 1.4-rolling-202306280317
Release train: current
Built by: [email protected]
Built on: Wed 28 Jun 2023 03:17 UTC
Build UUID: d0de07bc-4c20-4b10-83f0-5bbe1d176dc3
Build commit ID: 35dec9e1bc7240
Architecture: x86_64
Boot via: installed image
System type: bare metal
Hardware vendor: Hewlett-Packard
Hardware model: Presario V3700 Notebook PC
Copyright: VyOS maintainers and contributors
Can you share configuration?
Here’s the policy route config,
route POSTROUTING {
rule 200 {
description “DOH traffics”
destination {
group {
address-group DOH_ADDR
}
}
set {
mark 200
}
}
rule 201 {
description “ICMP traffics”
protocol icmp
set {
mark 200
}
source {
address 192.168.0.0/24
}
}
rule 300 {
description “WA, telegram & other”
destination {
group {
port-group WA_TGRAM_PORT
}
}
protocol tcp_udp
set {
mark 300
}
}
}
Just tell me if you need full config.
Hi @ebedtang , please change the rule set name “POSTROUTING” for the meantime to fix the issue.
Issue #1: Show policy route is not working when no interface is configured.
Remarks: Created a bug report ⚓ T5332 Show policy route not working when no interface is configured
Issue #2: Configuring an interface for policy routes that are using rule set names that are the same for existing chains POSTROUTING, PREROUTING, FORWARD is not working.
Remarks: Doing this in version 1.3 is also not allowed but maybe in 1.4 @n.fort has some workaround.
vyos@vyos# set policy route PREROUTING interface eth1
[edit]
vyos@vyos# commit
[ policy route PREROUTING ]
Failed to apply policy based routing
[[policy route PREROUTING]] failed
Commit failed
[edit]
vyos@vyos# set policy route POSTROUTING interface eth1
[edit]
vyos@vyos# commit
[ policy route PREROUTING ]
Failed to apply policy based routing
[[policy route PREROUTING]] failed
[ policy route POSTROUTING ]
Failed to apply policy based routing
[[policy route POSTROUTING]] failed
Commit failed
[edit]
vyos@vyos# set policy route FORWARD interface eth1
[edit]
vyos@vyos# commit
[ policy route FORWARD ]
Failed to apply policy based routing
[[policy route FORWARD]] failed
[ policy route POSTROUTING ]
Failed to apply policy based routing
[[policy route POSTROUTING]] failed
[ policy route PREROUTING ]
Failed to apply policy based routing
[[policy route PREROUTING]] failed
Commit failed
[edit]
vyos@vyos#
Hi j.landichi,
That’s ok. Just because set Mark wont work if i change policy route name so i set it in POSTROUTING chains. I need set mark to work better than show policy. If you can show me how to make it work in a new policy route name other than POSTROUTING, PREROUTING or FORWARD i will definitely try it. Thank you for the advice.
Policy route works only for inbound traffic
So names could be any
Ok. That’s why i’m using POSTROUTING… As it works fine in POSTROUTING.
You are right, the mark is not working, no mark sign in the log. But why in tc qdisc the statistic is counted to each class as a sign that traffic goes into its class. Is it another bug or something?
In my thought that inbound traffic from lan is outbound to wan.
For 1.4 it is a separate bug, I created a bug report T5333
You shouldn’t rely on the name of policy if there you see some packets then it is a bug but not expected behavior.
Marking outgoing packets will be available in the next releases after firewall rewriting.
Ok thank you so much
