NFTables - String exceeds maximum length of 16 oifname (VRF Firewalling | Stream-2025-Q2)

Hello,

I was going to see about posting this to Phabricator though my account is disabled, not sure why.

I noticed that when I have multiple interfaces in a VRF and then try to add that VRF to a zone, I get an error that prevents me from committing.

I get these errors on both my routers, and they both run VyOS 1.5-Stream-2025-Q2. The errors disappear when I have fewer interfaces tied within the VRF that is being added to a firewall zone (or, overall, names that equal <16 characters).

VRF Interfaces

vyos@SP-C1# show interfaces bonding bond10 vif 201
 address 141.235.61.3/24
 description "Vultr Edge MI"
 vrf Vultr-Edge-MI
[edit]


vyos@SP-C1# show interfaces wireguard wg201
 address 10.18.31.15/31
 description "Edge-MI01 wg10"
 ip {
     adjust-mss 1380
 }
 peer ArkTech-Edge-MI01 {
     address #####
     allowed-ips 0.0.0.0/0
     port 44513
     public-key ######
 }
 port 9954
 private-key ############
 vrf Vultr-Edge-MI
[edit]

FIREWALL ZONE

show firewall zone VPN members
/** Snipped for Brevity **/ 
member {
     interface wg27
     interface wg182
     interface wg183
     interface wg75
     interface wg23147
     interface wg300
     interface wg899
+    vrf Vultr-Edge-MI
 }

ERROR

Unknown firewall error detected: /run/nftables.conf:580:19-36: Error: String exceeds maximum length of 16
        oifname { "wg201,bond10.201" } counter jump VZONE_VPN
                  ^^^^^^^^^^^^^^^^^^
/run/nftables.conf:666:19-36: Error: String exceeds maximum length of 16
        oifname { "wg201,bond10.201" } counter jump NAME_Local-VPN
                  ^^^^^^^^^^^^^^^^^^
/run/nftables.conf:667:19-36: Error: String exceeds maximum length of 16
        oifname { "wg201,bond10.201" } counter return
                  ^^^^^^^^^^^^^^^^^^
/run/nftables.conf:790:19-36: Error: String exceeds maximum length of 16
        oifname { "wg201,bond10.201" } counter jump VZONE_VPN
                  ^^^^^^^^^^^^^^^^^^
[[firewall]] failed
Commit failed

Version

vyos@SP-C1:~$ show version 
Version:          VyOS 1.5-stream-2025-Q2
Release train:    circinus
Release flavor:   generic

Built by:         autobuild@vyos.net
Built on:         Thu 10 Jul 2025 00:09 UTC
Build UUID:       141037c5-126a-4fbf-bd87-406253347924
Build commit ID:  be16c8588264f3-dirty

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  Supermicro
Hardware model:   X9SCL/X9SCM
Hardware S/N:     0123456789
Hardware UUID:    a5902500-12fd-0706-0025-90a5fd120e0f

Copyright:        VyOS maintainers and contributors

The obvious issue is that this:

{ "wg201,bond10.201" }

Should be this:

{ "wg201", "bond10.201" }

I’m unable to recreate your issue on Q2, can you provide your full firewall config in ‘set’ format?


Hi,

Thanks for the reply, that’s interesting that it did not present its issue to you. When there are multiple interfaces for me it starts to act up, though it does not happen with one or two if the interface names are short.

Here are the firewall set commands; these are the firewall commands for the personal firewall that is having issues. The text was too big to paste in chat.

firewall-c2.txt (49.0 KB)

I don’t see wg201 or bond10.201 anywhere in your config. What is the nft config error with this exact config?

EDIT: I just applied your entire config to a Q2 instance, and it committed just fine.

sudo nft -t list chain vyos_filter VZONE_VPN
table ip vyos_filter {
        chain VZONE_VPN {
                iifname { "wg75", "wg27", "wg300", "wg182", "wg183", "wg899", "wg23147" } counter packets 0 bytes 0 jump NAME_VPN-Intra
                iifname { "wg75", "wg27", "wg300", "wg182", "wg183", "wg899", "wg23147" } counter packets 0 bytes 0 return
                iifname "bond10.110" counter packets 0 bytes 0 jump NAME_All-VPN
                iifname "bond10.110" counter packets 0 bytes 0 return
                iifname { "eth1.122", "bond10.70", "bond10.32", "bond10.64", "bond10.65", "bond10.75", "bond10.87", "bond10.550", "bond10.170", "bond10.171", "bond10.122", "bond10.123" } counter packets 0 bytes 0 jump NAME_All-VPN
                iifname { "eth1.122", "bond10.70", "bond10.32", "bond10.64", "bond10.65", "bond10.75", "bond10.87", "bond10.550", "bond10.170", "bond10.171", "bond10.122", "bond10.123" } counter packets 0 bytes 0 return
                counter packets 0 bytes 0 drop comment "zone_VPN default-action drop"
        }
}

Do you maybe have a member interface somewhere in your config that is causing that error that looks like this?:

set firewall zone VPN member interface 'wg201,bond10.201'

wg201 and bond10.201 live in a separate VRF that does not have a firewall applied to it; however, when I do set firewall zone VPN member vrf Vultr-MI-Edge (the VRF that wg201 and bond10.201 live in) it errors out and cannot commit, which is likely the reason we don’t see it in there.

The VRF has only a VNI and Table tied to it, a normal ‘stock’ VRF.

Edit: Did another check and verified that bond10.201 and wg201 are not part of any other firewall config. Very strange!

If it’s worth noting, I have another VyOS box that has config-sync enabled for the firewalling and it has the same problem. Same hardware and version of VyOS.

Okay, that’s the bug then. When you add a VRF, it attempts to add the interfaces that are in that VRF, but doesn’t split them into a list. It keeps them as a comma-separated string.

set vrf name test table 101
set interfaces dummy dum0 vrf test
set interfaces dummy dum1 vrf test
set interfaces dummy dum2 vrf test
set interfaces dummy dum3 vrf test
set interfaces dummy dum4 vrf test
set firewall zone VPN member vrf test
commit
[ firewall ]

WARNING: address-group "GeoIP-Filter-India" has no members!

Unknown firewall error detected: /run/nftables.conf:580:19-44: Error: String exceeds maximum length of 16
        oifname { "dum1,dum0,dum2,dum3,dum4" } counter jump VZONE_VPN
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:666:19-44: Error: String exceeds maximum length of 16
        oifname { "dum1,dum0,dum2,dum3,dum4" } counter jump NAME_Local-VPN
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:667:19-44: Error: String exceeds maximum length of 16
        oifname { "dum1,dum0,dum2,dum3,dum4" } counter return
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:790:19-44: Error: String exceeds maximum length of 16
        oifname { "dum1,dum0,dum2,dum3,dum4" } counter jump VZONE_VPN
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
[[firewall]] failed
Commit failed
delete interfaces dummy dum3
delete interfaces dummy dum4
commit
[ firewall ]

WARNING: address-group "GeoIP-Filter-India" has no members!

Updating GeoIP. Please wait...

sudo nft -t list chain vyos_filter VYOS_ZONE_FORWARD
table ip vyos_filter {
        chain VYOS_ZONE_FORWARD {
                type filter hook forward priority filter + 1; policy accept;
                ... other rules omitted
                oifname "dum1,dum0,dum2" counter packets 0 bytes 0 jump VZONE_VPN
        }
}
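The post above pins the bug down: the VRF's member interfaces are joined into one comma-separated string instead of being emitted as a list of ifnames. The following is an added illustration, not VyOS's own rule generator, that renders the same fragment both ways and checks what nft would do with it. It assumes nft's ifname parser rejects any literal of 16 or more characters (Linux IFNAMSIZ is 16 bytes including the NUL terminator), which matches the thread: the 16-character "wg201,bond10.201" is rejected while the 14-character "dum1,dum0,dum2" commits. That accepted case is the one worth watching from a defender's side: the commit succeeds, but `oifname "dum1,dum0,dum2"` names no real interface, so the zone rule silently matches nothing for that VRF's members.

```python
import re

# Linux IFNAMSIZ is 16 bytes including the terminating NUL, so an ifname
# literal of 16 or more characters is rejected by nft (assumption, consistent
# with the "String exceeds maximum length of 16" errors in this thread).
IFNAMSIZ = 16

# Constructed sample input: the member list from the dummy-interface reproducer.
VRF_MEMBERS = ["dum1", "dum0", "dum2", "dum3", "dum4"]


def render_buggy(direction: str, interfaces: list[str]) -> str:
    """Reproduce the defective output: every member joined into ONE quoted string."""
    return f'{direction} {{ "{",".join(interfaces)}" }}'


def render_fixed(direction: str, interfaces: list[str]) -> str:
    """Emit one quoted ifname per member, as an anonymous set when there are several."""
    for name in interfaces:
        if not name or len(name) >= IFNAMSIZ:
            raise ValueError(f"ifname {name!r} exceeds maximum length of {IFNAMSIZ}")
    if len(interfaces) == 1:
        return f'{direction} "{interfaces[0]}"'
    return f"{direction} {{ " + ", ".join(f'"{n}"' for n in interfaces) + " }"


def ifname_strings(rule: str) -> list[str]:
    """Pull the quoted ifname literals out of a rendered rule fragment."""
    return re.findall(r'"([^"]*)"', rule)


def nft_accepts(rule: str) -> bool:
    """Would nft's ifname type parser accept every literal in this fragment?"""
    return all(0 < len(s) < IFNAMSIZ for s in ifname_strings(rule))


def matched_interfaces(rule: str, live: list[str]) -> list[str]:
    """Which of the system's real interfaces would this fragment actually match?"""
    wanted = set(ifname_strings(rule))
    return [ifc for ifc in live if ifc in wanted]


def classify(direction: str, interfaces: list[str]) -> str:
    """Outcome of the buggy rendering for a member list: rejected, silent, or ok.

    rejected        -> nft refuses the literal and the commit fails (the thread's error)
    silent-no-match -> nft accepts the literal but it names no real interface
    ok              -> a single member, where joining changes nothing
    """
    rule = render_buggy(direction, interfaces)
    if not nft_accepts(rule):
        return "rejected"
    if len(interfaces) > 1 and not matched_interfaces(rule, interfaces):
        return "silent-no-match"
    return "ok"


if __name__ == "__main__":
    for members in (VRF_MEMBERS, VRF_MEMBERS[:3], ["wg201", "bond10.201"]):
        print(f"{classify('oifname', members):16} {render_buggy('oifname', members)}")
        print(f"{'fixed':16} {render_fixed('oifname', members)}")
```

Running the block prints the buggy and corrected fragment for each sample list; the three-member list is the instructive one, because it commits and still matches none of dum0, dum1 or dum2. After upgrading past the fix, `sudo nft -t list chain vyos_filter VYOS_ZONE_FORWARD` (the check used in the thread) should show the members as separate quoted names, as in the `iifname { "wg75", "wg27", ... }` lines earlier in this thread.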

Please register again and let me know; this is most likely caused by an anti-spam bot.

Thanks, I was able to get in!

Happy to report that with the latest VyOS Stream 2025.11 image, this is fixed. I have no issues, even when adding additional interfaces to my VRF.
