Policy route issue

Hello,

I’m trying to set the following policy route with VyOS 1.1.7:

set protocols static table 5 route 10.0.1.29/32 next-hop 10.0.1.1

set policy route A-ROUTE rule 100 destination address 10.0.1.29/32
set policy route A-ROUTE rule 100 protocol tcp
set policy route A-ROUTE rule 100 source address 91.112.x.x/32
set policy route A-ROUTE rule 100 set table 5

set policy route A-ROUTE rule 999 destination address 0.0.0.0/0
set policy route A-ROUTE rule 999 source address 0.0.0.0/0
set policy route A-ROUTE rule 999 set table main

91.112.x.x is the IP of the WAN interface
10.0.1.29 is the IP of an internal server

When I’m trying to commit then I get the following error:

[ policy route A-ROUTE ]
iptables v1.4.12.2: Couldn't load target `VYATTA_PBR_5':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
Use of uninitialized value $rule_strs[1] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[2] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[3] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[4] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
Use of uninitialized value $rule_strs[5] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 642.
iptables error: No such file or directory - -m comment --comment "A-ROUTE-100" -p tcp --source 91.112.x.x/32 --destination 10.0.1.29/32 -j VYATTA_PBR_5 at /opt/vyatta/sbin/vyatta-firewall.pl line 642.

[[policy route A-ROUTE]] failed
Commit failed

Please help!

Hello,

I have the same issue using VyOS 1.1.8:

iptables v1.4.12.2: Couldn't load target `VYATTA_PBR_1':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables error: Inappropriate ioctl for device - -m comment --comment "FW_OUT-5" -p udp

Did you resolve the issue?

Can you help, please?

Regards

Hi,

VyOS 1.1.x is already End-Of-Life. Could you upgrade to any of the new 1.2 releases and check?

Cheers

Just in case someone else comes across this, it’s a limitation within the PBR subsystem, which needs to be rewritten. There is an open task (T445) in Phabricator for v1.3 which also mentions a temporary workaround:

The best fix for this would be to finally switch to using iptables-restore instead of inserting rules one by one.

There’s a simple workaround though: delete the rule and re-create it with the new table. To make it easier, copy the commands from ‘run show configuration commands’.
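To show why T445 favours iptables-restore over one-by-one insertion, here is an added example (not VyOS code and not from this thread) that turns the A-ROUTE rules above into a mangle-table iptables-restore fragment in which every VYATTA_PBR_<table> chain is declared before any rule jumps to it, plus a pre-commit check for the "Couldn't load target" condition. The chain naming, the MARK-based per-table chain and the mangle-table placement are my assumptions about the 1.1 PBR layout; the 91.112.x.x address is left as the poster wrote it.

```python
# Added example, not VyOS's own implementation. Assumptions: PBR lives in the
# mangle table, "set table N" jumps to a chain VYATTA_PBR_N that marks the
# packet with N (for a matching `ip rule fwmark`), and "set table main" is a
# plain RETURN. Rules are constructed from the A-ROUTE policy in the thread.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN", "MARK"}

RULES = [
    {"num": 100, "proto": "tcp", "src": "91.112.x.x/32", "dst": "10.0.1.29/32", "table": 5},
    {"num": 999, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "table": "main"},
]

def pbr_chain(table):
    """Chain that a 'set table' action jumps to; None for the main table."""
    return None if table == "main" else f"VYATTA_PBR_{table}"

def build_restore(policy, rules):
    """Emit iptables-restore lines with chain declarations ahead of the
    rules that reference them, so the whole set loads atomically."""
    chains = sorted({pbr_chain(r["table"]) for r in rules} - {None})
    lines = ["*mangle", f":{policy} - [0:0]"]
    lines += [f":{c} - [0:0]" for c in chains]
    for c in chains:  # per-table chain only sets the fwmark
        lines.append(f"-A {c} -j MARK --set-mark {c[len('VYATTA_PBR_'):]}")
    for r in sorted(rules, key=lambda r: r["num"]):
        target = pbr_chain(r["table"]) or "RETURN"
        match = [f'-m comment --comment "{policy}-{r["num"]}"']
        if "proto" in r:
            match.append(f"-p {r['proto']}")
        match += [f"-s {r['src']}", f"-d {r['dst']}"]
        lines.append(f"-A {policy} {' '.join(match)} -j {target}")
    lines.append("COMMIT")
    return lines

def undefined_targets(lines):
    """Jump targets that are neither built-in nor declared by a ':CHAIN'
    line, i.e. exactly what iptables rejects with 'Couldn't load target'."""
    declared = {l[1:].split()[0] for l in lines if l.startswith(":")}
    missing = []
    for l in lines:
        if " -j " in l:
            tgt = l.split(" -j ")[1].split()[0]
            if tgt not in declared and tgt not in BUILTIN_TARGETS:
                missing.append(tgt)
    return missing

if __name__ == "__main__":
    fragment = build_restore("A-ROUTE", RULES)
    print("\n".join(fragment))
    print("undefined targets:", undefined_targets(fragment))
```

Feeding a fragment with an undeclared VYATTA_PBR_5 jump to undefined_targets() reproduces the failure the poster hit before any rule touches the kernel.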