QoS redirect WG fixed port

mrpops2ko · May 22, 2026, 12:14am

so i’ve spent ages on this trying to fix it and i come with a bug and a solution… what i need though for closure though is to find out the why (and also for it to be fixed)

QoS/CAKE / FQ_CODEL IFB redirect fails at boot when WireGuard interface has fixed local port, but works with dynamic port or post-boot redirect (works when you set it up)

i had this issue where i’d set up QoS and then on boot it would break. then I randomly fixed it, then i got the bug back again and that sent me down a spiral of the past 6 hours figuring out how it worked and then didn’t and ultimately its down to the listening port in the config

i migrated from pfsense+ and copied the configs across near enough exact (which used defined listening ports).

so i would like to know why this happens, it must be some kind of race condition but i dont get how, you’d imagine that a defined port would come up before an defined one

i’ll throw an example

set interfaces input ifb99 description 'BUG TEST IFB'

set qos policy cake CAKE-BUG-TEST bandwidth '100mbit'
set qos policy cake CAKE-BUG-TEST description 'BUG TEST'
set qos policy cake CAKE-BUG-TEST flow-isolation dual-dst-host
set qos policy cake CAKE-BUG-TEST flow-isolation-nat
set qos policy cake CAKE-BUG-TEST rtt '100'

set qos interface ifb99 egress 'CAKE-BUG-TEST'

set interfaces wireguard wg99 description 'BUG TEST WG'
set interfaces wireguard wg99 address '10.99.99.1/32'
set interfaces wireguard wg99 private-key '<x>'
set interfaces wireguard wg99 port '51999'
                                       ^^ 👀
set interfaces wireguard wg99 redirect 'ifb99'

^ not working

set interfaces input ifb99 description 'BUG TEST IFB'

set qos policy cake CAKE-BUG-TEST bandwidth '100mbit'
set qos policy cake CAKE-BUG-TEST description 'BUG TEST'
set qos policy cake CAKE-BUG-TEST flow-isolation dual-dst-host
set qos policy cake CAKE-BUG-TEST flow-isolation-nat
set qos policy cake CAKE-BUG-TEST rtt '100'

set qos interface ifb99 egress 'CAKE-BUG-TEST'

set interfaces wireguard wg99 description 'BUG TEST'
set interfaces wireguard wg99 address '10.99.99.1/32'
set interfaces wireguard wg99 private-key '<x>'
set interfaces wireguard wg99 redirect 'ifb99'

^ works

github.com/vyos/vyos-1x

configverify: T8413: fix issue in duplex shaping (redirect to input interface) (#5073)

current ← c-po:qos-redirect-fix

opened 06:46PM - 20 Mar 26 UTC

c-po

+6 -6

## Change summary After commit 6eafdbf1a8 (`configdict: T8358: rename inter…nal representation from traffic_policy to qos`) we uncovered a bug/added a feature in supporting QoS and redirect on an interface. The code in VyOS stream 2026.02 is: `if ('mirror' in config or 'redirect' in config) and dict_search('traffic_policy.in', config) is not None:` and this got changed to: `if 'qos' in config and ('mirror' in config or 'redirect' in config):` in the commit mentioned above When looking at the code in 2026.02 release ``` # git describe --tags 2026.02 # git grep traffic_policy python/vyos/configdict.py: dict.update({'traffic_policy': {}}) python/vyos/configdict.py: dict['vif'][vif].update({'traffic_policy': {}}) python/vyos/configdict.py: dict['vif_s'][vif_s].update({'traffic_policy': {}}) python/vyos/configdict.py: dict['vif_s'][vif_s]['vif_c'][vif_c].update({'traffic_policy': {}}) python/vyos/configverify.py: if ('mirror' in config or 'redirect' in config) and dict_search('traffic_policy.in', config) is not None: python/vyos/ifconfig/interface.py: if not 'traffic_policy' in self.config: ``` I never see `traffic_policy.in` set, so the check seems to have never worked in the past at all During the QoS rewrite from 1.3 -> 1.4 CLI `traffic-policy` was renamed by me to `qos` but we kept that synthetic key in the Python code. That is the root cause. So it should have never worked (CLI wise) but during that bug it started to work as expected, and even the Python code stated in a comment: ``` if 'qos' in config and ('mirror' in config or 'redirect' in config): # XXX: support combination of limiting and redirect/mirror - this is an artificial limitation raise ConfigError('Can not use QoS together with mirror/redirect!') ``` So we have enabled this feature for a long time by accident already. ## Types of changes - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Code style update (formatting, renaming) - [ ] Refactoring (no functional changes) - [ ] Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component - [ ] Other (please describe): ## Related Task(s) * https://vyos.dev/T8413 ## Related PR(s) * https://github.com/vyos/vyos-1x/pull/5036 ## How to test / Smoketest result ``` vyos@vyos:~$ /usr/libexec/vyos/tests/smoke/cli/test_qos.py test_01_cake (__main__.TestQoS.test_01_cake) ... ok test_02_drop_tail (__main__.TestQoS.test_02_drop_tail) ... ok test_03_fair_queue (__main__.TestQoS.test_03_fair_queue) ... ok test_04_fq_codel (__main__.TestQoS.test_04_fq_codel) ... ok test_05_limiter (__main__.TestQoS.test_05_limiter) ... ok test_06_network_emulator (__main__.TestQoS.test_06_network_emulator) ... ok test_07_priority_queue (__main__.TestQoS.test_07_priority_queue) ... ok test_08_random_detect (__main__.TestQoS.test_08_random_detect) ... ok test_09_rate_control (__main__.TestQoS.test_09_rate_control) ... ok test_10_round_robin (__main__.TestQoS.test_10_round_robin) ... ok test_11_shaper (__main__.TestQoS.test_11_shaper) ... ok test_12_shaper_with_red_queue (__main__.TestQoS.test_12_shaper_with_red_queue) ... ok test_13_shaper_delete_only_rule (__main__.TestQoS.test_13_shaper_delete_only_rule) ... ok test_14_policy_limiter_marked_traffic (__main__.TestQoS.test_14_policy_limiter_marked_traffic) ... ok test_15_traffic_match_group (__main__.TestQoS.test_15_traffic_match_group) ... ok test_16_wrong_traffic_match_group (__main__.TestQoS.test_16_wrong_traffic_match_group) ... ok test_17_cake_updates (__main__.TestQoS.test_17_cake_updates) ... ok test_18_priority_queue_default (__main__.TestQoS.test_18_priority_queue_default) ... ok test_19_priority_queue_default_random_detect (__main__.TestQoS.test_19_priority_queue_default_random_detect) ... ok test_20_round_robin_policy_default (__main__.TestQoS.test_20_round_robin_policy_default) ... ok test_21_shaper_hfsc (__main__.TestQoS.test_21_shaper_hfsc) ... ok test_22_rate_control_default (__main__.TestQoS.test_22_rate_control_default) ... ok test_23_policy_limiter_iif_filter (__main__.TestQoS.test_23_policy_limiter_iif_filter) ... ok test_24_policy_shaper_match_ether (__main__.TestQoS.test_24_policy_shaper_match_ether) ... ok ---------------------------------------------------------------------- Ran 24 tests in 87.333s OK ``` ## Checklist: - [x] I have read the [**CONTRIBUTING**](https://github.com/vyos/vyos-1x/blob/current/CONTRIBUTING.md) document - [x] I have linked this PR to one or more Phabricator Task(s) - [x] I have run the components [**SMOKETESTS**](https://github.com/vyos/vyos-1x/tree/current/smoketest/scripts/cli) if applicable - [x] My commit headlines contain a valid Task id - [ ] My change requires a change to the documentation - [ ] I have updated the documentation accordingly

i did try to make a bug thread but it seems my permissions are dodgy and i have no clue who to contact to fix those permissions