Traffic policy can't be committed on VyOS 1.2.3

Hi,

I’m trying to use traffic policy on certain interfaces in VyOS 1.2.3. But neither the shaper nor the limiter policy can be committed successfully; according to the commit error message, they are both blocked by a permission issue.

My configuration is:

set traffic-policy limiter IN-LIMITER-10M default bandwidth '10mbit'
set traffic-policy limiter IN-LIMITER-10M default burst '200kb'
set traffic-policy shaper 50Mbps bandwidth '50mbit'
set traffic-policy shaper 50Mbps default bandwidth '50mbit'
set traffic-policy shaper 50Mbps default burst '0'
set traffic-policy shaper 50Mbps default queue-limit '1000'
set traffic-policy shaper 50Mbps default queue-type 'fair-queue'

the error message is:

[edit]
set interfaces ethernet eth1 traffic-policy in IN-LIMITER-10M 
[edit]
commit
[ interfaces ethernet eth1 traffic-policy in IN-LIMITER-10M ]
RTNETLINK answers: Operation not permitted
Command failed -:1
TC command failed. at /opt/vyatta/sbin/vyatta-qos.pl line 236.
qdisc add dev eth1 handle ffff: ingress
filter add dev eth1 parent ffff: prio 255 protocol all basic  action police rate 10000000 conform-exceed drop burst 200kb flowid ffff:1

[[interfaces ethernet eth1]] failed
Commit failed

It wasn’t like that at first, but it started happening recently. I wonder if anyone has met this kind of problem before or has any clue about how to trace it?

best regards

I have no problem committing a similar config.

set traffic-policy shaper WAN-IN bandwidth "500.5Mbit"
set traffic-policy shaper WAN-IN default bandwidth "50%"
set traffic-policy shaper WAN-IN default burst "15k"
set traffic-policy shaper WAN-IN default ceiling "100%"
set traffic-policy shaper WAN-IN default queue-type "fair-queue"
set traffic-policy shaper WAN-OUT bandwidth "500.5Mbit"
set traffic-policy shaper WAN-OUT default bandwidth "50%"
set traffic-policy shaper WAN-OUT default burst "15k"
set traffic-policy shaper WAN-OUT default ceiling "100%"
set traffic-policy shaper WAN-OUT default queue-type "fair-queue"

set interfaces ethernet eth0 vif 42 traffic-policy out "WAN-OUT"
set interfaces input ifb042 traffic-policy out "WAN-IN"

This is a strange thing: it worked at first, but suddenly it doesn’t, and I can’t commit a traffic policy to any interface, as you saw in the log.

I tried to check what commit does in VyOS and found the instructions below in /opt/vyatta/share/vyatta-cfg/templates/interfaces/ethernet/node.tag/traffic-policy/in/node.def:

type: txt
help: Ingress traffic policy for interface
allowed: /opt/vyatta/sbin/vyatta-qos.pl --list-policy in
update: /opt/vyatta/sbin/vyatta-qos.pl --update-interface $VAR(../../@) in $VAR(@)
delete: /opt/vyatta/sbin/vyatta-qos.pl --delete-interface $VAR(../../@) in

Obviously, when I commit the traffic policy for the ingress direction, the command /opt/vyatta/sbin/vyatta-qos.pl --update-interface $VAR(../../@) in $VAR(@) will be executed. But somehow it has a permission issue now. I added sudo to that command, and then commit works again, but I don’t think that’s the solution since it worked without sudo. I wonder what caused the problem and want to measure the risk of using it.

I seem to have found the cause. On the system that works:

getcap /sbin/tc
/sbin/tc = cap_net_admin+ep

the tc binary has cap_net_admin, so it can be executed without sudo privileges, but on my system:

getcap /sbin/tc

it prints nothing; the corresponding Linux capability is missing, and I don’t know why.

Can no one answer why the Linux capability is missing?

Hello @MapleWang, are you using your own build of 1.2.3? Please provide show version.

Hi Dmitry,

Yes, I built VyOS myself. Actually, I already found the problem. It was caused by squashfs-tools. I normally customize filesystem.squashfs using squashfs-tools, and it turns out that squashfs-tools caused the loss of Linux attributes until version 4.4. After using squashfs-tools 4.4-1, all Linux capabilities are back. Thanks for the support.

best regards.
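A check for the root cause found in this thread, as an added example that is not from any of the posts above: a small Python audit that parses getcap output and reports binaries whose file capabilities went missing, which is exactly what happens when filesystem.squashfs is repacked with a squashfs-tools that drops extended attributes (security.capability). The EXPECTED_CAPS manifest and the two sample outputs are constructed from the /sbin/tc line quoted in the thread; the second getcap print format (newer libcap) is an assumption, not something the thread shows.

```python
import re
import subprocess
from typing import Dict, Set

# Manifest of file capabilities a VyOS 1.2 image must carry on these binaries.
# The /sbin/tc entry is taken from the working system quoted in the thread; extend
# the dict with whatever else your image relies on (constructed manifest).
EXPECTED_CAPS: Dict[str, Set[str]] = {
    "/sbin/tc": {"cap_net_admin"},
}

# getcap prints "path = cap_a,cap_b+ep" (older libcap, as in the thread) or
# "path cap_a,cap_b=ep" (newer libcap; assumed format). Both are accepted.
_GETCAP_LINE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>[a-z_,]+)[+=][a-z]*$")


def parse_getcap(output: str) -> Dict[str, Set[str]]:
    """Map each path in getcap output to the set of capability names it carries."""
    found: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        m = _GETCAP_LINE.match(line.strip())
        if m:
            found[m.group("path")] = set(m.group("caps").split(","))
    return found


def missing_caps(expected: Dict[str, Set[str]], output: str) -> Dict[str, Set[str]]:
    """Return {path: capabilities that are expected but absent}; empty dict means OK."""
    present = parse_getcap(output)
    lost = {path: caps - present.get(path, set()) for path, caps in expected.items()}
    return {path: caps for path, caps in lost.items() if caps}


def audit_live_system(expected: Dict[str, Set[str]] = EXPECTED_CAPS) -> Dict[str, Set[str]]:
    """Run getcap (libcap2-bin) on the manifest paths and report stripped capabilities."""
    proc = subprocess.run(["getcap", *expected], capture_output=True, text=True, check=False)
    return missing_caps(expected, proc.stdout)


# Constructed sample outputs mirroring the two boxes in the thread.
GOOD_OUTPUT = "/sbin/tc = cap_net_admin+ep\n"
BAD_OUTPUT = ""  # getcap printed nothing on the image built with old squashfs-tools

if __name__ == "__main__":
    for label, out in (("working", GOOD_OUTPUT), ("broken", BAD_OUTPUT)):
        print(label, missing_caps(EXPECTED_CAPS, out) or "all file capabilities present")
```

Run audit_live_system() on a freshly built image before shipping it; a non-empty result means the build step stripped xattrs and tc (or anything else in the manifest) will again need root to run.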