I’m trying to use traffic policy on certain interfaces in VyOS 1.2.3. But neither the shaper nor the limiter policy can be committed successfully; they are both blocked by a permission issue according to the commit error message.
My configuration is:
set traffic-policy limiter IN-LIMITER-10M default bandwidth '10mbit'
set traffic-policy limiter IN-LIMITER-10M default burst '200kb'
set traffic-policy shaper 50Mbps bandwidth '50mbit'
set traffic-policy shaper 50Mbps default bandwidth '50mbit'
set traffic-policy shaper 50Mbps default burst '0'
set traffic-policy shaper 50Mbps default queue-limit '1000'
set traffic-policy shaper 50Mbps default queue-type 'fair-queue'
The error message is:
[edit]
set interfaces ethernet eth1 traffic-policy in IN-LIMITER-10M
[edit]
commit
[ interfaces ethernet eth1 traffic-policy in IN-LIMITER-10M ]
RTNETLINK answers: Operation not permitted
Command failed -:1
TC command failed. at /opt/vyatta/sbin/vyatta-qos.pl line 236.
qdisc add dev eth1 handle ffff: ingress
filter add dev eth1 parent ffff: prio 255 protocol all basic action police rate 10000000 conform-exceed drop burst 200kb flowid ffff:1
[[interfaces ethernet eth1]] failed
Commit failed
It wasn’t like that at first, but it started to happen recently. I wonder if there is anyone who has met this kind of problem before or has any clue about tracing the problem?
This is a strange thing: it worked at first, but suddenly it doesn’t. I can’t commit a traffic policy to any interface, as you saw in the log.
I tried to check what commit does in VyOS and found the instructions below in /opt/vyatta/share/vyatta-cfg/templates/interfaces/ethernet/node.tag/traffic-policy/in/node.def:
type: txt
help: Ingress traffic policy for interface
allowed: /opt/vyatta/sbin/vyatta-qos.pl --list-policy in
update: /opt/vyatta/sbin/vyatta-qos.pl --update-interface $VAR(../../@) in $VAR(@)
delete: /opt/vyatta/sbin/vyatta-qos.pl --delete-interface $VAR(../../@) in
Obviously, when I commit the traffic policy for the ingress direction, the command /opt/vyatta/sbin/vyatta-qos.pl --update-interface $VAR(../../@) in $VAR(@) will be executed. But somehow it has a permission issue now. I added sudo to that command, then commit works again, but I think it’s not the solution since it worked without sudo. I wonder what causes the problem, and I want to measure the risk of using it.
Yes, I built VyOS myself. Actually, I already found the problem. It was caused by squashfs-tools. I normally customize the filesystem.squashfs using squashfs-tools, and it turns out that squashfs-tools will cause loss of Linux attributes until version 4.4. After using squashfs-tools 4.4-1, all Linux capabilities are back. Thanks for the support.
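One way to check for the attribute loss described in the last post, as an added example that is not code from the thread or from VyOS: it decodes the security.capability extended attribute, where Linux stores file capabilities, and lists files whose capabilities differ between the original and the repacked root tree. The sample xattr bytes and the path sbin/example-tool are constructed for illustration.

```python
import os
import struct

CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw"}  # subset of linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# xattr revision -> number of 32-bit (permitted, inheritable) pairs that follow
PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}


def decode_vfs_cap(raw):
    """Decode a security.capability xattr value (struct vfs_cap_data)."""
    (magic,) = struct.unpack_from("<I", raw, 0)
    n = PAIRS[magic & VFS_CAP_REVISION_MASK]
    words = struct.unpack_from("<%dI" % (2 * n), raw, 4)
    permitted = sum(words[2 * i] << (32 * i) for i in range(n))
    names = sorted(CAP_NAMES.get(b, "cap_%d" % b)
                   for b in range(64) if permitted >> b & 1)
    return {"permitted": names, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}


def collect_caps(root):
    """Map relative path -> decoded capabilities for files under root (Linux only)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:
                continue  # file carries no capability xattr
            found[os.path.relpath(path, root)] = decode_vfs_cap(raw)
    return found


def lost_caps(before, after):
    """Paths whose file capabilities are missing or changed after the repack."""
    return sorted(p for p, caps in before.items() if after.get(p) != caps)


# Constructed sample: revision-2 xattr granting cap_net_admin with the effective bit.
SAMPLE_XATTR = struct.pack("<5I", 0x02000000 | 1, 1 << 12, 0, 0, 0)
BEFORE = {"sbin/example-tool": decode_vfs_cap(SAMPLE_XATTR)}  # hypothetical path
AFTER = {}  # what a repack that drops xattrs leaves behind

if __name__ == "__main__":
    print(lost_caps(BEFORE, AFTER))
```

To compare real images, extract both as root so the security.* attributes are restored, run collect_caps() on each tree, and pass the two maps to lost_caps().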