…/configuration/firewall/flowtables.html (Apparently I’m blocked posting links to docs. vyos. io as it’s considered spam – could that be fixed please?).
Retested today using the latest 1.5 image, 1.5-rolling-202406250020.
Upon implementing the provided flowtable configuration from the documentation, committing without issue, saving, and rebooting, I get a "configuration failed to apply" error.
Moving into configuration mode, loading the saved config.boot with the flowtable configuration, and attempting to commit it results in the following:
vyos@vyos3# commit
Failed to apply firewall: /run/nftables.conf:20:17-27: Error: No such file or directory; did you mean table 'vyos_filter' in family ip?
delete table ip vyos_filter
                ^^^^^^^^^^^
/run/nftables.conf:338:18-28: Error: No such file or directory; did you mean table 'vyos_filter' in family ip?
delete table ip6 vyos_filter
                 ^^^^^^^^^^^
/run/nftables.conf:414:21-31: Error: No such file or directory; did you mean table 'vyos_filter' in family ip?
delete table bridge vyos_filter
                    ^^^^^^^^^^^
[[firewall]] failed
Commit failed
[edit]
The lines in question from the nftables.conf:
20 delete table ip vyos_filter
21 table ip vyos_filter {
22 flowtable VYOS_FLOWTABLE_FT01 {
23 hook ingress priority 0; devices = { eth0, eth1, eth1.10, eth1.20, eth1.50, wg0 };
24 counter
25 }
...
338 delete table ip6 vyos_filter
339 table ip6 vyos_filter {
340 flowtable VYOS_FLOWTABLE_FT01 {
341 hook ingress priority 0; devices = { eth0, eth1, eth1.10, eth1.20, eth1.50, wg0 };
342 counter
343 }
...
413 ## Bridge Firewall
414 delete table bridge vyos_filter
415 table bridge vyos_filter {
416 chain VYOS_FORWARD_filter {
417 type filter hook forward priority filter; policy accept;
418 counter accept comment "FWD-filter default-action accept"
419 }
Applying the configuration during runtime succeeds, but on reboot the above errors are observed and the entire firewall config is wiped out, exposing the device.
The configuration delta that causes the configuration to break on reboot is as follows:
[firewall ipv4 forward filter rule]
+ 500 {
+ action "offload"
+ offload-target "FT01"
+ state "established"
+ state "related"
+ }
+ 510 {
+ action "accept"
+ state "established"
+ state "related"
+ }
[firewall]
+ flowtable FT01 {
+ interface "eth0"
+ interface "eth1"
+ interface "eth1.10"
+ interface "eth1.20"
+ interface "eth1.50"
+ interface "wg0"
+ offload "software"
+ }
and a mistakenly missed global delete:
vyos@vyos3# del global-options state-policy established
Where did I go wrong?
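As an added example (not code from the original post, and not VyOS project code), the script below shows the general nftables behaviour behind the error above and the usual idiom for avoiding it: `delete table <family> <name>` fails with "No such file or directory" when the table does not exist, which is exactly the kernel state right after boot, while declaring the empty table immediately before the delete makes the delete a no-op on boot and an atomic replace at runtime. The table name, flowtable name and device list are taken from the post; everything else in the rendered ruleset is a hypothetical minimal example. The `unguarded_deletes` check can be run as-is against /run/nftables.conf to list every delete that has no declaration in front of it.

```shell
#!/bin/sh
# Added example, not code from the original post or from VyOS.
# "delete table X" errors when X does not exist (fresh boot); declaring an
# empty table right before the delete makes the ruleset loadable both when
# the table is absent and when it is being replaced.
#
# Table, flowtable and device names come from the post; the rest of the
# rendered ruleset is a hypothetical minimal example.

# render_table FILE FAMILY TABLE GUARDED
#   Append one table definition to FILE. GUARDED=yes emits the empty
#   declaration before the delete; GUARDED=no reproduces the failing form
#   shown in /run/nftables.conf in the post.
render_table() {
    file=$1 family=$2 table=$3 guarded=$4
    {
        if [ "$guarded" = yes ]; then
            echo "table $family $table {}"
        fi
        echo "delete table $family $table"
        echo "table $family $table {"
        if [ "$family" != bridge ]; then
            # flowtables exist only in the ip, ip6 and inet families
            echo "    flowtable VYOS_FLOWTABLE_FT01 {"
            echo "        hook ingress priority 0; devices = { eth0, eth1, eth1.10, eth1.20, eth1.50, wg0 };"
            echo "        counter"
            echo "    }"
        fi
        echo "}"
    } >>"$file"
}

# unguarded_deletes FILE
#   Print every "delete table" line that is not immediately preceded by an
#   empty declaration of the same table, as FILE:LINE: text. Exit 0 when
#   none are found, 1 otherwise. Works on any nft ruleset file.
unguarded_deletes() {
    awk '
        /^[ \t]*delete[ \t]+table[ \t]/ {
            key = $3 " " $4      # "delete table ip vyos_filter" -> "ip vyos_filter"
            if (prev_decl != key) { print FILENAME ":" FNR ": " $0; bad++ }
        }
        { prev_decl = "" }       # only the directly preceding line counts
        /^[ \t]*table[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]*\{[ \t]*\}[ \t]*$/ {
            prev_decl = $2 " " $3
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Stand-alone demo: render both variants for ip, ip6 and bridge, then lint.
demo() {
    broken=$(mktemp) fixed=$(mktemp)
    for fam in ip ip6 bridge; do
        render_table "$broken" "$fam" vyos_filter no
        render_table "$fixed"  "$fam" vyos_filter yes
    done
    echo "== unguarded deletes in the boot-failing form =="
    unguarded_deletes "$broken" || true
    echo "== unguarded deletes in the guarded form =="
    unguarded_deletes "$fixed" && echo "(none)"
    rm -f "$broken" "$fixed"
}

[ "${NO_DEMO:-}" ] || demo
```

With nft installed, `sudo nft -c -f FILE` dry-runs either rendered file against the live kernel: on a box where `vyos_filter` does not exist yet, the unguarded form should produce the same "No such file or directory" error as in the post, and the guarded form should pass. The check only looks at the line directly before each delete, which is how the idiom is normally written; a declaration further up would be reported as unguarded.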