Unable to enable flowtables in 1.5-rolling-202406250020 after a reboot

…/configuration/firewall/flowtables.html (Apparently I’m blocked posting links to docs. vyos. io as it’s considered spam – could that be fixed please?).

Retested today using the latest 1.5 image, 1.5-rolling-202406250020.
Upon implementing the provided flowtable configuration from the documentation, committing without issue, saving, and rebooting, I get a "configuration failed to apply" message.

Moving into configuration mode, loading the saved config.boot with the flowtable configuration, and attempting to commit it results in the following:

vyos@vyos3# commit

Failed to apply firewall: /run/nftables.conf:20:17-27: Error: No such file or directory; did you mean table ‘vyos_filter’ in family ip?
delete table ip vyos_filter
                ^^^^^^^^^^^
/run/nftables.conf:338:18-28: Error: No such file or directory; did you mean table ‘vyos_filter’ in family ip?
delete table ip6 vyos_filter
                 ^^^^^^^^^^^
/run/nftables.conf:414:21-31: Error: No such file or directory; did you mean table ‘vyos_filter’ in family ip?
delete table bridge vyos_filter
                    ^^^^^^^^^^^

[[firewall]] failed
Commit failed
[edit]

The lines in question from the nftables.conf:

     20 delete table ip vyos_filter
     21 table ip vyos_filter {
     22     flowtable VYOS_FLOWTABLE_FT01 {
     23         hook ingress priority 0; devices = { eth0, eth1, eth1.10, eth1.20, eth1.50, wg0 };
     24         counter
     25     }
...
    338 delete table ip6 vyos_filter
    339 table ip6 vyos_filter {
    340     flowtable VYOS_FLOWTABLE_FT01 {
    341         hook ingress priority 0; devices = { eth0, eth1, eth1.10, eth1.20, eth1.50, wg0 };
    342         counter
    343     }
...
    413 ## Bridge Firewall
    414 delete table bridge vyos_filter
    415 table bridge vyos_filter {
    416     chain VYOS_FORWARD_filter {
    417         type filter hook forward priority filter; policy accept;
    418     counter accept comment "FWD-filter default-action accept"
    419     }

Applying the configuration during runtime succeeds, but the above errors are observed on reboot in addition to wiping out the entirety of the firewall config, exposing the device.

The configuration delta that causes the configuration to break on reboot is as follows:

[firewall ipv4 forward filter rule]
+ 500 {
+     action "offload"
+     offload-target "FT01"
+     state "established"
+     state "related"
+ }
+ 510 {
+     action "accept"
+     state "established"
+     state "related"
+ }
[firewall]
+ flowtable FT01 {
+     interface "eth0"
+     interface "eth1"
+     interface "eth1.10"
+     interface "eth1.20"
+     interface "eth1.50"
+     interface "wg0"
+     offload "software"
+ }

and a mistakenly missed global delete:

vyos@vyos3# del global-options state-policy established 

Where did I go wrong?

It’s a well-known bug caused by a race condition:

  1. First, the firewall is loaded.
  2. Then the WireGuard interface is loaded.

And the problem is that an interface must exist in the system in order to use it in firewall flowtables. So during the boot process the wg0 interface doesn’t exist in the system yet while the firewall is being loaded.

After reboot, and the error, you can try:

sudo rm /run/nftables.conf
conf
load
commit
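
A pre-flight check for the race condition described in the reply above, added here as an example (not VyOS code and not part of the original thread): it pulls every interface named in a `devices = { ... }` clause of an nftables ruleset out of the file and checks that each one already exists in the system, which is the condition `nft -f` needs to load a flowtable. It assumes single-line `devices` clauses as in the post, uses `/sys/class/net` as the source of truth for existing interfaces (the second argument lets you point it at a fake directory, which the demo at the bottom does with a constructed config that deliberately omits wg0), and the function name `check_flowtable_devices` is made up for this example.

```shell
#!/bin/sh
# check_flowtable_devices <nftables.conf> [net-dir]
# Lists each device referenced by a flowtable "devices = { ... }" clause and
# whether it exists under net-dir (default /sys/class/net). Exits non-zero if
# any device is missing, so it can gate a commit or a boot-time firewall load.
# Assumption: each devices clause fits on one line, as in the post's config.
check_flowtable_devices() {
    conf=$1
    netdir=${2:-/sys/class/net}

    report=$(
        # Keep only the contents inside the braces of each devices clause,
        # then split on commas into one device per line, de-duplicated.
        sed -n 's/.*devices[[:space:]]*=[[:space:]]*{\([^}]*\)}.*/\1/p' "$conf" \
          | tr ',' '\n' | tr -d ' \t' | grep -v '^$' | sort -u \
          | while read -r dev; do
                if [ -e "$netdir/$dev" ]; then
                    printf 'ok      %s\n' "$dev"
                else
                    printf 'MISSING %s\n' "$dev"
                fi
            done
    )
    printf '%s\n' "$report"

    # grep -c prints 0 (and exits 1) when nothing matches; "|| true" keeps
    # the count without tripping "set -e" in callers.
    n=$(printf '%s\n' "$report" | grep -c '^MISSING' || true)
    [ "$n" -eq 0 ]
}

# Demo (constructed input): a fake net-dir with the VLAN sub-interfaces but
# no wg0, mirroring the state of the system while the firewall loads at boot.
demo_dir=$(mktemp -d)
for i in eth0 eth1 eth1.10 eth1.20 eth1.50; do mkdir -p "$demo_dir/net/$i"; done
cat > "$demo_dir/nftables.conf" <<'EOF'
table ip vyos_filter {
    flowtable VYOS_FLOWTABLE_FT01 {
        hook ingress priority 0; devices = { eth0, eth1, eth1.10, eth1.20, eth1.50, wg0 };
        counter
    }
}
EOF
if check_flowtable_devices "$demo_dir/nftables.conf" "$demo_dir/net"; then
    echo "all flowtable devices present; nft -f should load"
else
    echo "flowtable references devices that do not exist yet; nft -f will fail"
fi
rm -rf "$demo_dir"
```

Run against the real ruleset with `check_flowtable_devices /run/nftables.conf` on a booted box; it reports the same devices the kernel will refuse, without the misleading "did you mean table ‘vyos_filter’" pointer at the `delete table` line that the commit error above shows.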

Well, that was silly of me, thinking wg0 was relevant. Thanks for the link. Removing the wg0 interface from the flowtable allows a successful configuration on reboot.

BTW: You don’t need to add wg0, or any of the VLAN sub-interfaces, there for Flow Offload to work.

