Upgrade from 1.3 to 1.4.0-rc1 results in "migrate configure failed!" and loss of all firewall rules

All that’s around the failure in the default syslog is:

	
2023-12-30 06:46:10.012  Dump terminated
2023-12-30 06:46:10.011  Error: ipv4: FIB table does not exist.
2023-12-30 06:46:10.008  Dump terminated
2023-12-30 06:46:10.008  Error: ipv4: FIB table does not exist.
2023-12-30 06:46:09.374  Network interface NamePolicy= disabled on kernel command line.
2023-12-30 06:46:06.810  Configuration error
2023-12-30 06:46:06.711  System clock TAI offset set to 37 seconds
2023-12-30 06:46:06.711  System clock was stepped by -1.231771 seconds
2023-12-30 06:46:06.711  System clock wrong by -1.231771 seconds
2023-12-30 06:46:06.699  Selected source 2607:f1c0:1800:7b::1 (2.pool.ntp.org)
2023-12-30 06:46:06.151  Reloading.
2023-12-30 06:46:06.148  Starting VyOS router: migrate configure failed!
2023-12-30 06:46:06.132  opt-vyatta-config-tmp-new_config_1776.mount: Deactivated successfully.
2023-12-30 06:46:06.087  msg="Not validating response for security status update, this is a non-release version" subsystem="housekeeping" level="0" prio="Warning" tid="0" ts="1703936767.322" query="recursor-4.8.4-1.Debian.security-status.secpoll.powerdns.com" version="4.8.4-1.Debian"
2023-12-30 06:46:04.968  Interface eth2 has changed state to ACTIVE
2023-12-30 06:46:04.968  Interface eth1 has changed state to ACTIVE
2023-12-30 06:46:04.952  opt-vyatta-config-tmp-new_config_1776.mount: Deactivated successfully.
2023-12-30 06:46:04.605  Sending response 1
2023-12-30 06:46:04.605  Started ssh.service - OpenBSD Secure Shell server.

Here’s my /config/vyos-migrate.log from when I was running 1.4.0-rc1. I’ve booted back into 1.3.4 so that I can have a firewall.

(Side note: the vyos-migrate.log has WireGuard keys in it? That normal?)

Can you share full configuration running in 1.3.4 before upgrade?

Sure, I cleaned it up a bit, mostly static mappings, passwords and WireGuard info.

The error seems to be in IPv6 rules using icmp-type values, which are different and not migrated properly in vyos-1x/src/migration-scripts/firewall/6-to-7 at current (vyos/vyos-1x on GitHub).

vyos@vyos# commit
[ firewall ipv6 name WAN-LOCAL-6 rule 10 icmpv6 type-name router-advertisement ]


[ firewall ipv6 name WAN-LOCAL-6 rule 10 icmpv6 type-name router-advertisement ]
Invalid value

[[firewall]] failed
Commit failed
[edit]
vyos@vyos#

You can fix it on your own by:

  • Upgrade router
  • Login, enter config mode, load configuration, and commit:
vyos@vyos:~$ config
WARNING: There was a config error on boot: saving the configuration now could overwrite data.
You may want to check and reload the boot config
[edit]
vyos@vyos# load
Loading configuration from 'config.boot'
Load complete. Use 'commit' to make changes effective.
[edit]
vyos@vyos# commit
[ firewall ipv6 name WAN-LOCAL-6 rule 10 icmpv6 type-name router-advertisement ]


[ firewall ipv6 name WAN-LOCAL-6 rule 10 icmpv6 type-name router-advertisement ]
Invalid value

[[firewall]] failed
Commit failed
[edit]
vyos@vyos# 
  • Fix each rule that fails (use tab completion help in order to use the correct type-name). For example:
set firewall ipv6 name WAN-LOCAL-6 rule 10 icmpv6 type-name nd-router-advert
commit

Different errors, for other rules that have icmpv6, are expected. So you’ll need to fix them one by one until commit doesn’t fail.

From our side, I’ll check the migration script in order to check all possible icmp and icmpv6 options in both versions, and avoid these errors!
Sorry for the inconvenience

2 Likes
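An added example, not part of the original post and not VyOS project code: a small Python audit that finds every `icmpv6 type-name` rule in pasted commit output or set-style config lines in one pass, so the affected rules can be listed before working through the commit failures. It knows only the one rename confirmed in this thread; the sample input and the value `example-legacy-name` are constructed, and any other value is reported for a manual check with tab completion.

```python
import re

# The only rename confirmed in this thread. Extend it after checking
# tab completion on the upgraded router; nothing else is assumed here.
KNOWN_RENAMES = {"router-advertisement": "nd-router-advert"}

# Matches the 1.4 path shown in the commit error, in "[ ... ]" or "set ..." form.
RULE_RE = re.compile(
    r"firewall ipv6 name (?P<name>\S+) rule (?P<rule>\d+) "
    r"icmpv6 type-name (?P<value>[\w-]+)"
)

# Constructed sample: the error lines from the thread plus hypothetical rules.
SAMPLE = """\
[ firewall ipv6 name WAN-LOCAL-6 rule 10 icmpv6 type-name router-advertisement ]
[ firewall ipv6 name WAN-LOCAL-6 rule 10 icmpv6 type-name router-advertisement ]
set firewall ipv6 name WAN-LOCAL-6 rule 20 icmpv6 type-name nd-router-advert
set firewall ipv6 name WAN-IN-6 rule 30 icmpv6 type-name example-legacy-name
set firewall ipv6 name WAN-IN-6 rule 40 protocol icmpv6
"""


def audit(text):
    """Return (fixes, review).

    fixes  -- set commands for rules whose value has a known rename
    review -- rules whose value is neither a known old nor a known new name
    """
    fixes, review, seen = [], [], set()
    for m in RULE_RE.finditer(text):
        key = (m["name"], m["rule"], m["value"])
        if key in seen:          # commit output prints each failing node twice
            continue
        seen.add(key)
        path = f"firewall ipv6 name {m['name']} rule {m['rule']} icmpv6 type-name"
        if m["value"] in KNOWN_RENAMES:
            fixes.append(f"set {path} {KNOWN_RENAMES[m['value']]}")
        elif m["value"] not in KNOWN_RENAMES.values():
            review.append(f"{path} {m['value']}")
    return fixes, review


if __name__ == "__main__":
    fixes, review = audit(SAMPLE)
    print("Apply in config mode, then commit:")
    print("\n".join(fixes))
    print("Check with tab completion:")
    print("\n".join(review))
```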

Hey, thanks @n.fort! Will do.

Let me know if you’d like me to file a bug over on the tracker. I was going to the other day when I put this in, but had to wait for my account to get approved.

Information about bug and patch: T5888 Firewall upgrade fails because of icmpv6
