NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

nftables with flow offload referencing VLAN network interfaces starts too early #141802

Open antifuchs opened 3 years ago

antifuchs commented 3 years ago

Describe the bug

I have a firewall box running nix, which defines VLAN network interfaces, which it manages with nftables. I attempted to add a flow offload table, but when that gets added, nftables.service fails to start with the following error:

Oct 15 20:04:05 bauxerl dpdjsy56ck3mim9bh4lsanscq165f4n0-nftables-rules[1064]: In file included from /nix/store/dpdjsy56ck>
Oct 15 20:04:05 bauxerl dpdjsy56ck3mim9bh4lsanscq165f4n0-nftables-rules[1064]: /nix/store/88iy1rd1dgvmh2b0w00c3xwgkkqh4bmx>
Oct 15 20:04:05 bauxerl dpdjsy56ck3mim9bh4lsanscq165f4n0-nftables-rules[1064]:   flowtable f_clients {
Oct 15 20:04:05 bauxerl dpdjsy56ck3mim9bh4lsanscq165f4n0-nftables-rules[1064]:             ^^^^^^^^^
Oct 15 20:04:05 bauxerl dpdjsy56ck3mim9bh4lsanscq165f4n0-nftables-rules[1064]: In file included from /nix/store/dpdjsy56ck>
Oct 15 20:04:05 bauxerl dpdjsy56ck3mim9bh4lsanscq165f4n0-nftables-rules[1064]: /nix/store/88iy1rd1dgvmh2b0w00c3xwgkkqh4bmx>
Oct 15 20:04:05 bauxerl dpdjsy56ck3mim9bh4lsanscq165f4n0-nftables-rules[1064]:     ip protocol { tcp, udp } flow offload @>
Oct 15 20:04:05 bauxerl dpdjsy56ck3mim9bh4lsanscq165f4n0-nftables-rules[1064]:                              ^^^^^^^^^^^^^^>

I'm fairly certain this is due to the boot order: systemd first starts nftables (before networking-pre), and then sometime after it sets up VLAN interfaces. Since the interfaces referenced in the flowtable definition are "real" interfaces and not just names, they have to exist before the nftables config can be loaded.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Define at least one LAN interface named "clients"
  2. Add a flowtable in an nftables filter table like this:
      flowtable f_clients {
        hook ingress priority 0;
        devices = { clients };
      }
  3. reboot the machine and observe the boot order

Expected behavior

VLANs would be set up before nftables gets started

Notify maintainers

@Mic92

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

 - system: `"x86_64-linux"`
 - host os: `Linux 5.10.70, NixOS, 21.11 (Porcupine)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.4pre20210922_bcd73eb`
 - nixpkgs: `/nix/store/52c4vhw245jsmmb5npqlz9pkifzairsc-source`

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module: networking.nftables.ruleset
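The reproduction steps above, written out as one NixOS configuration. This is an added example, not taken from the report or from nixpkgs: the flowtable is the one from the report, while the VLAN id, the parent interface `eth1` and the remaining forward-chain rules are assumptions chosen to make the ruleset a complete, default-deny forward policy.

```nix
# Constructed reproduction for the ordering problem described in this issue.
# Assumed values: VLAN id 10 on parent interface eth1; only the flowtable
# block is taken from the report itself.
{ ... }:
{
  # Scripted networking creates the VLAN interface "clients" at boot.
  networking.vlans.clients = {
    id = 10;            # assumed VLAN id
    interface = "eth1"; # assumed parent interface
  };

  # The nftables ruleset below is the whole firewall, so the iptables-based
  # networking.firewall is turned off to avoid two competing rule loaders.
  networking.firewall.enable = false;

  networking.nftables = {
    enable = true;
    ruleset = ''
      table inet filter {
        # References the interface by name as a real device: loading this
        # fails unless "clients" already exists when nftables.service starts.
        flowtable f_clients {
          hook ingress priority 0;
          devices = { clients };
        }

        chain forward {
          type filter hook forward priority 0; policy drop;
          # Hand established TCP/UDP flows to the flowtable (rule from the report).
          ip protocol { tcp, udp } flow offload @f_clients
          # Assumed minimal policy so the box still forwards something.
          ct state established,related accept
          iifname "clients" accept
        }
      }
    '';
  };
}
```

After `nixos-rebuild switch` and a reboot, `journalctl -u nftables.service` shows the "flowtable f_clients" parse error from the report whenever the VLAN is created after the ruleset is loaded.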

fbegyn commented 2 years ago

Can confirm. This also happens when using a services.pppd interface in the nftables configuration (since the existence of a ppp0 interface is no certainty).

2xsaiko commented 1 year ago

I just hit this as well with bridge and sit interfaces. I feel like instead of Before=network-pre.target, nftables should have After=network-pre.target. That's what I changed right now and it seems to work.
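The ordering change from the comment above, written as a NixOS module. This is an added example, not the commenter's configuration or code from nixpkgs. It goes one step beyond the comment: ordering after `network-pre.target` alone does not guarantee that a particular interface exists, so the module also orders nftables after the unit that creates the VLAN; the unit name `clients-netdev.service` is an assumption based on the `<name>-netdev.service` naming used by NixOS scripted networking.

```nix
# Added example: reorder nftables.service so it starts after the interfaces
# its ruleset references. Assumes scripted networking creates the VLAN
# "clients" through a unit named clients-netdev.service.
{ lib, ... }:
{
  systemd.services.nftables = {
    # The nixpkgs module sets Before=network-pre.target; drop that ordering.
    before = lib.mkForce [ ];

    # Start after network-pre.target (as in the comment) and, going further,
    # after the unit that actually creates the referenced VLAN device.
    after = [
      "network-pre.target"
      "clients-netdev.service"
    ];

    # After= only orders units that are part of the same transaction, so
    # pull the netdev unit in explicitly; Wants= (not Requires=) keeps the
    # firewall starting even if the VLAN cannot be created.
    wants = [ "clients-netdev.service" ];
  };
}
```

Note the trade-off this introduces: with the ruleset loaded after interface setup, there is a window during boot in which the VLAN is up but no nftables rules are in place, which is exactly what the module's original `Before=network-pre.target` ordering is meant to prevent. `systemctl list-dependencies --after nftables.service` shows the resulting ordering.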

megheaiulian commented 11 months ago

One other possible solution could be to add the flow offload with a separate service after the necessary interfaces are up. Since flow offload is just a nice-to-have optimisation, its failure is not critical.
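The split suggested in the comment above, as an added NixOS example (not the commenter's code and not part of nixpkgs). The main `networking.nftables.ruleset` keeps its early `Before=network-pre.target` ordering, so filtering is in place before any interface comes up, while the flowtable and its offload rule live in a separate table loaded by a second service once the device exists. Assumed names: the service `nftables-flow-offload`, the table `inet flowoffload`, and the systemd device unit `sys-subsystem-net-devices-clients.device` that udev creates for an interface called `clients`.

```nix
# Added example: load the flow offload rules from their own service after the
# "clients" interface exists, leaving the main firewall ruleset untouched.
{ pkgs, ... }:
let
  # Device unit udev creates for the network interface named "clients".
  ifaceUnit = "sys-subsystem-net-devices-clients.device";

  # The offload rules live in their own table so they can be (re)created and
  # deleted without touching the filter table from the main ruleset. The
  # add/flush prefix makes re-running the file idempotent.
  flowOffloadRules = pkgs.writeText "flow-offload.nft" ''
    add table inet flowoffload
    flush table inet flowoffload
    table inet flowoffload {
      flowtable f_clients {
        hook ingress priority 0;
        devices = { clients };
      }
      chain forward {
        # Runs just before the main forward chain (priority 0); it never
        # accepts or drops, so the main policy still applies to new flows.
        type filter hook forward priority -1;
        ip protocol { tcp, udp } flow offload @f_clients
      }
    }
  '';
in
{
  systemd.services.nftables-flow-offload = {
    description = "nftables flow offload for the clients VLAN";

    # nftables.service flushes the whole ruleset when it (re)starts, so this
    # unit must run after it and be restarted along with it (Requires=).
    after = [ "nftables.service" ifaceUnit ];
    requires = [ "nftables.service" ];

    # Tie the offload table to the device: start once it exists, stop when
    # it disappears. A missing VLAN only costs the optimisation.
    bindsTo = [ ifaceUnit ];

    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = "${pkgs.nftables}/bin/nft -f ${flowOffloadRules}";
      ExecStop = "${pkgs.nftables}/bin/nft delete table inet flowoffload";
    };
  };
}
```

Because the offload table carries no accept or drop verdicts, a failure of this unit degrades only throughput, never the filtering policy; `nft list table inet flowoffload` confirms whether the flowtable is currently loaded.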