Closed posita closed 4 months ago
Overlap of
192.168.1.0/24
between two rules:config policy option name 'hulu.com' option src_addr '192.168.1.0/24' option dest_addr 'hulu.com' option interface 'wan' config policy option name 'ticketmaster.com' option src_addr '192.168.1.0/24' option dest_addr 'ticketmaster.com' option interface 'wan'
I can't reproduce, I've added those two policies to my test OpenWrt config and pbr started just fine in the nft_file mode.
I can't reproduce, I've added those two policies to my test OpenWrt config and pbr started just fine in the nft_file mode.
Hmmm ... that's odd. I might have misunderstood when I received the error. What about with this?
config policy
option name 'lan-to-wan'
option src_addr '192.168.101.0/23'
option dest_addr 'hulu.com'
option interface 'wan'
config policy
option name 'lan-guest-to-wan'
option src_addr '192.168.101.0/23 192.168.102.0/23'
option dest_addr 'espn.api.edge.bamgrid.com d2f2ekwwtg17a.cloudfront.net'
option interface 'wan'
config policy
option name 'to-vpn'
option dest_addr 'espn.com'
option interface 'vpn' # or any VPN interface
Yeah, that fails. I don't understand why nft sees a collision there. But if you split the middle policy into two, this works:
config policy
option name 'lan-guest-to-wan'
option src_addr '192.168.100.0/23'
option dest_addr 'espn.api.edge.bamgrid.com d2f2ekwwtg17a.cloudfront.net'
option interface 'wan'
config policy
option name 'lan-guest-to-wan2'
option src_addr '192.168.102.0/23'
option dest_addr 'espn.api.edge.bamgrid.com d2f2ekwwtg17a.cloudfront.net'
option interface 'wan'
I can see several options here:
pbr
to accommodate the use case (my favorite, since it preserves the ergonomics of the documented parameters);pbr
, intercept it, and notify the user how to correct it (possibly with a reference to updated docs providing a more thorough explanation);nft
in the docs, and when any nft
failure occurs, detect it and direct the user there to diagnose on their own (not nearly as ergonomic as either of the above, but probably less time to implement);nft
(probably not viable; that workflow looks awful to me; even submitting/searching for a bug looks unnecessarily cumbersome given that it's 2024).By "set manipulation", I mean that pbr
could read the example from my https://github.com/stangri/source.openwrt.melmac.net/issues/194#issuecomment-1904581610 and (de?)normalize it to entries without any overlap, like that in your https://github.com/stangri/source.openwrt.melmac.net/issues/194#issuecomment-1904966510.
You're welcome to contribute any improvement to both pbr and pbr docs on the matter.
Additionally it may be helpful to post the example of nft ip collision on the OpenWrt forum and if the nft gurus can suggest an easy way to create the nft file from this policy which would not be rejected by nft I'm game to implement it.
Closing due to lack of response.
With 1.1.3-25, the following will now result in collisions detectable via
nft -c -f /var/run/pbr.nft
:Overlap of
192.168.1.0/24
between two rules:Overlap of
192.168.1.0/24
between two rules, even though second rule includes another entry insrc_addr
:The following results in the error going away, but this means that only one
policy
entry can contain a particularsrc_addr
:This appears to be a regression from prior versions (e.g., 1.1.1-7), where multiple rules could contain a particular
src_addr
. The prior allowance was helpful if one wanted to route traffic directed to a lot of different domains from particular network, and wanted to break those up into multiple rules. For example, one could once do this:Now one can only accommodate these one way, and it has to be in a single entry for each subnet:
I don't believe this restriction is reflected in the documentation. It certainly doesn't result in an accessible or actionable error in
pbr
's own logging.