Skip to content

vrf: T6097: Fix for veth pair in different VRFS #4876

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: current
Choose a base branch
from
Draft

vrf: T6097: Fix for veth pair in different VRFS #4876

wants to merge 1 commit into from
+4 −4

Conversation

@hedrok
Copy link
Contributor

@hedrok hedrok commented Nov 27, 2025
edited
Loading

Change summary

When veth interface pair is in different VRFS and there is a firewall rule, ct original zone is set for a VRF, which blocks packets somewhy.

Changing to ct zone (for both directions) fixes this.

Types of changes

  • Bug fix (non-breaking change which fixes an issue) (hopefully non-breaking)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

How to test / Smoketest result

configure
set firewall ipv6 input filter default-action accept
set interfaces virtual-ethernet veth0 address 2001:db8::/127
set interfaces virtual-ethernet veth0 peer-name veth1
set interfaces virtual-ethernet veth1 address 2001:db8::1/127
set interfaces virtual-ethernet veth1 peer-name veth0
set interfaces virtual-ethernet veth1 vrf red
set vrf name red table 1000
commit

# Works:
run ping 2001:db8::1 source-address 2001:db8::

set firewall ipv6 input filter rule 10 action accept 
set firewall ipv6 input filter rule 10 state established 
commit

# Doesn't work:
run ping 2001:db8::1 source-address 2001:db8::

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@github-actions
Copy link

github-actions bot commented Nov 27, 2025
edited
Loading

👍
No issues in PR Title / Commit Title

@hedrok
vrf: T6097: Fix for veth pair in different VRFS
5d79697 
When veth interface pair is in different VRFS and there is a firewall
rule, `ct original zone` is set for a VRF, which blocks packets somewhy.

Changing to `ct zone` (for both directions) fixes this.
@hedrok hedrok force-pushed the T6097-vrf-zones-ipv6-traffic branch from 0e797d6 to 5d79697 Compare November 27, 2025 10:23
@github-actions
Copy link

github-actions bot commented Nov 27, 2025

CI integration ❌ failed!

Details

CI logs

  • CLI Smoketests (no interfaces) ❌ failed
  • CLI Smoketests VPP 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • Config tests VPP 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

@hedrok
Copy link
Contributor Author

hedrok commented Nov 27, 2025

Failed test:

2025-11-27T10:59:03.5121777Z DEBUG - Running Testcase: /usr/libexec/vyos/tests/smoke/cli/test_protocols_bgp.py
2025-11-27T11:03:29.9029325Z DEBUG - test_bgp_99_bmp (__main__.TestProtocolsBGP.test_bgp_99_bmp) ... FAIL

Most probably has no connection to changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@hedrok hedrok

Labels

current

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hedrok