Cannot install pbr package on TOS 7.0

Hello,

I have an issue installing the pbr package; it seems I have a conflict with vpn-policy-routing. But I already uninstalled that package.

Below the error:

Collected errors:
 * check_conflicts_for: The following packages conflict with pbr:
 * check_conflicts_for: 	vpn-policy-routing * 
 * opkg_install_cmd: Cannot install package pbr.

Turris version:

NAME="TurrisOS"
VERSION="7.0.0"
ID="turrisos"
ID_LIKE="lede openwrt"
PRETTY_NAME="TurrisOS 7.0.0"
VERSION_ID="7.0.0"
HOME_URL="https://www.turris.cz/"
BUG_URL="https://gitlab.nic.cz/groups/turris/-/issues/"
SUPPORT_URL="https://www.turris.cz/support/"
BUILD_ID="r20300+124-3547565f24"
OPENWRT_BOARD="mvebu/cortexa9"
OPENWRT_ARCH="arm_cortex-a9_vfpv3-d16"
OPENWRT_TAINTS="busybox"
OPENWRT_DEVICE_MANUFACTURER="CZ.NIC"
OPENWRT_DEVICE_MANUFACTURER_URL="https://www.turris.cz/"
OPENWRT_DEVICE_PRODUCT="Turris Omnia"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="TurrisOS 7.0.0 3547565f245479dc1643ea66828fb55635d49051"

Any idea ?

Try pbr-iptables instead. Turris 7.0 still uses iptables while the underlying Openwrt 22.03 switched to nftables.

I gave a try to pbr-iptables but I got the same error:

Collected errors:
 * check_conflicts_for: The following packages conflict with pbr-iptables:
 * check_conflicts_for: 	vpn-policy-routing * 
 * opkg_install_cmd: Cannot install package pbr-iptables.

The thing is I uninstalled vpn-policy-routing and I tried to find some left-over like the following:

$ find / -xdev -name "vpn-policy*"
$ grep -rnHi policy /etc

Nothing found…

Does someone have any idea about uninstalling properly vpn-policy-routing ?

That’s right, as noted here (‘We are still keeping iptables’).

But when pbr-iptables are installed - the luci-app-pbr can’t be because it does take as dependency the newest PBR (info: pbr (20.49 KiB) Not installed) and that is in conflict with the pbr-iptables already installed.

So only manual config in /etc/config/pbr is possible so far.

While in it, on latest HBS, did install pbr-iptables.

After config edited for some host, from LuCI the start/restart throw:

Failed to execute "/etc/init.d/pbr restart" action: Command failed

and if

/etc/init.d/pbr start
ERROR: iptables binary cannot be found!

Fresh install, source is from Turris default repos, not manual import from developer.

So probably it won’t work from scratch even if you get rid of previous solution.

Before factory reset however I did somehow run PBR from stangry repo on HBT.

Don’t know yet, what is wrong now.

–
While in LuCI all seems OK, in reForis the notification informing me about uninstalling packages - as waiting for confirmation (because have stopped for few days automatic updates).

After approval:

Updater execution failed:
WARN:Couldn't read the status file: [string "backend"]:1226: [string "backend"]:278: attempt to concatenate local 'pkg_name' (a nil value)
INFO:Target Turris OS: 7.0.2
WARN:Request not satisfied to install package: luci-i18n-pbr-cs
WARN:Request not satisfied to install package: luci-i18n-pbr-en
WARN:Request not satisfied to install package: luci-i18n-pbr-de
WARN:Requested package reforis-librespeed-plugin-l10n-de that is missing, ignoring as requested.
WARN:Requested package reforis-diagnostics-plugin-l10n-de that is missing, ignoring as requested.
WARN:Requested package reforis-snapshots-plugin-l10n-de that is missing, ignoring as requested.
line not found
line not found
line not found
ERROR:
[string "backend"]:1226: [string "backend"]:278: attempt to concatenate local 'pkg_name' (a nil value)

Just installing&uninstalling pbr and luci app companion maybe helped me into this fail.

Rollback few snapshots needed unless after triggering manual update process won’t throw this error.

Also it caused connection loss.

It seems it was a mistake to buy the Turris Omnia.

Well, it’s possible to install just OpenWRT - it’s still great HW, especially the used ones are good price/performance option.

use forum search. topic is discussed very often and there is a workaround

The workaround is for VPN policy - there is PBR for iptables - that is what I would like to install.

Did search forum - you talking probably about this - if changes performed for PBR it does not install the “luci-app-pbr”.

After pkgupdate: INFO:Queue install of pbr-iptables/turris-hbt-packages/1.1.1-7

The vpn-policy.lua file in /etc/updater/conf.d/ is as:

for Omnia

Repository('turris-hbt-packages', 'https://repo.turris.cz/hbs/omnia/packages/packages/', {
        priority = 40,
        ocsp = false,
        pubkey = "file:///etc/updater/keys/release.pub"
})

Repository('turris-hbt-luci', 'https://repo.turris.cz/hbs/omnia/packages/luci/', {
        priority = 40,
        ocsp = false,
        pubkey = "file:///etc/updater/keys/release.pub"
})

Install("pbr-iptables", {repository = {'turris-hbt-packages'}})
Install("luci-app-pbr", {repository = {'turris-hbt-luci'}})

for Turris 1.X:

Repository('turris-652-packages', 'https://repo.turris.cz/archive/6.5.2/turris1x/packages/packages', {
        priority = 40,
        ocsp = false,
        pubkey = "file:///etc/updater/keys/release.pub"
})

Repository('turris-652-luci', 'https://repo.turris.cz/archive/6.5.2/turris1x/packages/luci', {
        priority = 40,
        ocsp = false,
        pubkey = "file:///etc/updater/keys/release.pub"
})

Install("vpn-policy-routing", {repository = {'turris-652-packages'}})
Install("luci-app-vpn-policy-routing", {repository = {'turris-652-luci'}})

Will try the VPN policy later on - and it’s working.

The PBR 1.1.7 in general requiring Fw4 Nft File Mode (docs : This mode is the only operating mode in version 1.1.7.)

Well Fw4 does need ‘nftables’ and that is not compatible with iptables thus.

A bit weird the ‘luci-app-pbr_1.1.1-7_all.ipk’ companion enforce this despite the iptables version is installed and on top of that it’s mainly UI/config shortcut - but it is what it is.

Not needed anymore - just:

  1. delete the custom confs for VPN Policy package in /etc/updater/conf.d/
  2. opkg remove the luci app and vpn package
  3. delete old configs of pbr/vpn in /etc/config/
  4. update to 7.1 - reboot
  5. install pbr (luci app will as dependence install pbr itself)
  6. start it from PBR menu (now Services - Policy Routing) - it won’t react on manual start from System - Startup
  7. recreate the rules

Only err encountered (reported by opkg while installing) having the Dynamic FW enabled:

   * Cleaning up the remnants of the old firewall
   * Dynamic blocking on zone 'wan'
   * Logging of zone 'wan'
   * Minipot FTP on zone 'wan' (21 -> 2133)
   * Minipot HTTP on zone 'wan' (80 -> 8033)
   * Minipot SMTP on zone 'wan' (25 -> 5873)
   * Minipot SMTP submission on zone 'wan' (587 -> 5873)
   * Minipot Telnet on zone 'wan' (23 -> 2333)

But so far after restart it working as expected.
Each device on LAN not going by default routes rather as by (AS rules or per IP/port range) the PBR rules returning for IP check the right values.

1 Like
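A read-only pre-flight check for the clean-up steps listed above, as an added example (not code from any poster or from the Turris project). It reports updater drop-ins that still request vpn-policy-routing, drop-ins that declare a repository with ocsp = false as in the snippets quoted earlier, package records left in opkg, and old config files. The function name and the opkg status path /usr/lib/opkg/status are assumptions.

```shell
#!/bin/sh
# Read-only audit of leftovers that can keep the pbr / vpn-policy-routing
# conflict alive. Nothing is deleted or changed.
# Usage on the router: audit_pbr_leftovers        (scans /)
# Usage on a copy:     audit_pbr_leftovers /mnt/backup
# Assumption: opkg keeps its package records in /usr/lib/opkg/status.

audit_pbr_leftovers() {
    root="${1:-}"
    found=0

    # Step 1: updater drop-ins in /etc/updater/conf.d/.
    for f in "$root"/etc/updater/conf.d/*.lua; do
        [ -f "$f" ] || continue
        # An Install() request brings the old package back on every update run.
        if grep -Eq 'Install\(.*vpn-policy-routing' "$f"; then
            echo "UPDATER_REQUEST $f"
            found=$((found + 1))
        fi
        # Custom repositories declared with ocsp = false: list them for review.
        if grep -Eq 'ocsp[[:space:]]*=[[:space:]]*false' "$f"; then
            echo "OCSP_DISABLED $f"
            found=$((found + 1))
        fi
    done

    # Step 2: packages opkg still has a record of.
    status="$root/usr/lib/opkg/status"
    if [ -f "$status" ]; then
        for p in $(sed -n 's/^Package: \(.*vpn-policy-routing.*\)$/\1/p' "$status"); do
            echo "OPKG_RECORD $p"
            found=$((found + 1))
        done
    fi

    # Step 3: old config files in /etc/config/.
    for f in "$root"/etc/config/vpn-policy-routing*; do
        [ -f "$f" ] || continue
        echo "OLD_CONFIG $f"
        found=$((found + 1))
    done

    # Exit status 0 only when nothing was reported.
    [ "$found" -eq 0 ]
}
```

Each output line starts with the kind of finding, so the result can be filtered with grep before deciding what to remove by hand.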

Thank you for your detailed list of actions.

For your information, I didn’t perform step 3, so I kept the /etc/config/vpn-policy-routing file. And when I installed the pbr package, it automatically converted the content of /etc/config/vpn-config-routing to /etc/config/pbr file. So no need to recreate the rules.

Once done, I removed the /etc/config/vpn-policy-routing and /etc/config/vpn-policy-routing-opkg files.

Also, I needed to install the ipset package which is required by pbr to work correctly.

2 Likes

Interesting, ipset (you mean the ‘kmod-ipt-ipset’?)

According this section of FAQ they say since the 1.1.6 (there is, from repo for Turris, available the 1.1.7):

‘This release has separate code for nft- and iptables-capable versions, the nft version (pbr package) no longer supports resolver options with ipset.’

Thus assumed that ‘ipset’ is no more needed, as using the pbr and not ‘pbr-iptables’ because it’s already same with 1.1.7.

I’m testing after each update/restart, from the devices (with PBR rules enabled for them) if they are routed as they should and it does work.

But also have the ‘kmod-ipt-ipset’ already installed, probably from before - so didn’t notice any warning.

So if I’m missing something, let me know.

Fact is, that only 1.1.8 ‘release completely drops the iptables/ipset (and resolvers using ipset) support’.

–
As for step 3 - didn’t know it will perform that action - good to know! It does make sense as PBR is the successor so for seamless upgrade it could do that.

Somehow did that way because, while in it, chances are, recreated and changed the rule set again as moving some devices behind this router.