Page MenuHomeVyOS Platform
Create Task
Maniphest T8438

VPP: dependencies fail when rely on an attached interface
Closed, ResolvedPublicBUG
Actions

Description

Summary

If an interface is used somewhere in the VPP services configuration, and it is removed from VPP, this leads to a commit crash due to failed dependencies.

How to reproduce

(commit after each step)

  1. Configure VPP
set system option kernel cpu disable-nmi-watchdog
set system option kernel cpu isolate-cpus '2-3'
set system option kernel cpu nohz-full '2-3'
set system option kernel cpu rcu-no-cbs '2-3'
set system option kernel disable-hpet
set system option kernel disable-mce
set system option kernel disable-mitigations
set system option kernel disable-softlockup
set system option kernel memory hugepage-size 2M hugepage-count '1024'
set system option reboot-on-upgrade-failure '5'
set system syslog local facility all level 'info'
set system syslog local facility local7 level 'debug'
set vpp settings interface eth0
set vpp settings interface eth1
set vpp settings poll-sleep-usec '1000'
set vpp settings resource-allocation memory main-heap-size '1G'
  1. Use the interface attached to VPP somewhere in the configuration:
set vpp nat nat44 address-pool translation interface 'eth1'
set vpp nat nat44 interface inside 'eth0'
set vpp nat nat44 interface outside 'eth1'
  1. Remove an interface from VPP:
delete vpp settings interface eth1

The commit will be validated and tried to be committed, but since now eth1 is not part of VPP, the NAT configuration cannot be applied, and the commit will stop on dependencies:

vyos@vyos# commit
[ vpp ]

WARNING: NOTE: Current dataplane capacity (estimated): 2 M IPv4
routes. Exceeding these values will lead to a dataplane out-of-memory
condition and a crash. Extensive use of features like ACLs, NAT and
others may reduce the numbers above. Please read the documentation for
details: https://docs.vyos.io/

dependent vpp_nat_nat44: eth1 must be a VPP interface for outside NAT
interface
[[vpp]] failed
Commit failed
[edit]

After this, we have VPP NAT in the CLI config, but not in the VPP dataplane:

vyos@vyos# show | commands | grep nat
set vpp nat nat44 address-pool translation interface 'eth1'
set vpp nat nat44 interface inside 'eth0'
set vpp nat nat44 interface outside 'eth1'
[edit]
vyos@vyos# run show vpp nat nat44 interfaces 
NAT44 interfaces:
[edit]
vyos@vyos#

Suggested fix

We need to validate dependencies before committing changes in VPP.

Details

Version
2026.03.27-0030-rolling
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

zsdc created this task.Mar 27 2026, 4:41 PM
zsdc renamed this task from VPP: dependencies fail whan rely on an attached interface to VPP: dependencies fail when rely on an attached interface.
pasik subscribed.Mar 28 2026, 1:13 PM
natali-rs1985 changed the task status from Open to In progress.Mar 30 2026, 9:20 AM
natali-rs1985 claimed this task.
natali-rs1985 triaged this task as Normal priority.
natali-rs1985 added a comment.Apr 2 2026, 11:28 AM

https://github.com/vyos/vyos-1x/pull/5101

Restricted Repository Identity mentioned this in rVYOSONEXb476308dc3f6: Merge pull request #5101 from natali-rs1985/T8438.Apr 3 2026, 2:39 PM
natali-rs1985 mentioned this in rVYOSONEX3139ba759c21: vpp: T8438: Add bidirectional interface-in-use validation.Apr 3 2026, 2:39 PM
natali-rs1985 closed this task as Resolved.Apr 10 2026, 1:16 PM
natali-rs1985 moved this task from Need Triage to Completed on the VyOS Rolling board.