Hi!
In the firewall there is a [[ https://manpages.debian.org/stretch/iptables/iptables-extensions.8.en.html | recent ]] option that allows using dynamic lists for matching packets. But one very important part of this extension is missing - there is no --name parameter in the generated rules. So all firewall rules with recent will use the same table, DEFAULT, for matching packets.
This can cause unwanted behaviour when more than one such rule exists in the system.
We must add a --name option or generate a unique name for every rule to avoid problems.
Description
Details
- Difficulty level: Easy (less than an hour)
- Version: 1.2.0-rolling+201812172124
- Why the issue appeared? Implementation mistake
Related Objects
- Mentioned In: Submitting a patch
Event Timeline
Thanks for catching this! I've fixed it in the upcoming rc11.
```
vyos@vyos-test-1# set firewall name Foo rule 10 action accept
[edit]
vyos@vyos-test-1# set firewall name Foo rule 10 recent time 60
[edit]
vyos@vyos-test-1# set firewall name Foo rule 10 recent count 100
[edit]
vyos@vyos-test-1# commit
[edit]
vyos@vyos-test-1# sudo iptables -L -nv | grep Foo
Chain Foo (0 references)
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Foo-10 */ recent: UPDATE seconds: 60 hit_count: 100 name: Foo-10 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Foo-10 */ recent: SET name: Foo-10 side: source mask: 255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Foo-10000 default-action drop */
```
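As an added audit check (example code, not from the VyOS project or this ticket), the script below parses `iptables -S` style output and reports which xt_recent tables are shared between rules, which is exactly the condition the missing --name (DEFAULT table) caused. The sample rules are constructed to mimic both the fixed output (per-rule --name, chain Foo) and the pre-fix output (everything in DEFAULT, chain Bar).

```python
import re
from collections import defaultdict

# Constructed sample of `iptables -S` output, not taken from a real system.
# Chain Foo mimics the fixed generator (one table per rule); chain Bar mimics
# the pre-fix generator, where every recent rule falls back to the DEFAULT table.
SAMPLE_RULES = """\
-A Foo -m comment --comment Foo-10 -m recent --update --seconds 60 --hitcount 100 --name Foo-10 --mask 255.255.255.255 --rsource -j RETURN
-A Foo -m comment --comment Foo-10 -m recent --set --name Foo-10 --mask 255.255.255.255 --rsource
-A Bar -m comment --comment Bar-10 -m recent --update --seconds 60 --hitcount 100 --name DEFAULT --mask 255.255.255.255 --rsource -j RETURN
-A Bar -m comment --comment Bar-10 -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A Bar -m comment --comment Bar-20 -m recent --update --seconds 30 --hitcount 5 --name DEFAULT --mask 255.255.255.255 --rsource -j RETURN
-A Bar -m comment --comment Bar-20 -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
"""

NAME_RE = re.compile(r"--name\s+(\S+)")
COMMENT_RE = re.compile(r'--comment\s+("([^"]*)"|(\S+))')


def recent_tables(rules_text):
    """Map each recent table name to the set of rule ids (chain:comment) that use it.

    VyOS tags each rule with a <chain>-<number> comment, and the SET and UPDATE
    lines of one VyOS rule share that comment, so they count as one rule here.
    """
    tables = defaultdict(set)
    for line in rules_text.splitlines():
        if "-m recent" not in line:
            continue
        chain = line.split()[1]
        m = NAME_RE.search(line)
        name = m.group(1) if m else "DEFAULT"  # xt_recent's table when --name is absent
        c = COMMENT_RE.search(line)
        comment = (c.group(2) or c.group(3)) if c else "<no comment>"
        tables[name].add(f"{chain}:{comment}")
    return tables


def shared_tables(rules_text):
    """Return {name: sorted rule ids} for tables used by more than one rule.

    DEFAULT is always reported when present: any rule using it shares state
    with every other unnamed recent rule on the box.
    """
    return {
        name: sorted(ids)
        for name, ids in recent_tables(rules_text).items()
        if len(ids) > 1 or name == "DEFAULT"
    }


if __name__ == "__main__":
    for name, ids in shared_tables(SAMPLE_RULES).items():
        print(f"recent table {name!r} shared by: {', '.join(ids)}")
```

Run it against real output with `sudo iptables -S | python3 audit.py`-style piping after swapping SAMPLE_RULES for `sys.stdin.read()`.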