Page MenuHomePhabricator

Misbehaviour of "recent" options in firewall rules
Closed, ResolvedPublicBUG

Description

Hi!
In firewall exist recent option, that allow to use dynamic lists for matching packets. But, one very important part of this extension is missed - there is no --name parameter in generated rules. So, all firewall rules with recent will use the same table DEFAULT for matching packets.
This can cause to unwanted behaviour, when will be more than one such rules in system exist.
We must add --name option or generate unique name for every rule to avoid problems.

Details

Difficulty level
Easy (less than an hour)
Version
1.2.0-rolling+201812172124
Why the issue appeared?
Implementation mistake

Event Timeline

zsdc created this task.Dec 17 2018, 9:19 PM
zsdc updated the task description. (Show Details)

Thanks for catching this! I've fixed it in the upcoming rc11.

vyos@vyos-test-1# set firewall name Foo rule 10 action accept 
[edit]
vyos@vyos-test-1# set firewall name Foo rule 10 recent time 60
[edit]
vyos@vyos-test-1# set firewall name Foo rule 10 recent count 100
[edit]
vyos@vyos-test-1# commit
[edit]
vyos@vyos-test-1# sudo iptables -L -nv | grep Foo
Chain Foo (0 references)
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Foo-10 */ recent: UPDATE seconds: 60 hit_count: 100 name: Foo-10 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Foo-10 */ recent: SET name: Foo-10 side: source mask: 255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Foo-10000 default-action drop */
dmbaturin changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
dmbaturin changed Why the issue appeared? from Will be filled on close to Implementation mistake.
dmbaturin closed this task as Resolved.Dec 17 2018, 9:50 PM
pasik added a subscriber: pasik.Dec 19 2018, 7:36 AM