Unwanted/broken "disable" option in firewall state
Open, Low, Public, BUG

Description

Hi!
In the firewall configuration there is a state option that allows matching packets by their states in conntrack. It has a disable suboption:

[edit]
vyos@vyos# set firewall name TESTFW1 rule 10 state established 
Possible completions:
   <text>       Established state
   disable      
   enable

As far as I understand, it must be used for the inverse state value: ! --state established. I don't see any other application for it. But this suboption doesn't work at all. Also, when a user creates rules, we must check that they don't add enabled and disabled options in the same rule, as iptables can use only one --state in a single rule.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-rolling+201812172124
Why the issue appeared?
Will be filled on close
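
The check requested in the description, sketched as an added example (not VyOS code and not part of the original report): it maps a rule's per-state enable/disable settings to a single iptables state match, using ! --state for the inverted form, and rejects a rule that mixes both. The function name, exception name and the dict input format are assumptions made for illustration.

```python
# Added example; not VyOS code. Function and exception names are hypothetical.
VALID_STATES = ("established", "invalid", "new", "related")


class StateConfigError(ValueError):
    """Raised when a rule's state settings cannot map to one --state match."""


def state_match_args(rule_state):
    """Translate {state: 'enable'|'disable'} into iptables arguments.

    All enable  -> -m state --state A,B
    All disable -> -m state ! --state A,B
    Mixed       -> rejected, since one rule carries a single --state.
    """
    enabled, disabled = [], []
    for state, action in rule_state.items():
        if state not in VALID_STATES:
            raise StateConfigError(f"unknown state: {state!r}")
        if action == "enable":
            enabled.append(state)
        elif action == "disable":
            disabled.append(state)
        else:
            raise StateConfigError(f"{state}: expected enable or disable, got {action!r}")

    if enabled and disabled:
        raise StateConfigError(
            "cannot combine enable (%s) and disable (%s) in one rule"
            % (",".join(sorted(enabled)), ",".join(sorted(disabled)))
        )
    if not enabled and not disabled:
        return []  # no state match configured for this rule

    states = ",".join(s.upper() for s in sorted(enabled or disabled))
    args = ["-m", "state"]
    if disabled:
        args.append("!")  # inverted match: packet state is NOT in the list
    return args + ["--state", states]


if __name__ == "__main__":
    # Constructed sample rules, keyed by rule number.
    samples = {10: {"established": "enable", "related": "enable"},
               20: {"established": "disable"}}
    for number, cfg in samples.items():
        print(number, " ".join(state_match_args(cfg)))
```
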