
Unwanted/broken "disable" option in firewall state
Closed, Wontfix | Public | BUG

Description

Hi!
In the firewall configuration there is a state option that allows matching packets by their states in conntrack. It has a disable suboption:

[edit]
vyos@vyos# set firewall name TESTFW1 rule 10 state established 
Possible completions:
   <text>       Established state
   disable      
   enable

As I understand it, it must be used for the inverse state value: ! --state established. I don't see any other application for it. But this suboption doesn't work at all. Also, when a user creates rules, we must check that they don't add enabled and disabled options in the same rule, as iptables can use only one --state in a single rule.

Details

Difficulty level: Unknown (require assessment)
Version: 1.2.0-rolling+201812172124
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)
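
The check the report asks for, sketched as an added example (not VyOS code and not from the original task). It assumes the reading given in the description, where "disable" means the inverse match, and that a rule may carry only one --state option; the function name, exception class and list of state names are hypothetical.

```python
# Added illustration; all names here are hypothetical, not taken from VyOS.
VALID_STATES = ("established", "invalid", "new", "related")  # assumed state names


class StateConfigError(ValueError):
    """Raised when a rule's state settings cannot map to one --state match."""


def state_match_args(states):
    """Translate {state: 'enable'|'disable'} into iptables state-match arguments.

    Assumed semantics (the report's reading): 'enable' matches the state and
    'disable' matches its inverse. Mixing both in one rule is rejected because
    a rule carries a single --state option.
    """
    enabled, disabled = [], []
    for name, value in states.items():
        if name not in VALID_STATES:
            raise StateConfigError(f"unknown state: {name}")
        if value == "enable":
            enabled.append(name)
        elif value == "disable":
            disabled.append(name)
        else:
            raise StateConfigError(f"{name}: expected enable or disable, got {value!r}")
    if enabled and disabled:
        raise StateConfigError(
            "rule mixes enabled (%s) and disabled (%s) states"
            % (",".join(sorted(enabled)), ",".join(sorted(disabled))))
    if not enabled and not disabled:
        return []  # no state match configured for this rule
    args = ["-m", "state"]
    if disabled:
        args.append("!")  # one inverted match covers every disabled state
    chosen = sorted(enabled or disabled)
    return args + ["--state", ",".join(s.upper() for s in chosen)]


if __name__ == "__main__":
    # Constructed sample rules, not taken from a real configuration.
    for rule in ({"established": "enable", "related": "enable"},
                 {"established": "disable"},
                 {"established": "enable", "new": "disable"}):
        try:
            print(rule, "->", " ".join(state_match_args(rule)))
        except StateConfigError as err:
            print(rule, "-> rejected:", err)
```

Rejecting the mixed rule at commit time keeps a rule from being installed with a match different from the one the operator configured.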

Event Timeline

syncer triaged this task as Low priority.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-EPA); removed VyOS 1.2 Crux.
dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
erkin set Issue type to Bug (incorrect behavior). Aug 31 2021, 7:01 PM
Viacheslav added a subscriber: Viacheslav.

Refactored in 1.4/1.5
Let's avoid the firewall migrations for the stable branch.