
Issues while deleting all rules from a firewall
Open, Requires assessment, Public

Description

It is possible to create a firewall name with no rules other than the default-action:

[edit]
vyos@vyos# set firewall name TEST default-action accept 
[edit]
vyos@vyos# set interfaces ethernet eth0 firewall in name 'TEST'
[edit]
vyos@vyos# commit
[edit]
vyos@vyos#

It is possible to go from an empty firewall to one with rules:

[edit]
vyos@vyos# set firewall name TEST rule 1 action accept 
[edit]
vyos@vyos# commit
[edit]
vyos@vyos#

However, the operation is not reversible:

[edit]
vyos@vyos# delete firewall name TEST rule 1
[edit]
vyos@vyos# commit
[ firewall name TEST ]
Firewall configuration error: Cannot delete rule set "TEST" (still in use)



[[firewall name TEST]] failed
Commit failed
[edit]
vyos@vyos#

There also seems to be a race condition or improper order of operations when simultaneously removing both the firewall and the places where it is used:

[edit]
vyos@vyos# delete interfaces ethernet eth0 firewall in name 'TEST'
[edit]
vyos@vyos# delete firewall name TEST
[edit]
vyos@vyos# commit
[ firewall name TEST ]
Firewall configuration error: Cannot delete rule set "TEST" (still in use)



delete [ firewall name TEST ] failed
Commit failed
[edit]
vyos@vyos#

This needs two commits to succeed:

[edit]
vyos@vyos# delete interfaces ethernet eth0 firewall in name 'TEST'
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# delete firewall name TEST
[edit]
vyos@vyos# commit
[edit]
vyos@vyos#
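The report does not say why the validator rejects these commits (the "Why the issue appeared?" field is still empty), so the following is an added illustration, not VyOS code, of one hypothesised cause that would produce exactly the two failures above: a validator that counts references in the running configuration instead of the proposed one, and that treats a rule set whose last rule was removed as if the rule set itself had been deleted. The `Config` model, the `validate_naive`/`validate_fixed` functions and the scenario helpers are all constructed for this example; the three scenarios replay the sessions in the report.

```python
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class Config:
    """Toy model of the relevant part of the VyOS config tree (constructed for this example)."""
    # rule_sets: {name: {"default-action": str, "rules": {number: action}}}
    rule_sets: dict = field(default_factory=dict)
    # bindings: {(interface, direction): rule-set name}, e.g. ("eth0", "in"): "TEST"
    bindings: dict = field(default_factory=dict)


def references_to(cfg: Config, name: str) -> list:
    """Binding keys that point at rule set `name` in this config tree."""
    return [key for key, target in cfg.bindings.items() if target == name]


def validate_naive(running: Config, proposed: Config) -> list:
    """Hypothesised buggy validator: it counts references in the *running* tree
    and treats a rule set emptied of rules as if it were being deleted."""
    errors = []
    for name in running.rule_sets:
        gone = name not in proposed.rule_sets
        emptied = not gone and not proposed.rule_sets[name]["rules"]
        if (gone or emptied) and references_to(running, name):
            errors.append(f'Cannot delete rule set "{name}" (still in use)')
    return errors


def validate_fixed(running: Config, proposed: Config) -> list:
    """Validates the whole proposed tree: only a rule set that is really gone
    and is still referenced *after* the commit is an error. A rule set with
    only a default-action is a legal state, as the report's first commit shows."""
    errors = []
    for name in running.rule_sets:
        if name not in proposed.rule_sets and references_to(proposed, name):
            errors.append(f'Cannot delete rule set "{name}" (still in use)')
    for key, name in proposed.bindings.items():
        if name not in proposed.rule_sets:
            errors.append(f'Rule set "{name}" bound to {key} does not exist')
    return errors


def running_with_rule() -> Config:
    """State after the report's second commit: TEST has rule 1 and is bound to eth0 in."""
    return Config(
        rule_sets={"TEST": {"default-action": "accept", "rules": {1: "accept"}}},
        bindings={("eth0", "in"): "TEST"},
    )


def scenario_delete_last_rule(validate) -> list:
    """delete firewall name TEST rule 1; commit"""
    running = running_with_rule()
    proposed = deepcopy(running)
    del proposed.rule_sets["TEST"]["rules"][1]
    return validate(running, proposed)


def scenario_delete_binding_and_rule_set(validate) -> list:
    """delete interfaces ethernet eth0 firewall in name TEST; delete firewall name TEST; commit"""
    running = running_with_rule()
    proposed = deepcopy(running)
    del proposed.bindings[("eth0", "in")]
    del proposed.rule_sets["TEST"]
    return validate(running, proposed)


def scenario_delete_rule_set_only(validate) -> list:
    """A commit that really must be refused: rule set removed, binding kept."""
    running = running_with_rule()
    proposed = deepcopy(running)
    del proposed.rule_sets["TEST"]
    return validate(running, proposed)


if __name__ == "__main__":
    scenarios = [
        ("delete last rule", scenario_delete_last_rule),
        ("delete binding + rule set", scenario_delete_binding_and_rule_set),
        ("delete rule set only", scenario_delete_rule_set_only),
    ]
    for label, scenario in scenarios:
        print(f"{label}: naive={scenario(validate_naive)} fixed={scenario(validate_fixed)}")
```

The naive validator refuses both single-commit operations from the report while the fixed one accepts them, and both still refuse the genuinely dangerous case where the rule set disappears but the interface binding stays. The practical point is that an "in use" check has to be evaluated against the configuration as it will be after the commit, otherwise an operator is forced into the two-commit workaround shown above, with a window in which the interface is briefly unfiltered between the commits.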

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-rolling+201903040337
Why the issue appeared?
Will be filled on close

Event Timeline

varesa created this task. Mar 11 2019, 8:38 AM
varesa created this object in space S1 VyOS Public.
varesa updated the task description. Mar 11 2019, 7:23 PM