Page MenuHomeVyOS Platform
Create Task
Maniphest T1292

Issues while deleting all rules from a firewall
Closed, ResolvedPublicBUG
Actions

Description

It is possible to create a firewall name with no rules other than the default-action:

[edit]
vyos@vyos# set firewall name TEST default-action accept 
[edit]
vyos@vyos# set interfaces ethernet eth0 firewall in name 'TEST'
[edit]
vyos@vyos# commit
[edit]
vyos@vyos#

It is possible to go from an empty firewall to one with rules:

[edit]
vyos@vyos# set firewall name TEST rule 1 action accept 
[edit]
vyos@vyos# commit
[edit]
vyos@vyos#

However the operation is not reversable:

[edit]
vyos@vyos# delete firewall name TEST rule 1
[edit]
vyos@vyos# commit
[ firewall name TEST ]
Firewall configuration error: Cannot delete rule set "TEST" (still in use)



[[firewall name TEST]] failed
Commit failed
[edit]
vyos@vyos#

The also seems to be a race condition/improper order of operations when simultaneously removing both the firewall and the places it is used:

[edit]
vyos@vyos# delete interfaces ethernet eth0 firewall in name 'TEST'
[edit]
vyos@vyos# delete firewall name TEST
[edit]
vyos@vyos# commit
[ firewall name TEST ]
Firewall configuration error: Cannot delete rule set "TEST" (still in use)



delete [ firewall name TEST ] failed
Commit failed
[edit]
vyos@vyos#

This needs two commits to succeed:

[edit]
vyos@vyos# delete interfaces ethernet eth0 firewall in name 'TEST'
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# delete firewall name TEST
[edit]
vyos@vyos# commit
[edit]
vyos@vyos#

Details

Difficulty level
Hard (possibly days)
Version
1.2.0-rolling+201903040337
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Related Objects
Search...

Event Timeline

varesa created this task.Mar 11 2019, 8:38 AM
varesa created this object in space S1 VyOS Public.
varesa updated the task description. (Show Details)Mar 11 2019, 7:23 PM
dmbaturin added a project: VyOS 1.3 Equuleus.Jun 18 2020, 10:31 PM
dmbaturin added a subscriber: dmbaturin.

Sadly, still reproducible. I fear we may want to keep it as a known wart until the firewall rewrite is complete.

dmbaturin edited projects, added VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus.Jun 25 2020, 8:39 AM
dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
dmbaturin mentioned this in T2300: Cannot remove PBR.Jun 25 2020, 8:41 AM
pasik added a subscriber: pasik.Oct 19 2020, 12:18 PM
Viacheslav triaged this task as Normal priority.Feb 22 2021, 10:26 AM
Viacheslav changed the subtype of this task from "Task" to "Bug".
Viacheslav changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
Viacheslav added a parent task: T2199: Rewrite firewall in new XML/Python style.Apr 4 2021, 3:32 PM
Viacheslav mentioned this in T3989: Firewall - Can't delete rule in firewall entry and leave just default-action when firewall entry is in used.Nov 15 2021, 5:55 AM
sarthurdev changed the task status from Open to Needs testing.Jan 18 2022, 1:45 PM
sarthurdev claimed this task.
sarthurdev added a subscriber: sarthurdev.

Fixed in 1.4 PR: https://github.com/vyos/vyos-1x/pull/1176

n.fort added a subscriber: n.fort.Feb 15 2022, 6:50 PM

Tested on VyOS 1.4-rolling-202202150317 and working as expected.

n.fort closed this task as Resolved.Feb 15 2022, 6:51 PM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.Feb 15 2022, 10:12 PM