
Port group cannot be configured if the same port is configured as standalone and inside a range
Status: Closed, Resolved | Visibility: Public | Type: BUG

Description

If we try to configure a port group that contains the same port both as a standalone entry and inside a range, the router will accept the configuration and allow it to be committed and saved, but ipset will not create the set properly:

[edit]
vyos@test-06# set firewall group port-group PORTSET1 port 100
[edit]
vyos@test-06# set firewall group port-group PORTSET1 port 200
[edit]
vyos@test-06# set firewall group port-group PORTSET1 port 150-250
vyos@test-06# commit
[ firewall group port-group PORTSET1 ]
ipset v6.23: Element cannot be added to the set: it's already added
Error: call to ipset failed [256]
[edit]
vyos@test-06# show firewall group 
 port-group PORTSET1 {
     port 100
     port 200
     port 150-250
 }
[edit]
vyos@test-06# sudo ipset list
[edit]
vyos@test-06#

The second problem is that the member_exists function does not work for port ranges at all, because ipset does not accept a range in a test command:

root@test-06:/home/vyos# ipset -T TEST1 100-200
ipset v6.23: FROM-TO port range is not allowed in command test with set type bitmap:port and family unspec
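A configuration-level check for the two problems above, as an added example in Python (not VyOS's own code): it reports a port that appears both standalone and inside a range before ipset is ever called, so the commit fails with a clear message instead of a half-built set, and it implements a member_exists-style check by expanding ranges into individual ports rather than passing a FROM-TO range to `ipset -T`. The function names, the list-of-strings input format (the values typed after `set firewall group port-group <name> port`) and the error message wording are assumptions of this example.

```python
"""
Added example (not VyOS code): pre-commit validation for a firewall port-group.

It models the two problems in the report:
  1. an entry listed standalone (e.g. 200) and again inside a range (150-250)
     makes `ipset add` fail with "Element cannot be added to the set: it's already added";
  2. `ipset -T` refuses a FROM-TO range on a bitmap:port set, so membership of a
     range has to be checked on the expanded port numbers instead.

Function names, the input format and the error texts are assumptions of this example.
"""
from typing import Iterable, List, Set, Tuple

PORT_MIN, PORT_MAX = 1, 65535


def parse_port_entry(entry: str) -> Tuple[int, int]:
    """Parse '100' or '150-250' into an inclusive (low, high) tuple, validating bounds."""
    parts = entry.split("-", 1)
    try:
        low = int(parts[0])
        high = int(parts[1]) if len(parts) == 2 else low
    except ValueError:
        raise ValueError(f"invalid port entry {entry!r}")
    if not (PORT_MIN <= low <= high <= PORT_MAX):
        raise ValueError(f"port entry {entry!r} out of range or reversed")
    return low, high


def expand_ports(entries: Iterable[str]) -> Set[int]:
    """Expand standalone ports and ranges into the set of individual port numbers."""
    ports: Set[int] = set()
    for entry in entries:
        low, high = parse_port_entry(entry)
        ports.update(range(low, high + 1))
    return ports


def find_overlaps(entries: List[str]) -> List[Tuple[str, str, int]]:
    """Return (entry_a, entry_b, port) for every pair of entries that share a port.

    ipset would reject the second `add` of such a port, so this reports the
    conflict at validation time instead of failing part-way through the commit.
    """
    parsed = [(e, parse_port_entry(e)) for e in entries]
    conflicts = []
    for i, (ea, (la, ha)) in enumerate(parsed):
        for eb, (lb, hb) in parsed[i + 1:]:
            low, high = max(la, lb), min(ha, hb)
            if low <= high:
                conflicts.append((ea, eb, low))  # first shared port of the pair
    return conflicts


def member_exists(group_entries: List[str], entry: str) -> bool:
    """True if every port of `entry` (single port or range) is already in the group.

    Avoids `ipset -T SET 100-200`, which the report shows is refused for
    bitmap:port sets; the group is expanded and compared port by port instead.
    """
    low, high = parse_port_entry(entry)
    existing = expand_ports(group_entries)
    return all(p in existing for p in range(low, high + 1))


def validate_port_group(entries: List[str]) -> List[str]:
    """Return human-readable error messages; an empty list means the group is consistent."""
    errors = []
    for entry in entries:
        try:
            parse_port_entry(entry)
        except ValueError as exc:
            errors.append(str(exc))
    if errors:
        return errors
    for ea, eb, port in find_overlaps(entries):
        errors.append(f"port {port} is defined by both '{ea}' and '{eb}'")
    return errors


if __name__ == "__main__":
    # Constructed input mirroring the report: PORTSET1 with 100, 200 and 150-250.
    portset1 = ["100", "200", "150-250"]
    for problem in validate_port_group(portset1):
        print("PORTSET1:", problem)
    print("member_exists(150-250):", member_exists(portset1, "150-250"))
```

Run on the report's PORTSET1 the validator flags port 200 as defined twice, which is exactly the element ipset complained about; expanding ranges is cheap for a bitmap:port set (at most 65535 entries), so the member check needs no ipset call at all.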

Details

Difficulty level: Normal (likely a few hours)
Version: 1.2.1
Why the issue appeared? Will be filled on close

Event Timeline

zsdc created this task. Jun 19 2019, 7:09 PM
zsdc claimed this task.