
Firewall gets confused when using the same network-group name for IPv4 and IPv6
Open, Normal, Public, BUG

Description

This is not a real bug, as it can be "worked around" by using different names for IPv4 and IPv6 network groups, e.g. by appending -4 and -6 to the rule name; this should be updated in the docs!

Adding rules

Set commands

set firewall group network-group NET-FOO network 192.168.1.0/24
set firewall group ipv6-network-group NET-FOO network 2001:db8::/64
commit
set firewall name VLAN15-IN rule 1000 action accept
set firewall name VLAN15-IN rule 1000 source group network-group NET-FOO
commit

Show

vyos@vyos# show firewall
 group {
     ipv6-network-group NET-FOO {
         network 2001:db8::/64
     }
     network-group NET-FOO {
         network 192.168.1.0/24
     }
 }
+name VLAN15-IN {
+    rule 1000 {
+        action accept
+        source {
+            group {
+                network-group NET-FOO
+            }
+        }
+    }
+}
vyos@vyos# commit
[ firewall group network-group NET-FOO ]
ipset v6.23: Syntax error: cannot parse 192.168.1.0: resolving to IPv6 address failed
Error: call to ipset failed [256]
[ firewall name VLAN15-IN rule 1000 source group network-group NET-FOO ]
Group [NET-FOO] has not been defined

[[firewall name VLAN15-IN]] failed
Commit failed

Discarding changes

vyos@vyos# discard

  Changes have been discarded

vyos@vyos# show firewall
 group {
     ipv6-network-group NET-FOO {
         network 2001:db8::/64
     }
     network-group NET-FOO {
         network 192.168.1.0/24
     }
 }

Deleting group

vyos@vyos# delete firewall group
[edit]
vyos@vyos# commit
[ firewall group ipv6-network-group NET-FOO ]
Error: group [NET-FOO] doesn't exists

[ firewall group network-group NET-FOO ]
Error: group [NET-FOO] doesn't exists


vyos@vyos# show firewall
[edit]

Details

Difficulty level
Normal (likely a few hours)
Version
1.2.1
Why the issue appeared?
Will be filled on close

Event Timeline

c-po created this task.Jul 11 2019, 3:36 PM
c-po updated the task description.
runar added a subscriber: runar.Jul 11 2019, 3:52 PM

As long as it's allowed but not working, it's a bug.. :)

To close this there is a need to create a check that disallows the existence of a v4 and a v6 list with the same name..

c-po added a comment.Jul 11 2019, 5:07 PM

A check is already present when configuring the firewall name.

set firewall name VLAN15-IN
set firewall ipv6-name VLAN15-IN

is not permitted

vyos@vyos# commit
[ firewall name VLAN15-IN ]
Configuration error: Rule set name "VLAN15-IN" already used in "firewall ipv6-name"

[[firewall name VLAN15-IN]] failed
[ firewall ipv6-name VLAN15-IN ]
Configuration error: Rule set name "VLAN15-IN" already used in "firewall name"
syncer triaged this task as Normal priority.Jul 15 2019, 1:17 PM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.

This is really a broken abstraction. There are no separate namespaces for IPv4 and IPv6 groups in ipset.
We'll have to autoprefix the groups or similar, if we want it to work that way.
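The two remedies proposed in this thread, a verify-time check that refuses the same name for a v4 and a v6 group, and the "autoprefix" alternative that gives each family its own ipset name, written out as an added example. This is not VyOS project code; the group table, the function names, the `v4_`/`v6_`/`p_` prefixes and the sample config are assumptions made for the example. The ipset name limit it checks is ipset's own (IPSET_MAXNAMELEN is 32 bytes including the terminating NUL).

```python
"""Added example, not VyOS code: validator for the flat ipset namespace, plus
the autoprefix alternative.

ipset keeps IPv4 and IPv6 sets in one namespace, so a VyOS `network-group
NET-FOO` and an `ipv6-network-group NET-FOO` both map to the single ipset set
`NET-FOO`.  Whichever is created second feeds the wrong family into an
existing set, which is the "resolving to IPv6 address failed" error in the
task.  Catching that at verify time (as VyOS already does for `firewall name`
vs `firewall ipv6-name`) keeps the commit from failing half-way through.
"""
from collections import defaultdict

# ipset's limit: IPSET_MAXNAMELEN is 32 bytes including the NUL, 31 usable.
IPSET_MAXNAMELEN = 31

# Assumed mapping of VyOS group nodes -> (ipset set type, extra `ipset create`
# options, prefix used by ipset_name()).  All of these share one ipset
# namespace, so address- and port-groups are checked together with
# network-groups.
GROUP_TYPES = {
    "address-group":      ("hash:ip",     "family inet",  "v4_"),
    "network-group":      ("hash:net",    "family inet",  "v4_"),
    "ipv6-address-group": ("hash:ip",     "family inet6", "v6_"),
    "ipv6-network-group": ("hash:net",    "family inet6", "v6_"),
    "port-group":         ("bitmap:port", "range 0-65535", "p_"),
}


class ConfigError(Exception):
    """Raised by commit() before any ipset command would run."""


def find_name_collisions(groups):
    """groups: {group_type: {group_name: [members]}} as the CLI would give it.

    Returns [(name, [group types using it])] for every name that more than
    one group type uses, i.e. every name that would become one ipset set."""
    users = defaultdict(list)
    for gtype, named in groups.items():
        if gtype not in GROUP_TYPES:
            raise ValueError(f"unknown group type {gtype!r}")
        for name in named:
            users[name].append(gtype)
    return sorted((name, sorted(types))
                  for name, types in users.items() if len(types) > 1)


def verify(groups):
    """Verify step: return a list of error strings (empty means OK)."""
    errors = []
    for name, types in find_name_collisions(groups):
        used = ", ".join(f'"firewall group {t}"' for t in types)
        errors.append(f'Group name "{name}" is used in more than one group '
                      f"type ({used}); ipset has one namespace for IPv4 and "
                      "IPv6 sets")
    return errors


def commit(groups):
    """Refuse the commit on any verify error, mirroring the VyOS check."""
    errors = verify(groups)
    if errors:
        raise ConfigError("\n".join(errors))
    return ipset_create_commands(groups)


def ipset_name(gtype, name):
    """Autoprefix alternative: derive a family-unique ipset name.

    The prefix restores per-family namespaces, but it also eats into ipset's
    31-character name limit, so that is checked here as well."""
    full = GROUP_TYPES[gtype][2] + name
    if len(full) > IPSET_MAXNAMELEN:
        raise ConfigError(f'ipset name "{full}" exceeds {IPSET_MAXNAMELEN} characters')
    return full


def ipset_create_commands(groups):
    """Render the `ipset create` / `ipset add` lines for the prefixed sets."""
    cmds = []
    for gtype, named in sorted(groups.items()):
        settype, opts, _ = GROUP_TYPES[gtype]
        for name, members in sorted(named.items()):
            setname = ipset_name(gtype, name)
            cmds.append(f"ipset create {setname} {settype} {opts}")
            cmds += [f"ipset add {setname} {m}" for m in members]
    return cmds


# Constructed input: the groups from the task description.
TASK_GROUPS = {
    "network-group":      {"NET-FOO": ["192.168.1.0/24"]},
    "ipv6-network-group": {"NET-FOO": ["2001:db8::/64"]},
}

if __name__ == "__main__":
    for err in verify(TASK_GROUPS):
        print("commit refused:", err)
    # With autoprefixing the same config is representable:
    for line in ipset_create_commands(TASK_GROUPS):
        print(line)
```

With the task's config, `verify()` returns one error naming NET-FOO in both `network-group` and `ipv6-network-group`, which is the message the commit should have produced instead of the ipset syntax error. `ipset_create_commands()` shows the autoprefix path: `v4_NET-FOO` and `v6_NET-FOO` become two distinct sets with the correct `family`, at the cost of three characters of the 31 available for a set name.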

Pull Request to clarify group names must be unique.

https://github.com/vyos/vyos-documentation/pull/127

If a solution is finally developed, we can always leave the manual as it was.

Hi @c-po and @dmbaturin

As the manual now shows how to proceed, should we resolve this task?

Or maybe you prefer to leave it open in order to create new code...

c-po added a comment.Oct 27 2019, 11:07 PM

I'd keep it open as a reminder what to add to the validator steps in a possible rewrite.

pasik added a subscriber: pasik.Oct 28 2019, 4:21 PM