
prefix-list and prefix-list6 rules incorrectly accept a host address where prefix is required
Open, Requires assessment, Public

Description

After creating a policy prefix-list and then deleting this policy, the system doesn't commit this.

delete policy prefix-list OUT
-policy {
-    prefix-list OUT {
-        rule 10 {
-            action permit
-            prefix 127.0.0.1/29
-        }
-    }
-}
vyos@vyos# commit
[ policy prefix-list OUT rule 10 ]
% Can't find specified prefix-list

delete [ policy prefix-list OUT ] failed
Commit failed
[edit]
vyos@vyos#
vyos@vyos# delete policy 
[edit]
vyos@vyos# commit
[ policy prefix-list OUT rule 10 ]
% Can't find specified prefix-list

delete [ policy prefix-list OUT ] failed
[[]] failed
Commit failed
copy failed [/opt/vyatta/config/tmp/tmp_18986/work/.unionfs][/opt/vyatta/config/tmp/new_config_18986/.unionfs]
Failed to generate committed config
[edit]
vyos@vyos#

Update
If the last octet is "1", this doesn't permit commit.
If last octet is "0" - everything is fine.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.2-rolling-201909160118
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Stricter validation

Event Timeline

sever created this task. Sep 16 2019, 1:59 PM
sever created this object in space S1 VyOS Public.
sever updated the task description. Sep 16 2019, 2:36 PM
pasik added a subscriber: pasik. Sep 16 2019, 3:19 PM

The root cause was insufficient validation.

vyos@vyos-test-2# set policy prefix-list Foo rule 10 prefix 127.0.0.1/29
[edit]
vyos@vyos-test-2# set policy prefix-list Foo rule 10 action permit 
[edit]
vyos@vyos-test-2# commit
[ policy prefix-list Foo rule 10 ]
% Prefix-list Foo prefix changed from 127.0.0.1/29 to 127.0.0.0/29 to match length

The "ipv4net" type is "net" in the name only; it doesn't check that it's actually a network rather than a host address.

NOTE: do not backport this to 1.2.x! It will prevent some configs from loading, and we don't want to break anyone's config in point releases!
dmbaturin renamed this task from Commit failed after delete prefix-list to prefix-list incorrectly accept a host address where prefix is required. Thu, Jun 25, 7:02 AM
dmbaturin renamed this task from prefix-list incorrectly accept a host address where prefix is required to prefix-list and prefix-list6 rules incorrectly accept a host address where prefix is required.
dmbaturin claimed this task.
dmbaturin added a project: VyOS 1.3 Equuleus.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Stricter validation.
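
The stricter validation discussed in this task, sketched as an added example (not VyOS code and not the fix that was committed): it rejects a value whose host bits are set and reports the network it would be rewritten to, for both prefix-list and prefix-list6. The names `check_prefix` and `SAMPLES` are hypothetical, and the sample values other than the two from this task are constructed.

```python
import ipaddress


def check_prefix(value, version):
    """Validate a prefix-list (version=4) or prefix-list6 (version=6) value.

    Returns (ok, canonical, reason). `canonical` is the network the address
    falls in, i.e. what a routing daemon would silently rewrite the value to.
    """
    _, _, length = value.partition("/")
    if not length.isdigit():
        # A bare address or a dotted netmask is not a prefix.
        return (False, None, "a numeric prefix length is required")
    try:
        # ip_interface keeps the address as typed and derives the network,
        # so both can be compared.
        iface = ipaddress.ip_interface(value)
    except ValueError as exc:
        return (False, None, str(exc))
    if iface.version != version:
        return (False, None, f"not an IPv{version} prefix")
    canonical = str(iface.network)
    if iface.ip != iface.network.network_address:
        # The case from this task: 127.0.0.1/29 is a host inside 127.0.0.0/29.
        return (False, canonical, f"host bits set; did you mean {canonical}?")
    return (True, canonical, "")


# Constructed inputs; the first two are the values shown in this task.
SAMPLES = [
    ("127.0.0.1/29", 4),
    ("127.0.0.0/29", 4),
    ("192.0.2.1/32", 4),    # /32 has no host bits, so it is a valid prefix
    ("2001:db8::1/64", 6),
    ("2001:db8::/64", 6),
    ("192.0.2.0/24", 6),    # IPv4 value given to prefix-list6
]

if __name__ == "__main__":
    for value, version in SAMPLES:
        ok, canonical, reason = check_prefix(value, version)
        print(f"{value:<18} v{version}  {'accept' if ok else 'reject'}  {reason}")
```

Checking at `set` time matters here because the rewritten value no longer matches what is stored in the configuration, which is the mismatch behind the failed `delete` in the description.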