prefix-list and prefix-list6 rules incorrectly accept a host address where prefix is required
Closed, Resolved, Public

Description

After creating a policy prefix-list and then deleting this policy, the system doesn't commit this.

delete policy prefix-list OUT
-policy {
-    prefix-list OUT {
-        rule 10 {
-            action permit
-            prefix 127.0.0.1/29
-        }
-    }
-}
vyos@vyos# commit
[ policy prefix-list OUT rule 10 ]
% Can't find specified prefix-list

delete [ policy prefix-list OUT ] failed
Commit failed
[edit]
vyos@vyos#
vyos@vyos# delete policy 
[edit]
vyos@vyos# commit
[ policy prefix-list OUT rule 10 ]
% Can't find specified prefix-list

delete [ policy prefix-list OUT ] failed
[[]] failed
Commit failed
copy failed [/opt/vyatta/config/tmp/tmp_18986/work/.unionfs][/opt/vyatta/config/tmp/new_config_18986/.unionfs]
Failed to generate committed config
[edit]
vyos@vyos#

Update
If the last octet is "1", this doesn't permit commit.
If last octet is "0" - everything is fine.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.2-rolling-201909160118
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Stricter validation

Event Timeline

sever created this task. Sep 16 2019, 1:59 PM
sever created this object in space S1 VyOS Public.
sever updated the task description. Sep 16 2019, 2:36 PM
pasik added a subscriber: pasik. Sep 16 2019, 3:19 PM

The root cause was insufficient validation.

vyos@vyos-test-2# set policy prefix-list Foo rule 10 prefix 127.0.0.1/29
[edit]
vyos@vyos-test-2# set policy prefix-list Foo rule 10 action permit 
[edit]
vyos@vyos-test-2# commit
[ policy prefix-list Foo rule 10 ]
% Prefix-list Foo prefix changed from 127.0.0.1/29 to 127.0.0.0/29 to match length

The "ipv4net" type is "net" in the name only; it doesn't check that it's actually a network rather than a host address.

NOTE: do not backport this to 1.2.x! It will prevent some configs from loading, and we don't want to break anyone's config in point releases!
dmbaturin renamed this task from Commit failed after delete prefix-list to prefix-list incorrectly accept a host address where prefix is required. Jun 25 2020, 7:02 AM
dmbaturin renamed this task from prefix-list incorrectly accept a host address where prefix is required to prefix-list and prefix-list6 rules incorrectly accept a host address where prefix is required.
dmbaturin claimed this task.
dmbaturin added a project: VyOS 1.3 Equuleus.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Stricter validation.
dmbaturin closed this task as Resolved. Aug 20 2020, 2:44 PM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board. Mon, Nov 23, 5:23 PM
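
The stricter check this task calls for, as an added example (not VyOS's own validator code): it rejects a value such as 127.0.0.1/29 whose host bits are set, for both prefix-list and prefix-list6, and can audit an existing config before upgrading. The function names and sample prefixes are constructed, and rejecting a bare address with no length is an assumption.

```python
import ipaddress

def check_prefix(value, version):
    """Return (ok, message). ok is True only when value is an IPv<version>
    network prefix with an explicit length and no host bits set."""
    if "/" not in value:
        # Assumption: a bare address is not accepted as a prefix.
        return False, f"{value}: prefix length is required"
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError as exc:
        return False, f"{value}: {exc}"
    if iface.version != version:
        return False, f"{value}: not an IPv{version} prefix"
    # The network with host bits masked off, i.e. the form the commit
    # message on this page shows the prefix being changed to.
    canonical = iface.network
    if iface.ip != canonical.network_address:
        return False, f"{value}: host bits set, did you mean {canonical}?"
    return True, str(canonical)

def audit(prefixes, version):
    """Return the configured values that strict validation would reject,
    i.e. rules that would stop a saved config from loading after upgrade."""
    return [p for p in prefixes if not check_prefix(p, version)[0]]

# Constructed sample values; only 127.0.0.1/29 comes from the task itself.
SAMPLE_V4 = ["127.0.0.1/29", "127.0.0.0/29", "10.0.0.0/8",
             "192.0.2.1/32", "192.0.2.7"]
SAMPLE_V6 = ["2001:db8::1/64", "2001:db8::/32", "2001:db8::1/128"]

if __name__ == "__main__":
    for version, sample in ((4, SAMPLE_V4), (6, SAMPLE_V6)):
        for value in sample:
            ok, message = check_prefix(value, version)
            print("accept" if ok else "reject", message)
```

Running `audit` over the prefixes of a 1.2.x config lists the rules that need correcting before the stricter validation applies.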