
Can't commit due to groups with the same name but different firewall group types
Status: Needs testing | Priority: Normal | Visibility: Public | Type: BUG

Description

Here is a simple firewall group that would not let me execute a commit despite that address-group in question has been defined.

This is the config.boot :

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
...
}
address-group emby {
    address 10.0.7.10
}
...
}
port-group emby {
    port 8096
    port 8920
}

This is the error I was getting when committing :

vyos@fw01# commit
[ firewall name trust_to_server rule 710 destination group address-group emby ]
Group [emby] has not been defined

[[firewall name trust_to_server]] failed
Commit failed

This is the candidate config :

vyos@fw01# compare
[edit firewall name trust_to_server]
+rule 710 {
+    action accept
+    description "emby access"
+    destination {
+        group {
+            address-group emby
+            port-group emby
+        }
+    }
+    protocol tcp
+}

I deleted the address-group then save the config to overwrite the previous config.boot. By doing this, I got a new error message as shown below.

vyos@fw01# commit
[ firewall name trust_to_server rule 710 destination group port-group emby ]
Error: group [emby] is of type [address] not [port]

[[firewall name trust_to_server]] failed
Commit failed

I was able to commit when I renamed one of the groups. In my case, I renamed the port-group to emby_app and the system let me commit.
Now, I am not sure if I encountered two different issues here.

Details

Difficulty level: Unknown (require assessment)
Version: 1.2.1
Why the issue appeared: Will be filled on close
Is it a breaking change: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

syncer changed the task status from Open to Needs testing. Mar 28 2020, 11:55 AM
syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
syncer added a subscriber: syncer.

Can you try to reproduce in rolling, please?

I downloaded the latest rolling; the only thing I did with it was install it on a fresh Proxmox VM. I created two firewall groups with the same name: one address-group and one port-group.

+    group {
+        address-group emby {
+            address 10.0.7.10
+        }
+        port-group emby {
+            port 8096
+            port 8920
+        }
+    }

When I tried to commit, I got the error below. However, I was able to commit and save.

vyos@vyos# commit
[ firewall group address-group emby ]
Error: type mismatch [port] [address]

When creating a firewall name, I got the error below, and the commit failed.

vyos@vyos# compare 
[edit firewall]
+name trust_to_server {
+    default-action drop
+    rule 100 {
+        action accept
+        destination {
+            group {
+                address-group emby
+                port-group emby
+            }
+        }
+        source {
+            address 10.0.11.0/24
+        }
+    }
+}
[edit]
vyos@vyos# commit
[ firewall name trust_to_server rule 100 destination group address-group emby ]
Group [emby] has not been defined

[[firewall name trust_to_server]] failed
Commit failed
[edit]
vyos@vyos# 
[edit]
vyos@vyos#

I discarded the candidate config, deleted the "port-group emby" and created a new "port-group emby_app". Then I recreated the same firewall rules and got the same commit error as above despite renaming the port-group. The odd part is that the "address-group emby" exists.

The workaround that I found is to delete the "address-group emby", then commit and save. Recreate the "address-group emby", then commit and save. Recreate the same firewall rules with the new port-group emby_app, then commit and save. This workaround let me commit the firewall rules. It seems to be related to the config.boot: I have to keep saving the changes I made; otherwise, it fails to commit.

The main problem is that you use the same name for different group types.

ipset -N emby bitmap:port --from 1 --to 65535
ipset -A emby 8096
ipset -A emby 8920

What we get

root@r5-roll:/home/vyos# ipset -L
Name: emby
Type: bitmap:port
Revision: 3
Header: range 1-65535
Size in memory: 8264
References: 0
Number of entries: 2
Members:
8096
8920

So now it is trying to set an IP address in the group of "Type: bitmap:port", or trying to recreate the group with "Type: hash:ip":

# ipset -N emby hash:ip family inet
ipset v6.38: Kernel support protocol versions 6-7 while userspace supports protocol versions 6-6
Set cannot be created: set with the same name already exists

So we should prevent using the same name for different types of groups.
The names should be unique.
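The uniqueness rule above can be checked before a commit is attempted. The following is an added example, not VyOS code: it scans a config.boot-style text for group definitions that share a name across types (which would collide on one ipset of that name, as the ipset output above shows) and for rule references to groups that are undefined or of another type. The address-group/port-group ipset types come from this report; the network-group -> hash:net mapping is an assumption.

```python
import re
from collections import defaultdict

# ipset set type behind each VyOS group type; hash:ip and bitmap:port come from
# the ipset output in this report, network-group -> hash:net is an assumption.
IPSET_TYPE = {"address-group": "hash:ip", "network-group": "hash:net",
              "port-group": "bitmap:port"}
TYPES = "|".join(IPSET_TYPE)
# A definition opens a brace ("port-group emby {"); a reference inside a rule
# does not ("port-group emby"), which is how the two are told apart here.
DEF_RE = re.compile(rf"^\s*({TYPES})\s+(\S+)\s*\{{\s*$")
REF_RE = re.compile(rf"^\s*({TYPES})\s+(\S+)\s*$")


def parse(config_text):
    """Return (definitions, references) as name -> set of group types."""
    defs, refs = defaultdict(set), defaultdict(set)
    for line in config_text.splitlines():
        for regex, table in ((DEF_RE, defs), (REF_RE, refs)):
            m = regex.match(line)
            if m:
                table[m.group(2)].add(m.group(1))
                break
    return defs, refs


def check(config_text):
    """Return sorted problems that the commits in this report ran into."""
    defs, refs = parse(config_text)
    problems = []
    for name, types in defs.items():
        if len(types) > 1:  # both would become one ipset called <name>
            sets = ", ".join(f"{t} ({IPSET_TYPE[t]})" for t in sorted(types))
            problems.append(f"name collision: [{name}] defined as {sets}")
    for name, types in refs.items():
        for t in sorted(types - defs.get(name, set())):
            if name in defs:
                problems.append(f"type mismatch: {t} [{name}] is "
                                + "/".join(sorted(defs[name])))
            else:
                problems.append(f"undefined group: {t} [{name}]")
    return sorted(problems)


# Constructed config.boot fragment mirroring the report (indentation trimmed).
SAMPLE = "address-group emby {\n    address 10.0.7.10\n}\nport-group emby {\n" \
         "    port 8096\n}\nrule 100 {\n    address-group emby\n    port-group emby\n}\n"
```

Running `check(SAMPLE)` reports the emby collision; renaming only the port-group definition to emby_app while the rule still references `port-group emby` reports the type mismatch seen in the second commit attempt.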

erkin set Issue type to Bug (incorrect behavior). Tue, Aug 31, 5:38 PM