
"show firewall" garbled output
Open, Low, Public

Description

Missing tags, missing firewall rule information, line breaks in the middle of comments even on wider terminals

Some examples of garbled output:

missing starting comment /* tag, missing condition - destination port

9123  accept   udp       10646    809096                                  
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 VID-LOCAL-9123 */

line break in the middle of a comment, rule 1194 missing destination port

15    accept   tcp       26       1560                                    
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0  dports 2012,3012 /* OUTSIDE-LOCAL-1
              5 */                                                              

1194  accept   udp       8437     380191                                  
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 OUTSIDE-LOCAL-1194 */

what do the 0, 1, 2 before the comment mean?

9802  accept   icmpv6    0        0                                       
  condition - saddr ::/0 daddr ::/0 6outside-in-9802 */                         

9803  accept   icmpv6    0        0                                       
  condition - saddr ::/0 daddr ::/0 0 /* 6outside-in-9803 */                    

9804  accept   icmpv6    0        0                                       
  condition - saddr ::/0 daddr ::/0 1 /* 6outside-in-9804 */                    

9805  accept   icmpv6    0        0                                       
  condition - saddr ::/0 daddr ::/0 2 /* 6outside-in-9805 */

closing */ tag used in place of opening /*, missing closing tag, missing rule condition information, missing whitespace before "LOG enabled"

IPv6 Firewall "6INSIDE-OUT":

 Active on (eth0,OUT)

rule  action   proto     packets  bytes                                   
----  ------   -----     -------  -----                                   
9025  reject   tcp_udp   0        0                                       
  condition - saddr ::/0 daddr ::/0 6INSIDE-OUT-9025 */ reject-with icmp6-port-u
              nreachableLOG enabled                                             

10000 accept   all       6215584  754005993                               
  condition - saddr ::/0 daddr ::/0

# show firewall ipv6-name 6INSIDE-OUT
 default-action accept
 rule 9025 {
     action reject
     description "Block outgoing SMTP"
     destination {
         port 25
     }
     log enable
     protocol tcp_udp
 }

Details

Difficulty level
Unknown (require assessment)
Version
1.3-rolling-202003291001
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

jjakob created this task.

There are different outputs from "iptables" between 1.2 and 1.3:

config:

vyos@r12-lts:~$ show conf com | match fire
set firewall ipv6-name 6INSIDE-OUT default-action 'accept'
set firewall ipv6-name 6INSIDE-OUT rule 9025 action 'reject'
set firewall ipv6-name 6INSIDE-OUT rule 9025 description 'Block outgoing SMTP'
set firewall ipv6-name 6INSIDE-OUT rule 9025 destination port '25'
set firewall ipv6-name 6INSIDE-OUT rule 9025 log 'enable'
set firewall ipv6-name 6INSIDE-OUT rule 9025 protocol 'tcp_udp'
set interfaces ethernet eth1 firewall out ipv6-name '6INSIDE-OUT'

1.2

vyos@r12-lts:~$ sudo ip6tables -L 6INSIDE-OUT 
Chain 6INSIDE-OUT (1 references)
target     prot opt source               destination         
LOG        tcp      anywhere             anywhere             /* 6INSIDE-OUT-9025 */ tcp dpt:smtp LOG level warning prefix "[6INSIDE-OUT-9025-R] "
REJECT     tcp      anywhere             anywhere             /* 6INSIDE-OUT-9025 */ tcp dpt:smtp reject-with icmp6-port-unreachable
LOG        udp      anywhere             anywhere             /* 6INSIDE-OUT-9025 */ udp dpt:25 LOG level warning prefix "[6INSIDE-OUT-9025-R] "
REJECT     udp      anywhere             anywhere             /* 6INSIDE-OUT-9025 */ udp dpt:25 reject-with icmp6-port-unreachable
RETURN     all      anywhere             anywhere             /* 6INSIDE-OUT-10000 default-action accept */

1.3:

vyos@r4-1.3:~$ sudo ip6tables -L 6INSIDE-OUT
Chain 6INSIDE-OUT (1 references)
target     prot opt source               destination         
LOG        tcp      anywhere             anywhere             tcp dpt:smtp /* 6INSIDE-OUT-9025 */ LOG level warning prefix "[6INSIDE-OUT-9025-R] "
REJECT     tcp      anywhere             anywhere             tcp dpt:smtp /* 6INSIDE-OUT-9025 */ reject-with icmp6-port-unreachable
LOG        udp      anywhere             anywhere             udp dpt:25 /* 6INSIDE-OUT-9025 */ LOG level warning prefix "[6INSIDE-OUT-9025-R] "
REJECT     udp      anywhere             anywhere             udp dpt:25 /* 6INSIDE-OUT-9025 */ reject-with icmp6-port-unreachable
RETURN     all      anywhere             anywhere             /* 6INSIDE-OUT-10000 default-action accept */

But the template is the same:

${vyatta_bindir}/vyatta-show-firewall.pl "firewall_all" /opt/vyatta/share/xsl/show_firewall_detail.xsl
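Added example (not VyOS code and not from the reporter): a small Python parser that walks the two `ip6tables -L` captures quoted in the comment above and locates the `/* ... */` comment by its delimiters rather than by its column, so the 1.2 ordering (comment before the port match) and the 1.3 ordering (comment after it) produce the same rule structure. It also accepts the legacy-iptables `opt` column and `multiport dports` lists, which go beyond the captures and are assumptions, and the `render` layout is illustrative, not the real `show firewall` format.

```python
import re
from dataclasses import dataclass, field

# Both captures are copied from the comment above (`sudo ip6tables -L 6INSIDE-OUT`
# on VyOS 1.2 and 1.3); only the position of the /* ... */ comment differs.
IP6TABLES_12 = """\
Chain 6INSIDE-OUT (1 references)
target     prot opt source               destination
LOG        tcp      anywhere             anywhere             /* 6INSIDE-OUT-9025 */ tcp dpt:smtp LOG level warning prefix "[6INSIDE-OUT-9025-R] "
REJECT     tcp      anywhere             anywhere             /* 6INSIDE-OUT-9025 */ tcp dpt:smtp reject-with icmp6-port-unreachable
LOG        udp      anywhere             anywhere             /* 6INSIDE-OUT-9025 */ udp dpt:25 LOG level warning prefix "[6INSIDE-OUT-9025-R] "
REJECT     udp      anywhere             anywhere             /* 6INSIDE-OUT-9025 */ udp dpt:25 reject-with icmp6-port-unreachable
RETURN     all      anywhere             anywhere             /* 6INSIDE-OUT-10000 default-action accept */
"""
IP6TABLES_13 = """\
Chain 6INSIDE-OUT (1 references)
target     prot opt source               destination
LOG        tcp      anywhere             anywhere             tcp dpt:smtp /* 6INSIDE-OUT-9025 */ LOG level warning prefix "[6INSIDE-OUT-9025-R] "
REJECT     tcp      anywhere             anywhere             tcp dpt:smtp /* 6INSIDE-OUT-9025 */ reject-with icmp6-port-unreachable
LOG        udp      anywhere             anywhere             udp dpt:25 /* 6INSIDE-OUT-9025 */ LOG level warning prefix "[6INSIDE-OUT-9025-R] "
REJECT     udp      anywhere             anywhere             udp dpt:25 /* 6INSIDE-OUT-9025 */ reject-with icmp6-port-unreachable
RETURN     all      anywhere             anywhere             /* 6INSIDE-OUT-10000 default-action accept */
"""

COMMENT_RE = re.compile(r"/\*\s*(.*?)\s*\*/")
RULE_RE = re.compile(r"^(?P<chain>.+)-(?P<num>\d+)(?:\s+default-action\s+(?P<default>\S+))?$")
DPORT_RE = re.compile(r"\b(?:dpt:|dports\s+)(\S+)")   # dpt:25 or multiport dports 1,2
REJECT_WITH_RE = re.compile(r"reject-with\s+(\S+)")


@dataclass
class Rule:
    number: int
    saddr: str
    daddr: str
    tag: str = ""                    # the CHAIN-NNNN comment VyOS attaches
    action: str = ""                 # accept / drop / reject / "default-action <x>"
    protocols: set = field(default_factory=set)
    dports: set = field(default_factory=set)
    log: bool = False
    reject_with: str = ""


def parse_chain(text):
    """Parse `ip6tables -L CHAIN` / `iptables -L CHAIN` output into rules keyed
    by VyOS rule number, finding the comment by its delimiters, not its column."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Chain ", "target ")):
            continue
        tokens = line.split()
        target, prot = tokens[0], tokens[1]
        # The `opt` column is blank in the captures and `--`/`-f`/`!f` on legacy
        # iptables (assumption); addresses never start with `-` or `!`.
        idx = 3 if tokens[2][0] in "-!" else 2
        saddr, daddr = tokens[idx], tokens[idx + 1]
        rest = " ".join(tokens[idx + 2:])
        m = COMMENT_RE.search(rest)
        rm = RULE_RE.match(m.group(1)) if m else None
        if not rm:
            continue                      # not a VyOS-generated rule; nothing to credit it to
        # Everything outside the comment is match/target text, wherever the comment sat.
        matches = (rest[:m.start()] + " " + rest[m.end():]).strip()
        num = int(rm.group("num"))
        rule = rules.setdefault(num, Rule(num, saddr, daddr, tag=f"{rm.group('chain')}-{num}"))
        rule.protocols.add(prot)
        rule.dports.update(p for grp in DPORT_RE.findall(matches) for p in grp.split(","))
        if target == "LOG":
            rule.log = True               # VyOS emits a LOG rule ahead of the real one
        elif rm.group("default"):
            rule.action = "default-action " + rm.group("default")
        else:
            rule.action = target.lower()
        rw = REJECT_WITH_RE.search(matches)
        if rw:
            rule.reject_with = rw.group(1)
    return rules


def render(rules):
    """One line per rule, assembled from parsed fields so the tag and the options
    always land in the same place (illustrative layout, not VyOS's)."""
    out = []
    for num in sorted(rules):
        r = rules[num]
        parts = [f"{num:<5} {r.action:<22} {','.join(sorted(r.protocols)):<8}",
                 f"saddr {r.saddr} daddr {r.daddr} /* {r.tag} */"]
        if r.dports:
            parts.append("dports " + ",".join(sorted(r.dports)))
        if r.reject_with:
            parts.append("reject-with " + r.reject_with)
        if r.log:
            parts.append("LOG enabled")
        out.append(" ".join(parts))
    return out


def same_on_both_versions():
    """True when the 1.2 and 1.3 captures yield identical rule structures."""
    return parse_chain(IP6TABLES_12) == parse_chain(IP6TABLES_13)


if __name__ == "__main__":
    print("\n".join(render(parse_chain(IP6TABLES_13))))
    print("order-independent:", same_on_both_versions())
```

Run stand-alone it prints the 1.3 chain rendered from parsed fields and `order-independent: True`; feeding it the 1.2 capture gives the same lines, which is the property a rule display needs once the match/comment order in the underlying tool is not stable.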
erkin set Issue type to Bug (incorrect behavior). Aug 30 2021, 7:49 AM