Page MenuHomeVyOS Platform
Create Task
Maniphest T3513

Attempting to remove firewall rule results in error
Resolved (N/A)PublicBUG
Actions

Description

I am running VyOS in a Zone Based Firewall (ZBF) configuration and have a number of rulesets that have only a default action. For example WAN-LAN default action is drop etc. I have set the system-wide state setting to allow related, established connections and drop invalid ones so that I do not have to declare firewall individual rules for each firewall ruleset. From time to time, I create a rule in order to enable logging as I troubleshoot a particular routing/connection issue. The issue is that when I try to delete the rule, VyOS throws an error and says that the firewall ruleset is still in use.

Firewall ruleset example with no rules (with system-wide state policy allow established, related and deny invalid enabled)

vyos@VyosOverseas# show firewall state-policy 
 established {
     action accept
 }
 invalid {
     action drop
 }
 related {
     action accept
 }
name WAN-LAN {
    default-action drop
    enable-default-log
}

The router functions perfectly and I received no errors when I created and assigned the rulesets with no rule created.

I then created a rule for one of the rulesets in a Trusted VPN zone

name UTAH-LAN {
    default-action accept
    rule 10 {
        action accept
        log enable
    }
}

However, I no longer want the rule as it does nothing that the default action doesn't do. I merely created the rule in order to enable logging as I was having a connectivity issue. When I got to delete the rule, I get the following:

vyos@VyosOverseas# delete firewall name UTAH-LAN rule 10
[edit]
vyos@VyosOverseas# commit
[ firewall name UTAH-LAN ]
Firewall configuration error: Cannot delete rule set "UTAH-LAN" (still in use)



[[firewall name UTAH-LAN]] failed
Commit failed
[edit]

Again, before I created this rule, the firewall worked just fine with the default action only declared. I don't understand why I cannot revert to the previous ruleset declaration when VyOS accepted that declaration before with no problem. I had a good exchange of thoughts on this situation with Soucy on Reddit and he recommended I submit this as a bug to be fixed. My complete configuration, if needed, is attached.

Thanks!

config.txt35 KBDownload

Details

Difficulty level
Unknown (require assessment)
Version
1.3 RC4
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Related Objects
Search...

Event Timeline

ngoehring created this task.May 3 2021, 7:05 PM
ngoehring added a comment.May 3 2021, 7:07 PM

Forgot to include the version info

vyos@VyosOverseas:~$ show version

Version:          VyOS 1.3.0-rc4
Release Train:    equuleus

Built by:         Sentrium S.L.
Built on:         Mon 19 Apr 2021 08:28 UTC
Build UUID:       8d9996d2-511e-4dea-be4f-cd4515c404f3
Build Commit ID:  2aac286ccfe594

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  Netgate
Hardware model:   SG-5100
Hardware S/N:     NG201812003513
Hardware UUID:    03000200-0400-0500-0006-000700080009

Copyright:        VyOS maintainers and contributors
pasik added a subscriber: pasik.May 4 2021, 9:29 AM
Viacheslav added a parent task: T2199: Rewrite firewall in new XML/Python style.May 4 2021, 2:04 PM
dmbaturin added a project: test.Jul 29 2021, 9:02 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0-epa1); removed test, VyOS 1.3 Equuleus.Sep 5 2021, 7:06 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus (1.3.0-epa1).Nov 1 2021, 10:09 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).Aug 29 2022, 7:04 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:39 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:29 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.6); removed VyOS 1.3 Equuleus (1.3.5).Dec 17 2023, 11:37 PM
dmbaturin closed this task as Resolved N/A.Jan 9 2024, 8:56 PM
dmbaturin added a subscriber: dmbaturin.

Should be a non-issue with the new firewall implementation.