After upgrading to the latest rolling build of VyOS 1.4, I have encountered problem with firewall rule migration on boot. It seems that one of the firewalls (VLAN20-VLAN43) did not load successfully.
For troubleshooting purposes, I've saved the configuration (without the errored firewall), rebooted and there were no errors. I've then loaded the old config, and the following was the difference:
# compare | strip-private
[edit firewall]
+name VLAN20-VLAN43 {
+ default-action drop
+ rule 5 {
+ action accept
+ description "Allow est/rel traffic"
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 20 {
+ action accept
+ description "Allow ICMP"
+ protocol icmp
+ state {
+ new enable
+ }
+ }
+ rule 100 {
...
+ }
+ rule 101 {
...
+ }
+ rule 102 {
+ action accept
+ description "Allow HA->F1TV (SSH)"
+ destination {
+ group {
+ address-group F1TV
+ }
+ port ssh
+ }
+ protocol tcp
+ source {
+ group {
+ address-group dockerhost
+ }
+ }
+ state {
+ new enable
+ }
+ }
+}
[edit interfaces ethernet eth1 vif 43 policy]
+route F1TV
[edit policy]
+route F1TV {
+ rule 2 {
+ destination {
+ address !xxx.xxx.0.0/8
+ }
+ set {
+ table 2
+ }
+ source {
+ group {
+ address-group F1TV
+ }
+ }
+ }
+}However on commit, there is the following error:
# commit [ policy route F1TV rule 2 source group address-group F1TV ] Group [F1TV] has not been defined [[policy route F1TV]] failed [ firewall name VLAN20-VLAN43 rule 102 destination group address-group F1TV ] Group [F1TV] has not been defined [[firewall name VLAN20-VLAN43]] failed [ interfaces ethernet eth1 vif 43 policy route F1TV ] iptables v1.8.7 (nf_tables): Chain 'F1TV' does not exist Try `iptables -h' or 'iptables --help' for more information. [[interfaces ethernet eth1 vif 43 policy route]] failed Commit failed
Now, funny enough, the address-group does exist:
# show firewall group address-group F1TV | strip-private address xxx.xxx.3.20
Could it be the case that policy name (I'm using PBR routing) and the firewall address group cannot require unique names between each other?