Page MenuHomeVyOS Platform

Firewall does not load on boot, address-group not found, even though it exists
Open, Requires assessmentPublicBUG

Description

After upgrading to the latest rolling build of VyOS 1.4, I have encountered problem with firewall rule migration on boot. It seems that one of the firewalls (VLAN20-VLAN43) did not load successfully.

For troubleshooting purposes, I've saved the configuration (without the errored firewall), rebooted and there were no errors. I've then loaded the old config, and the following was the difference:

# compare | strip-private
[edit firewall]
+name VLAN20-VLAN43 {
+    default-action drop
+    rule 5 {
+        action accept
+        description "Allow est/rel traffic"
+        state {
+            established enable
+            related enable
+        }
+    }
+    rule 20 {
+        action accept
+        description "Allow ICMP"
+        protocol icmp
+        state {
+            new enable
+        }
+    }
+    rule 100 {
...
+    }
+    rule 101 {
...
+    }
+    rule 102 {
+        action accept
+        description "Allow HA->F1TV (SSH)"
+        destination {
+            group {
+                address-group F1TV
+            }
+            port ssh
+        }
+        protocol tcp
+        source {
+            group {
+                address-group dockerhost
+            }
+        }
+        state {
+            new enable
+        }
+    }
+}
[edit interfaces ethernet eth1 vif 43 policy]
+route F1TV
[edit policy]
+route F1TV {
+    rule 2 {
+        destination {
+            address !xxx.xxx.0.0/8
+        }
+        set {
+            table 2
+        }
+        source {
+            group {
+                address-group F1TV
+            }
+        }
+    }
+}

However on commit, there is the following error:

# commit
[ policy route F1TV rule 2 source group address-group F1TV ]
Group [F1TV] has not been defined

[[policy route F1TV]] failed
[ firewall name VLAN20-VLAN43 rule 102 destination group address-group F1TV ]
Group [F1TV] has not been defined

[[firewall name VLAN20-VLAN43]] failed
[ interfaces ethernet eth1 vif 43 policy route F1TV ]
iptables v1.8.7 (nf_tables): Chain 'F1TV' does not exist
Try `iptables -h' or 'iptables --help' for more information.

[[interfaces ethernet eth1 vif 43 policy route]] failed
Commit failed

Now, funny enough, the address-group does exist:

# show firewall group address-group F1TV | strip-private
 address xxx.xxx.3.20

Could it be the case that policy name (I'm using PBR routing) and the firewall address group cannot require unique names between each other?

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202110120218
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

@FileGo Can you replace double-quotes with single-quotes?

If I change the double-quotes to single-quotes for all the rules in that firewall, I get this (no changes detected):

# load /home/xxx/vyos.config
Loading configuration from '/home/xxx/vyos.config'

[edit]
xxx@vyos# compare
No changes between working and active configurations.
[edit]