
A hybrid of "network-group" and "address-group".
Resolved (N/A) | Public | FEATURE REQUEST

Description

It would be very convenient to be able to create a special group in the firewall settings to which both addresses and networks can be added (a hybrid of network-group and address-group).
I was faced with the need to combine addresses, ranges, and subnets into one group, and to configure this I have to create separate rules for the "network-group" and for the "address-group".

Example: you need to allocate these IPs to the group: 10.0.30.5-10.0.30.7, 10.0.0.12, 10.0.0.222, 10.0.0.250, 10.0.1.0/30, 10.0.2.0/30, 10.0.10.0/24

Option number 1

set firewall group address-group MY_GROUP address 10.0.30.5-10.0.30.7
set firewall group address-group MY_GROUP address 10.0.0.12
set firewall group address-group MY_GROUP address 10.0.0.222
set firewall group address-group MY_GROUP address 10.0.0.250
set firewall group network-group MY_GROUP_1 network 10.0.1.0/30
set firewall group network-group MY_GROUP_1 network 10.0.2.0/30
set firewall group network-group MY_GROUP_1 network 10.0.10.0/24

A network group and an address group can't be combined as the source of a single rule (for this reason two rules, 10 and 20, have to be used):
set firewall name TEST default-action drop
set firewall name TEST rule 10 action 'accept'
set firewall name TEST rule 10 source group address-group MY_GROUP
set firewall name TEST rule 10 description MY_GROUP-any
set firewall name TEST rule 20 action 'accept'
set firewall name TEST rule 20 source group network-group MY_GROUP_1
set firewall name TEST rule 20 description MY_GROUP_1-any

Option number 2
This is inconvenient (all hosts have to be specified as /32 networks):

set firewall group network-group MY_GROUP network 10.0.30.5/32
set firewall group network-group MY_GROUP network 10.0.30.6/32
set firewall group network-group MY_GROUP network 10.0.30.7/32
set firewall group network-group MY_GROUP network 10.0.0.12/32
set firewall group network-group MY_GROUP network 10.0.0.222/32
set firewall group network-group MY_GROUP network 10.0.0.250/32
set firewall group network-group MY_GROUP network 10.0.1.0/30
set firewall group network-group MY_GROUP network 10.0.2.0/30
set firewall group network-group MY_GROUP network 10.0.10.0/24

set firewall name TEST default-action drop
set firewall name TEST rule 10 action 'accept'
set firewall name TEST rule 10 source group network-group MY_GROUP
set firewall name TEST rule 10 description MY_GROUP-any

Option number 3

set firewall group "hybrid"-group MY_GROUP address 10.0.30.5-10.0.30.7
set firewall group "hybrid"-group MY_GROUP address 10.0.0.12
set firewall group "hybrid"-group MY_GROUP address 10.0.0.222
set firewall group "hybrid"-group MY_GROUP address 10.0.0.250
set firewall group "hybrid"-group MY_GROUP address 10.0.1.0/30
set firewall group "hybrid"-group MY_GROUP address 10.0.2.0/30
set firewall group "hybrid"-group MY_GROUP address 10.0.10.0/24

set firewall name TEST default-action drop
set firewall name TEST rule 10 action 'accept'
set firewall name TEST rule 10 source group "hybrid"-group MY_GROUP
set firewall name TEST rule 10 description MY_GROUP-any

The "hybrid" group allows us to configure more flexible traffic filtering rules and reduces the amount of configuration.

Possible completions:

  <x.x.x.x>            IPv4 address to match
  <x.x.x.x>-<x.x.x.x>  IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)
  <x.x.x.x/x>          IPv4 Subnet to match
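The two workarounds shown above are mechanical: option 1 splits the list into an address-group plus a network-group and needs one rule per group, option 2 turns every entry into a network prefix. The following Python is an added example for this ticket, not VyOS project code; it generates both configurations from one mixed list with only the standard-library ipaddress module, and its matches() function answers the question a hybrid group would answer (is this source address in the set?). It assumes the group and chain names used in the request (MY_GROUP, MY_GROUP_1, TEST) and uses the request's own entries as constructed sample input.

```python
# Added example for this ticket, not VyOS project code: build both workarounds
# (two groups + two rules, or one network-group of prefixes) from a mixed list,
# and test membership the way a hybrid group would. The names MY_GROUP,
# MY_GROUP_1 and TEST are taken from the request.
import ipaddress

# Constructed sample input: the entries listed in the feature request.
MIXED_ENTRIES = ["10.0.30.5-10.0.30.7", "10.0.0.12", "10.0.0.222", "10.0.0.250",
                 "10.0.1.0/30", "10.0.2.0/30", "10.0.10.0/24"]


def parse_range(entry):
    """Split 'a-b' into two IPv4Address objects, rejecting a reversed range."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
    if hi < lo:
        raise ValueError(f"range end precedes start: {entry}")
    return lo, hi


def classify(entry):
    """Return 'range', 'network' or 'address' (the three completions proposed
    for the hybrid group); anything that does not parse raises ValueError."""
    if "-" in entry:
        parse_range(entry)
        return "range"
    if "/" in entry:
        # strict=True rejects e.g. 10.0.1.1/30, whose host bits are not zero.
        ipaddress.ip_network(entry, strict=True)
        return "network"
    ipaddress.ip_address(entry)
    return "address"


def split_groups(entries):
    """Option 1 split: hosts and ranges -> address-group, subnets -> network-group."""
    addresses = [e for e in entries if classify(e) != "network"]
    networks = [e for e in entries if classify(e) == "network"]
    return addresses, networks


def option1_config(entries, addr_group="MY_GROUP", net_group="MY_GROUP_1", chain="TEST"):
    """Option 1: two groups and, since one rule cannot take both as source, two rules."""
    addresses, networks = split_groups(entries)
    lines = [f"set firewall group address-group {addr_group} address {a}" for a in addresses]
    lines += [f"set firewall group network-group {net_group} network {n}" for n in networks]
    lines += [
        f"set firewall name {chain} default-action drop",
        f"set firewall name {chain} rule 10 action 'accept'",
        f"set firewall name {chain} rule 10 source group address-group {addr_group}",
        f"set firewall name {chain} rule 20 action 'accept'",
        f"set firewall name {chain} rule 20 source group network-group {net_group}",
    ]
    return lines


def to_networks(entries, summarize=False):
    """Option 2: every entry as IPv4Network prefixes. Hosts become /32; a range is
    expanded host by host (why a 1000-host group is unwieldy) unless summarize=True."""
    out = []
    for e in entries:
        kind = classify(e)
        if kind == "range":
            lo, hi = parse_range(e)
            if summarize:  # fewest prefixes covering the range, e.g. a /32 plus a /31
                out.extend(ipaddress.summarize_address_range(lo, hi))
            else:
                out.extend(ipaddress.ip_network(f"{ipaddress.ip_address(i)}/32")
                           for i in range(int(lo), int(hi) + 1))
        elif kind == "address":
            out.append(ipaddress.ip_network(f"{e}/32"))
        else:
            out.append(ipaddress.ip_network(e, strict=True))
    return out


def option2_config(entries, net_group="MY_GROUP", chain="TEST"):
    """Option 2: a single network-group, so a single accept rule suffices."""
    lines = [f"set firewall group network-group {net_group} network {n}"
             for n in to_networks(entries)]
    lines += [
        f"set firewall name {chain} default-action drop",
        f"set firewall name {chain} rule 10 action 'accept'",
        f"set firewall name {chain} rule 10 source group network-group {net_group}",
    ]
    return lines


def matches(entries, ip):
    """True if ip lies in any entry: the union a hybrid group (or rules 10+20) gives."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in to_networks(entries, summarize=True))
```

Printing "\n".join(option1_config(MIXED_ENTRIES)) reproduces the option 1 listing from the request; option2_config(MIXED_ENTRIES) yields the nine-prefix option 2 listing with the range expanded to three /32 hosts. The strict=True check in classify() is deliberate: an entry such as 10.0.1.1/30 would otherwise be silently normalised to 10.0.1.0/30 and admit three addresses the author may not have meant to include, so the script refuses it before anything is committed.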

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Feature (new functionality)

Event Timeline

@m.korobeinikov why not use a network group with /32 host addresses?

@adestis thank you. This issue isn't critical. It's more about improving the design and the convenience of our customers.
You can use /32 to add a host, but we have to have the option of adding hosts without masks.
For example, if you need to create a group consisting of 1000 (or more) random hosts, it's more convenient to use a configuration without masks.

dmbaturin added a subscriber: dmbaturin.

I suppose with the new firewall implementation, this is no longer relevant.