
Show firewall group incorrect format members
Closed, Resolved | Public | BUG

Description

Incorrect output for the members
Configuration:

set firewall group address-group FOO address '203.0.113.1'
set firewall group address-group FOO address '203.0.113.3'
set firewall group address-group FOO address '203.0.113.4'
set firewall group address-group FOO address '203.0.113.5'
set firewall group address-group FOO address '203.0.113.6'
set firewall group address-group FOO address '203.0.113.7'
set firewall group address-group FOO address '203.0.113.8'
set firewall group address-group FOO address '203.0.113.9'
set firewall group address-group FOO address '203.0.113.10'
set firewall group address-group FOO address '203.0.113.11'
set firewall group address-group FOO address '203.0.113.12'
set firewall group address-group FOO address '203.0.113.13'
set firewall group address-group FOO address '203.0.113.14'
set firewall group address-group FOO address '203.0.113.15'
set firewall group address-group FOO address '203.0.113.16'
set firewall group address-group FOO address '203.0.113.17'
set firewall group address-group FOO address '203.0.113.18'
set firewall group address-group FOO address '203.0.113.19'
set firewall group address-group FOO address '203.0.113.20'
set firewall group address-group FOO address '203.0.113.99'
set firewall group address-group FOO address '203.0.113.125'
set firewall group address-group FOO address '203.0.113.255'
set firewall group address-group FOO address '203.0.113.254'
set firewall group address-group FOO address '203.0.113.0'
set firewall group address-group FOO2 address '203.0.113.3'

Show:

vyos@r11-roll:~$ show firewall group 
Firewall Groups

Name    Type           References    Members
------  -------------  ------------  ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
FOO     address_group                203.0.113.1, 203.0.113.3, 203.0.113.4, 203.0.113.5, 203.0.113.6, 203.0.113.7, 203.0.113.8, 203.0.113.9, 203.0.113.10, 203.0.113.11, 203.0.113.12, 203.0.113.13, 203.0.113.14, 203.0.113.15, 203.0.113.16, 203.0.113.17, 203.0.113.18, 203.0.113.19, 203.0.113.20, 203.0.113.99, 203.0.113.125, 203.0.113.255, 203.0.113.254, 203.0.113.0
FOO2    address_group                203.0.113.3
vyos@r11-roll:~$

Expected addresses under members

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.4-rolling-202201020317
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Cosmetic issue (typos etc.)

Event Timeline

Can you please add output from VyOS 1.3 as reference?

In 1.3 it looks like just ipset -L:

vyos@r4:~$ show firewall group 
Name       : FOO2
Type       : address
References : none
Members    :
             203.0.113.3

Name       : FOO
Type       : address
References : none
Members    :
             203.0.113.0
             203.0.113.1
             203.0.113.3
             203.0.113.4
             203.0.113.5
             203.0.113.6
             203.0.113.7
             203.0.113.8
             203.0.113.9
             203.0.113.10
             203.0.113.11
             203.0.113.12
             203.0.113.13
             203.0.113.14
             203.0.113.15
             203.0.113.16
             203.0.113.17
             203.0.113.18
             203.0.113.19
             203.0.113.20
             203.0.113.99
             203.0.113.125
             203.0.113.254
             203.0.113.255
sarthurdev changed the task status from Open to Needs testing. Jan 11 2022, 2:46 PM
sarthurdev claimed this task.
sarthurdev added a subscriber: sarthurdev.

PR: https://github.com/vyos/vyos-1x/pull/1158

@Viacheslav Not using exact ipset format, however addresses are sorted and output one per line.

Loading address group described in task and then printing, works OK.

vyos@vyos# run show firewall group 
Firewall Groups

Name    Type           References    Members
------  -------------  ------------  -------------
FOO     address_group  N/A           203.0.113.0
                                     203.0.113.1
                                     203.0.113.3
                                     203.0.113.4
                                     203.0.113.5
                                     203.0.113.6
                                     203.0.113.7
                                     203.0.113.8
                                     203.0.113.9
                                     203.0.113.10
                                     203.0.113.11
                                     203.0.113.12
                                     203.0.113.13
                                     203.0.113.14
                                     203.0.113.15
                                     203.0.113.16
                                     203.0.113.17
                                     203.0.113.18
                                     203.0.113.19
                                     203.0.113.20
                                     203.0.113.99
                                     203.0.113.125
                                     203.0.113.254
                                     203.0.113.255
FOO2    address_group  N/A           203.0.113.3

But when adding a range:

vyos@vyos# set firewall group address-group FOO address 203.0.113.222-203.0.113.225
[edit]
vyos@vyos# 
[edit]
vyos@vyos# 
[edit]
vyos@vyos# commit
[edit]     run show firewall group 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/firewall.py", line 354, in <module>
    show_firewall_group(args.name)
  File "/usr/libexec/vyos/op_mode/firewall.py", line 272, in show_firewall_group
    row.append("\n".join(sorted(group_conf['address'], key=ipaddress.ip_address)))
  File "/usr/lib/python3.9/ipaddress.py", line 53, in ip_address
    raise ValueError('%r does not appear to be an IPv4 or IPv6 address' %
ValueError: '203.0.113.222-203.0.113.225' does not appear to be an IPv4 or IPv6 address

Version: VyOS 1.4-rolling-202201180317
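
The traceback above is raised because a `start-end` range string is passed to `ipaddress.ip_address` as the sort key. The following is an added example, not the code from the VyOS PR, of a sort key that accepts both single addresses and ranges; the names `member_sort_key` and `format_members` are hypothetical and the sample list is constructed from the addresses in this task.

```python
import ipaddress


def member_sort_key(member):
    """Sort key for an address-group member: a single address or 'start-end'.

    A range sorts by its first address. Returning a tuple of integers also
    keeps IPv4 and IPv6 members comparable in one list (IPv4 first).
    """
    start, _, end = member.partition("-")
    first = ipaddress.ip_address(start.strip())
    last = ipaddress.ip_address(end.strip()) if end else first
    # Reject ranges that mix address families or run backwards, so a bad
    # entry is reported by name rather than silently mis-sorted.
    if first.version != last.version or int(last) < int(first):
        raise ValueError(f"invalid address range: {member!r}")
    return (first.version, int(first), int(last))


def format_members(members):
    """Return members sorted numerically, one per line (Members column)."""
    return "\n".join(sorted(members, key=member_sort_key))


# Constructed sample: some addresses from group FOO plus the range that
# triggered the ValueError in the traceback.
SAMPLE = [
    "203.0.113.10",
    "203.0.113.255",
    "203.0.113.222-203.0.113.225",
    "203.0.113.3",
    "203.0.113.254",
    "203.0.113.0",
]

if __name__ == "__main__":
    print(format_members(SAMPLE))
```
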

Viacheslav moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.

@sdev Thanks