
Firewall - Error messages not that clear as it were in old firewall
Needs testing · Requires assessment · Public · BUG

Description

In the new firewall implementation, most errors don't expose what is wrong.
Here are some examples comparing the behavior of the new implementation and the 1.3 version:

##### Error while deleting firewall that is in use:
# 1.3 version
vyos@vyos# set firewall name FOO default-action accept
[edit]
vyos@vyos# set firewall name FOO description "FOO Ruleset"
[edit]
vyos@vyos# set int eth eth0 firewall in name FOO
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# del fire
[edit]
vyos@vyos# commit
[ firewall name FOO ]
Firewall configuration error: Cannot delete rule set "FOO" (still in use)
delete [ firewall name FOO ] failed
delete [ firewall ] failed
Commit failed

# 1.4 Version ->
vyos@vyos# set firewall name FOO default-action accept
[edit]
vyos@vyos# set firewall name FOO description "FOO Ruleset"
[edit]
vyos@vyos# set int eth eth0 firewall in name FOO
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# del fire
[edit]
vyos@vyos# commit
[ firewall ]
Failed to apply firewall

delete [ firewall ] failed
Commit failed



##### Error when setting invalid IPv4 range
# 1.3 version
vyos@vyos# set firewall group address-group FOO address 203.0.113.10-203.0.113.5 
  Error: [203.0.113.10-203.0.113.5] is not a valid IPv4 address range
  
  Value validation failed
  Set failed

# 1.4 version
vyos@vyos# set firewall group address-group FOO address 203.0.113.10-203.0.113.5 
  
  Invalid value
  Value validation failed
  Set failed



##### Error when setting invalid IPv4 address
# 1.3 version
vyos@vyos# set firewall group address-group FOO address 203.0.113.288

  Error: [203.0.113.288] isn't valid IPv4 address    
  
  Value validation failed
  Set failed

# 1.4 version
yos@vyos# set firewall group address-group FOO address 203.0.113.288

  Invalid value
  Value validation failed
  Set failed



##### Error when setting invalid port
# 1.3 version
vyos@vyos# set firewall group port-group FOO port 70123

  Error: [70123] is not a valid port
  
  Value validation failed
  Set failed

# 1.4 version -> no error while setting the command, and commit succeeds
vyos@vyos# set firewall group port-group FOO port 70123
[edit]
vyos@vyos# commit



##### Error when setting invalid port range
# 1.3 version
vyos@vyos# set firewall group port-group FOO port 55-20

  Error: [55-20] is not a valid port range
  
  Value validation failed
  Set failed

# 1.4 version -> no error while setting the command, and commit fails
vyos@vyos# set firewall group port-group FOO port 55.20
[edit]
vyos@vyos# commit
[ firewall ]
Failed to apply firewall

[[firewall]] failed
Commit failed

There are more examples, but I think with these it's clear what is missing.
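For comparison, the kind of per-value validation the 1.3 messages above imply, written as an added standalone example (not VyOS code): each validator returns None on success or a 1.3-style error string naming the offending value, and the port checks treat only numeric 1-65535 as valid (an assumption, since port-group entries in VyOS may also accept service names).

```python
import ipaddress
import re
from typing import Optional


def validate_ipv4(value: str) -> Optional[str]:
    """Single address, e.g. rejects the out-of-range octet in 203.0.113.288."""
    try:
        ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return f"Error: [{value}] isn't valid IPv4 address"
    return None


def validate_ipv4_range(value: str) -> Optional[str]:
    """Range 'a-b' where both ends are valid addresses and a <= b."""
    err = f"Error: [{value}] is not a valid IPv4 address range"
    parts = value.split("-")
    if len(parts) != 2:
        return err
    try:
        lo, hi = (ipaddress.IPv4Address(p) for p in parts)
    except ipaddress.AddressValueError:
        return err
    # 203.0.113.10-203.0.113.5 is well-formed but reversed, so it is rejected.
    return None if lo <= hi else err


def validate_port(value: str) -> Optional[str]:
    """Numeric port 1-65535 (assumption); 70123 is silently accepted by 1.4."""
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        return f"Error: [{value}] is not a valid port"
    return None


def validate_port_range(value: str) -> Optional[str]:
    """Range 'lo-hi' with both ports valid and lo < hi; '55.20' and '55-20' fail."""
    err = f"Error: [{value}] is not a valid port range"
    m = re.fullmatch(r"(\d+)-(\d+)", value)
    if m is None:
        return err
    lo, hi = int(m.group(1)), int(m.group(2))
    if not (1 <= lo <= 65535 and 1 <= hi <= 65535) or lo >= hi:
        return err
    return None
```

Rejecting the value at set time, with the value echoed in the message, is what keeps an operator from committing a port-group entry that nftables will never match as intended.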

Details

Difficulty level: Unknown (require assessment)
Version: vyos-1.4-rolling-202201060842
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Improvement (missing useful functionality)