
Firewall - Error in rules that matches everything except something
Needs testing, Requires assessment · Public · BUG

Description

Tested on VyOS 1.4-rolling-202201100317, and also on previous 1.4-2022 versions

It's not possible to add rules that contain the "matches everything except" pattern.

None of these works (they were all tested separately, on a fresh install):

set firewall name FOO rule 10 protocol !gre
set firewall name FOO rule 10 source address !198.51.100.1
set firewall name FOO rule 10 source port !22

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202201100317
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

sdev changed the task status from Open to In progress. Tue, Jan 11, 11:25 PM
sdev claimed this task.

I can see the fix, but now trying to invert the selection on tcp flags doesn't work

vyos@vyos# run show config comm | grep fire
set firewall name FOO rule 10 action 'accept'
set firewall name FOO rule 10 protocol 'tcp'
set firewall name FOO rule 10 tcp flags 'syn'
set firewall name FOO rule 40 action 'accept'
set firewall name FOO rule 40 protocol '!gre'
[edit]
vyos@vyos# set firewall name FOO rule 10 tcp flags !syn
[edit]
vyos@vyos# commit
[ firewall ]
Failed to apply firewall

[[firewall]] failed
Commit failed
[edit]
vyos@vyos# set firewall name FOO rule 10 tcp flags 
Possible completions:
   <text>       Multiple comma-separated flags
   syn          Syncronise flag
   ack          Acknowledge flag
   fin          Finish flag
   rst          Reset flag
   urg          Urgent flag
   psh          Push flag
                
 When specifying more than one flag, flags should be comma-separated.
 For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with
 the SYN flag set, and the ACK, FIN and RST flags unset
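The help text above defines the match semantics for a flag list such as 'SYN,!ACK,!FIN,!RST'. The following is an added example (not VyOS code) that parses such a value, including the single-negation case '!syn' that fails to commit in the comment above, and evaluates it against a packet's TCP flag byte; the nftables-style expression it emits is a hand-written equivalent, not VyOS's own rendering, and is assumed here to be accepted by nft.

```python
# Added example: VyOS-style "tcp flags" values -> set/unset bitmasks -> packet match.
# Standard TCP flag bit positions (RFC 793 header byte), lowest bit first.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}


def parse_tcp_flags(spec):
    """Return (must_be_set, must_be_unset) bitmasks for 'SYN,!ACK,!FIN,!RST'."""
    must_set = must_unset = 0
    for token in spec.split(","):
        token = token.strip().lower()
        negate = token.startswith("!")
        name = token[1:] if negate else token
        if name not in TCP_FLAG_BITS:
            raise ValueError(f"unknown tcp flag: {token!r}")
        bit = TCP_FLAG_BITS[name]
        if bit & (must_set | must_unset):
            raise ValueError(f"flag {name!r} listed twice")
        if negate:
            must_unset |= bit
        else:
            must_set |= bit
    if not (must_set | must_unset):
        raise ValueError("empty flag list")
    return must_set, must_unset


def flags_match(spec, packet_flags):
    """True if packet_flags has every listed flag set and every !flag unset.
    Flags not mentioned in spec (e.g. PSH) are ignored, as the help text implies."""
    must_set, must_unset = parse_tcp_flags(spec)
    mask = must_set | must_unset
    return packet_flags & mask == must_set


def to_nft_expr(spec):
    """Hand-written nftables-style equivalent (assumption, not VyOS's renderer):
    'SYN,!ACK' -> 'tcp flags & (syn|ack) == syn'; '!syn' -> 'tcp flags & (syn) == 0x0'."""
    must_set, must_unset = parse_tcp_flags(spec)
    mask = must_set | must_unset
    names = "|".join(n for n, b in TCP_FLAG_BITS.items() if b & mask)
    wanted = "|".join(n for n, b in TCP_FLAG_BITS.items() if b & must_set) or "0x0"
    return f"tcp flags & ({names}) == {wanted}"


if __name__ == "__main__":
    spec = "SYN,!ACK,!FIN,!RST"
    print(to_nft_expr(spec), flags_match(spec, 0x02), flags_match(spec, 0x12))
```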