
Commit failed when setting icmpv6 type any
Closed, Resolved | Public | BUG

Description

When setting the config option:

set firewall ipv6-name FWNAME rule 1 protocol ipv6-icmp
set firewall ipv6-name FWNAME rule 1 icmpv6 type any
commit

I am getting the output:

[ firewall ]
Failed to apply firewall

[[firewall]] failed
Commit failed

If I set a specific type instead of setting to any, then it appears to commit OK.

set firewall ipv6-name FWNAME rule 1 protocol ipv6-icmp
set firewall ipv6-name FWNAME rule 1 icmpv6 type packet-too-big
commit
[edit]

So just setting it to any causes this problem. Using a pretty recent current branch commit.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202201190447
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

sdev changed the task status from Open to In progress. Jan 21 2022, 12:22 PM
sdev claimed this task.

Bug related: https://phabricator.vyos.net/T4186

In that bug, I suggested corrections, but there are no migration scripts, so the PR is not merged.
That case is for icmp_v4, but the error seems to be the same.

Also, while matching parameters valid in nftables, such as echo-reply, commit fails too:

[email protected]# set firewall ipv6-name FOO-v6 rule 10 action accept 
[edit]
[email protected]# set firewall ipv6-name FOO-v6 rule 10 protocol icmp
[edit]
[email protected]# set firewall ipv6-name FOO-v6 rule 10 icmp type echo-request 
[edit]
[email protected]# commit
[ firewall ]
Failed to apply firewall

[[firewall]] failed
Commit failed
[edit]
[email protected]# cat /run/nftables.conf
#!/usr/sbin/nft -f


include "/run/nftables_defines.conf"

table ip filter {
}

table ip6 filter {
    chain FOO-v6 {
        meta l4proto  icmp icmpv6 type echo-request counter return comment "FOO-v6-10"
        return
    }
}

[edit]

It did work as expected:

[email protected]# run show config comm | grep fire
set firewall ipv6-name FOO rule 10 action 'accept'
set firewall ipv6-name FOO rule 10 icmpv6 type 'echo-request'
set firewall ipv6-name FOO rule 10 protocol 'ipv6-icmp'


[email protected]# sudo nft list chain ip6 filter FOO
table ip6 filter {
	chain FOO {
		icmpv6 type echo-request counter packets 0 bytes 0 return comment "FOO-10"
		return
	}
}

So the main confusing thing is the protocol defined, which should be ipv6-icmp. For example, in 1.3.0:

[email protected]# run show config comm | grep fire
set firewall ipv6-name FOO rule 10 action 'accept'
set firewall ipv6-name FOO rule 10 icmpv6 type 'echo-request'
set firewall ipv6-name FOO rule 10 protocol 'icmpv6'
[edit]
[email protected]# sudo nft list chain ip6 filter FOO
table ip6 filter {
	chain FOO {
		meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 return comment "FOO-10"
		counter packets 0 bytes 0 drop comment "FOO-10000 default-action drop"
	}
}
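As an added illustration (not VyOS code), the following Python reproduces the rule shape shown in the chain listings above together with the pre-check a config backend would want: an icmpv6 match under any protocol other than ipv6-icmp is rejected before nft ever sees it, and `type any` renders as a bare protocol match. The rule data, the partial type table and the function names are constructed for this example.

```python
"""Added example, not VyOS code: render a VyOS-style IPv6 firewall rule to the
nft rule shape shown in this task and pre-check the protocol / icmpv6 pairing
whose rendering made commit fail.  Rules and helper names are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed, partial ICMPv6 type table: only the types this task mentions.
ICMPV6_TYPE_NAMES = {1: "destination-unreachable", 2: "packet-too-big",
                     128: "echo-request", 129: "echo-reply"}
VERDICT = {"accept": "return", "drop": "drop"}  # accept renders as return above

@dataclass
class Rule:
    chain: str
    number: int
    action: str
    protocol: Optional[str] = None     # "ipv6-icmp", "icmp", "tcp", ...
    icmpv6_type: Optional[str] = None  # "any", a type-name, or a number as text

def validate(rule: Rule) -> Optional[str]:
    """Return why the rule cannot be rendered, or None if it is fine."""
    t = rule.icmpv6_type
    if t is None:
        return None
    # Root cause seen in /run/nftables.conf above: an icmpv6 match under
    # "protocol icmp" renders 'meta l4proto icmp icmpv6 type ...', which nft rejects.
    if rule.protocol not in (None, "ipv6-icmp"):
        return f"rule {rule.number}: icmpv6 match needs protocol ipv6-icmp, not {rule.protocol!r}"
    if t != "any" and t not in ICMPV6_TYPE_NAMES.values() and not (t.isdigit() and int(t) <= 255):
        return f"rule {rule.number}: unknown icmpv6 type {t!r}"
    return None

def render(rule: Rule) -> str:
    """Render one nft rule line; raises ValueError with validate()'s reason."""
    err = validate(rule)
    if err:
        raise ValueError(err)
    parts = []
    t = rule.icmpv6_type
    if t not in (None, "any"):
        # The icmpv6 match implies the protocol, and nft prints a numeric
        # type under its name (rule 10 in the later comment shows this).
        parts.append(f"icmpv6 type {ICMPV6_TYPE_NAMES.get(int(t), t) if t.isdigit() else t}")
    elif rule.protocol:
        # "type any" means no type match at all: only the protocol match remains.
        parts.append(f"meta l4proto {rule.protocol}")
    parts.append(f'counter {VERDICT[rule.action]} comment "{rule.chain}-{rule.number}"')
    return " ".join(parts)
```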
n.fort changed the task status from In progress to Confirmed. Jan 21 2022, 6:20 PM

So the main confusing thing is the protocol defined, which should be ipv6-icmp. For example, in 1.3.0:

Yeah I got caught with that too at first. Tried to use icmp which was giving a very similar commit error. I then noticed that ipv6-icmp was an option.
Not sure if it's possible in the config system to not allow icmp as an option for an IPv6 firewall, or make it an alias for ipv6-icmp?

@artooro, please try again using the latest version: vyos-1.4-rolling-202201230317-amd64.iso
Just tested, and for me, it's working as expected.
PR that solves this issue: https://github.com/vyos/vyos-1x/pull/1184

Please test it and provide feedback.

@n.fort I just built a fresh image and tested. The first thing I noticed is that icmpv6 now only accepts integers while previously it accepted names. I'm assuming this is a purposeful design change where users now have to set type-name instead.
The any option has been removed, which I suspect is OK as you'd simply leave it unset if you want to accept all icmp types.
Overall this should eliminate the user confusion so I think it's a good change.

@artooro It still accepts type-name.

[email protected]# set firewall ipv6-name FOO rule 99 icmpv6 
Possible completions:
   code         ICMPv6 code (0-255)
   type         ICMPv6 type (0-255)
   type-name    ICMPv6 type-name

Quick and simple example:

[email protected]# run show config comm | grep fire
set firewall ipv6-name FOO rule 10 action 'accept'
set firewall ipv6-name FOO rule 10 icmpv6 code '3'
set firewall ipv6-name FOO rule 10 icmpv6 type '1'
set firewall ipv6-name FOO rule 10 protocol 'ipv6-icmp'
set firewall ipv6-name FOO rule 20 action 'drop'
set firewall ipv6-name FOO rule 20 icmpv6 type-name 'echo-request'
set firewall ipv6-name FOO rule 20 protocol 'ipv6-icmp'

[email protected]# sudo nft list chain ip6 filter FOO
table ip6 filter {
	chain FOO {
		icmpv6 type destination-unreachable icmpv6 code addr-unreachable counter packets 0 bytes 0 return comment "FOO-10"
		icmpv6 type echo-request counter packets 0 bytes 0 drop comment "FOO-20"
		counter packets 0 bytes 0 return comment "FOO default-action accept"
	}
}

I think this task can be marked as resolved, but before doing that, anything else @artooro ? Were you able to test it?

Hey @n.fort, yes I did test it per my comment on Jan 23rd. It's fine, just different in that type used to be a name and now it's an integer with a separate option of type-name. It's fine, I was just noting the difference compared to previous versions.
Thanks for checking!

sdev moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.