
NFT: Zone policies fail to apply when "l2tp+" is in the interface list
Closed, Resolved | Public | BUG

Description

"l2tp+" was/is a valid interface name for l2tp connections. It makes l2tp0, l2tp1, etc. all match the zone.

This is a MAJOR issue because it has left me without a functional firewall for over a month.

The error that is displayed isn't useful at all, but manually attempting to apply it results in this error:

/run/nftables_zone.conf:45:51-51: Error: syntax error, unexpected +, expecting comma or '}'
        iifname { eth1.2,eth1.10,eth1.50,eth1,l2tp+,wg0,tun0,vtun0,eth1.146,wg3,eth1.510,eth1.509,eth1.4,tun2,eth1.508,eth1.505,eth1.504,eth1.501,eth1.42,eth1.3,eth1.8,eth1.9,eth1.11,eth1.20,eth1.21,eth1.22,eth1.51,br142 } counter jump LAN-WAN

Details

Difficulty level
Unknown (require assessment)
Version
1.4
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Security vulnerability

Event Timeline

Wildcard + should be replaced with *, according to the nft man page:

Like with iptables, wildcard matching on interface name prefixes is available for iifname and oifname matches by appending an asterisk (*) character

We have to replace it in migration scripts if it is not already done.

Viacheslav claimed this task.
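The rewrite the comment above calls for, as an added example that is not VyOS's own migration script: a trailing iptables-style "+" wildcard becomes the trailing "*" that nft(8) documents for iifname/oifname prefix matching, and a stray "+" anywhere else is rejected instead of being silently rewritten. The interface list is taken from the failing rule in the description (constructed sample data); the quoting of names in the rendered set, the helper names, and the assumption that the installed nft accepts wildcard names inside an anonymous set are this example's own choices, not anything the ticket states.

```python
# Interface-name wildcards: iptables/VyOS legacy syntax uses a trailing "+",
# nftables uses a trailing "*" (nft(8): iifname/oifname prefix matching).
LEGACY_WILDCARD = "+"
NFT_WILDCARD = "*"

# Constructed sample: the interface list from the failing zone rule on this page.
SAMPLE_INTERFACES = [
    "eth1.2", "eth1.10", "eth1.50", "eth1", "l2tp+", "wg0", "tun0",
    "vtun0", "eth1.146", "wg3", "eth1.510", "br142",
]


def to_nft_ifname(name: str) -> str:
    """Translate one iptables/VyOS interface name to nft syntax.

    Only a trailing "+" is a wildcard; a "+" anywhere else is not valid in
    either dialect, so it raises rather than producing a rule nft would reject.
    """
    if not name:
        raise ValueError("empty interface name")
    if LEGACY_WILDCARD in name[:-1]:
        raise ValueError(f"'+' is only valid as a trailing wildcard: {name!r}")
    if name.endswith(LEGACY_WILDCARD):
        return name[:-1] + NFT_WILDCARD
    return name


def migrate_interface_list(names):
    """Apply to_nft_ifname to a whole zone interface list, preserving order."""
    return [to_nft_ifname(n) for n in names]


def render_iifname_set(names, target: str) -> str:
    """Render the `iifname { ... } counter jump TARGET` fragment from the ticket.

    Names are quoted (assumption: quoting is always accepted by the nft parser,
    and it keeps "*" from being mistaken for anything else).
    """
    quoted = ", ".join(f'"{n}"' for n in migrate_interface_list(names))
    return f"iifname {{ {quoted} }} counter jump {target}"


def nft_ifname_matches(pattern: str, ifname: str) -> bool:
    """Userspace model of the nft semantics: "l2tp*" matches every interface
    whose name starts with "l2tp"; a pattern without "*" must match exactly."""
    if pattern.endswith(NFT_WILDCARD):
        return ifname.startswith(pattern[:-1])
    return ifname == pattern


if __name__ == "__main__":
    print(render_iifname_set(SAMPLE_INTERFACES, "LAN-WAN"))
    for ifname in ("l2tp0", "l2tp1", "wg0"):
        print(ifname, nft_ifname_matches("l2tp*", ifname))
```

After a migration like this has rewritten the ruleset, the check a practitioner wants is a dry run against the generated file, e.g. `nft -c -f /run/nftables_zone.conf`, which parses without committing anything; it is the quickest way to confirm that the installed nft version accepts the wildcard names inside the set before the zone policy is applied to a live router.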