
Firewall: can't use negated groups in firewall rules
Closed, ResolvedPublicBUG

Description

hi,

Since the firewall rewrite in 1.4 rolling, I can't use any negated groups in firewall rules with "!".

Example:

set firewall group network-group internal_net network '10.0.0.0/8'
set firewall name A-FROM-B rule 1 action 'drop'
set firewall name A-FROM-B rule 1 description 'drop traffic from non-internal networks (anti spoofing)'
set firewall name A-FROM-B rule 1 log 'enable'
set firewall name A-FROM-B rule 1 source group network-group '!internal_net'
[email protected]# commit
[ firewall ]
Invalid network-group "!internal_net" on firewall rule

[[firewall]] failed
Commit failed
[edit]

Running fine on VyOS 1.4-rolling-202109280217

[email protected]# sudo iptables -L | grep A-FROM-B
Chain A-FROM-B (1 references)
LOG        all  --  anywhere             anywhere             /* A-FROM-B-1 */ ! match-set internal_net src LOG level warning prefix "[A-FROM-B-1-D] "
DROP       all  --  anywhere             anywhere             /* A-FROM-B-1 */ ! match-set internal_net src
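The commit error above comes from validating the raw reference string, negation marker included. As an added example (not VyOS code), here is how a validator can strip the "!" before looking up the group, and what the negated rule means for a source address; the network-group data is constructed from the report, and the "N_" nftables set-name prefix is an assumption.

```python
import ipaddress
import re

# Constructed sample: the network-group from the report, as defined by
# "set firewall group network-group internal_net network '10.0.0.0/8'".
NETWORK_GROUPS = {
    "internal_net": ["10.0.0.0/8"],
}

GROUP_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_group_ref(ref):
    """Split a group reference such as '!internal_net' into (negated, name).

    A leading '!' marks negation and must be stripped before the name is
    checked against the configured groups; validating the raw string is
    exactly what produces the 'Invalid network-group' commit error."""
    negated = ref.startswith("!")
    name = ref[1:] if negated else ref
    if not GROUP_NAME_RE.match(name) or name not in NETWORK_GROUPS:
        raise ValueError(f'Invalid network-group "{ref}" on firewall rule')
    return negated, name


def render_iptables_match(ref, direction="src"):
    """iptables/ipset form, as shown in the report's iptables -L output."""
    negated, name = parse_group_ref(ref)
    return f"{'! ' if negated else ''}match-set {name} {direction}"


def render_nft_match(ref, direction="src"):
    """nftables form; the 'N_' set-name prefix is an assumption here."""
    negated, name = parse_group_ref(ref)
    field = "saddr" if direction == "src" else "daddr"
    return f"ip {field} {'!= ' if negated else ''}@N_{name}"


def rule_matches(src_ip, ref):
    """True if a packet from src_ip is selected by the (negated) group
    match, i.e. would hit the anti-spoofing drop rule."""
    negated, name = parse_group_ref(ref)
    addr = ipaddress.ip_address(src_ip)
    in_group = any(addr in ipaddress.ip_network(net)
                   for net in NETWORK_GROUPS[name])
    return in_group != negated


if __name__ == "__main__":
    print(render_iptables_match("!internal_net"))  # ! match-set internal_net src
    print(rule_matches("192.0.2.1", "!internal_net"))  # True: non-internal, dropped
```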

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202201270317
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

sdev changed the task status from Open to Confirmed. Jan 28 2022, 5:02 PM
sdev claimed this task.
sdev changed the task status from Confirmed to In progress. Jan 29 2022, 10:34 PM

Tested my previous code in the latest rolling, looking good so far.
No errors on committing.

Rules in nft are okay as well.