Firewall address group (multi and nesting)
Closed, Resolved | Public | FEATURE REQUEST


As requested here

Resubmitting as a feature request.

I understand that the Ubiquiti fork does multiple address groups in a single firewall setting, and would like to be able to use that in VyOS.

Related request: can you make address groups composable from other defined address groups rather than strictly IP-based definitions? Like F = A+B and D = A+C.


Difficulty level: Hard (possibly days)
Is it a breaking change? Config syntax change (migratable)

Groups need a big overhaul, but it's probably out of the 1.2.0 scope.

With nftables, this should in principle be possible with nested variables, and the firewall groups are based on these now.

From the man page:


define variable = expr

Symbolic variables can be defined using the define statement. Variable references are expressions and can be used to initialize other variables. The scope of a definition is the current block and all blocks contained within.

Using symbolic variables.

define int_if1 = eth0
define int_if2 = eth1
define int_ifs = { $int_if1, $int_if2 }

filter input iif $int_ifs accept

Not sure if and how nftables handles potentially recursive definitions and how that would be reflected in the CLI.
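The two open points in this ticket, composing groups from other groups (F = A+B, D = A+C) and what to do about recursive definitions, can be illustrated with a small resolver. The following is an added example, not VyOS code and not part of the original ticket: it takes constructed group definitions where a member beginning with `$` references another group, flattens them, rejects reference cycles and undefined groups before anything reaches nftables, and renders `define` statements in the man-page form quoted above (dependencies first, since nft must see a variable before it is referenced). The group names and addresses are made up; whether nft accepts a set variable nested inside another set is left to `nft -c -f` to confirm on a real system.

```python
# Added example (not VyOS code): nested address groups for an nftables
# ruleset, with cycle detection. Group names and addresses are constructed.

from typing import Dict, List

# Constructed sample: leaf groups hold addresses/prefixes, composite groups
# reference other groups with a "$name" member, as in "F = A+B, D = A+C".
GROUPS: Dict[str, List[str]] = {
    "A": ["192.0.2.10", "192.0.2.11"],
    "B": ["198.51.100.0/24"],
    "C": ["203.0.113.5"],
    "F": ["$A", "$B"],
    "D": ["$A", "$C"],
}


def _refs(members: List[str]) -> List[str]:
    """Names of the groups a member list references via '$name'."""
    return [m[1:] for m in members if m.startswith("$")]


def resolve(name: str, groups: Dict[str, List[str]], _stack=None) -> List[str]:
    """Flatten a group to its concrete addresses, following $ references.

    Raises ValueError on an undefined group or a reference cycle
    (e.g. X = { $Y }, Y = { $X }); a CLI validator has to reject both
    before handing the definitions to nftables.
    """
    stack = list(_stack or [])
    if name in stack:
        raise ValueError("recursive group definition: " + " -> ".join(stack + [name]))
    if name not in groups:
        raise ValueError(f"undefined group: {name}")
    stack.append(name)
    out: List[str] = []
    for member in groups[name]:
        if member.startswith("$"):
            out.extend(resolve(member[1:], groups, stack))
        else:
            out.append(member)
    return list(dict.fromkeys(out))  # de-duplicate, keep first-seen order


def define_order(groups: Dict[str, List[str]]) -> List[str]:
    """Group names in dependency order: every referenced group comes first.

    Reuses resolve() for validation, so cycles and dangling references
    raise here as well.
    """
    for name in groups:
        resolve(name, groups)
    order: List[str] = []

    def visit(name: str) -> None:
        if name in order:
            return
        for dep in _refs(groups[name]):
            visit(dep)
        order.append(name)

    for name in groups:
        visit(name)
    return order


def emit_defines(groups: Dict[str, List[str]]) -> str:
    """Render 'define NAME = { ... }' lines in the form shown in nft(8)."""
    return "\n".join(
        f"define {n} = {{ {', '.join(groups[n])} }}" for n in define_order(groups)
    )


def emit_ruleset(groups: Dict[str, List[str]], allowed: str) -> str:
    """A minimal ruleset accepting input from one composite group."""
    defines = emit_defines(groups)
    return (
        f"{defines}\n"
        "table inet filter {\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy drop;\n"
        f"        ip saddr ${allowed} accept\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    print(emit_ruleset(GROUPS, "F"))
```

Running the module prints the `define` lines followed by a tiny `inet filter` table that accepts traffic from group F; feeding the output to `nft -c -f -` on a host with nftables is the cheapest way to find out how a given nft version treats the nested set. A cyclic input such as `{"X": ["$Y"], "Y": ["$X"]}` is refused with a message naming the loop, which is the behaviour the last comment asks about.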

