A network with `/32` or `/128` mask cannot be removed from a network-group
Closed, Resolved | Public | BUG

Description

Brief info

If a network address in a group has the /32 or /128 netmask, it cannot be removed from this group.


Reproducing

  1. Add two networks to groups:
```
set firewall group network-group ng01 network 192.0.2.0/32
set firewall group ipv6-network-group ng02 network 2001:db8::/128
commit
```
  2. Check ipset status:
```
vyos@vyos# sudo ipset list
Name: ng01
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 512
References: 0
Number of entries: 1
Members:
192.0.2.0

Name: ng02
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1344
References: 0
Number of entries: 1
Members:
2001:db8::
```
  3. Try to delete items:
```
[edit]
vyos@vyos# delete firewall group network-group ng01 network 192.0.2.0/32
[edit]
vyos@vyos# delete firewall group ipv6-network-group ng02 network 2001:db8::/128
[edit]
vyos@vyos# commit
[ firewall group network-group ng01 ]
Error: member [192.0.2.0/32] does not exist in [01f21b94-df6d-4975-abeb-5dc159b]

[ firewall group ipv6-network-group ng02 ]
Error: member [2001:db8::/128] does not exist in [fe0c619d-ceda-4fcc-8765-69dd4df]
```

Possible reasons

It seems that the problem occurs because the configuration script checks for existence by text comparison, and an element inside an ipset looks different: 192.0.2.0 vs 192.0.2.0/32.


Recommended solution

I think that the optimal way to solve the problem is by adding netmasks to elements extracted from an ipset, or removing them from configured items for networks with netmasks /32 or /128, depending on what will be easier.

Details

Difficulty level: Normal (likely a few hours)
Version: 1.3.2-20221209
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Related Objects

Mentioned In
1.3.4
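
The mismatch described under "Possible reasons" and the normalization proposed under "Recommended solution", as an added example that is not VyOS code and not taken from the ticket. The function names are hypothetical, and the sample is constructed from the `ipset list` output in the report (abridged).

```python
import ipaddress

# Constructed sample: the `ipset list` output from the report, abridged.
IPSET_OUTPUT = """\
Name: ng01
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Members:
192.0.2.0

Name: ng02
Type: hash:net
Header: family inet6 hashsize 1024 maxelem 65536
Members:
2001:db8::
"""

def canonical(net):
    """Canonical CIDR text; a bare address becomes /32 (IPv4) or /128 (IPv6)."""
    return str(ipaddress.ip_network(net.strip(), strict=False))

def parse_members(output, normalize=True):
    """Map each set name to its members, optionally in canonical CIDR form."""
    sets, name, in_members = {}, None, False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            name, in_members = line.split(":", 1)[1].strip(), False
            sets[name] = set()
        elif line == "Members:":
            in_members = True
        elif not line:
            in_members = False  # a blank line ends the current set
        elif in_members and name is not None:
            sets[name].add(canonical(line) if normalize else line)
    return sets

def naive_exists(output, set_name, member):
    """Plain text comparison: misses /32 and /128 members printed without a mask."""
    return member in parse_members(output, normalize=False).get(set_name, set())

def member_exists(output, set_name, member):
    """Compare canonical networks, so 192.0.2.0 and 192.0.2.0/32 are equal."""
    return canonical(member) in parse_members(output).get(set_name, set())
```

Normalizing both sides also makes differently written but equal IPv6 prefixes (for example upper-case hex digits) compare equal.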