Support CIDR notation in firewall address-group
Closed, Invalid | Public | FEATURE REQUEST

Description

EdgeOS supports this syntax:

cpo@BR1# set firewall group address-group SSH-IN-ALLOW address
Possible completions:
  <x.x.x.x>     IPv4 address to match
  <x.x.x.x/x>   IPv4 network to match
  <x.x.x.x>-<x.x.x.x>
                IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)

Whereas VyOS 1.2.x only supports:

cpo@AC1# set firewall group address-group SSH-IN-ALLOW address
Possible completions:
   <x.x.x.x>    IPv4 address to match
   <x.x.x.x>-<x.x.x.x>
                IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)

As I'm currently running both brands it would be nice to also support the CIDR notation.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

syncer triaged this task as Wishlist priority. Jan 14 2018, 5:40 PM
syncer moved this task from Need Triage to Backlog on the VyOS 1.2 Crux board.
dmbaturin added a subscriber: dmbaturin.

It was just an error in the help. Someone probably copied it from somewhere else (e.g. the address option of firewall rules) and forgot to edit.

It was never supported; the very idea of address groups is to provide efficient lookup for the case when you have a fixed set of addresses. If you want to match networks, use a network group.

In 1.1.8:

# set firewall group address-group Foo address 192.0.2.1/24

  Error: [192.0.2.1/24] isn't valid IPv4 address
  
  Value validation failed
  Set failed
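
Added example (not part of the task thread or of VyOS itself): a small Python helper that takes an EdgeOS-style allow-list mixing addresses, ranges and CIDR entries and emits VyOS commands, sending CIDR entries to a network-group as the comment above suggests. The "-NET" group-name suffix, the function name and the sample entries are assumptions made for illustration.

```python
import ipaddress


def vyos_group_commands(name, entries):
    """Split mixed allow-list entries into address-group / network-group commands.

    Single addresses and a-b ranges stay in the address-group `name`;
    CIDR entries go to a network-group called `name`-NET (assumed naming).
    """
    cmds = []
    for raw in entries:
        entry = raw.strip()
        if "/" in entry:
            # strict=False clears host bits, so 192.0.2.1/24 becomes 192.0.2.0/24
            # instead of being rejected or silently matching only one host.
            net = ipaddress.IPv4Network(entry, strict=False)
            if net.prefixlen == 32:
                # A /32 is a single host and belongs in the address-group.
                cmds.append(f"set firewall group address-group {name} "
                            f"address {net.network_address}")
            else:
                cmds.append(f"set firewall group network-group {name}-NET "
                            f"network {net}")
        elif "-" in entry:
            lo, hi = (ipaddress.IPv4Address(p.strip())
                      for p in entry.split("-", 1))
            if lo > hi:
                raise ValueError(f"range start is after range end: {entry}")
            cmds.append(f"set firewall group address-group {name} "
                        f"address {lo}-{hi}")
        else:
            # Raises ValueError for anything that is not a valid IPv4 address.
            addr = ipaddress.IPv4Address(entry)
            cmds.append(f"set firewall group address-group {name} "
                        f"address {addr}")
    return cmds


if __name__ == "__main__":
    # Constructed sample entries (documentation address ranges).
    sample = ["192.0.2.1/24", "198.51.100.7",
              "10.0.0.1-10.0.0.200", "203.0.113.9/32"]
    for line in vyos_group_commands("SSH-IN-ALLOW", sample):
        print(line)
```

A firewall rule that referenced only the address-group will not match the entries moved into the network-group, so the rule set has to reference both groups.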