Page MenuHomeVyOS Platform
Create Task
Maniphest T5644

Firewall groups deletion can break config
Closed, ResolvedPublicBUG
Actions

Description

Firewall groups are created in firewall section, and this groups can also be used in policy, nat and conntrack ignore rules.
But when group is being used in those section, and then the group is deleted from firewall configuration, commit is accepted. Feature still works but on next reboot configuration will not be able to be load succesfully.

Simple steps to reproduce bug with NAT:

vyos@default-log# run show config comm | grep "fire\|nat"
set firewall group address-group AG address '198.51.100.5'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source group address-group 'AG'
set nat source rule 10 translation address 'masquerade'
[edit]
vyos@default-log# del firewall 
[edit]
vyos@default-log# commit
[edit]
vyos@default-log# save
[edit]
vyos@default-log#

After rebooting, NAT config breaks and is not present.

[   19.070379] vyos-router[688]: Waiting for NICs to settle down: settled in 1sec..
[   21.775587] vyos-router[688]: Mounting VyOS Config...done.
[   29.350953] vyos-router[688]: Starting VyOS router: migrate configure failed!
[   29.956104] vyos-config[701]: Configuration error

Welcome to VyOS - default-log ttyS0

default-log login:

In 1.4, such erros seems not to be present, and commit fails:

[email protected]# run show config comm | grep "fire\|nat"
set firewall group address-group AG address '198.51.100.5'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source group address-group 'AG'
set nat source rule 10 translation address 'masquerade'
[edit]
[email protected]# del firewall 
[edit]
[email protected]# commit
[ firewall ]
ConfigError('Invalid address-group "AG" on firewall rule')

delete [ firewall ] failed
Commit failed
[edit]
[email protected]#

Details

Difficulty level
Unknown (require assessment)
Version
1.5-rolling-202310110022
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Related Objects
Search...

Event Timeline

n.fort changed the task status from Open to Confirmed.Oct 11 2023, 10:20 AM
n.fort created this task.
pasik added a subscriber: pasik.Oct 11 2023, 11:41 AM
jestabro claimed this task.Oct 12 2023, 1:30 AM
jestabro mentioned this in T5660: Remove redundant calls to config dependency scripts.Oct 16 2023, 7:19 PM
jestabro added a subtask: T5660: Remove redundant calls to config dependency scripts.
jestabro mentioned this in T5662: Fix indexing error in configdep script organization.Oct 17 2023, 4:01 AM
jestabro added a subtask: T5662: Fix indexing error in configdep script organization.
jestabro added a comment.Oct 17 2023, 3:42 PM

This will be fixed by merge of PR:
https://github.com/vyos/vyos-1x/pull/2371

jestabro changed the task status from Confirmed to In progress.Oct 17 2023, 3:42 PM
jestabro changed the status of subtask T5662: Fix indexing error in configdep script organization from Open to Backport pending.Oct 17 2023, 5:18 PM
jestabro closed this task as Resolved.Oct 17 2023, 5:52 PM
jestabro closed subtask T5662: Fix indexing error in configdep script organization as Resolved.
jestabro moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.
jestabro changed the status of subtask T5660: Remove redundant calls to config dependency scripts from Open to Needs testing.Feb 29 2024, 1:09 PM
jestabro changed the status of subtask T5660: Remove redundant calls to config dependency scripts from Needs testing to Backport candidate.Thu, Apr 25, 2:49 PM
jestabro closed subtask T5660: Remove redundant calls to config dependency scripts as Resolved.Mon, Apr 29, 12:17 PM