I added a rule to dynamically add the source address to the dynamic address group through the command line.
# set firewall ipv4 name WAN_IN rule 30 action continue
# set firewall ipv4 name WAN_IN rule 30 add-address-to-group source-address timeout 1m
# set firewall ipv4 name WAN_IN rule 30 add-address-to-group source-address address-group tempGroup
# set firewall ipv4 name WAN_IN rule 30 icmp
# set firewall ipv4 name WAN_IN rule 30 packet-length 1052
The following is the content added to the configuration file:
# show
+ rule 30 {
+     action continue
+     add-address-to-group {
+         source-address {
+             address-group tempGroup
+             timeout 1m
+         }
+     }
+     icmp {
+     }
+     packet-length 1052
+ }

When I execute 'commit', the VyOS system reports the following error:
# commit
Failed to apply firewall: /run/nftables.conf:45:65-77: Error: No such
file or directory; did you mean set ‘DA_tempGroup’ in table ip
‘vyos_conntrack’? ip length {1052} counter set update ip saddr
timeout 1m @DA_tempGroup continue comment "ipv4-NAM-WAN_IN-30"
^^^^^^^^^^^^^
[[firewall]] failed
Commit failed

When I create the dynamic address group manually and then commit, everything works fine.
# set firewall group dynamic-group address-group tempGroup
# commit
My suggestion: when the user references a dynamic (or static) address group while creating a firewall rule, first check whether the address group exists. If it does not exist, tell the user to create it, or have the system create the address group for the user automatically.
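The existence check proposed above, written as a stand-alone pre-commit lint. This is an added example, not VyOS code or the poster's; it assumes the config text follows the brace-per-line layout of config.boot / `show` output, and the sample config is constructed (rule 30 references the defined group tempGroup, rule 40 references a group that was never created).

```python
# Added example, not VyOS code: lint a VyOS config so that every add-address-to-group
# reference names a dynamic address-group that is defined (sample config is constructed).

def parse_config(text):
    stack = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("+").strip()  # tolerate the `+` of a `show` diff
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            yield list(stack), None            # node opened, no statement
        elif line == "}":
            stack.pop()
        elif line:
            yield list(stack), line            # leaf statement under current path

def check_dynamic_groups(text):
    """Return [(rule path, group)] for add-address-to-group references to undefined groups."""
    defined, refs = set(), []
    for path, stmt in parse_config(text):
        if stmt is None and path[:3] == ["firewall", "group", "dynamic-group"] and len(path) == 4:
            defined.add(path[3].split()[-1])  # 'address-group NAME' node under dynamic-group
        elif stmt and stmt.startswith("address-group ") and "add-address-to-group" in path:
            rule = "/".join(path[: path.index("add-address-to-group")])
            refs.append((rule, stmt.split()[1]))
    return [(rule, g) for rule, g in refs if g not in defined]

SAMPLE = """firewall {
 group {
  dynamic-group {
   address-group tempGroup {
   }
  }
 }
 ipv4 {
  name WAN_IN {
   rule 30 {
    add-address-to-group {
     source-address {
      address-group tempGroup
     }
    }
   }
   rule 40 {
    add-address-to-group {
     source-address {
      address-group noSuchGroup
     }
    }
   }
  }
 }
}"""
```

Running `check_dynamic_groups(SAMPLE)` reports only rule 40, which is the same condition that made nftables reject the commit above, caught before the commit is attempted.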