
Address-group commits with duplicate, but fails when adding rule later.
On hold, Low, Public, BUG

Description

VyOS 1.1.8
When creating an address-group and adding a range and a single ip that is also in that range, it will commit with warning but then not allow rules referencing the address-group to be committed.

vyos@vyos# commit
[ firewall name ETH0_IN rule 20 source group address-group WOWDCS-ADMIN-IPs ]
Group [WOWDCS-ADMIN-IPs] has not been defined

[[firewall name ETH0_IN]] failed
[ firewall name VYOSFW rule 10 source group address-group WOWDCS-ADMIN-IPs ]
Group [WOWDCS-ADMIN-IPs] has not been defined

[[firewall name VYOSFW]] failed
Commit failed
[

Details

Difficulty level
Unknown (require assessment)
Version
1.1.8
Why the issue appeared?
Will be filled on close

Event Timeline

jwhipple created this task. Jun 13 2018, 5:14 PM
syncer triaged this task as Low priority. Jun 30 2018, 12:34 AM
syncer added a subscriber: syncer.

Can you check behavior on 1.2?
Thanks

syncer changed the task status from Open to On hold. Oct 13 2018, 9:10 AM
syncer edited projects, added VyOS 1.2 Crux; removed VyOS 1.1.x.

@jwhipple can you confirm that issue exists on 1.2?

This behavior is observed in v1.2-rolling+201810011457.


pasik added a subscriber: pasik. Nov 4 2018, 11:24 AM

The range feature is quite problematic since IPset doesn't really support ranges, and "ipset -A foo 192.0.2.10-192.0.2.20" really adds 20 addresses to the group "foo". Thus, if you add a range and then add a single address to that range, and then delete that address (or the range), your IPset setup ends up in an inconsistent state where that address is supposed to be there according to the VyOS config, but actually isn't.

The only way to get around it would be to re-create ranges when something is deleted, but do we really want it? For now, disallowing it seems like a sensible solution.
I'm moving the task to 1.3.0 for the time being, this is a design issue we may want to address in the firewall scripts rewrite.
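The inconsistency described in the comment above, modelled as an added example (not VyOS or ipset code): ranges are expanded to one member per address, an incremental delete of the overlapping single entry silently drops an address the config still covers, and two defender-side options are shown, rejecting overlapping entries at commit time and reconciling the set against the full config. Addresses are constructed sample values.

```python
import ipaddress

def expand_range(entry):
    """Expand 'a-b' or a single IPv4 address to the member set ipset ends up with."""
    if "-" in entry:
        lo, hi = (int(ipaddress.IPv4Address(x)) for x in entry.split("-"))
        return {str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)}
    return {entry}

def desired_members(group_entries):
    """Union of every config entry: what the ipset *should* contain."""
    members = set()
    for entry in group_entries:
        members |= expand_range(entry)
    return members

def overlapping_entries(group_entries):
    """Entries whose expanded addresses collide with another entry (the case to disallow)."""
    owner, hits = {}, set()
    for entry in group_entries:
        for addr in expand_range(entry):
            if addr in owner and owner[addr] != entry:
                hits.update({owner[addr], entry})
            owner.setdefault(addr, entry)
    return sorted(hits)

def naive_delete(ipset, entry):
    """Incremental delete: remove just that entry's addresses, ignoring other entries."""
    return ipset - expand_range(entry)

def reconcile(ipset, group_entries):
    """Rebuild from config: return the target set plus the adds/dels needed to reach it."""
    want = desired_members(group_entries)
    return want, want - ipset, ipset - want

def demo():
    # Constructed group: a range plus a single address inside it, then the single is deleted.
    cfg = ["192.0.2.10-192.0.2.20", "192.0.2.15"]
    overlaps = overlapping_entries(cfg)
    ipset = desired_members(cfg)
    cfg.remove("192.0.2.15")
    after_naive = naive_delete(ipset, "192.0.2.15")
    missing = desired_members(cfg) - after_naive      # config says present, ipset says gone
    fixed, adds, _ = reconcile(after_naive, cfg)
    return overlaps, sorted(missing), sorted(adds), fixed == desired_members(cfg)

if __name__ == "__main__":
    print(demo())
```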