
prefix-list and prefix-list6 rules incorrectly accept a host address where prefix is required
Closed, Resolved, Public

Description

After creating a policy prefix-list and then deleting this policy, the system doesn't commit this.

delete policy prefix-list OUT
-policy {
-    prefix-list OUT {
-        rule 10 {
-            action permit
-            prefix 127.0.0.1/29
-        }
-    }
-}
vyos@vyos# commit
[ policy prefix-list OUT rule 10 ]
% Can't find specified prefix-list

delete [ policy prefix-list OUT ] failed
Commit failed
[edit]
vyos@vyos#
vyos@vyos# delete policy 
[edit]
vyos@vyos# commit
[ policy prefix-list OUT rule 10 ]
% Can't find specified prefix-list

delete [ policy prefix-list OUT ] failed
[[]] failed
Commit failed
copy failed [/opt/vyatta/config/tmp/tmp_18986/work/.unionfs][/opt/vyatta/config/tmp/new_config_18986/.unionfs]
Failed to generate committed config
[edit]
vyos@vyos#

Update
If the last octet is "1", this doesn't permit the commit.
If the last octet is "0", everything is fine.

Details

Version
VyOS 1.2-rolling-201909160118
Is it a breaking change?
Stricter validation
Issue type
Bug (incorrect behavior)

Event Timeline

sever created this object in space S1 VyOS Public.

The root cause was insufficient validation.

vyos@vyos-test-2# set policy prefix-list Foo rule 10 prefix 127.0.0.1/29
[edit]
vyos@vyos-test-2# set policy prefix-list Foo rule 10 action permit 
[edit]
vyos@vyos-test-2# commit
[ policy prefix-list Foo rule 10 ]
% Prefix-list Foo prefix changed from 127.0.0.1/29 to 127.0.0.0/29 to match length

The "ipv4net" type is "net" in name only: it doesn't check that it's actually a network rather than a host address.

NOTE: do not backport this to 1.2.x! It will prevent some configs from loading, and we don't want to break anyone's config in point releases!
dmbaturin renamed this task from Commit failed after delete prefix-list to prefix-list incorrectly accept a host address where prefix is required. Jun 25 2020, 7:02 AM
dmbaturin renamed this task from prefix-list incorrectly accept a host address where prefix is required to prefix-list and prefix-list6 rules incorrectly accept a host address where prefix is required.
dmbaturin claimed this task.
dmbaturin added a project: VyOS 1.3 Equuleus.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Stricter validation.
erkin set Issue type to Bug (incorrect behavior). Aug 31 2021, 6:47 PM
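
The task above notes that stricter validation will stop some existing configs from loading. As an added example (not VyOS code and not part of this task), the following Python sketch audits `set`-style config lines for prefix-list and prefix-list6 rules whose prefix has host bits set. The names `check_prefix` and `audit` and the sample lines are constructed for illustration, and rejecting a value with no prefix length is this example's own assumption.

```python
import ipaddress
import re

# Matches the "set" form shown on this page; quotes around the value are optional.
RULE_RE = re.compile(
    r"^set policy (prefix-list6?) (\S+) rule (\d+) prefix '?([^'\s]+)'?\s*$"
)

def check_prefix(value, family):
    """Return None if value is a true network prefix, else a reason string."""
    if "/" not in value:
        return "missing prefix length"  # assumption: a length is mandatory
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError as exc:
        return f"not a valid address/length: {exc}"
    if iface.version != family:
        return f"IPv{iface.version} value in an IPv{family} list"
    # The check the "ipv4net" type was missing: address must equal its network.
    if iface.ip != iface.network.network_address:
        return f"host bits set, network is {iface.network}"
    return None

def audit(config_lines):
    """Return (list_type, name, rule, value, reason) for each bad prefix."""
    findings = []
    for line in config_lines:
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # not a prefix-list "prefix" line
        list_type, name, rule, value = m.groups()
        family = 6 if list_type == "prefix-list6" else 4
        reason = check_prefix(value, family)
        if reason:
            findings.append((list_type, name, int(rule), value, reason))
    return findings

# Constructed sample input; only the Foo rule 10 prefix comes from this page.
SAMPLE = [
    "set policy prefix-list Foo rule 10 action permit",
    "set policy prefix-list Foo rule 10 prefix 127.0.0.1/29",
    "set policy prefix-list Foo rule 20 prefix '127.0.0.0/29'",
    "set policy prefix-list6 Bar rule 10 prefix '2001:db8::1/64'",
    "set policy prefix-list6 Bar rule 20 prefix '2001:db8::/64'",
]

if __name__ == "__main__":
    for list_type, name, rule, value, reason in audit(SAMPLE):
        print(f"{list_type} {name} rule {rule}: {value}: {reason}")
```

Running it over a saved copy of a config's `set` commands before an upgrade lists the rules that would need correcting first.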