Page MenuHomeVyOS Platform
Create Task
Maniphest T171

Unable to delete a firewall fule
Closed, ResolvedPublicBUG
Actions

Description

When deleting a rule from a ruleset, get errors that the ruleset is still in use. Delete logic is pooched.
Version: VyOS 999.201609170235

vyos@vyos# compare
[edit firewall ipv6-name wan_in-6]
-rule 1 {
-    action accept
-    state {
-        established enable
-        related enable
-    }
-}
-rule 2 {
-    action drop
-    log enable
-    state {
-        invalid enable
-    }
-}
[edit firewall ipv6-name wan_local-6]
-rule 1 {
-    action accept
-    state {
-        established enable
-        related enable
-    }
-}
-rule 2 {
-    action drop
-    log enable
-    state {
-        invalid enable
-    }
-}
[edit firewall name wan_in-4]
-rule 1 {
-    action accept
-    state {
-        established enable
-        related enable
-    }
-}
-rule 2 {
-    action drop
-    log enable
-    state {
-        invalid enable
-    }
-}
[edit firewall name wan_local-4]
-rule 1 {
-    action accept
-    state {
-        established enable
-        related enable
-    }
-}
-rule 2 {
-    action drop
-    log enable
-    state {
-        invalid enable
-    }
-}
[edit]
vyos@vyos# commit
[ firewall ipv6-name wan_in-6 ]
Firewall configuration error: Cannot delete rule set "wan_in-6" (still in use)



[[firewall ipv6-name wan_in-6]] failed
[ firewall name wan_local-4 ]
Firewall configuration error: Cannot delete rule set "wan_local-4" (still in use)



[[firewall name wan_local-4]] failed
[ firewall name wan_in-4 ]
Firewall configuration error: Cannot delete rule set "wan_in-4" (still in use)



[[firewall name wan_in-4]] failed
[ firewall ipv6-name wan_local-6 ]
Firewall configuration error: Cannot delete rule set "wan_local-6" (still in use)



[[firewall ipv6-name wan_local-6]] failed
Commit failed

Details

Difficulty level
Easy (less than an hour)
Version
999.201609170235
Why the issue appeared?
Will be filled on close

Revisions and Commits

Restricted Diffusion Commit
Restricted Diffusion Commit
Restricted Diffusion Commit

Related Objects

Event Timeline

mrjester created this task.Oct 9 2016, 1:31 PM
murmaider added a subscriber: murmaider.Oct 10 2016, 6:31 AM

Are those firwall names not still assigned to the interfaces?

If so, remove them from the interfaces first,. then remove the firewall names.

mrjester added a comment.Oct 10 2016, 12:03 PM

Not removing the ruleset. Just a couple of rules.

mtz4718 added a subscriber: mtz4718.Oct 12 2016, 12:24 AM

are you using interface based firewall or zone based?

if you remove a rule-set's assignment can you then remove individual rules without problem?

mrjester added a comment.Oct 12 2016, 1:32 AM

If I delete the ruleset from the interface and then commit, the rules will delete.

mtz4718 added a comment.Oct 12 2016, 1:43 AM

So i'm assuming interface assigned firewall.

I question if this is really a problem as it's best practice to configure a rule fully before applying it to an interface. Your thoughts on that approach?

mrjester added a comment.EditedOct 12 2016, 1:57 AM

This is a regression and has always been possible. Always, meaning back around Vyatta 4.x at minimum.

You most certainly should be able to add/remove rules from a ruleset that is applied to an interface. Rules are not static for the life of a install.

m.cremers added a subscriber: m.cremers.Jun 17 2017, 12:05 PM

I'm currently running into the same issue, I'm trying to automate to configuration of a firewall so what I do is that I in one go remove a entire firewall ruleset and then set the ruleset with new rules. In the end when running 'show | compare' the ruleset isn't actually being removed but rather being updated. Simply removing a single firewall rule from a ruleset has the same issue.

syncer triaged this task as Normal priority.Aug 1 2017, 5:11 AM
syncer changed the edit policy from "Task Author" to "Custom Policy".
syncer added subscribers: Maintainers, Community, Active contributors.

Can someone retry on latest nightlies?
If this reproducible, we may start collection info on issue,
defining fix and moving this to backlog

syncer added a project: VyOS 1.2 Crux.Aug 1 2017, 5:20 AM
mrjester removed a subscriber: mrjester.Aug 29 2017, 11:14 PM
Unknown Object (User) added a subscriber: Unknown Object (User).Sep 6 2017, 1:45 PM

Tried on → 999.201706052137

vyos@-fw00# comp                                                                                                                                                                                                                  
[edit firewall name U_TO_LOCAL]                                                                                                                                                                                                   
-rule 100 {                                                                                                                                                                                                                       
-    action accept                                                                                                                                                                                                                
-    destination {                                                                                                                                                                                                                
-        address 192.168.17.1                                                                                                                                                                                                     
-        port 47000-47050                                                                                                                                                                                                         
-    }                                                                                                                                                                                                                            
-    protocol udp                                                                                                                                                                                                                 
-}                                                                                                                                                                                                                                
[edit]                                                                                                                                                                                                                            
vyos@-fw00# commit                                                                                                                                                                                                                
[ firewall name U_TO_LOCAL ]                                                                                                                                                                                                      
Firewall configuration error: Cannot delete rule set "U_TO_LOCAL" (still in use)                                                                                                                                                  
                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                  
[[firewall name U_TO_LOCAL]] failed                                                                                                                                                                                               
Commit failed                                                                                                                                                                                                                     
[edit]                                                                                                                                                                                                                            
vyos@-fw00#

I am using the zone based firewall.

BeryJu added a subscriber: BeryJu.Oct 29 2017, 2:19 PM
syncer reassigned this task from syncer to dmbaturin.Nov 3 2017, 12:54 PM
syncer added a subscriber: syncer.
aibanez added a subscriber: aibanez.Feb 15 2018, 1:34 PM

Hi, on 999.201801111542 can still be reproduced:

# delete firewall name WAN-INBOUND rule 5
[edit]
# compare
[edit firewall name WAN-INBOUND]
-rule 5 {
-    action accept
-    destination {
-        group {
-            network-group PUBLIC
-        }
-    }
-    source {
-        group {
-            address-group PROBES
-        }
-    }
-}
[edit]
# commit
[ firewall name WAN-INBOUND ]
Firewall configuration error: Cannot delete rule set "WAN-INBOUND" (still in use)



[[firewall name WAN-INBOUND]] failed
Commit failed

If you need to collect more info on the issue, just tell me.

Thanks!!

mickvav added a subscriber: mickvav.Feb 16 2018, 9:27 AM

Can you attach output of

iptables-save

here?

aibanez added a comment.Feb 16 2018, 11:23 AM

Sure!

$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Fri Feb 16 12:02:44 2018
*nat
:PREROUTING ACCEPT [455:68437]
:INPUT ACCEPT [453:68365]
:OUTPUT ACCEPT [28690:1721678]
:POSTROUTING ACCEPT [28690:1721678]
:VYATTA_PRE_DNAT_HOOK - [0:0]
:VYATTA_PRE_SNAT_HOOK - [0:0]
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-A PREROUTING -s X.X.128.0/19 -d X.X.169.254/32 -i eth3 -p tcp -m tcp --dport 80 -m comment --comment DST-NAT-5 -j DNAT --to-destination X.X.128.183
-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
-A POSTROUTING -s X.X.128.0/19 ! -d X.X.128.0/19 -o eth1 -m comment --comment SRC-NAT-50 -j MASQUERADE
-A VYATTA_PRE_DNAT_HOOK -j RETURN
-A VYATTA_PRE_SNAT_HOOK -j RETURN
COMMIT
# Completed on Fri Feb 16 12:02:44 2018
# Generated by iptables-save v1.4.21 on Fri Feb 16 12:02:44 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LAN-INBOUND - [0:0]
:LOCAL - [0:0]
:LOCAL-SYNC - [0:0]
:LOCAL_NAS - [0:0]
:NAS - [0:0]
:VYATTA_FW_IN_HOOK - [0:0]
:VYATTA_FW_LOCAL_HOOK - [0:0]
:VYATTA_FW_OUT_HOOK - [0:0]
:VYATTA_POST_FW_FWD_HOOK - [0:0]
:VYATTA_POST_FW_IN_HOOK - [0:0]
:VYATTA_POST_FW_OUT_HOOK - [0:0]
:VYATTA_PRE_FW_FWD_HOOK - [0:0]
:VYATTA_PRE_FW_IN_HOOK - [0:0]
:VYATTA_PRE_FW_OUT_HOOK - [0:0]
:VYATTA_STATE_POLICY_FWD_HOOK - [0:0]
:VYATTA_STATE_POLICY_IN_HOOK - [0:0]
:VYATTA_STATE_POLICY_OUT_HOOK - [0:0]
:WAN-INBOUND - [0:0]
-A INPUT -j VYATTA_PRE_FW_IN_HOOK
-A INPUT -j VYATTA_FW_LOCAL_HOOK
-A INPUT -j VYATTA_POST_FW_IN_HOOK
-A FORWARD -j VYATTA_PRE_FW_FWD_HOOK
-A FORWARD -j VYATTA_FW_IN_HOOK
-A FORWARD -j VYATTA_FW_OUT_HOOK
-A FORWARD -j VYATTA_POST_FW_FWD_HOOK
-A OUTPUT -j VYATTA_PRE_FW_OUT_HOOK
-A OUTPUT -j VYATTA_POST_FW_OUT_HOOK
-A LAN-INBOUND -m comment --comment LAN-INBOUND-1 -m set ! --match-set PUBLIC src -j DROP
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-1015 -m set --match-set PUBLIC src -m tcp --dport 67 -m set --match-set DHCP-SERVERS dst -j RETURN
-A LAN-INBOUND -p udp -m comment --comment LAN-INBOUND-1015 -m set --match-set PUBLIC src -m udp --dport 67 -m set --match-set DHCP-SERVERS dst -j RETURN
-A LAN-INBOUND -d X.X.136.198/32 -p tcp -m comment --comment LAN-INBOUND-1020 -m set --match-set NAGIOS_PROBES src -m tcp --dport 5667 -j RETURN
-A LAN-INBOUND -m comment --comment LAN-INBOUND-1030 -m set --match-set F5-NLB src -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-1200 -m set --match-set PUBLIC src -m iprange --dst-range X.X.131.16-X.X.131.17 -m tcp --dport 88 -j RETURN
-A LAN-INBOUND -p udp -m comment --comment LAN-INBOUND-1200 -m set --match-set PUBLIC src -m iprange --dst-range X.X.131.16-X.X.131.17 -m udp --dport 88 -j RETURN
-A LAN-INBOUND -m comment --comment LAN-INBOUND-1201 -m set --match-set PUBLIC src -m iprange --dst-range X.X.131.253-X.X.131.254 -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-1220 -m set --match-set DT_SMTP_BLOCKED src -m tcp --dport 25 -j DROP
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2000 -m tcp --dport 22 -m set --match-set G-22-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2001 -m tcp --dport 3389 -m set --match-set G-3389-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2002 -m tcp --dport 80 -m set --match-set G-80-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2003 -m tcp --dport 443 -m set --match-set G-443-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2004 -m tcp --dport 53 -m set --match-set G-53-TCP dst -j RETURN
-A LAN-INBOUND -p udp -m comment --comment LAN-INBOUND-2005 -m udp --dport 53 -m set --match-set G-53-UDP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2006 -m tcp --dport 25 -m set --match-set G-25-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2007 -m tcp --dport 143 -m set --match-set G-143-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2008 -m tcp --dport 110 -m set --match-set G-110-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2009 -m tcp --dport 1433 -m set --match-set G-1433-TCP dst -j RETURN
-A LAN-INBOUND -p udp -m comment --comment LAN-INBOUND-2010 -m udp --dport 1433 -m set --match-set G-1433-UDP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2011 -m tcp --dport 3306 -m set --match-set G-3306-TCP dst -j RETURN
-A LAN-INBOUND -p udp -m comment --comment LAN-INBOUND-2012 -m udp --dport 3306 -m set --match-set G-3306-UDP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2013 -m tcp --dport 20 -m set --match-set G-20-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2014 -m tcp --dport 21 -m set --match-set G-21-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2015 -m tcp --dport 465 -m set --match-set G-465-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2016 -m tcp --dport 587 -m set --match-set G-587-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2017 -m tcp --dport 993 -m set --match-set G-993-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2018 -m tcp --dport 995 -m set --match-set G-995-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2019 -m tcp --dport 8080 -m set --match-set G-8080-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2020 -m tcp --dport 8443 -m set --match-set G-8443-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2021 -m tcp --dport 10000 -m set --match-set G-10000-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2022 -m tcp --dport 8447 -m set --match-set G-8447-TCP dst -j RETURN
-A LAN-INBOUND -m comment --comment LAN-INBOUND-2040 -m set --match-set G-ALL_OPEN dst -j RETURN
-A LAN-INBOUND -p icmp -m comment --comment LAN-INBOUND-2050 -m set --match-set G-ICMP dst -j RETURN
-A LAN-INBOUND -m comment --comment LAN-INBOUND-2060 -m set --match-set DT_BLOCKED src -j DROP
-A LAN-INBOUND -m comment --comment LAN-INBOUND-8000 -m set --match-set PUBLIC src -m set ! --match-set PUBLIC dst -j RETURN
-A LAN-INBOUND -m comment --comment "LAN-INBOUND-10000 default-action drop" -j DROP
-A LOCAL -d X.X.254.1/32 -p icmp -m comment --comment LOCAL-2 -m set --match-set PUBLIC src -j RETURN
-A LOCAL -d X.X.254.1/32 -p tcp -m comment --comment LOCAL-3 -m set --match-set PUBLIC src -m tcp --dport 53 -j RETURN
-A LOCAL -d X.X.254.1/32 -p udp -m comment --comment LOCAL-3 -m set --match-set PUBLIC src -m udp --dport 53 -j RETURN
-A LOCAL -s X.X.137.28/30 -d X.X.137.28/30 -m comment --comment LOCAL-4 -j RETURN
-A LOCAL -m comment --comment LOCAL-10 -m set --match-set LAN_ADDRESSES src -m set --match-set LAN_ADDRESSES dst -j RETURN
-A LOCAL -m comment --comment LOCAL-12 -m set --match-set F5-NLB src -j RETURN
-A LOCAL -m comment --comment "LOCAL-10000 default-action drop" -j DROP
-A LOCAL-SYNC -s X.X.137.28/30 -d X.X.137.28/30 -m comment --comment LOCAL-SYNC-10 -j RETURN
-A LOCAL-SYNC -m comment --comment "LOCAL-SYNC-10000 default-action drop" -j DROP
-A LOCAL_NAS -m comment --comment "LOCAL_NAS-10000 default-action drop" -j DROP
-A NAS -m comment --comment "NAS-10000 default-action drop" -j DROP
-A VYATTA_FW_IN_HOOK -i eth1 -j WAN-INBOUND
-A VYATTA_FW_IN_HOOK -i eth3 -j LAN-INBOUND
-A VYATTA_FW_LOCAL_HOOK -i eth2 -j LOCAL-SYNC
-A VYATTA_FW_LOCAL_HOOK -i eth3 -j LOCAL
-A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
-A VYATTA_POST_FW_IN_HOOK -j ACCEPT
-A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
-A VYATTA_PRE_FW_FWD_HOOK -j VYATTA_STATE_POLICY_FWD_HOOK
-A VYATTA_PRE_FW_FWD_HOOK -j RETURN
-A VYATTA_PRE_FW_IN_HOOK -j VYATTA_STATE_POLICY_IN_HOOK
-A VYATTA_PRE_FW_IN_HOOK -j RETURN
-A VYATTA_PRE_FW_OUT_HOOK -j VYATTA_STATE_POLICY_OUT_HOOK
-A VYATTA_PRE_FW_OUT_HOOK -j RETURN
-A VYATTA_STATE_POLICY_FWD_HOOK -m state --state INVALID -j DROP
-A VYATTA_STATE_POLICY_FWD_HOOK -m state --state ESTABLISHED -j VYATTA_POST_FW_FWD_HOOK
-A VYATTA_STATE_POLICY_FWD_HOOK -m state --state RELATED -j VYATTA_POST_FW_FWD_HOOK
-A VYATTA_STATE_POLICY_FWD_HOOK -j RETURN
-A VYATTA_STATE_POLICY_IN_HOOK -m state --state INVALID -j DROP
-A VYATTA_STATE_POLICY_IN_HOOK -m state --state ESTABLISHED -j VYATTA_POST_FW_IN_HOOK
-A VYATTA_STATE_POLICY_IN_HOOK -m state --state RELATED -j VYATTA_POST_FW_IN_HOOK
-A VYATTA_STATE_POLICY_IN_HOOK -j RETURN
-A VYATTA_STATE_POLICY_OUT_HOOK -m state --state INVALID -j DROP
-A VYATTA_STATE_POLICY_OUT_HOOK -m state --state ESTABLISHED -j VYATTA_POST_FW_OUT_HOOK
-A VYATTA_STATE_POLICY_OUT_HOOK -m state --state RELATED -j VYATTA_POST_FW_OUT_HOOK
-A VYATTA_STATE_POLICY_OUT_HOOK -j RETURN
-A WAN-INBOUND -m comment --comment WAN-INBOUND-1 -m set --match-set REDES_PUESTOS src -m set --match-set PUBLIC dst -j RETURN
-A WAN-INBOUND -m comment --comment WAN-INBOUND-5 -m set --match-set PROBES src -m set --match-set PUBLIC dst -j RETURN
-A WAN-INBOUND -s X.X.0.1/32 -d X.X.10.100/32 -p tcp -m comment --comment WAN-INBOUND-25 -m tcp --dport 443 -j RETURN
-A WAN-INBOUND -s X.X.136.198/32 -p icmp -m comment --comment WAN-INBOUND-100 -m set --match-set NAGIOS_PROBES dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2000 -m tcp --dport 22 -m set --match-set G-22-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2001 -m tcp --dport 3389 -m set --match-set G-3389-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2002 -m tcp --dport 80 -m set --match-set G-80-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2003 -m tcp --dport 443 -m set --match-set G-443-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2004 -m tcp --dport 53 -m set --match-set G-53-TCP dst -j RETURN
-A WAN-INBOUND -p udp -m comment --comment WAN-INBOUND-2005 -m udp --dport 53 -m set --match-set G-53-UDP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2006 -m tcp --dport 25 -m set --match-set G-25-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2007 -m tcp --dport 143 -m set --match-set G-143-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2008 -m tcp --dport 110 -m set --match-set G-110-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2009 -m tcp --dport 1433 -m set --match-set G-1433-TCP dst -j RETURN
-A WAN-INBOUND -p udp -m comment --comment WAN-INBOUND-2010 -m udp --dport 1433 -m set --match-set G-1433-UDP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2011 -m tcp --dport 3306 -m set --match-set G-3306-TCP dst -j RETURN
-A WAN-INBOUND -p udp -m comment --comment WAN-INBOUND-2012 -m udp --dport 3306 -m set --match-set G-3306-UDP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2013 -m tcp --dport 20 -m set --match-set G-20-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2014 -m tcp --dport 21 -m set --match-set G-21-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2015 -m tcp --dport 465 -m set --match-set G-465-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2016 -m tcp --dport 587 -m set --match-set G-587-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2017 -m tcp --dport 993 -m set --match-set G-993-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2018 -m tcp --dport 995 -m set --match-set G-995-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2019 -m tcp --dport 8080 -m set --match-set G-8080-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2020 -m tcp --dport 8443 -m set --match-set G-8443-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2021 -m tcp --dport 10000 -m set --match-set G-10000-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2022 -m tcp --dport 8447 -m set --match-set G-8447-TCP dst -j RETURN
-A WAN-INBOUND -m comment --comment WAN-INBOUND-2040 -m set --match-set G-ALL_OPEN dst -j RETURN
-A WAN-INBOUND -p icmp -m comment --comment WAN-INBOUND-2050 -m set --match-set G-ICMP dst -j RETURN
-A WAN-INBOUND -m comment --comment "WAN-INBOUND-10000 default-action drop" -j DROP
COMMIT
# Completed on Fri Feb 16 12:02:44 2018
# Generated by iptables-save v1.4.21 on Fri Feb 16 12:02:44 2018
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FW_CONNTRACK - [0:0]
:FW_STATE_POLICY_CONNTRACK - [0:0]
:NAT_CONNTRACK - [0:0]
:VYATTA_CT_HELPER - [0:0]
:VYATTA_CT_IGNORE - [0:0]
:VYATTA_CT_OUTPUT_HOOK - [0:0]
:VYATTA_CT_PREROUTING_HOOK - [0:0]
:VYATTA_CT_TIMEOUT - [0:0]
-A PREROUTING -j VYATTA_CT_IGNORE
-A PREROUTING -j VYATTA_CT_HELPER
-A PREROUTING -j VYATTA_CT_TIMEOUT
-A PREROUTING -j VYATTA_CT_PREROUTING_HOOK
-A PREROUTING -j NAT_CONNTRACK
-A PREROUTING -j FW_CONNTRACK
-A PREROUTING -j FW_STATE_POLICY_CONNTRACK
-A PREROUTING -j NOTRACK
-A OUTPUT -j VYATTA_CT_IGNORE
-A OUTPUT -j VYATTA_CT_HELPER
-A OUTPUT -j VYATTA_CT_TIMEOUT
-A OUTPUT -j VYATTA_CT_OUTPUT_HOOK
-A OUTPUT -j NAT_CONNTRACK
-A OUTPUT -j FW_CONNTRACK
-A OUTPUT -j FW_STATE_POLICY_CONNTRACK
-A OUTPUT -j NOTRACK
-A FW_CONNTRACK -j RETURN
-A FW_STATE_POLICY_CONNTRACK -j ACCEPT
-A NAT_CONNTRACK -j ACCEPT
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1536 -j CT --helper tns
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1525 -j CT --helper tns
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1521 -j CT --helper tns
-A VYATTA_CT_HELPER -p udp -m udp --dport 111 -j CT --helper rpc
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 111 -j CT --helper rpc
-A VYATTA_CT_HELPER -j RETURN
-A VYATTA_CT_IGNORE -j RETURN
-A VYATTA_CT_OUTPUT_HOOK -j RETURN
-A VYATTA_CT_PREROUTING_HOOK -j RETURN
-A VYATTA_CT_TIMEOUT -j RETURN
COMMIT
# Completed on Fri Feb 16 12:02:44 2018

Thanks!!

mtudosoiu added a subscriber: mtudosoiu.Feb 18 2018, 11:28 AM
mtudosoiu added a comment.Feb 19 2018, 11:31 AM

I created this patch for this issue https://github.com/vyos/vyatta-cfg-firewall/pull/6

mtudosoiu added a comment.Feb 19 2018, 12:49 PM

The use case this patch solve is the following:
-we have a firewall with multiple rules set
-the firewall is mapped to an interface
-we want to remove one/or multiple rules from the rule chain (this is not possible using current VyOs version as long as the filter is mapped to an interface)

With this patch the firewall rules can be deleted anytime in realtime.
The code still prevent deleting the firewall rule chain as long as it is mapped to an interface.

dmbaturin added a commit: Restricted Diffusion Commit.Feb 23 2018, 12:00 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux.Oct 13 2018, 10:09 AM
syncer changed the subtype of this task from "Task" to "Bug".Oct 18 2018, 5:52 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc5); removed VyOS 1.2 Crux (VyOS 1.2.0-rc4).Oct 24 2018, 4:40 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc6); removed VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 29 2018, 6:16 PM
pasik added a subscriber: pasik.Nov 4 2018, 11:25 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc7); removed VyOS 1.2 Crux (VyOS 1.2.0-rc6).Nov 6 2018, 12:57 AM
dmbaturin closed this task as Resolved.Nov 11 2018, 10:26 AM

I cannot reproduce it in rc6, either with zone-policy or without. I guess the pull request fixed it.

dmbaturin renamed this task from Unable to Delete Rule to Unable to delete a firewall fule.Nov 11 2018, 10:26 AM
dmbaturin set Why the issue appeared? to Will be filled on close.
syncer added a project: VyOS-1.2.0-GA.Nov 11 2018, 5:06 PM
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc7) board.
c-po reopened this task as Open by committing Restricted Diffusion Commit.Feb 8 2019, 6:27 PM
c-po added a commit: Restricted Diffusion Commit.
c-po added a subscriber: c-po.Feb 8 2019, 6:36 PM

Handled in/with T484, hopefully

c-po changed the task status from Open to Needs testing.Feb 8 2019, 6:36 PM
c-po changed the task status from Needs testing to Open by committing Restricted Diffusion Commit.Mar 17 2019, 3:23 PM
c-po added a commit: Restricted Diffusion Commit.
c-po closed this task as Resolved.Mar 17 2019, 3:37 PM
c-po claimed this task.
c-po added a subscriber: dmbaturin.