Page MenuHomeVyOS Platform
Create Task
Maniphest T2045

Can't commit due to with the same name, but different firewall groups types
Closed, WontfixPublicBUG
Actions

Description

Here is a simple firewall group that would not let me execute a commit despite that address-group in question has been defined.

This is the config.boot :

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
...
}
address-group emby {
    address 10.0.7.10
}
...
}
port-group emby {
    port 8096
    port 8920
}

This is the error I was getting when committing :

vyos@fw01# commit
[ firewall name trust_to_server rule 710 destination group address-group emby ]
Group [emby] has not been defined

[[firewall name trust_to_server]] failed
Commit failed

This is the candidate config :

vyos@fw01# compare
[edit firewall name trust_to_server]
+rule 710 {
+    action accept
+    description "emby access"
+    destination {
+        group {
+            address-group emby
+            port-group emby
+        }
+    }
+    protocol tcp
+}

I deleted the address-group then save the config to overwrite the previous config.boot. By doing this, I got a new error message as shown below.

vyos@fw01# commit
[ firewall name trust_to_server rule 710 destination group port-group emby ]
Error: group [emby] is of type [address] not [port]

[[firewall name trust_to_server]] failed
Commit failed

I was able to commit when I renamed one of the groups. In my case, I renamed the port-group to emby_app and the system let me commit.
Now, I am not sure if I encountered two different issues here.

Details

Version
1.2.1
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects
Search...

Event Timeline

kabaga created this task.Feb 16 2020, 11:21 PM
pasik subscribed.Feb 17 2020, 8:13 AM
syncer changed the task status from Open to Needs testing.Mar 28 2020, 11:55 AM
syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
syncer subscribed.

can you try to reproduce in rolling, please?

kabaga added a comment.Mar 28 2020, 1:08 PM

Downloaded the latest rolling, the only thing I have done with the rolling was installing it on a fresh Proxmox VM. I created two firewall groups with the same name - one for address-group and the other is for port-group.

+    group {
+        address-group emby {
+            address 10.0.7.10
+        }
+        port-group emby {
+            port 8096
+            port 8920
+        }
+    }

When I tried to commit, I got the error below. However, I was able to commit and save.

vyos@vyos# commit
[ firewall group address-group emby ]
Error: type mismatch [port] [address]

When creating a firewall name, the error below is what I got. Also, I get a commit failed.

vyos@vyos# compare 
[edit firewall]
+name trust_to_server {
+    default-action drop
+    rule 100 {
+        action accept
+        destination {
+            group {
+                address-group emby
+                port-group emby
+            }
+        }
+        source {
+            address 10.0.11.0/24
+        }
+    }
+}
[edit]
vyos@vyos# commit
[ firewall name trust_to_server rule 100 destination group address-group emby ]
Group [emby] has not been defined

[[firewall name trust_to_server]] failed
Commit failed
[edit]
vyos@vyos# 
[edit]
vyos@vyos#

I discarded the candidate config; deleted the "port-group emby" and created a new "port-group emby_app". Then I recreated the same firewall rules and I got the same commit error above despite renaming the port-group. The odd part is the "address-group emby" exist.

The workaround that I find is to delete the "address-group emby" then commit and save. Recreate the "address-group emby" then commit and save. Recreate the same firewall rules with the new port-group emby_app then commit and save. The workaround let me commit the firewall rules. It seems to be related to the config.boot. I have to keep saving the changes I made; otherwise, it would fail to commit.

syncer assigned this task to Unknown Object (User).Mar 28 2020, 1:30 PM
Viacheslav subscribed.Dec 23 2020, 10:32 AM

The main problem is that you use the same name for different group types.

ipset -N emby bitmap:port --from 1 --to 65535
ipset -A emby 8096
ipset -A emby 8920

What we get

root@r5-roll:/home/vyos# ipset -L
Name: emby
Type: bitmap:port
Revision: 3
Header: range 1-65535
Size in memory: 8264
References: 0
Number of entries: 2
Members:
8096
8920

So now it trying to set IP address in the group for "Type: bitmap:port" or trying to recreate the group with type "Type: hash:ip"

# ipset -N emby hash:ip family inet
ipset v6.38: Kernel support protocol versions 6-7 while userspace supports protocol versions 6-6
Set cannot be created: set with the same name already exists

So we should prevent to use the same names for different types of groups.
The names should be unique.

Viacheslav mentioned this in T1519: Firewall get's confused when using the same network-group name for IPv4 and IPv6.Dec 30 2020, 5:16 PM
Viacheslav added a parent task: T2199: Rewrite firewall in new XML/Python style.May 27 2021, 11:05 AM
erkin set Issue type to Bug (incorrect behavior).Aug 31 2021, 5:38 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:25 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).Aug 29 2022, 7:05 AM
Viacheslav mentioned this in T4894: Using the same name for address and network group yields in ipset error.Dec 27 2022, 10:39 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:43 PM
syncer reassigned this task from Unknown Object (User) to Viacheslav.Jul 16 2023, 9:29 PM
syncer added a subscriber: Unknown Object (User).
syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:30 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.6); removed VyOS 1.3 Equuleus (1.3.5).Dec 17 2023, 11:38 PM
Viacheslav closed this task as Wontfix.Dec 19 2023, 8:32 AM

It won't fix due the old backend
Fixed in 1.4/1.5