
Expansion of a range in an address-group doesn't include the new addresses after commit
Closed, Wontfix | Public | BUG

Description

If I define a range in an address-group and try to expand it later, I receive an error during the commit. The final configuration has two overlapping ranges but the "ipset" doesn't include the expanded addresses.

vyos@vyos# set fire group address-group foo add 10.1.0.2-10.1.0.3
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# set fire group address-group foo add 10.1.0.2-10.1.0.5
[edit]
vyos@vyos# commit
[ firewall group address-group foo ]
ipset v6.38: Element cannot be added to the set: it's already added
Error: call to ipset failed [256]
[edit]
vyos@vyos# show fire
 group {
     address-group foo {
         address 10.1.0.2-10.1.0.3
         address 10.1.0.2-10.1.0.5
     }
 }
[edit]
vyos@vyos# sudo ipset list foo
Name: foo
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 184
References: 0
Number of entries: 2
Members:
10.1.0.2
10.1.0.3

If I manually edit the file /config/config.boot and load it, the show command returns the right modification and "ipset" is properly updated.

vyos@vyos# head -9 /config/config.boot
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        address-group foo {
            address 10.1.0.2-10.1.0.3
        }
    }
[edit]
vyos@vyos# sudo vi /config/config.boot
[edit]
vyos@vyos# head -9 /config/config.boot
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        address-group foo {
            address 10.1.0.2-10.1.0.5
        }
    }
[edit]
vyos@vyos# load /config/config.boot
Loading configuration from '/config/config.boot'
Load complete. Use 'commit' to make changes effective.
[edit]
vyos@vyos# show fire
 firewall {
     group {
         address-group foo {
-            address 10.1.0.2-10.1.0.3
+            address 10.1.0.2-10.1.0.5
         }
     }
 }
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# sudo ipset list foo
Name: foo
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 280
References: 0
Number of entries: 4
Members:
10.1.0.2
10.1.0.4
10.1.0.5
10.1.0.3
[edit]

vyos@vyos:~$ show vers

Version: VyOS 1.3-rolling-202011240217
Release Train: equuleus

Built by: [email protected]
Built on: Tue 24 Nov 2020 02:17 UTC
Build UUID: 123b3e83-6744-4c7f-aab3-8701e8b87a25
Build Commit ID: 5df15815874f4c

Architecture: x86_64
Boot via: installed image
System type: KVM guest

Hardware vendor: QEMU
Hardware model: Standard PC (i440FX + PIIX, 1996)
Hardware S/N: Unknown
Hardware UUID: Unknown

Copyright: VyOS maintainers and contributors

Details

Difficulty level
Hard (possibly days)
Version
VyOS 1.3-rolling-202011240217
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

The same behavior happens with VyOS-1.3.0-rc1

vyos@vyos:~$ show vers

Version:          VyOS 1.3.0-rc1
Release Train:    equuleus

Built by:         Sentrium S.L.
Built on:         Wed 24 Feb 2021 05:44 UTC
Build UUID:       61e4c2f0-2ca1-45f4-9377-0181dfcaa03c
Build Commit ID:  f4be339392a75b

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:     
Hardware UUID:    c9e940e9-d3c6-4f41-82ec-9d0fec4e3e7b

Copyright:        VyOS maintainers and contributors
vyos@vyos:~$ 
vyos@vyos:~$ conf
[edit]
vyos@vyos# set fire group address-group foo add 10.1.0.2-10.1.0.3
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# set fire group address-group foo add 10.1.0.2-10.1.0.5
[edit]
vyos@vyos# commit
[ firewall group address-group foo ]
ipset v6.38: Kernel support protocol versions 6-7 while userspace supports protocol versions 6-6
Element cannot be added to the set: it's already added
Error: call to ipset failed [256]
[edit]

Same thing on

vyos@vyos:~$ show vers
Version:          VyOS 1.2.7-epa1
Release Train:    crux

Built by:         Sentrium S.L.
Built on:         Wed 24 Feb 2021 18:00 UTC
Build UUID:       5d56776c-8832-4db3-9222-caaf8c30a524
Build Commit ID:  b09b7c5e1fbeb5

and on

vyos@vyos:~$ show vers

Version:          VyOS 1.4-rolling-202102171100
Release Train:    sagitta

Built by:         [email protected]
Built on:         Wed 17 Feb 2021 11:00 UTC
Build UUID:       5dc74543-6b04-471b-80a9-5e5e4840fcd1
Build Commit ID:  a63a11b47ee2f4
Viacheslav triaged this task as Normal priority. Mar 5 2021, 4:05 PM
Viacheslav changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
Viacheslav added a subscriber: Viacheslav.

The same with ports.
It will be fixed after rewriting the firewall to python.

Viacheslav claimed this task.

Impossible to expand with the old firewall backend.
There is a warning that doesn't allow you to do it.

vyos@r1#  set fire group address-group foo add 10.1.0.2-10.1.0.3
[edit]
vyos@r1#  set fire group address-group foo add 10.1.0.2-10.1.0.5
[edit]
vyos@r1# compare 
+firewall {
+    all-ping enable
+    broadcast-ping disable
+    config-trap disable
+    group {
+        address-group foo {
+            address 10.1.0.2-10.1.0.3
+            address 10.1.0.2-10.1.0.5
+        }
+    }
+    ipv6-receive-redirects disable
+    ipv6-src-route disable
+    ip-src-route disable
+    log-martians enable
+    receive-redirects disable
+    send-redirects enable
+    source-validation disable
+    syn-cookies enable
+    twa-hazards-protection disable
+}
[edit]
vyos@r1# commit
[ firewall group address-group foo ]
Address 10.1.0.2 exists in more than one configuration enrty

[ firewall group address-group foo ]
There are duplicates inside address-group foo

[[firewall group address-group foo]] failed
Commit failed
[edit]
vyos@r1#
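The two failure modes shown on this page, the old backend's sequential `ipset add` loop dying half-way with "Element cannot be added to the set: it's already added", and the new backend refusing the commit because an address "exists in more than one configuration entry", can be modelled in a few lines. The following is an added example, not VyOS code or part of this task: it expands address-group entries the way a hash:ip set sees them, runs the duplicate check a commit-time validator needs, uses a small in-memory stand-in (`IpsetHashIp`, assumed) for the real set, and renders an `ipset restore` script that builds the group in a temporary set and swaps it in, which is the usual way to rebuild a live set without ever hitting the "already added" error. The sample entries are constructed to match the report.

```python
"""Model of how a VyOS address-group is expanded into ipset members and why
overlapping ranges break a naive 'ipset add' loop (constructed example,
not VyOS project code)."""
import ipaddress
from collections import Counter

# Constructed input matching the report: after the second 'set', the old and
# the widened range coexist in the configuration.
OVERLAPPING_GROUP = ["10.1.0.2-10.1.0.3", "10.1.0.2-10.1.0.5"]


def expand_entry(entry):
    """Expand one address-group entry (a single IPv4 address or an
    'a.b.c.d-w.x.y.z' range) into the individual hash:ip members, as strings."""
    if "-" in entry:
        lo_s, hi_s = entry.split("-", 1)
        lo = ipaddress.IPv4Address(lo_s.strip())
        hi = ipaddress.IPv4Address(hi_s.strip())
        if hi < lo:
            raise ValueError(f"range end precedes range start: {entry}")
        return [str(ipaddress.IPv4Address(int(lo) + i))
                for i in range(int(hi) - int(lo) + 1)]
    return [str(ipaddress.IPv4Address(entry.strip()))]


def find_duplicates(entries):
    """Addresses that occur in more than one entry, sorted numerically.
    This is the check a validator must run before touching the kernel set."""
    counts = Counter(addr for e in entries for addr in expand_entry(e))
    return sorted((a for a, n in counts.items() if n > 1),
                  key=ipaddress.IPv4Address)


class IpsetHashIp:
    """Minimal in-memory stand-in (assumed, not the real tool) for a hash:ip set.
    add() refuses an element that is already present, which is what ipset does
    when 'add' is called without -exist."""

    def __init__(self):
        self.members = set()

    def add(self, addr):
        if addr in self.members:
            raise RuntimeError(
                "Element cannot be added to the set: it's already added")
        self.members.add(addr)


def apply_group(entries, validate=True):
    """Populate a set from the entries with a sequential add loop.
    validate=True rejects overlapping entries up front (new-backend behaviour);
    validate=False reproduces the old backend: the loop fails part-way and the
    set is left partially filled."""
    if validate:
        dups = find_duplicates(entries)
        if dups:
            raise ValueError("There are duplicates inside address-group: "
                             + ", ".join(dups))
    ipset = IpsetHashIp()
    for e in entries:
        for addr in expand_entry(e):
            ipset.add(addr)
    return sorted(ipset.members, key=ipaddress.IPv4Address)


def render_ipset_restore(name, entries):
    """Render an 'ipset restore' script that fills a temporary set and swaps it
    over the live one atomically, so rebuilding a group never collides with
    members that are already present. Members are de-duplicated here; overlap
    between entries is reported separately by find_duplicates()."""
    tmp = f"{name}_tmp"
    members = sorted({a for e in entries for a in expand_entry(e)},
                     key=ipaddress.IPv4Address)
    header = "hash:ip family inet hashsize 1024 maxelem 65536"
    lines = [f"create {tmp} {header} -exist", f"flush {tmp}"]
    lines += [f"add {tmp} {a}" for a in members]
    lines += [f"create {name} {header} -exist", f"swap {tmp} {name}",
              f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("duplicates:", find_duplicates(OVERLAPPING_GROUP))
    print(render_ipset_restore("foo", OVERLAPPING_GROUP), end="")
```

Run stand-alone, the script lists the two addresses covered by both entries and prints a restore script that can be piped into `ipset restore`. The create/swap/destroy sequence is what a backend should emit on every commit: the live set `foo` is replaced in one step, and a half-applied set like the two-member one in the report cannot occur.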