Page MenuHomeVyOS Platform

Attempting to remove firewall rule results in error
Not ApplicablePublicBUG

Description

I am running VyOS in a Zone Based Firewall (ZBF) configuration and have a number of rulesets that have only a default action. For example WAN-LAN default action is drop etc. I have set the system-wide state setting to allow related, established connections and drop invalid ones so that I do not have to declare firewall individual rules for each firewall ruleset. From time to time, I create a rule in order to enable logging as I troubleshoot a particular routing/connection issue. The issue is that when I try to delete the rule, VyOS throws an error and says that the firewall ruleset is still in use.

Firewall ruleset example with no rules (with system-wide state policy allow established, related and deny invalid enabled)

vyos@VyosOverseas# show firewall state-policy 
 established {
     action accept
 }
 invalid {
     action drop
 }
 related {
     action accept
 }
name WAN-LAN {
    default-action drop
    enable-default-log
}

The router functions perfectly and I received no errors when I created and assigned the rulesets with no rule created.

I then created a rule for one of the rulesets in a Trusted VPN zone

name UTAH-LAN {
    default-action accept
    rule 10 {
        action accept
        log enable
    }
}

However, I no longer want the rule as it does nothing that the default action doesn't do. I merely created the rule in order to enable logging as I was having a connectivity issue. When I got to delete the rule, I get the following:

vyos@VyosOverseas# delete firewall name UTAH-LAN rule 10
[edit]
vyos@VyosOverseas# commit
[ firewall name UTAH-LAN ]
Firewall configuration error: Cannot delete rule set "UTAH-LAN" (still in use)



[[firewall name UTAH-LAN]] failed
Commit failed
[edit]

Again, before I created this rule, the firewall worked just fine with the default action only declared. I don't understand why I cannot revert to the previous ruleset declaration when VyOS accepted that declaration before with no problem. I had a good exchange of thoughts on this situation with Soucy on Reddit and he recommended I submit this as a bug to be fixed. My complete configuration, if needed, is attached.

Thanks!

Details

Version
1.3 RC4
Is it a breaking change?
Unspecified (possibly destroys the router)

Related Objects

Event Timeline

Forgot to include the version info

vyos@VyosOverseas:~$ show version

Version:          VyOS 1.3.0-rc4
Release Train:    equuleus

Built by:         Sentrium S.L.
Built on:         Mon 19 Apr 2021 08:28 UTC
Build UUID:       8d9996d2-511e-4dea-be4f-cd4515c404f3
Build Commit ID:  2aac286ccfe594

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  Netgate
Hardware model:   SG-5100
Hardware S/N:     NG201812003513
Hardware UUID:    03000200-0400-0500-0006-000700080009

Copyright:        VyOS maintainers and contributors
dmbaturin subscribed.

Should be a non-issue with the new firewall implementation.