
A hybrid of "network-group" and "address-group".
Not Applicable | Public | FEATURE REQUEST

Description

It would be very convenient to be able to create a special group in the firewall settings to which you can add both addresses and networks (a hybrid of network-group and address-group).
I was faced with the need to combine addresses, ranges, and subnets into one group, and to configure that I have to create separate rules for the "network-group" and for the "address-group".

Example: you need to allocate these IPs to the group: 10.0.30.5-10.0.30.7, 10.0.0.12, 10.0.0.222, 10.0.0.250, 10.0.1.0/30, 10.0.2.0/30, 10.0.10.0/24

Option number 1

set firewall group address-group MY_GROUP address 10.0.30.5-10.0.30.7
set firewall group address-group MY_GROUP address 10.0.0.12
set firewall group address-group MY_GROUP address 10.0.0.222
set firewall group address-group MY_GROUP address 10.0.0.250
set firewall group network-group MY_GROUP_1 network 10.0.1.0/30
set firewall group network-group MY_GROUP_1 network 10.0.2.0/30
set firewall group network-group MY_GROUP_1 network 10.0.10.0/24
A network-group and an address-group can't be combined in one source match (for this reason two rules, 10 and 20, are needed)
set firewall name TEST default-action drop
set firewall name TEST rule 10 action 'accept'
set firewall name TEST rule 10 source group address-group MY_GROUP
set firewall name TEST rule 10 description MY_GROUP-any
set firewall name TEST rule 20 action 'accept'
set firewall name TEST rule 20 source group network-group MY_GROUP_1
set firewall name TEST rule 20 description MY_GROUP_1-any

Option number 2
This is inconvenient (every host has to be specified as a /32 network)

set firewall group network-group MY_GROUP network 10.0.30.5/32
set firewall group network-group MY_GROUP network 10.0.30.6/32
set firewall group network-group MY_GROUP network 10.0.30.7/32
set firewall group network-group MY_GROUP network 10.0.0.12/32
set firewall group network-group MY_GROUP network 10.0.0.222/32
set firewall group network-group MY_GROUP network 10.0.0.250/32
set firewall group network-group MY_GROUP network 10.0.1.0/30
set firewall group network-group MY_GROUP network 10.0.2.0/30
set firewall group network-group MY_GROUP network 10.0.10.0/24

set firewall name TEST default-action drop
set firewall name TEST rule 10 action 'accept'
set firewall name TEST rule 10 source group network-group MY_GROUP
set firewall name TEST rule 10 description MY_GROUP-any

Option number 3

set firewall group "hybrid"-group MY_GROUP address 10.0.30.5-10.0.30.7
set firewall group "hybrid"-group MY_GROUP address 10.0.0.12
set firewall group "hybrid"-group MY_GROUP address 10.0.0.222
set firewall group "hybrid"-group MY_GROUP address 10.0.0.250
set firewall group "hybrid"-group MY_GROUP address 10.0.1.0/30
set firewall group "hybrid"-group MY_GROUP address 10.0.2.0/30
set firewall group "hybrid"-group MY_GROUP address 10.0.10.0/24

set firewall name TEST default-action drop
set firewall name TEST rule 10 action 'accept'
set firewall name TEST rule 10 source group "hybrid"-group MY_GROUP
set firewall name TEST rule 10 description MY_GROUP-any

The "hybrid" group allows us to configure more flexible traffic filtering rules and reduces the amount of configuration.

Possible completions:

<x.x.x.x>    IPv4 address to match
<x.x.x.x>-<x.x.x.x> IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)
<x.x.x.x/x>  IPv4 Subnet to match
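The two workarounds above are mechanical, so they can be scripted. The following is an added example (editor's code, not part of the original task or of VyOS) that takes a mixed list of hosts, ranges and subnets and emits either the Option 1 split (addresses and ranges into an address-group, subnets into a network-group named with a `_1` suffix) or the Option 2 single network-group. For Option 2 it goes one step further than the text: a range is summarised into the minimal set of CIDR prefixes with `ipaddress.summarize_address_range`, so a 1000-host range does not turn into 1000 `/32` lines. Function names and the `_1` suffix are assumptions; the sample list is constructed from the reporter's example.

```python
import ipaddress

# Constructed sample input: the reporter's mixed list of hosts, one range and three subnets.
SAMPLE_ENTRIES = [
    "10.0.30.5-10.0.30.7",
    "10.0.0.12",
    "10.0.0.222",
    "10.0.0.250",
    "10.0.1.0/30",
    "10.0.2.0/30",
    "10.0.10.0/24",
]


def _parse_range(entry):
    """Parse 'a-b' into (IPv4Address a, IPv4Address b), rejecting inverted ranges."""
    lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
    if hi < lo:
        raise ValueError(f"inverted range: {entry}")
    return lo, hi


def classify(entry):
    """Return 'range', 'network' or 'address' for one VyOS-style group entry.

    Invalid input (bad octets, a prefix with host bits set such as 10.0.1.1/30,
    an inverted range) raises ValueError rather than silently producing a
    command that the VyOS commit would reject.
    """
    if "-" in entry:
        _parse_range(entry)
        return "range"
    if "/" in entry:
        ipaddress.IPv4Network(entry, strict=True)
        return "network"
    ipaddress.IPv4Address(entry)
    return "address"


def split_groups(entries, name):
    """Option 1 (assumed naming): hosts and ranges go into address-group NAME,
    subnets into network-group NAME_1. Returns the 'set' commands in input order."""
    cmds = []
    for e in entries:
        if classify(e) == "network":
            cmds.append(f"set firewall group network-group {name}_1 network {e}")
        else:
            cmds.append(f"set firewall group address-group {name} address {e}")
    return cmds


def to_network_group(entries, name):
    """Option 2: everything into one network-group NAME.

    Hosts become /32 prefixes; ranges are summarised into the minimal CIDR cover
    (10.0.30.5-10.0.30.7 -> 10.0.30.5/32 and 10.0.30.6/31). collapse_addresses
    then drops duplicates and merges adjacent prefixes, and sorts the result.
    """
    nets = []
    for e in entries:
        kind = classify(e)
        if kind == "range":
            lo, hi = _parse_range(e)
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        elif kind == "address":
            nets.append(ipaddress.IPv4Network(e + "/32"))
        else:
            nets.append(ipaddress.IPv4Network(e))
    collapsed = ipaddress.collapse_addresses(nets)
    return [f"set firewall group network-group {name} network {n}" for n in collapsed]


if __name__ == "__main__":
    print("# Option 1")
    print("\n".join(split_groups(SAMPLE_ENTRIES, "MY_GROUP")))
    print("# Option 2")
    print("\n".join(to_network_group(SAMPLE_ENTRIES, "MY_GROUP")))
```

Either output can be pasted into `configure` as-is; the Option 2 variant still needs the matching `source group network-group MY_GROUP` rule, and the summarised prefixes are exactly equivalent to the original range, so the rule matches the same hosts.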

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Unknown Object (User) created this task. Dec 16 2021, 2:05 AM
Unknown Object (User) updated the task description.

@m.korobeinikov why not use network group with /32 host addresses ?

Unknown Object (User) added a comment. Dec 21 2021, 12:11 AM

@adestis thank you. This issue isn't critical. It's more about improving the design and the convenience for our customers.
You can use /32 to add a host, but we have to have the opportunity to add hosts without masks.
For example, if you need to create a group consisting of 1000 (or more) random hosts, it's more convenient to use a configuration without masks.

dmbaturin subscribed.

I suppose with the new firewall implementation, this is no longer relevant.

> I suppose with the new firewall implementation, this is no longer relevant.

Could you link to the part of the docs that talks about what solves this, and which version this is solved in (1.4? 1.5?)? I am still on 1.3 but would love some reading material to look forward to so I can clean up my rules a bit when I upgrade!