Page MenuHomeVyOS Platform
Create Task
Maniphest T4130

Firewall state policy errors chain
Closed, ResolvedPublicBUG
Actions

Description

To reproduce:

set firewall state-policy established action accept
set firewall state-policy related action accept
set firewall state-policy invalid action drop

Commit:

vyos@r11-roll# commit
[ firewall ]
VyOS had an issue completing a command.

Report time:      2022-01-03 19:38:02
Image version:    VyOS 1.4-rolling-202201020317
Release train:    sagitta

Built by:         autobuild@vyos.net
Built on:         Sun 02 Jan 2022 03:17 UTC
Build UUID:       4ede964a-6099-4799-b36e-a22a6b9a1914
Build commit ID:  e933c7e50fd4f0

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:     
Hardware UUID:    8e21d64e-e498-475c-9866-290cd53a3b86

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/firewall.py", line 315, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/firewall.py", line 301, in apply
    cmd(f'nft insert rule ip filter {chain} jump VYOS_STATE_POLICY')
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 161, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: nft insert rule ip filter INPUT jump VYOS_STATE_POLICY
returned: 
exit code: 1

noteworthy:
cmd 'nft insert rule ip filter INPUT jump VYOS_STATE_POLICY'
returned (out):

returned (err):
Error: No such file or directory; did you mean chain ‘OUTPUT’ in table ip ‘raw’?
insert rule ip filter INPUT jump VYOS_STATE_POLICY
                      ^^^^^

[[firewall]] failed
Commit failed

Details

Version
VyOS 1.4-rolling-202201020317
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Related Objects

Event Timeline

Viacheslav created this task.Jan 3 2022, 5:41 PM
Viacheslav renamed this task from Firewall state policy erros chain to Firewall state policy errors chain.Jan 3 2022, 5:56 PM
c-po assigned this task to sarthurdev.Jan 3 2022, 6:13 PM
c-po subscribed.Jan 3 2022, 7:00 PM

Comparing the old iptables firewall it will look like this:

After Reboot

iptables-save

cpo@LR2.wue3:~$ sudo iptables-save
# Generated by xtables-save v1.8.2 on Mon Jan  3 19:58:38 2022
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VYATTA_CT_IGNORE - [0:0]
:VYATTA_CT_TIMEOUT - [0:0]
:VYATTA_CT_HELPER - [0:0]
:VYATTA_CT_PREROUTING_HOOK - [0:0]
:VYATTA_CT_OUTPUT_HOOK - [0:0]
-A PREROUTING -j VYATTA_CT_IGNORE
-A PREROUTING -j VYATTA_CT_TIMEOUT
-A PREROUTING -j VYATTA_CT_PREROUTING_HOOK
-A PREROUTING -j NOTRACK
-A OUTPUT -j VYATTA_CT_IGNORE
-A OUTPUT -j VYATTA_CT_TIMEOUT
-A OUTPUT -j VYATTA_CT_OUTPUT_HOOK
-A OUTPUT -j NOTRACK
-A VYATTA_CT_IGNORE -j RETURN
-A VYATTA_CT_TIMEOUT -j RETURN
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1536 -j CT --helper tns
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1525 -j CT --helper tns
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1521 -j CT --helper tns
-A VYATTA_CT_HELPER -p udp -m udp --dport 111 -j CT --helper rpc
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 111 -j CT --helper rpc
-A VYATTA_CT_HELPER -j RETURN
-A VYATTA_CT_PREROUTING_HOOK -j RETURN
-A VYATTA_CT_OUTPUT_HOOK -j RETURN
COMMIT
# Completed on Mon Jan  3 19:58:38 2022
# Generated by xtables-save v1.8.2 on Mon Jan  3 19:58:38 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VYATTA_PRE_FW_IN_HOOK - [0:0]
:VYATTA_PRE_FW_FWD_HOOK - [0:0]
:VYATTA_PRE_FW_OUT_HOOK - [0:0]
:VYATTA_POST_FW_IN_HOOK - [0:0]
:VYATTA_POST_FW_FWD_HOOK - [0:0]
:VYATTA_POST_FW_OUT_HOOK - [0:0]
-A INPUT -j VYATTA_PRE_FW_IN_HOOK
-A INPUT -j VYATTA_POST_FW_IN_HOOK
-A FORWARD -j VYATTA_PRE_FW_FWD_HOOK
-A FORWARD -j VYATTA_POST_FW_FWD_HOOK
-A OUTPUT -j VYATTA_PRE_FW_OUT_HOOK
-A OUTPUT -j VYATTA_POST_FW_OUT_HOOK
-A VYATTA_PRE_FW_IN_HOOK -j RETURN
-A VYATTA_PRE_FW_FWD_HOOK -j RETURN
-A VYATTA_PRE_FW_OUT_HOOK -j RETURN
-A VYATTA_POST_FW_IN_HOOK -j ACCEPT
-A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
-A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
COMMIT
# Completed on Mon Jan  3 19:58:38 2022
# Generated by xtables-save v1.8.2 on Mon Jan  3 19:58:38 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VYATTA_PRE_DNAT_HOOK - [0:0]
:VYATTA_PRE_SNAT_HOOK - [0:0]
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
-A VYATTA_PRE_DNAT_HOOK -j RETURN
-A VYATTA_PRE_SNAT_HOOK -j RETURN
COMMIT
# Completed on Mon Jan  3 19:58:38 2022

iptables-restore-translate

cpo@LR2.wue3:~$ sudo iptables-save > /tmp/iptables ; iptables-restore-translate --file /tmp/iptables
# Translated by iptables-restore-translate v1.8.2 on Mon Jan  3 19:58:24 2022
add table ip raw
add chain ip raw PREROUTING { type filter hook prerouting priority -300; policy accept; }
add chain ip raw OUTPUT { type filter hook output priority -300; policy accept; }
add chain ip raw VYATTA_CT_IGNORE
add chain ip raw VYATTA_CT_TIMEOUT
add chain ip raw VYATTA_CT_HELPER
add chain ip raw VYATTA_CT_PREROUTING_HOOK
add chain ip raw VYATTA_CT_OUTPUT_HOOK
add rule ip raw PREROUTING counter jump VYATTA_CT_IGNORE
add rule ip raw PREROUTING counter jump VYATTA_CT_TIMEOUT
add rule ip raw PREROUTING counter jump VYATTA_CT_PREROUTING_HOOK
# -t raw -A PREROUTING -j NOTRACK
add rule ip raw OUTPUT counter jump VYATTA_CT_IGNORE
add rule ip raw OUTPUT counter jump VYATTA_CT_TIMEOUT
add rule ip raw OUTPUT counter jump VYATTA_CT_OUTPUT_HOOK
# -t raw -A OUTPUT -j NOTRACK
add rule ip raw VYATTA_CT_IGNORE counter return
add rule ip raw VYATTA_CT_TIMEOUT counter return
# -t raw -A VYATTA_CT_HELPER -p tcp -m tcp --dport 1536 -j CT --helper tns
# -t raw -A VYATTA_CT_HELPER -p tcp -m tcp --dport 1525 -j CT --helper tns
# -t raw -A VYATTA_CT_HELPER -p tcp -m tcp --dport 1521 -j CT --helper tns
# -t raw -A VYATTA_CT_HELPER -p udp -m udp --dport 111 -j CT --helper rpc
# -t raw -A VYATTA_CT_HELPER -p tcp -m tcp --dport 111 -j CT --helper rpc
add rule ip raw VYATTA_CT_HELPER counter return
add rule ip raw VYATTA_CT_PREROUTING_HOOK counter return
add rule ip raw VYATTA_CT_OUTPUT_HOOK counter return
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add chain ip filter VYATTA_PRE_FW_IN_HOOK
add chain ip filter VYATTA_PRE_FW_FWD_HOOK
add chain ip filter VYATTA_PRE_FW_OUT_HOOK
add chain ip filter VYATTA_POST_FW_IN_HOOK
add chain ip filter VYATTA_POST_FW_FWD_HOOK
add chain ip filter VYATTA_POST_FW_OUT_HOOK
add rule ip filter INPUT counter jump VYATTA_PRE_FW_IN_HOOK
add rule ip filter INPUT counter jump VYATTA_POST_FW_IN_HOOK
add rule ip filter FORWARD counter jump VYATTA_PRE_FW_FWD_HOOK
add rule ip filter FORWARD counter jump VYATTA_POST_FW_FWD_HOOK
add rule ip filter OUTPUT counter jump VYATTA_PRE_FW_OUT_HOOK
add rule ip filter OUTPUT counter jump VYATTA_POST_FW_OUT_HOOK
add rule ip filter VYATTA_PRE_FW_IN_HOOK counter return
add rule ip filter VYATTA_PRE_FW_FWD_HOOK counter return
add rule ip filter VYATTA_PRE_FW_OUT_HOOK counter return
add rule ip filter VYATTA_POST_FW_IN_HOOK counter accept
add rule ip filter VYATTA_POST_FW_FWD_HOOK counter accept
add rule ip filter VYATTA_POST_FW_OUT_HOOK counter accept
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
add chain ip nat INPUT { type nat hook input priority 100; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
add chain ip nat VYATTA_PRE_DNAT_HOOK
add chain ip nat VYATTA_PRE_SNAT_HOOK
add rule ip nat PREROUTING counter jump VYATTA_PRE_DNAT_HOOK
add rule ip nat POSTROUTING counter jump VYATTA_PRE_SNAT_HOOK
add rule ip nat VYATTA_PRE_DNAT_HOOK counter return
add rule ip nat VYATTA_PRE_SNAT_HOOK counter return
# Completed on Mon Jan  3 19:58:24 2022

After state-policy commands

iptables-save

cpo@LR2.wue3:~$ sudo iptables-save
# Generated by xtables-save v1.8.2 on Mon Jan  3 19:59:34 2022
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VYATTA_CT_IGNORE - [0:0]
:VYATTA_CT_TIMEOUT - [0:0]
:VYATTA_CT_HELPER - [0:0]
:VYATTA_CT_PREROUTING_HOOK - [0:0]
:VYATTA_CT_OUTPUT_HOOK - [0:0]
:FW_STATE_POLICY_CONNTRACK - [0:0]
-A PREROUTING -j VYATTA_CT_IGNORE
-A PREROUTING -j VYATTA_CT_TIMEOUT
-A PREROUTING -j VYATTA_CT_PREROUTING_HOOK
-A PREROUTING -j FW_STATE_POLICY_CONNTRACK
-A PREROUTING -j NOTRACK
-A OUTPUT -j VYATTA_CT_IGNORE
-A OUTPUT -j VYATTA_CT_TIMEOUT
-A OUTPUT -j VYATTA_CT_OUTPUT_HOOK
-A OUTPUT -j FW_STATE_POLICY_CONNTRACK
-A OUTPUT -j NOTRACK
-A VYATTA_CT_IGNORE -j RETURN
-A VYATTA_CT_TIMEOUT -j RETURN
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1536 -j CT --helper tns
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1525 -j CT --helper tns
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1521 -j CT --helper tns
-A VYATTA_CT_HELPER -p udp -m udp --dport 111 -j CT --helper rpc
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 111 -j CT --helper rpc
-A VYATTA_CT_HELPER -j RETURN
-A VYATTA_CT_PREROUTING_HOOK -j RETURN
-A VYATTA_CT_OUTPUT_HOOK -j RETURN
-A FW_STATE_POLICY_CONNTRACK -j ACCEPT
COMMIT
# Completed on Mon Jan  3 19:59:34 2022
# Generated by xtables-save v1.8.2 on Mon Jan  3 19:59:34 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VYATTA_PRE_FW_IN_HOOK - [0:0]
:VYATTA_PRE_FW_FWD_HOOK - [0:0]
:VYATTA_PRE_FW_OUT_HOOK - [0:0]
:VYATTA_POST_FW_IN_HOOK - [0:0]
:VYATTA_POST_FW_FWD_HOOK - [0:0]
:VYATTA_POST_FW_OUT_HOOK - [0:0]
:VYATTA_STATE_POLICY_FWD_HOOK - [0:0]
:VYATTA_STATE_POLICY_IN_HOOK - [0:0]
:VYATTA_STATE_POLICY_OUT_HOOK - [0:0]
-A INPUT -j VYATTA_PRE_FW_IN_HOOK
-A INPUT -j VYATTA_POST_FW_IN_HOOK
-A FORWARD -j VYATTA_PRE_FW_FWD_HOOK
-A FORWARD -j VYATTA_POST_FW_FWD_HOOK
-A OUTPUT -j VYATTA_PRE_FW_OUT_HOOK
-A OUTPUT -j VYATTA_POST_FW_OUT_HOOK
-A VYATTA_PRE_FW_IN_HOOK -j VYATTA_STATE_POLICY_IN_HOOK
-A VYATTA_PRE_FW_IN_HOOK -j RETURN
-A VYATTA_PRE_FW_FWD_HOOK -j VYATTA_STATE_POLICY_FWD_HOOK
-A VYATTA_PRE_FW_FWD_HOOK -j RETURN
-A VYATTA_PRE_FW_OUT_HOOK -j VYATTA_STATE_POLICY_OUT_HOOK
-A VYATTA_PRE_FW_OUT_HOOK -j RETURN
-A VYATTA_POST_FW_IN_HOOK -j ACCEPT
-A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
-A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
-A VYATTA_STATE_POLICY_FWD_HOOK -m state --state INVALID -j DROP
-A VYATTA_STATE_POLICY_FWD_HOOK -m state --state ESTABLISHED -j VYATTA_POST_FW_FWD_HOOK
-A VYATTA_STATE_POLICY_FWD_HOOK -m state --state RELATED -j VYATTA_POST_FW_FWD_HOOK
-A VYATTA_STATE_POLICY_FWD_HOOK -j RETURN
-A VYATTA_STATE_POLICY_IN_HOOK -m state --state INVALID -j DROP
-A VYATTA_STATE_POLICY_IN_HOOK -m state --state ESTABLISHED -j VYATTA_POST_FW_IN_HOOK
-A VYATTA_STATE_POLICY_IN_HOOK -m state --state RELATED -j VYATTA_POST_FW_IN_HOOK
-A VYATTA_STATE_POLICY_IN_HOOK -j RETURN
-A VYATTA_STATE_POLICY_OUT_HOOK -m state --state INVALID -j DROP
-A VYATTA_STATE_POLICY_OUT_HOOK -m state --state ESTABLISHED -j VYATTA_POST_FW_OUT_HOOK
-A VYATTA_STATE_POLICY_OUT_HOOK -m state --state RELATED -j VYATTA_POST_FW_OUT_HOOK
-A VYATTA_STATE_POLICY_OUT_HOOK -j RETURN
COMMIT
# Completed on Mon Jan  3 19:59:34 2022
# Generated by xtables-save v1.8.2 on Mon Jan  3 19:59:34 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VYATTA_PRE_DNAT_HOOK - [0:0]
:VYATTA_PRE_SNAT_HOOK - [0:0]
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
-A VYATTA_PRE_DNAT_HOOK -j RETURN
-A VYATTA_PRE_SNAT_HOOK -j RETURN
COMMIT
# Completed on Mon Jan  3 19:59:34 2022

iptables-restore-translate

cpo@LR2.wue3:~$ sudo iptables-save > /tmp/iptables ; iptables-restore-translate --file /tmp/iptables
# Translated by iptables-restore-translate v1.8.2 on Mon Jan  3 20:00:13 2022
add table ip raw
add chain ip raw PREROUTING { type filter hook prerouting priority -300; policy accept; }
add chain ip raw OUTPUT { type filter hook output priority -300; policy accept; }
add chain ip raw VYATTA_CT_IGNORE
add chain ip raw VYATTA_CT_TIMEOUT
add chain ip raw VYATTA_CT_HELPER
add chain ip raw VYATTA_CT_PREROUTING_HOOK
add chain ip raw VYATTA_CT_OUTPUT_HOOK
add chain ip raw FW_STATE_POLICY_CONNTRACK
add rule ip raw PREROUTING counter jump VYATTA_CT_IGNORE
add rule ip raw PREROUTING counter jump VYATTA_CT_TIMEOUT
add rule ip raw PREROUTING counter jump VYATTA_CT_PREROUTING_HOOK
add rule ip raw PREROUTING counter jump FW_STATE_POLICY_CONNTRACK
# -t raw -A PREROUTING -j NOTRACK
add rule ip raw OUTPUT counter jump VYATTA_CT_IGNORE
add rule ip raw OUTPUT counter jump VYATTA_CT_TIMEOUT
add rule ip raw OUTPUT counter jump VYATTA_CT_OUTPUT_HOOK
add rule ip raw OUTPUT counter jump FW_STATE_POLICY_CONNTRACK
# -t raw -A OUTPUT -j NOTRACK
add rule ip raw VYATTA_CT_IGNORE counter return
add rule ip raw VYATTA_CT_TIMEOUT counter return
# -t raw -A VYATTA_CT_HELPER -p tcp -m tcp --dport 1536 -j CT --helper tns
# -t raw -A VYATTA_CT_HELPER -p tcp -m tcp --dport 1525 -j CT --helper tns
# -t raw -A VYATTA_CT_HELPER -p tcp -m tcp --dport 1521 -j CT --helper tns
# -t raw -A VYATTA_CT_HELPER -p udp -m udp --dport 111 -j CT --helper rpc
# -t raw -A VYATTA_CT_HELPER -p tcp -m tcp --dport 111 -j CT --helper rpc
add rule ip raw VYATTA_CT_HELPER counter return
add rule ip raw VYATTA_CT_PREROUTING_HOOK counter return
add rule ip raw VYATTA_CT_OUTPUT_HOOK counter return
add rule ip raw FW_STATE_POLICY_CONNTRACK counter accept
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add chain ip filter VYATTA_PRE_FW_IN_HOOK
add chain ip filter VYATTA_PRE_FW_FWD_HOOK
add chain ip filter VYATTA_PRE_FW_OUT_HOOK
add chain ip filter VYATTA_POST_FW_IN_HOOK
add chain ip filter VYATTA_POST_FW_FWD_HOOK
add chain ip filter VYATTA_POST_FW_OUT_HOOK
add chain ip filter VYATTA_STATE_POLICY_FWD_HOOK
add chain ip filter VYATTA_STATE_POLICY_IN_HOOK
add chain ip filter VYATTA_STATE_POLICY_OUT_HOOK
add rule ip filter INPUT counter jump VYATTA_PRE_FW_IN_HOOK
add rule ip filter INPUT counter jump VYATTA_POST_FW_IN_HOOK
add rule ip filter FORWARD counter jump VYATTA_PRE_FW_FWD_HOOK
add rule ip filter FORWARD counter jump VYATTA_POST_FW_FWD_HOOK
add rule ip filter OUTPUT counter jump VYATTA_PRE_FW_OUT_HOOK
add rule ip filter OUTPUT counter jump VYATTA_POST_FW_OUT_HOOK
add rule ip filter VYATTA_PRE_FW_IN_HOOK counter jump VYATTA_STATE_POLICY_IN_HOOK
add rule ip filter VYATTA_PRE_FW_IN_HOOK counter return
add rule ip filter VYATTA_PRE_FW_FWD_HOOK counter jump VYATTA_STATE_POLICY_FWD_HOOK
add rule ip filter VYATTA_PRE_FW_FWD_HOOK counter return
add rule ip filter VYATTA_PRE_FW_OUT_HOOK counter jump VYATTA_STATE_POLICY_OUT_HOOK
add rule ip filter VYATTA_PRE_FW_OUT_HOOK counter return
add rule ip filter VYATTA_POST_FW_IN_HOOK counter accept
add rule ip filter VYATTA_POST_FW_FWD_HOOK counter accept
add rule ip filter VYATTA_POST_FW_OUT_HOOK counter accept
add rule ip filter VYATTA_STATE_POLICY_FWD_HOOK ct state invalid  counter drop
add rule ip filter VYATTA_STATE_POLICY_FWD_HOOK ct state established  counter jump VYATTA_POST_FW_FWD_HOOK
add rule ip filter VYATTA_STATE_POLICY_FWD_HOOK ct state related  counter jump VYATTA_POST_FW_FWD_HOOK
add rule ip filter VYATTA_STATE_POLICY_FWD_HOOK counter return
add rule ip filter VYATTA_STATE_POLICY_IN_HOOK ct state invalid  counter drop
add rule ip filter VYATTA_STATE_POLICY_IN_HOOK ct state established  counter jump VYATTA_POST_FW_IN_HOOK
add rule ip filter VYATTA_STATE_POLICY_IN_HOOK ct state related  counter jump VYATTA_POST_FW_IN_HOOK
add rule ip filter VYATTA_STATE_POLICY_IN_HOOK counter return
add rule ip filter VYATTA_STATE_POLICY_OUT_HOOK ct state invalid  counter drop
add rule ip filter VYATTA_STATE_POLICY_OUT_HOOK ct state established  counter jump VYATTA_POST_FW_OUT_HOOK
add rule ip filter VYATTA_STATE_POLICY_OUT_HOOK ct state related  counter jump VYATTA_POST_FW_OUT_HOOK
add rule ip filter VYATTA_STATE_POLICY_OUT_HOOK counter return
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
add chain ip nat INPUT { type nat hook input priority 100; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
add chain ip nat VYATTA_PRE_DNAT_HOOK
add chain ip nat VYATTA_PRE_SNAT_HOOK
add rule ip nat PREROUTING counter jump VYATTA_PRE_DNAT_HOOK
add rule ip nat POSTROUTING counter jump VYATTA_PRE_SNAT_HOOK
add rule ip nat VYATTA_PRE_DNAT_HOOK counter return
add rule ip nat VYATTA_PRE_SNAT_HOOK counter return
# Completed on Mon Jan  3 20:00:13 2022
sarthurdev changed the task status from Open to In progress.Jan 3 2022, 9:58 PM
sarthurdev changed the task status from In progress to Needs testing.Jan 4 2022, 12:14 AM

PR: https://github.com/vyos/vyos-1x/pull/1130

sarthurdev mentioned this in T4136: Firewall State Policy entries fail to load..Jan 4 2022, 12:45 AM
syncer merged a task: T4136: Firewall State Policy entries fail to load..Jan 4 2022, 1:18 AM
syncer added subscribers: JamesGreenlee, sarthurdev.
Restricted Repository Identity mentioned this in rVYOSONEX993b87458456: Merge pull request #1130 from sarthurdev/firewall.Jan 4 2022, 4:11 AM
sarthurdev mentioned this in rVYOSONEX9213d9cc7bcd: firewall: T4130: Add state-policy test to firewall smoketest.Jan 4 2022, 4:11 AM
sarthurdev mentioned this in rVYOSONEX84a83ecc4c78: firewall: T4130: Fix firewall state-policy errors.
Restricted Repository Identity mentioned this in rVYOSONEX7eadd337bed0: Merge pull request #1134 from sarthurdev/firewall.Jan 5 2022, 12:23 AM
sarthurdev mentioned this in rVYOSONEX459c7079bebe: firewall: zone-policy: T2199: T4130: Fixes for firewall, state-policy and zone….Jan 5 2022, 12:23 AM
Viacheslav closed this task as Resolved.Jan 6 2022, 11:14 AM
Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.
c-po mentioned this in rVYOSONEXb9c2ce3e3589: xml: firewall: T4130: add protocol completion helper all and tcp_udp.Jan 7 2022, 9:06 PM
Restricted Repository Identity mentioned this in rVYOSONEX3b7629eaa4c8: Merge pull request #1184 from sarthurdev/firewall_icmp.Jan 22 2022, 7:55 AM
sarthurdev mentioned this in rVYOSONEX958c887f9c01: firewall: T4130: Use correct table to check for state policy rule.Jan 22 2022, 7:55 AM