
[Firewall-IPV6] Error delete Fw rules on VIF/INT
Closed, ResolvedPublicBUG

Description

In the new firewall implementation, the whole firewall configuration cannot be removed while a rule set is still attached to an interface. Current settings:

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group ipv6-network-group IPv6_VLAN_1 network '2001:db8:9d91::/64'
set firewall group ipv6-network-group IPv6_VLAN_2 network '2001:db8:9d91:2::/64'
set firewall group ipv6-network-group IPv6_VLAN_3 network '2001:db8:9d91:3::/64'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 default-action 'drop'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 10 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 10 state established 'enable'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 10 state related 'enable'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 20 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 20 icmpv6 type '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 20 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 20 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 21 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 21 icmpv6 type '2'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 21 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 21 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 22 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 22 icmpv6 type '3'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 22 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 22 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 23 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 23 icmpv6 type '4'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 23 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 23 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 24 action 'reject'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 24 icmpv6 type '101'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 24 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 24 log 'enable'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 24 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 25 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 25 icmpv6 type '128'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 25 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 25 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 26 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 26 icmpv6 type '129'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 26 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 26 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 27 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 27 icmpv6 type '130'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 27 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 27 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 28 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 28 icmpv6 type '131'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 28 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 28 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 29 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 29 icmpv6 type '132'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 29 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 29 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 30 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 30 icmpv6 type '133'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 30 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 30 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 31 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 31 icmpv6 type '134'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 31 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 31 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 32 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 32 icmpv6 type '135'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 32 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 32 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 33 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 33 icmpv6 type '136'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 33 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 33 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 34 action 'reject'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 34 icmpv6 type '137'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 34 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 34 log 'enable'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 34 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 35 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 35 icmpv6 type '138'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 35 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 35 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 36 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 36 icmpv6 type '141'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 36 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 36 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 37 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 37 icmpv6 type '142'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 37 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 37 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 38 action 'accept'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 38 icmpv6 type '143'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 38 limit burst '1'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 38 protocol 'icmpv6'
set firewall ipv6-name IPv6_FWD_IN_VLAN_1 rule 39 action 'accept'

set interfaces ethernet eth1 vif 1 address '192.168.0.1/24'
set interfaces ethernet eth1 vif 1 address '2001:db8:9d91::1/64'
set interfaces ethernet eth1 vif 1 description 'MGNT'
set interfaces ethernet eth1 vif 1 firewall in ipv6-name 'IPv6_FWD_IN_VLAN_1'

If you try to remove all of these settings with `delete firewall`, the commit is rejected without saying why, and this is shown:

vyos@vyos# delete firewall
[edit]
vyos@vyos# commit
[ firewall ]
Failed to apply firewall

delete [ firewall ] failed
Commit failed
[edit]
vyos@vyos#

It should either remove the interface's association with the firewall rule set or display a clear message, for example:

Firewall configuration error: Cannot delete rule set

Details

Difficulty level
Easy (less than an hour)
Version
1.4-rolling-202201060842
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

sarthurdev changed the task status from Open to In progress. Jan 10 2022, 5:53 PM
sarthurdev claimed this task.

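I've tested the fix and it works. The commit is still rejected, but the error now names the rule set and the interface that still references it (here the `firewall in ipv6-name` entry on eth1 vif 1), so that reference can be deleted before `delete firewall` is committed: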

vyos@test-firewall# commit
[ firewall ]
Firewall ipv6-name "IPv6_FWD_IN_VLAN_1" is still referenced on interface
eth1.1

delete [ firewall ] failed
Commit failed
[edit]
vyos@test-firewall# run show version

Version:          VyOS 1.4-rolling-202201110811
Release train:    sagitta

Built by:         [email protected]
Built on:         Tue 11 Jan 2022 08:11 UTC
Build UUID:       2e678787-bf60-4ed5-b53b-300252863cc4
Build commit ID:  f0cdd802c2a6a9

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    0ed1854a-565e-4368-8c9e-843e33c8c181

Copyright:        VyOS maintainers and contributors
[edit]

thanks