Page MenuHomeVyOS Platform
Create Task
Maniphest T4201

Firewall - ICMPv6 matches not working as expected on 1.3.0
Closed, ResolvedPublicBUG
Actions

Description

On VyOS 1.3.0, this rules doesn't generate correct firewall rules:

# Firewall rules
vyos@vyos# run show config comm | grep fire
set firewall ipv6-name FOO-v6 rule 10 action 'drop'
set firewall ipv6-name FOO-v6 rule 10 icmpv6 type 'echo-request'
set firewall ipv6-name FOO-v6 rule 10 protocol 'icmp'
set firewall ipv6-name FOO-v6 rule 20 action 'accept'
set firewall ipv6-name FOO-v6 rule 20 icmpv6 type 'parameter-problem'
set firewall ipv6-name FOO-v6 rule 20 protocol 'icmp'
[edit]

# nft tables
vyos@vyos# sudo nft list chain ip6 filter FOO-v6
table ip6 filter {
	chain FOO-v6 {
		meta l4proto icmp counter packets 0 bytes 0 drop comment "FOO-v6-10"
		meta l4proto icmp counter packets 0 bytes 0 return comment "FOO-v6-20"
		counter packets 0 bytes 0 drop comment "FOO-v6-10000 default-action drop"
	}
}
[edit]

As you can see, both rules are equals (except action that is different), and no "type" are inserted in rules.

Details

Version
vyos-1.3.0
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

n.fort created this task.Jan 21 2022, 4:20 PM
n.fort closed this task as Resolved.Feb 15 2022, 6:22 PM
n.fort claimed this task.

Solved. New commands:

vyos@vyos:~$ show config comm | grep firewall
set firewall ipv6-name FOO-v6 rule 10 action 'drop'
set firewall ipv6-name FOO-v6 rule 10 icmpv6 type-name 'echo-request'
set firewall ipv6-name FOO-v6 rule 10 protocol 'ipv6-icmp'
set firewall ipv6-name FOO-v6 rule 20 action 'accept'
set firewall ipv6-name FOO-v6 rule 20 icmpv6 type-name 'parameter-problem'
set firewall ipv6-name FOO-v6 rule 20 protocol 'ipv6-icmp'

Generated rules:

vyos@vyos:~$ sudo nft list chain ip6 filter FOO-v6
table ip6 filter {
	chain FOO-v6 {
		icmpv6 type echo-request counter packets 0 bytes 0 drop comment "FOO-v6-10"
		icmpv6 type parameter-problem counter packets 0 bytes 0 return comment "FOO-v6-20"
		counter packets 0 bytes 0 return comment "FOO-v6 default-action accept"
	}
}
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Aug 29 2022, 12:15 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.