Page MenuHomeVyOS Platform
Create Task
Maniphest T4286

Fix for firewall ipv6 name address validator
Closed, ResolvedPublicBUG
Actions

Description

IPV6 firewall is accepting ipv4-address and the error is received while committing the change. The validator is not working.

vyos@vyos# set firewall ipv6-name test6 rule 100 source address
Possible completions:
   <h:h:h:h:h:h:h:h>
                IP address to match
   <h:h:h:h:h:h:h:h/x>
                Subnet to match
   <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
                IP range to match
   !<h:h:h:h:h:h:h:h>
                Match everything except the specified address
   !<h:h:h:h:h:h:h:h/x>
                Match everything except the specified prefix
   !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
                Match everything except the specified range



[edit]
vyos@vyos# set firewall ipv6-name test6 rule 100 source address 192.168.0.1
[edit]
vyos@vyos#

Error:

vyos@vyos# compare
[edit firewall ipv6-name test6 rule 100]
+source {
+    address 192.168.1.0/24
+}
[edit]
vyos@vyos# commit
[ firewall ]
Failed to apply firewall

[[firewall]] failed
Commit failed

Version:

vyos@vyos# run sh ver


Version:          VyOS 1.4-rolling-202203030317
Release train:    sagitta

Built by:         autobuild@vyos.net
Built on:         Thu 03 Mar 2022 03:17 UTC
Build UUID:       787aac35-01b2-4b91-a8b4-488a7134fac1
Build commit ID:  b2ca3389494c35

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:
Hardware UUID:    6af50af1-a018-4476-81cc-7db8ca26513c

Copyright:        VyOS maintainers and contributors

Details

Version
1.4-rolling-202203030317
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

SrividyaA created this task.Mar 7 2022, 12:01 PM
SrividyaA claimed this task.
pasik subscribed.Mar 7 2022, 1:22 PM
Unknown Object (User) subscribed.Mar 9 2022, 10:47 PM

Similar situation in VyOS 1.3-stable-202202191602

FW IPv6 - validator is working:

vyos@vyos# set firewall ipv6-name test1 rule 20 source address 192.168.0.1

  "192.168.0.1" is not a valid value of type "ipv6_addr_param"

  Value validation failed
  Set failed

FW IPv4 - validator is't working

vyos@vyos# set firewall name test rule 10 source address abcdefg123
vyos@vyos# compare
+    name test {
+        default-action drop
+        rule 10 {
+            source {
+                address abcdefg123
n.fort subscribed.Mar 10 2022, 6:30 PM

For 1.4, problem is in ipv6-range validator, which accepts lots of values that should be considered as invalid:

root@vyos:/home/vyos# python3 ipv6-range.py '2008:1234::1-2008:1234::6' ; echo $?
0
root@vyos:/home/vyos# python3 ipv6-range.py 'blablabla' ; echo $?
0
root@vyos:/home/vyos# python3 ipv6-range.py '192.168.55.55' ; echo $?
0
root@vyos:/home/vyos# python3 ipv6-range.py '192.168.55.55-151' ; echo $?
0
root@vyos:/home/vyos# python3 ipv6-range.py '24654-12322' ; echo $?
0
root@vyos:/home/vyos# python3 ipv6-range.py '24654-12322::2' ; echo $?
0
root@vyos:/home/vyos# python3 ipv6-range.py '24654:1-12322::2' ; echo $?
Error: 24654:1-12322::2 is not a valid IPv6 range
1
n.fort added a comment.Mar 10 2022, 6:50 PM

A simplified validator that rejects non-ipv6 address range (still lacks of 1st ipv6 minor than 2nd address validator):

#!/usr/bin/python3

import sys
import re
from vyos.template import is_ipv6

if __name__ == '__main__':
    if len(sys.argv)>1:
        ipv6_range = sys.argv[1]
        if (ipv6_range.find('-') == -1):
            print(f'Error: {ipv6_range} is not a valid IPv6 range.')
            sys.exit(1)
        for tmp in ipv6_range.split('-'):
            if not is_ipv6(tmp):
                print(f'Error: {ipv6_range} is not a valid IPv6 range')
                sys.exit(1)
    sys.exit(0)
n.fort claimed this task.Mar 11 2022, 6:17 PM
n.fort added a comment.Mar 12 2022, 3:23 PM

PR for 1.4: https://github.com/vyos/vyos-1x/pull/1247

Restricted Repository Identity mentioned this in rVYOSONEX4924a82cbdc7: Merge pull request #1247 from nicolas-fort/T4286.Mar 14 2022, 6:56 PM
n.fort mentioned this in rVYOSONEXff0e43807789: Firewall: T4286: Correct ipv6-range validator.Mar 14 2022, 6:56 PM
n.fort closed this task as Resolved.Mar 18 2022, 6:32 PM