New firewall code does not accept "rate/time interval" syntax used in old config
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	lucasec
	Apr 5 2022, 10:36 PM

Description

The XML version of the config no longer allows the iptables style verbose rate limit format:

[ firewall name WAN-Local rule 100 limit rate 50/minute ]
'50/minute' is not a valid integer number

The help string for the rate limit is kind of confusing. It’s not entirely obvious to me what value I should use to reproduce 50/minute, as the new version of the config only accepts an integer (that appears to be rendered as RATE/second to iptables internally). If we only support the integer format going forward, we should make some effort to migrate rate limits using the old syntax.

Details

Difficulty level: Normal (likely a few hours)
Version: VyOS 1.4-rolling-202204040217
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Config syntax change (migratable)
Issue type: Bug (incorrect behavior)

Event Timeline

lucasec created this task.Apr 5 2022, 10:36 PM

c-po assigned this task to sarthurdev.Apr 6 2022, 8:22 AM

pasik added a subscriber: pasik.Apr 6 2022, 11:43 AM

sarthurdev changed the task status from Open to In progress.Apr 6 2022, 12:01 PM

sarthurdev moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.

PR: https://github.com/vyos/vyos-1x/pull/1275

Thank you very much @sdev !

sarthurdev closed this task as Resolved.Apr 20 2022, 11:58 AM

c-po moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.Jun 10 2022, 6:31 PM

New firewall code does not accept "rate/time interval" syntax used in old configClosed, ResolvedPublicBUGActions

Description

Details

Event Timeline

New firewall code does not accept "rate/time interval" syntax used in old config
Closed, ResolvedPublicBUG
Actions