
Mixing `destination port xxx` and `destination group port-group yyy` in firewall rules doesn't work, but can be committed
Closed, Resolved | Public | BUG

Description

When creating a firewall rule that mixes a destination port and a destination port-group, no error message is displayed on commit. The resulting netfilter rule does not work, however. Only after removing either the port or the port-group does the rule work as expected.
Example rule config:

name stdnt-in {
    default-action drop
    enable-default-log
    rule 3 {
        action accept
        destination {
            group {
                domain-group scl01
                port-group pg-http_s
            }
            port 3128
        }
        log enable
        protocol tcp
        state {
            new enable
        }
    }
}

Resulting netfilter rule:

ct state new tcp dport 3128 ip daddr @D_scl01 tcp dport @P_pg-http_s log prefix "[stdnt-in-3-A]" counter packets 0 bytes 0 return comment "stdnt-in-3" # handle 27
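The generated rule above contains two separate `tcp dport` matches, and nftables ANDs every match in a rule, so a packet would have to be destined to port 3128 *and* to a port in `@P_pg-http_s` at the same time. The following is an added example, not VyOS code: it models that AND semantics against a few constructed packets to show why the rule never matches, and sketches a hypothetical commit-time check that would reject a rule combining `port` and `group port-group` on the same side. The dict shapes, set contents and addresses are constructed for this example and are not VyOS's internal config tree.

```python
"""Added example (not VyOS code): models the nftables match produced by a VyOS
rule that sets both `destination port` and `destination group port-group`, and
shows a hypothetical commit-time check that would reject such a rule."""

from dataclasses import dataclass

# Constructed stand-ins for the nftables named sets referenced by the rule.
PORT_GROUPS = {"pg-http_s": {80, 443}}
DOMAIN_GROUPS = {"scl01": {"192.0.2.10", "192.0.2.11"}}  # constructed addresses


@dataclass(frozen=True)
class Packet:
    proto: str
    daddr: str
    dport: int


def nft_match(rule: dict, pkt: Packet) -> bool:
    """Evaluate the generated rule the way nftables does: every match in a rule
    is ANDed. `tcp dport 3128` and `tcp dport @P_pg-http_s` are therefore two
    independent conditions on the same header field."""
    if pkt.proto != rule["protocol"]:
        return False
    dst = rule["destination"]
    if "port" in dst and pkt.dport != dst["port"]:
        return False
    group = dst.get("group", {})
    if "port-group" in group and pkt.dport not in PORT_GROUPS[group["port-group"]]:
        return False
    if "domain-group" in group and pkt.daddr not in DOMAIN_GROUPS[group["domain-group"]]:
        return False
    return True


def verify_ports(rule: dict) -> list[str]:
    """Hypothetical commit-time check (not VyOS's own verify()): report a rule
    that sets both a literal port and a port-group on the same side, because
    the ANDed nftables output can only match if the port is also in the group."""
    errors = []
    for side in ("source", "destination"):
        spec = rule.get(side, {})
        if "port" in spec and "port-group" in spec.get("group", {}):
            errors.append(
                f"rule {rule['number']}: {side} cannot combine 'port' and "
                f"'group port-group'; use one or the other"
            )
    return errors


def matching_packets(rule: dict, packets: list[Packet]) -> list[Packet]:
    """Return the packets the rule would accept."""
    return [p for p in packets if nft_match(rule, p)]


# The ticket's rule 3 as a constructed dict, plus the same rule with `port` removed.
RULE_3 = {
    "number": 3,
    "protocol": "tcp",
    "destination": {
        "port": 3128,
        "group": {"domain-group": "scl01", "port-group": "pg-http_s"},
    },
}
RULE_3_FIXED = {
    "number": 3,
    "protocol": "tcp",
    "destination": {"group": {"domain-group": "scl01", "port-group": "pg-http_s"}},
}

# Constructed sample traffic: proxy port, HTTPS and HTTP to a host in the domain group.
SAMPLES = [
    Packet("tcp", "192.0.2.10", 3128),
    Packet("tcp", "192.0.2.10", 443),
    Packet("tcp", "192.0.2.10", 80),
]

if __name__ == "__main__":
    print("mixed rule matches:", matching_packets(RULE_3, SAMPLES))        # []
    print("verify:", verify_ports(RULE_3))
    print("fixed rule matches:", matching_packets(RULE_3_FIXED, SAMPLES))  # 443 and 80
```

Running it shows that neither the port-3128 packet (rejected by the set match) nor the 443/80 packets (rejected by `dport 3128`) pass the mixed rule, while the rule with only the port-group matches the 443 and 80 packets as intended; the check function flags the mixed rule before any nftables rule is generated.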

Details

Difficulty level: Unknown (require assessment)
Version: 1.4-rolling-202303020317
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)