Page MenuHomeVyOS Platform
Create Task
Maniphest T5140

Firewall network-group problems
Closed, ResolvedPublicBUG
Actions

Description

  • 1) When specifying a network-group which contains a generic network, for example /24, then adding a more specific network returns an error, but configuration is saved:
vyos@edgecore-per-test# set firewall group network-group NG network 198.51.100.0/24
[edit]
vyos@edgecore-per-test# commit
[edit]
vyos@edgecore-per-test# set firewall group network-group NG network 198.51.100.99/32
[edit]
vyos@edgecore-per-test# commit
[ firewall group network-group NG ]
Error: member [198.51.100.99/32] already exists in [NG]

[edit]
vyos@edgecore-per-test# run show config comm | grep group
set firewall group network-group NG network '198.51.100.0/24'
set firewall group network-group NG network '198.51.100.99/32'
[edit]
vyos@edgecore-per-test# sudo ipset -L
Name: NG
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 512
References: 0
Number of entries: 1
Members:
198.51.100.0/24
[edit]
vyos@edgecore-per-test#
  • 2a) Then removing element /32 from vyos config, returns ipset error message:
vyos@edgecore-per-test# del firewall group network-group NG network 198.51.100.99/32 
[edit]
vyos@edgecore-per-test# commit
[ firewall group network-group NG ]
ipset v6.38: Kernel support protocol versions 6-7 while userspace supports protocol versions 6-6
Element cannot be deleted from the set: it's not added
Error: call to ipset failed [256]
  • 2b) If while removing the /32 entry (which exists on firewall cli, but doesn't exist on ipset) we also add another valid entry, is even worst:
    • vyos cli removes the /32 and adds new entry.
    • ipset error while deleting /32 (which it does not exists in ipset configuration) and new configuration is not loaded into ipset.
vyos@edgecore-per-test# run show config comm | grep group
set firewall group network-group NG network '198.51.100.0/24'
set firewall group network-group NG network '198.51.100.99/32'
[edit]
vyos@edgecore-per-test# sudo ipset -L
Name: NG
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 512
References: 0
Number of entries: 1
Members:
198.51.100.0/24
[edit]
vyos@edgecore-per-test# set firewall group network-group NG network 203.0.113.0/24
[edit]
vyos@edgecore-per-test# del firewall group network-group NG network 198.51.100.99/32 
[edit]
vyos@edgecore-per-test# commit
[ firewall group network-group NG ]
ipset v6.38: Kernel support protocol versions 6-7 while userspace supports protocol versions 6-6
Element cannot be deleted from the set: it's not added
Error: call to ipset failed [256]
[edit]
vyos@edgecore-per-test# run show config comm | grep group
set firewall group network-group NG network '198.51.100.0/24'
set firewall group network-group NG network '203.0.113.0/24'
[edit]
vyos@edgecore-per-test# sudo ipset -L
Name: NG
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 512
References: 0
Number of entries: 1
Members:
198.51.100.0/24
[edit]
vyos@edgecore-per-test#

Details

Difficulty level
Unknown (require assessment)
Version
vyos-1.3.2
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

n.fort created this task.Apr 3 2023, 9:57 AM
Viacheslav added a subscriber: Viacheslav.EditedApr 3 2023, 10:08 AM

The similar task/bug with address-group T3390 T469 and port-group

pasik added a subscriber: pasik.Apr 10 2023, 1:26 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus.Aug 27 2023, 12:09 AM
Viacheslav closed this task as Resolved.EditedAug 31 2023, 9:12 AM
Viacheslav claimed this task.
Viacheslav edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.5).

Fixed VyOS 1.3-stable-202308240442

vyos@r1# set firewall group network-group NG network 198.51.100.0/24
[edit]
vyos@r1# commit
[edit]
vyos@r1# set firewall group network-group NG network 198.51.100.99/32
[edit]
vyos@r1# commit
[edit]
vyos@r1#

vyos@r1# del firewall group network-group NG network 198.51.100.99/32 
[edit]
vyos@r1# commit
[edit]
vyos@r1#
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.4) board.Aug 31 2023, 9:12 AM
dmbaturin mentioned this in 1.3.4.Sep 14 2023, 1:07 PM