custome firewall network-group and update CIDR from a file
Open, WishlistPublic
Actions

Assigned To

None

Authored By

	dongjunbo
	Jun 10 2023, 2:15 AM

Description

As we know vyos 1.4 merge iptables to nftables, then ipset command is not working anymore.
Is there any way to implement shell script loading CIDR on VyOS 1.4?

bash
#implement with ipset
set firewall group network-group us-ip-ranges

# cat /config/scripts/vyos-postconfig-bootup.script
for l in `cat /config/usipranges.txt`; do sudo ipset add us-ip-ranges $l;done

Details

Difficulty level: Unknown (require assessment)
Version: 1.4
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Related Objects

Mentioned Here: T4797: External address/network lists for firewall (Local and remote)

Event Timeline

dongjunbo created this task.Jun 10 2023, 2:15 AM

dongjunbo created this object in space S1 VyOS Public.

The similar task https://vyos.dev/T4797
You can add manually nft rules that used for firewall group, but they will overwritten per next firewall change/commit. The whole firewall config will overwritten.
There are 2 ways. Somehow use it in CLI or use native (nft) tables, chains, group-sets and rules which are not overlapping with generated “system” firewall ruleset

pasik added a subscriber: pasik.Jun 10 2023, 7:01 AM

Viacheslav triaged this task as Wishlist priority.Jan 20 2024, 12:49 PM

dmbaturin edited projects, added VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta.Fri, Apr 12, 1:59 PM

custome firewall network-group and update CIDR from a fileOpen, WishlistPublicActions

Description

Details

Related Objects

Event Timeline

custome firewall network-group and update CIDR from a file
Open, WishlistPublic
Actions