Maniphest T5416

Ignoring "ipsec match-none" for firewall
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	daniil
	Jul 29 2023, 9:11 PM

Tags

Referenced Files

None

Subscribers

Description

Config:

firewall {
    interface eth0{
        local {
            ipv6-name DROP-GRE-NOIPSEC
        }
    }
    ipv6-name DROP-GRE-NOIPSEC {
        default-action accept
        rule 100 {
            action drop
            ipsec {
                match-none
            }
            protocol gre
        }
    }
}

Check:

# nft list chain ip6 vyos_filter NAME6_DROP-GRE-NOIPSEC
table ip6 vyos_filter {
	chain NAME6_DROP-GRE-NOIPSEC {
		meta l4proto gre counter packets 340 bytes 46240 drop comment "DROP-GRE-NOIPSEC-100"
		counter packets 434 bytes 65608 return comment "DROP-GRE-NOIPSEC default-action accept"
	}
}

The expression "meta secpath missing" is missing.

Details

Version: 1.4-rolling-202307280757
Is it a breaking change?: Behavior change
Issue type: Bug (incorrect behavior)

Related Objects

Mentioned In: rVYOSONEX96a89fee625b: T5416: fix ipsec matcher
rVYOSONEX6335bbfc79af: Merge pull request #2121 from nicolas-fort/T5416

Event Timeline

daniil created this task.Jul 29 2023, 9:11 PM

pasik subscribed.Jul 29 2023, 9:32 PM

n.fort changed the task status from Open to Confirmed.Jul 31 2023, 10:00 AM

n.fort claimed this task.

PR: https://github.com/vyos/vyos-1x/pull/2121

Restricted Repository Identity mentioned this in rVYOSONEX6335bbfc79af: Merge pull request #2121 from nicolas-fort/T5416.Jul 31 2023, 11:36 AM

n.fort mentioned this in rVYOSONEX96a89fee625b: T5416: fix ipsec matcher.Jul 31 2023, 11:37 AM

Viacheslav changed the task status from Confirmed to Needs testing.Aug 1 2023, 8:20 AM

n.fort closed this task as Resolved.Aug 10 2023, 6:54 PM

Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.Aug 11 2023, 8:18 AM