Firewall - remove config-trap
Closed, Resolved | Public | FEATURE REQUEST

Description

Firewall config-trap seems to be a legacy feature inherited from Vyatta.
I see no clear reason why that option shall remain under firewall configuration.

Details

Version: vyos-1.4-rolling-202308060317
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Feature/functionality removal

Event Timeline

n.fort changed the task status from Open to Confirmed.
n.fort claimed this task.
n.fort changed Version from - to vyos-1.4-rolling-202308060317.

It's good for traceability to get an SNMP trap sent when the firewall config has been altered/changed/(re-)applied.

Ability to send SNMP traps exists through "set service snmp".

So I would vote to keep "set firewall config-trap enable".

If one doesn't like it then the feature can be disabled through "set firewall config-trap disable".

n.fort changed the task status from Confirmed to Needs testing. Aug 11 2023, 10:21 PM

Using VyOS 1.4-rolling-202308250021 the option "config-trap" is no longer to be found and the remains of config-trap causing commit to crash with a traceback have also been fixed:

vyos@vyos:~$ config
[edit]
vyos@vyos# set firewall global-options 
Possible completions:
   all-ping             Policy for handling of all IPv4 ICMP echo requests (default:
                        enable)
   broadcast-ping       Policy for handling broadcast IPv4 ICMP echo and timestamp
                        requests (default: disable)
   ip-src-route         Policy for handling IPv4 packets with source route option
                        (default: disable)
   ipv6-receive-redirects
                        Policy for handling received ICMPv6 redirect messages (default:
                        disable)
   ipv6-src-route       Policy for handling IPv6 packets with routing extension header
                        (default: disable)
   log-martians         Policy for logging IPv4 packets with invalid addresses (default:
                        enable)
   receive-redirects    Policy for handling received IPv4 ICMP redirect messages
                        (default: disable)
   resolver-cache       Retains last successful value if domain resolution fails
   resolver-interval    Domain resolver update interval (default: 300)
   send-redirects       Policy for sending IPv4 ICMP redirect messages (default: enable)
   source-validation    Policy for source validation by reversed path, as specified in
                        RFC3704 (default: disable)
   syn-cookies          Policy for using TCP SYN cookies with IPv4 (default: enable)
   twa-hazards-protection
                        RFC1337 TCP TIME-WAIT assasination hazards protection (default:
                        disable)

Sorry to respond to such an old ticket but we stumbled over it now with a migration from VyOS 1.3.8 to VyOS 1.4.2.
After rebooting, the system seems to have lost the configuration completely because it was not possible to log on to the system on the console anymore.
In the boot screen just a System error was shown.

The migration should remove / ignore the line completely.

Regards
Markus
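
A pre-upgrade check for the situation described in the last comment, as an added example (not VyOS's own migration code): it finds and drops the `config-trap` leaf that sits directly under `firewall` in a saved configuration. It assumes the brace-style saved-config syntax; the sample configuration and the function name `strip_config_trap` are constructed for illustration.

```python
import re

# Constructed sample in brace-style config syntax (not taken from a real router).
SAMPLE_CONFIG = '''\
firewall {
    all-ping enable
    config-trap enable
    name WAN-IN {
        default-action drop
        description "config-trap { test"
    }
}
service {
    snmp {
        community public {
        }
    }
}
'''


def strip_config_trap(text):
    """Return (cleaned_text, removed_lines) with 'firewall config-trap' dropped."""
    path = []              # names of the blocks that are currently open
    kept, removed = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "}":                 # a block closes on a line of its own
            if path:
                path.pop()
            kept.append(line)
        elif stripped.endswith("{"):        # a block opens at the end of a line
            path.append(stripped[:-1].strip())
            kept.append(line)
        elif path == ["firewall"] and re.fullmatch(r"config-trap(\s+\S+)?", stripped):
            removed.append(stripped)        # leaf directly under 'firewall' only
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    cleaned, removed = strip_config_trap(SAMPLE_CONFIG)
    print("removed:", removed)
    print(cleaned, end="")
```

Run it against a copy of the saved configuration and review the reported lines before loading the cleaned copy on the router.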