Firewall - remove config-trap
Closed, Resolved | Public | FEATURE REQUEST

Description

Firewall config-trap seems to be a legacy feature inherited from Vyatta.
I see no clear reason why that option shall remain under firewall configuration.

Details

Difficulty level: Unknown (require assessment)
Version: vyos-1.4-rolling-202308060317
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Feature/functionality removal

Event Timeline

n.fort changed the task status from Open to Confirmed. Aug 10 2023, 7:04 PM
n.fort claimed this task.
n.fort created this task.
n.fort changed Version from - to vyos-1.4-rolling-202308060317.

It's good for traceability to get an SNMP trap sent when the firewall config has been altered/changed/(re-)applied.

Ability to send SNMP traps exists through "set service snmp".

So I would vote to keep "set firewall config-trap enable".

If one doesn't like it then the feature can be disabled through "set firewall config-trap disable".

n.fort changed the task status from Confirmed to Needs testing. Aug 11 2023, 10:21 PM

Using VyOS 1.4-rolling-202308250021 the option "config-trap" is no longer to be found and the remains of config-trap causing commit to crash with a traceback have also been fixed:

vyos@vyos:~$ config
[edit]
vyos@vyos# set firewall global-options 
Possible completions:
   all-ping             Policy for handling of all IPv4 ICMP echo requests (default:
                        enable)
   broadcast-ping       Policy for handling broadcast IPv4 ICMP echo and timestamp
                        requests (default: disable)
   ip-src-route         Policy for handling IPv4 packets with source route option
                        (default: disable)
   ipv6-receive-redirects
                        Policy for handling received ICMPv6 redirect messages (default:
                        disable)
   ipv6-src-route       Policy for handling IPv6 packets with routing extension header
                        (default: disable)
   log-martians         Policy for logging IPv4 packets with invalid addresses (default:
                        enable)
   receive-redirects    Policy for handling received IPv4 ICMP redirect messages
                        (default: disable)
   resolver-cache       Retains last successful value if domain resolution fails
   resolver-interval    Domain resolver update interval (default: 300)
   send-redirects       Policy for sending IPv4 ICMP redirect messages (default: enable)
   source-validation    Policy for source validation by reversed path, as specified in
                        RFC3704 (default: disable)
   syn-cookies          Policy for using TCP SYN cookies with IPv4 (default: enable)
   twa-hazards-protection
                        RFC1337 TCP TIME-WAIT assasination hazards protection (default:
                        disable)