Firewall groups are created in the firewall section, and these groups can also be used in policy, NAT and conntrack ignore rules.
But when a group is in use in one of those sections and is then deleted from the firewall configuration, the commit is accepted. The feature still works, but on the next reboot the configuration cannot be loaded successfully.
Simple steps to reproduce the bug with NAT:
vyos@default-log# run show config comm | grep "fire\|nat"
set firewall group address-group AG address '198.51.100.5'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source group address-group 'AG'
set nat source rule 10 translation address 'masquerade'
[edit]
vyos@default-log# del firewall
[edit]
vyos@default-log# commit
[edit]
vyos@default-log# save
[edit]
vyos@default-log#
After rebooting, the NAT config breaks and is not present:
[ 19.070379] vyos-router[688]: Waiting for NICs to settle down: settled in 1sec..
[ 21.775587] vyos-router[688]: Mounting VyOS Config...done.
[ 29.350953] vyos-router[688]: Starting VyOS router: migrate configure failed!
[ 29.956104] vyos-config[701]: Configuration error
Welcome to VyOS - default-log ttyS0
default-log login:
In 1.4, such errors seem not to be present, and the commit fails:
vyos@latest-1.4# run show config comm | grep "fire\|nat"
set firewall group address-group AG address '198.51.100.5'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source group address-group 'AG'
set nat source rule 10 translation address 'masquerade'
[edit]
vyos@latest-1.4# del firewall
[edit]
vyos@latest-1.4# commit
[ firewall ]
ConfigError('Invalid address-group "AG" on firewall rule')
delete [ firewall ] failed
Commit failed
[edit]
vyos@latest-1.4#
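The failure above is a dangling reference: a NAT rule still points at a firewall group that no longer exists, and the check that should reject the commit only runs in 1.4. The following script is an added example (not VyOS project code) of the kind of reference check an operator can run over the output of `show configuration commands` before committing or as part of a config backup review. It only looks at the flattened `set` form, treats the group types listed in `GROUP_TYPES` as the set of firewall group kinds, and strips a leading `!` from a group name to allow for negated references; the sample config lines are constructed from the report itself.

```python
"""Find references to undefined firewall groups in VyOS 'set' command output.

Added example, not part of VyOS. Input is the flattened form printed by
'show configuration commands'. Any 'group <type> <name>' token sequence
outside the 'firewall group' tree is treated as a reference, and every
reference must have a matching 'set firewall group <type> <name> ...' line.
"""
import shlex

# Constructed sample: the NAT rules from the report, with the group defined.
SAMPLE_BEFORE_DELETE = """\
set firewall group address-group AG address '198.51.100.5'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source group address-group 'AG'
set nat source rule 10 translation address 'masquerade'
"""

# Constructed sample: the same config after 'del firewall' was committed.
SAMPLE_AFTER_DELETE = "\n".join(
    line for line in SAMPLE_BEFORE_DELETE.splitlines()
    if not line.startswith("set firewall ")
) + "\n"

# Assumed list of group kinds to check; extend as needed for the release in use.
GROUP_TYPES = ("address-group", "network-group", "port-group",
               "interface-group", "mac-group", "domain-group")


def parse_set_lines(text):
    """Return one token list per 'set ...' line, with quotes removed."""
    result = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            result.append(shlex.split(line)[1:])
    return result


def defined_groups(token_lists):
    """Collect (type, name) pairs defined under 'firewall group'."""
    defined = set()
    for toks in token_lists:
        if (len(toks) >= 4 and toks[0] == "firewall"
                and toks[1] == "group" and toks[2] in GROUP_TYPES):
            defined.add((toks[2], toks[3]))
    return defined


def referenced_groups(token_lists):
    """Collect (type, name, path) for every group reference outside the definitions."""
    refs = []
    for toks in token_lists:
        if toks[:2] == ["firewall", "group"]:
            continue  # this is a definition, not a reference
        for i in range(len(toks) - 2):
            if toks[i] == "group" and toks[i + 1] in GROUP_TYPES:
                name = toks[i + 2].lstrip("!")  # assumption: '!' marks negation
                refs.append((toks[i + 1], name, " ".join(toks)))
    return refs


def find_dangling_refs(text):
    """Return references whose group is not defined anywhere in the config."""
    token_lists = parse_set_lines(text)
    defined = defined_groups(token_lists)
    return [ref for ref in referenced_groups(token_lists)
            if (ref[0], ref[1]) not in defined]


if __name__ == "__main__":
    for label, cfg in (("before delete", SAMPLE_BEFORE_DELETE),
                       ("after delete", SAMPLE_AFTER_DELETE)):
        dangling = find_dangling_refs(cfg)
        print(f"{label}: {len(dangling)} dangling reference(s)")
        for gtype, name, path in dangling:
            print(f"  {gtype} '{name}' missing, referenced by: set {path}")
```

Run it against a saved `show configuration commands` dump (for example `python3 check_groups.py < config.txt`, after replacing the constructed samples with `sys.stdin.read()`); a non-empty result is exactly the state that 1.3 commits silently and that breaks the configuration load on boot.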