Page MenuHomeVyOS Platform
Create Task
Maniphest T5681

Interface match - Simplified and unified cli
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Current cli structure for mathing interface and/or interface groups:

set firewall ... rule 10 inbound-interface interface-name <iface>
set firewall ... rule 10 inbound-interface interface-group <iface_group>

set nat destination rule 10 outbound-interface interface-name <iface>
set nat destination rule 10 outbound-interface interface-group <iface_group>

set nat source rule 10 inbound-interface interface-name <iface>
set nat source rule 10 inbound-interface interface-group <iface_group>

New cli to be used:

set firewall ... rule 10 inbound-interface name <iface>
set firewall ... rule 10 inbound-interface group <iface_group>

set nat destination rule 10 outbound-interface name <iface>
set nat destination rule 10 outbound-interface group <iface_group>

set nat source rule 10 inbound-interface name <iface>
set nat source rule 10 inbound-interface group <iface_group>

Also, change NAT66 to:

set nat66 source rule 10 outbound-interface name <iface>
set nat66 destination rule 10 inbound-interface name <iface>

Details

Difficulty level
Unknown (require assessment)
Version
1.5-rolling-202310240118
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)
Issue type
Improvement (missing useful functionality)

Event Timeline

n.fort changed the task status from Open to In progress.Oct 24 2023, 2:52 PM
n.fort claimed this task.
n.fort created this task.
n.fort added a project: VyOS 1.4 Sagitta.
n.fort changed Version from - to 1.5-rolling-202310240118.
pasik added a subscriber: pasik.Oct 24 2023, 3:38 PM
Apachez added a subscriber: Apachez.Oct 24 2023, 4:53 PM
n.fort added a comment.Oct 25 2023, 12:11 PM

PR: https://github.com/vyos/vyos-1x/pull/2406

n.fort added a comment.Oct 26 2023, 10:26 AM

PR for op-mode command that fits new cli: https://github.com/vyos/vyos-1x/pull/2408

n.fort changed the task status from In progress to Needs testing.Oct 26 2023, 12:19 PM
JeffWDH added a subscriber: JeffWDH.EditedNov 2 2023, 12:11 PM

When moving from vyos-1.5-rolling-202310090023 to vyos-1.5-rolling-202311020022 all of my inbound-interfaces got dropped from my firewall config. The NAT ones got migrated successfully.

Snippet from vyos-migrate.log:

List of executed migration scripts:
List of executed migration scripts:
List of executed migration scripts:
/opt/vyatta/etc/config-migrate/migrate/cluster/1-to-2
/opt/vyatta/etc/config-migrate/migrate/interfaces/31-to-32
/opt/vyatta/etc/config-migrate/migrate/nat/5-to-6
- op: delete path: ['nat', 'source', 'rule', '40', 'outbound-interface']
- op: set path: ['nat', 'source', 'rule', '40', 'outbound-interface', 'interface-name'] value: vtun0 replace: True
- op: delete path: ['nat', 'source', 'rule', '41', 'outbound-interface']
- op: set path: ['nat', 'source', 'rule', '41', 'outbound-interface', 'interface-name'] value: vtun1 replace: True
<omitted a bunch of NAT rules>
/opt/vyatta/etc/config-migrate/migrate/nat/6-to-7
- op: delete path: ['nat', 'source', 'rule', '40', 'outbound-interface', 'interface-name']
- op: set path: ['nat', 'source', 'rule', '40', 'outbound-interface', 'name'] value: vtun0 replace: True
- op: delete path: ['nat', 'source', 'rule', '41', 'outbound-interface', 'interface-name']
- op: set path: ['nat', 'source', 'rule', '41', 'outbound-interface', 'name'] value: vtun1 replace: True
<omitted a bunch of NAT rules>
/opt/vyatta/etc/config-migrate/migrate/nat66/1-to-2
// Warning: Do not remove the following line.
// vyos-config-version: "bgp@4:broadcast-relay@1:cluster@1:config-management@1:conntrack@4:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-dynamic@1:dns-forwarding@4:firewall@11:flow-accounting@1:https@4:ids@1:interfaces@31:ipoe-server@1:ipsec@12:isis@3:l2tp@4:lldp@1:mdns@1:monitoring@1:nat@5:nat66@1:ntp@3:openconnect@2:openvpn@1:ospf@2:policy@6:pppoe-server@6:pptp@2:qos@2:quagga@11:rip@1:rpki@1:salt@1:snmp@3:ssh@2:sstp@4:system@26:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.5-rolling-202309250022

After readding them with the new syntax all is good, but it looks like for some reason the migration script didn't run on my system.

Viacheslav added a subscriber: Viacheslav.Nov 2 2023, 1:15 PM
In T5681#163634, @JeffWDH wrote:

When moving from vyos-1.5-rolling-202310090023 to vyos-1.5-rolling-202311020022 all of my inbound-interfaces got dropped from my firewall config. The NAT ones got migrated successfully.

Snippet from vyos-migrate.log:

List of executed migration scripts:
List of executed migration scripts:
List of executed migration scripts:
/opt/vyatta/etc/config-migrate/migrate/cluster/1-to-2
/opt/vyatta/etc/config-migrate/migrate/interfaces/31-to-32
/opt/vyatta/etc/config-migrate/migrate/nat/5-to-6
- op: delete path: ['nat', 'source', 'rule', '40', 'outbound-interface']
- op: set path: ['nat', 'source', 'rule', '40', 'outbound-interface', 'interface-name'] value: vtun0 replace: True
- op: delete path: ['nat', 'source', 'rule', '41', 'outbound-interface']
- op: set path: ['nat', 'source', 'rule', '41', 'outbound-interface', 'interface-name'] value: vtun1 replace: True
<omitted a bunch of NAT rules>
/opt/vyatta/etc/config-migrate/migrate/nat/6-to-7
- op: delete path: ['nat', 'source', 'rule', '40', 'outbound-interface', 'interface-name']
- op: set path: ['nat', 'source', 'rule', '40', 'outbound-interface', 'name'] value: vtun0 replace: True
- op: delete path: ['nat', 'source', 'rule', '41', 'outbound-interface', 'interface-name']
- op: set path: ['nat', 'source', 'rule', '41', 'outbound-interface', 'name'] value: vtun1 replace: True
<omitted a bunch of NAT rules>
/opt/vyatta/etc/config-migrate/migrate/nat66/1-to-2

After readding them with the new syntax all is good, but it looks like for some reason the migration script didn't run on my system.

Migration scripts MUST migrate only from LTS release to any other release.
Migrations between rolling releases are only optional and could be not exist.

JeffWDH added a comment.Nov 2 2023, 1:20 PM

I understand (and accept) the risks of running rolling.

I'm just bringing to attention that my v11 firewall configuration did not trigger the 11-to-12 script in case it was a bug.

fransking added a subscriber: fransking.Nov 4 2023, 11:18 PM
JeffWDH added a comment.Nov 7 2023, 12:58 PM

According to firewall-version.xml.i, the firewall config version was not updated to 12. Was this intentional?

n.fort closed this task as Resolved.Nov 22 2023, 7:14 PM