
Firewall upgrade fails because of icmpv6
Closed, Resolved | Public | BUG

Description

Supported options for icmpv6 are different in 1.3.X and 1.4.0-rc1.
Some of them are migrated properly in https://github.com/vyos/vyos-1x/blob/current/src/migration-scripts/firewall/6-to-7#L138, but some are missing.

Summary of the options and migrations for icmp and icmpv6:

###########
vyos@vyos# set firewall name FOO rule 10 icmp type-name  
### 1.3.4: #####                          ## Supported in 1.4        ## Migrated in 6-to-7
Possible completions:
any                                       No                            Yes
echo-reply (pong)                         Yes                           No need
destination-unreachable                   Yes                           No need
network-unreachable                       No                            Yes
host-unreachable                          No                            Yes
protocol-unreachable                      No                            Yes
port-unreachable                          No                            Yes
fragmentation-needed                      No                            Yes
source-route-failed                       No                            Yes
network-unknown                           No                            Yes
host-unknown                              No                            Yes
network-prohibited                        No                            Yes
host-prohibited                           No                            Yes
TOS-network-unreachable                   No                            Yes
TOS-host-unreachable                      No                            Yes
communication-prohibited                  No                            Yes
host-precedence-violation                 No                            Yes
precedence-cutoff                         No                            Yes
source-quench                             Yes                           No need
redirect                                  Yes                           No need
network-redirect                          No                            Yes
host-redirect                             No                            Yes
TOS-network-redirect                      No                            Yes
TOS-host-redirect                         No                            Yes
TOS-host-unreachable                      No                            Yes
echo-request                              Yes                           No need
ip-header-bad                             No                            Yes
ping                                      No                            Yes
pong                                      No                            Yes
required-option-missing                   No                            Yes
time-exceeded                             Yes                           No need
ttl-exceeded                              No                            NO (need to migrate to 'time-exceeded')
ttl-zero-during-reassembly                No                            Yes
ttl-zero-during-transit                   No                            Yes


vyos@vyos# set firewall ipv6-name FOO5 rule 10 icmpv6 type 
### 1.3.4: #####                          ## Supported in 1.4        ## Migrated in 6-to-7
Possible completions:
destination-unreachable                   Yes                           No need
no-route                                  No                            Yes
communication-prohibited                  No                            Yes
address-unreachable                       No                            Yes
port-unreachable                          No                            Yes
packet-too-big                            Yes                           No need
time-exceeded                             Yes                           No need
ttl-zero-during-transit                   No                            Yes
ttl-zero-during-reassembly                No                            Yes
parameter-problem                         Yes                           No need
bad-header                                No                            Yes
unknown-header-type                       No                            Yes
unknown-option                            No                            Yes
echo-request                              Yes                           No need
ping                                      No                            Yes
echo-reply                                Yes                           No need
pong                                      No                            Yes
router-solicitation                       No                            No (need to migrate to 'nd-router-solicit')
router-advertisement                      No                            No (need to migrate to 'nd-router-advert')
neighbour-solicitation                    No                            No (need to migrate to 'nd-neighbor-solicit')
neighbour-advertisement                   No                            No (need to migrate to 'nd-neighbor-advert')
redirect                                  No                            Yes
<0-255>
<0-255>/<0-255>
[edit]
vyos@vyos#
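
A pre-upgrade check for the gap summarised above, as an added example (not code from this task or from the VyOS project): it scans 1.3-style `set` commands for the five legacy values the tables mark as neither supported in 1.4 nor migrated by 6-to-7, and reports the replacement the task names for each. The `audit` function, the regex and the sample configuration are constructed for illustration; input is assumed to be in `show configuration commands` form.

```python
import re

# Legacy values the task lists as unsupported in 1.4 and not migrated by
# 6-to-7, mapped to the replacement the task names for each.
UNMIGRATED = {
    "icmp": {"ttl-exceeded": "time-exceeded"},
    "icmpv6": {
        "router-solicitation": "nd-router-solicit",
        "router-advertisement": "nd-router-advert",
        "neighbour-solicitation": "nd-neighbor-solicit",
        "neighbour-advertisement": "nd-neighbor-advert",
    },
}

# 1.3 syntax shown in the task: "firewall name ... icmp type-name X" and
# "firewall ipv6-name ... icmpv6 type X" (values may be single-quoted).
RULE_RE = re.compile(
    r"^set firewall (?:name|ipv6-name) (?P<ruleset>\S+) rule (?P<rule>\d+) "
    r"(?P<proto>icmp type-name|icmpv6 type) '?(?P<value>[^'\s]+)'?\s*$"
)

def audit(commands):
    """Return (ruleset, rule, proto, old, new) for each rule needing a manual fix."""
    findings = []
    for line in commands.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # not an icmp/icmpv6 type line
        proto = m["proto"].split()[0]
        new = UNMIGRATED[proto].get(m["value"])
        if new:
            findings.append((m["ruleset"], int(m["rule"]), proto, m["value"], new))
    return findings

# Constructed sample configuration (hypothetical, not taken from the task).
SAMPLE = """\
set firewall name FOO rule 10 icmp type-name 'ttl-exceeded'
set firewall name FOO rule 20 icmp type-name 'echo-request'
set firewall name FOO rule 30 icmp type-name 'port-unreachable'
set firewall ipv6-name FOO5 rule 10 icmpv6 type 'router-solicitation'
set firewall ipv6-name FOO5 rule 20 icmpv6 type 'neighbour-advertisement'
set firewall ipv6-name FOO5 rule 30 icmpv6 type 'packet-too-big'
"""

if __name__ == "__main__":
    for ruleset, rule, proto, old, new in audit(SAMPLE):
        print(f"{ruleset} rule {rule}: {proto} '{old}' is not migrated; use '{new}'")
```

Values the tables mark as already migrated (for example `port-unreachable`) or still supported (`echo-request`, `packet-too-big`) are deliberately not reported.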

Details

Difficulty level
Unknown (require assessment)
Version
vyos-1.4.0-rc1, 1.5-rolling-202401021120
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

n.fort changed the task status from Open to Confirmed. (Jan 2 2024, 5:46 PM)
n.fort claimed this task.
n.fort created this task.
n.fort added a project: VyOS 1.5 Circinus.
n.fort changed Version from vyos-1.4.0-rc1 to vyos-1.4.0-rc1, 1.5-rolling-202401021120.
n.fort changed the task status from Confirmed to Needs testing. (Jan 2 2024, 7:36 PM)