I added a rule to dynamically add the source address to the dynamic address group through the command line.
# set firewall ipv4 name WAN_IN rule 30 action continue
# set firewall ipv4 name WAN_IN rule 30 add-address-to-group source-address timeout 1m
# set firewall ipv4 name WAN_IN rule 30 add-address-to-group source-address address-group tempGroup
# set firewall ipv4 name WAN_IN rule 30 icmp
# set firewall ipv4 name WAN_IN rule 30 packet-length 1052
The following is the content added to the configuration file:
# show
+ rule 30 {
+     action continue
+     add-address-to-group {
+         source-address {
+             address-group tempGroup
+             timeout 1m
+         }
+     }
+     icmp {
+     }
+     packet-length 1052
+ }
When I execute 'commit', the VyOS system reports an error. The error is as follows:
# commit
Failed to apply firewall: /run/nftables.conf:45:65-77: Error: No such file or directory; did you mean set ‘DA_tempGroup’ in table ip ‘vyos_conntrack’?
ip length {1052} counter set update ip saddr timeout 1m @DA_tempGroup continue comment "ipv4-NAM-WAN_IN-30"
                                                        ^^^^^^^^^^^^^
[[firewall]] failed
Commit failed
When I create the dynamic address group manually and then commit, everything works fine.
# set firewall group dynamic-group address-group tempGroup
# commit
My suggestion: when the user uses a dynamic (static) address group when creating a firewall rule, first check whether the address group exists. If it does not exist, tell the user to create it, or the system automatically creates the address group for the user.
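The pre-commit check suggested above, as an added shell example that is not part of this report or of VyOS itself: it scans `show configuration commands` style output for dynamic address groups referenced by `add-address-to-group` rules and reports any that have no matching `set firewall group dynamic-group address-group` line. The sample configuration is constructed from the commands in this report (the group definition is deliberately missing), and the function name is my own.

```shell
#!/bin/sh
# Constructed sample of `show configuration commands` output, reproducing the
# state in the report: rule 30 references tempGroup, but no line defines it.
SAMPLE_CONFIG='set firewall ipv4 name WAN_IN rule 30 action continue
set firewall ipv4 name WAN_IN rule 30 add-address-to-group source-address timeout 1m
set firewall ipv4 name WAN_IN rule 30 add-address-to-group source-address address-group tempGroup
set firewall ipv4 name WAN_IN rule 30 icmp
set firewall ipv4 name WAN_IN rule 30 packet-length 1052'

# Read configuration commands from stdin and print every dynamic address-group
# name that an add-address-to-group rule references (source-address or
# destination-address) but that no dynamic-group definition line creates.
# Returns 1 if at least one group is missing, 0 otherwise.
missing_dynamic_groups() {
    cfg=$(cat)
    referenced=$(printf '%s\n' "$cfg" \
        | sed -n 's/.* add-address-to-group [a-z-]*-address address-group \([^ ]*\).*/\1/p' \
        | sort -u)
    defined=$(printf '%s\n' "$cfg" \
        | sed -n 's/^set firewall group dynamic-group address-group \([^ ]*\).*/\1/p' \
        | sort -u)
    rc=0
    for g in $referenced; do
        if ! printf '%s\n' "$defined" | grep -qx "$g"; then
            echo "$g"
            rc=1
        fi
    done
    return $rc
}

# Run the check against the constructed sample; on a live system the input
# would be the output of `show configuration commands | grep firewall`.
printf '%s\n' "$SAMPLE_CONFIG" | missing_dynamic_groups \
    || echo "commit would fail: define the dynamic group(s) listed above first"
```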