Add appropriate constraints in the XML definitions for firewall groups.
Ensure that what is supported in 1.3 is also supported in the latest versions.
Example:
- Supported in 1.3:
```
vyos@vyos# run show config comm | grep firewall
set firewall group network-group FOO+BAR network '10.1.1.0/24'
set firewall group network-group I.NV network '10.1.1.0/24'
set firewall group network-group LAN+VLAN-side network '192.168.0.0/24'
set firewall name TEST rule 10 action 'accept'
set firewall name TEST rule 10 destination group network-group 'I.NV'
set firewall name TEST rule 10 source group network-group 'LAN+VLAN-side'
[edit]
vyos@vyos# sudo iptables -S | grep TEST
-N TEST
-A TEST -m set --match-set LAN+VLAN-side src -m set --match-set I.NV dst -m comment --comment TEST-10 -j RETURN
-A TEST -m comment --comment "TEST-1000000 default-action drop" -j DROP
[edit]
vyos@vyos# sudo ipset -L | grep Name
Name: FOO+BAR
Name: I.NV
Name: LAN+VLAN-side
[edit]
vyos@vyos#
```
- Not supported in the latest versions, and the error message is also not clear:
```
vyos@vyos# set firewall group network-group LAN+VLAN-side network 10.1.1.0/24
Invalid value
Value validation failed
Set failed
[edit]
vyos@vyos#
```
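
A sketch of the kind of check this report asks for, added here as an illustration and not taken from the VyOS code base: it runs the group names from the 1.3 session through a candidate constraint and returns a message that names the offending character instead of a bare "Invalid value". Both regular expressions and the function names are assumptions chosen for the example; the 31-character limit is ipset's own set-name limit.

```python
import re

# Group names the 1.3 session in this report accepted.
LEGACY_NAMES = ["FOO+BAR", "I.NV", "LAN+VLAN-side"]

# Hypothetical patterns for illustration; not VyOS's actual constraints.
STRICT = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")     # rejects '+' and '.'
RELAXED = re.compile(r"[A-Za-z0-9][A-Za-z0-9_+.-]*")  # keeps the 1.3 names valid

IPSET_MAXNAMELEN = 31  # ipset limits set names to 31 characters


def check_group_name(name, pattern=RELAXED):
    """Return None if the name is acceptable, else a message naming the problem."""
    if not name:
        return "group name must not be empty"
    if len(name) > IPSET_MAXNAMELEN:
        return f"group name '{name}' is longer than {IPSET_MAXNAMELEN} characters"
    if pattern.fullmatch(name):
        return None
    # A leading '-' would be read as an option by iptables/ipset, so the
    # first character is restricted to letters and digits in both patterns.
    if not re.match(r"[A-Za-z0-9]", name):
        return f"group name '{name}' must start with a letter or digit"
    # Find the first character the pattern does not allow.
    for i in range(1, len(name) + 1):
        if not pattern.fullmatch(name[:i]):
            return (f"group name '{name}': character '{name[i - 1]}' "
                    f"at position {i} is not allowed")
    return f"group name '{name}' is not allowed"


def regressions(pattern):
    """Names valid in 1.3 that the given pattern would reject after an upgrade."""
    return [n for n in LEGACY_NAMES if check_group_name(n, pattern)]


if __name__ == "__main__":
    print("rejected by STRICT: ", regressions(STRICT))
    print("rejected by RELAXED:", regressions(RELAXED))
    print(check_group_name("LAN+VLAN-side", STRICT))
```

Running `regressions()` against every proposed constraint before it ships catches the upgrade breakage shown above, while whitespace and shell metacharacters in a name are still rejected.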