Firewall group names that contain the '+' character break the config
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	n.fort
	Apr 9 2024, 12:10 PM

Description

In 1.3, for firewall groups it is used ipset, and it supports character +. But in nftables, present in 1.4, this is not supported
So upgrading from working config in 1.3 results in configuration error in 1.4
For example:

vyos@Equuleus:~$ show config comm | grep firewall
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group address-group _MAIN address '10.10.10.10'
set firewall group network-group LAN+VLANS network '198.51.100.0/24'
set firewall group network-group LAN+VLANS network '192.0.2.0/24'
set firewall group network-group LAN+VLANS network '203.0.113.0/24'
set firewall group network-group _FOO network '1.1.1.0/24'
set firewall group port-group PG_01 port '55'
set firewall group port-group PG_01 port '66'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name BAR default-action 'drop'
set firewall name BAR rule 101 action 'accept'
set firewall name BAR rule 101 destination group network-group 'LAN+VLANS'
set firewall name BAR rule 101 source group address-group '_MAIN'
set firewall name FOO default-action 'drop'
set firewall name FOO rule 10 action 'accept'
set firewall name FOO rule 10 destination group port-group 'PG_01'
set firewall name FOO rule 10 protocol 'tcp'
set firewall name FOO+BAR default-action 'drop'
set firewall name FOO+BAR rule 10 action 'drop'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth2 firewall in name 'FOO'
set interfaces ethernet eth3 firewall in name 'BAR'
set interfaces ethernet eth3 firewall out name 'BAR'
vyos@Equuleus:~$ sudo ipset -L | grep Name
Name: _MAIN
Name: PG_01
Name: _FOO
Name: LAN+VLANS
vyos@Equuleus:~$ 
vyos@Equuleus:~$ sudo iptables -S | grep "FOO\|BAR"
-N BAR
-N FOO+BAR
-N FOO
-A VYATTA_FW_OUT_HOOK -o eth3 -j BAR
-A VYATTA_FW_IN_HOOK -i eth3 -j BAR
-A VYATTA_FW_IN_HOOK -i eth2 -j FOO
-A BAR -m set --match-set _MAIN src -m set --match-set LAN+VLANS dst -m comment --comment BAR-101 -j RETURN
-A BAR -m comment --comment "BAR-1000000 default-action drop" -j DROP
-A FOO+BAR -m comment --comment "FOO+BAR-10" -j DROP
-A FOO+BAR -m comment --comment "FOO+BAR-1000000 default-action drop" -j DROP
-A FOO -p tcp -m set --match-set PG_01 dst -m comment --comment FOO-10 -j RETURN
-A FOO -m comment --comment "FOO-1000000 default-action drop" -j DROP
vyos@Equuleus:~$ 


And after upgrade to epa2:
[   27.787444] vyos-router[1125]: Waiting for NICs to settle down: settled in 0sec..
[   31.555061] vyos-router[1125]: Mounting VyOS Config...done.
[   45.263905] vyos-router[1125]: Starting VyOS router: migrate configure failed!
[   46.184097] vyos-config[1131]: Configuration error

Welcome to VyOS - Equuleus ttyS0

Equuleus login

Then, loading config, and commit:

vyos@Equuleus:~$ conf
WARNING: There was a config error on boot: saving the configuration now could overwrite data.
You may want to check and reload the boot config
[edit]
vyos@Equuleus# load
Loading configuration from 'config.boot'
Load complete. Use 'commit' to make changes effective.
[edit]
vyos@Equuleus# commit

Failed to apply configuration: /run/nftables-ct.conf:108:14-14: Error:
syntax error, unexpected +, expecting '{'     set N_LAN+VLANS {
^ /run/nftables-ct.conf:109:9-12: Error: syntax error, unexpected type
type ipv4_addr         ^^^^ /run/nftables-ct.conf:110:15-22: Error:
syntax error, unexpected interval, expecting string         flags
interval               ^^^^^^^^ /run/nftables-ct.conf:111:9-18: Error:
syntax error, unexpected auto-merge         auto-merge
^^^^^^^^^^ /run/nftables-ct.conf:112:9-16: Error: syntax error,
unexpected elements         elements = { 198.51.100.0/24 }
^^^^^^^^ /run/nftables-ct.conf:114:16-16: Error: syntax error,
unexpected '{', expecting string or last     set N__FOO {
^ /run/nftables-ct.conf:115:9-12: Error: syntax error, unexpected type
type ipv4_addr         ^^^^ /run/nftables-ct.conf:116:9-13: Error:
syntax error, unexpected flags         flags interval         ^^^^^
/run/nftables-ct.conf:117:9-18: Error: syntax error, unexpected auto-
merge         auto-merge         ^^^^^^^^^^ /run/nftables-
ct.conf:118:9-16: Error: syntax error, unexpected elements
elements = { 1.1.1.0/24 }         ^^^^^^^^

[[system conntrack]] failed
[ firewall group address-group _MAIN ]


[ firewall group address-group _MAIN ]
Invalid value  

[[firewall]] failed
Commit failed  
[edit]
vyos@Equuleus#

Details

Version: vyos-1.4.0-epa2, 1.5-rolling-202404090019
Is it a breaking change?: Config syntax change (migratable)
Issue type: Bug (incorrect behavior)

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Open	BUG	dmbaturin	T5938 Migration fail root task for 1.4-rc
		Resolved	BUG	n.fort	T6216 Firewall group names that contain the '+' character break the config

Event Timeline

n.fort created this task.Apr 9 2024, 12:10 PM

n.fort changed the task status from Open to Confirmed.

n.fort triaged this task as High priority.

n.fort added a parent task: T5938: Migration fail root task for 1.4-rc.Apr 9 2024, 12:20 PM

PR: https://github.com/vyos/vyos-1x/pull/3290

n.fort changed the task status from Confirmed to In progress.Apr 10 2024, 2:01 PM

pasik subscribed.Apr 10 2024, 2:10 PM

n.fort claimed this task.Apr 10 2024, 2:34 PM

Restricted Repository Identity mentioned this in rVYOSONEX869a94fce6e1: Merge pull request #3290 from nicolas-fort/T6216.Apr 11 2024, 3:40 PM

n.fort mentioned this in rVYOSONEX36baf771b8ea: T6216: firewall: add patch while migrating from 1.3 to 1.4 in order to avoid….Apr 11 2024, 3:40 PM

Restricted Repository Identity mentioned this in rVYOSONEXea32a6f62e04: T6216: firewall: add patch while migrating from 1.3 to 1.4 in order to avoid….Apr 11 2024, 3:40 PM

Restricted Repository Identity mentioned this in rVYOSONEXf37bfac9c020: Merge pull request #3294 from vyos/mergify/bp/sagitta/pr-3290.Apr 11 2024, 3:41 PM

dmbaturin closed this task as Resolved.Apr 12 2024, 2:50 PM

dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.5 Circinus, VyOS 1.4 Sagitta.

dmbaturin renamed this task from Upgrade error from 1.3 to 1.4 - Firewall using character '+' to Firewall group names that contain the '+' character break the config.May 11 2024, 6:43 PM

dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Config syntax change (migratable).

Firewall group names that contain the '+' character break the configClosed, ResolvedPublicBUGActions

Description

Details

Related ObjectsSearch...

Event Timeline

Firewall group names that contain the '+' character break the config
Closed, ResolvedPublicBUG
Actions

Related Objects
Search...