
Upgrade error from 1.3 to 1.4 - Firewall using character '+'
Status: Closed, Resolved | Visibility: Public | Type: BUG

Description

In 1.3, firewall groups are implemented with ipset, which supports the '+' character in set names. nftables, used in 1.4, does not support it.
So upgrading a working config from 1.3 results in a configuration error in 1.4.
For example:

vyos@Equuleus:~$ show config comm | grep firewall
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group address-group _MAIN address '10.10.10.10'
set firewall group network-group LAN+VLANS network '198.51.100.0/24'
set firewall group network-group LAN+VLANS network '192.0.2.0/24'
set firewall group network-group LAN+VLANS network '203.0.113.0/24'
set firewall group network-group _FOO network '1.1.1.0/24'
set firewall group port-group PG_01 port '55'
set firewall group port-group PG_01 port '66'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name BAR default-action 'drop'
set firewall name BAR rule 101 action 'accept'
set firewall name BAR rule 101 destination group network-group 'LAN+VLANS'
set firewall name BAR rule 101 source group address-group '_MAIN'
set firewall name FOO default-action 'drop'
set firewall name FOO rule 10 action 'accept'
set firewall name FOO rule 10 destination group port-group 'PG_01'
set firewall name FOO rule 10 protocol 'tcp'
set firewall name FOO+BAR default-action 'drop'
set firewall name FOO+BAR rule 10 action 'drop'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth2 firewall in name 'FOO'
set interfaces ethernet eth3 firewall in name 'BAR'
set interfaces ethernet eth3 firewall out name 'BAR'
vyos@Equuleus:~$ sudo ipset -L | grep Name
Name: _MAIN
Name: PG_01
Name: _FOO
Name: LAN+VLANS
vyos@Equuleus:~$ 
vyos@Equuleus:~$ sudo iptables -S | grep "FOO\|BAR"
-N BAR
-N FOO+BAR
-N FOO
-A VYATTA_FW_OUT_HOOK -o eth3 -j BAR
-A VYATTA_FW_IN_HOOK -i eth3 -j BAR
-A VYATTA_FW_IN_HOOK -i eth2 -j FOO
-A BAR -m set --match-set _MAIN src -m set --match-set LAN+VLANS dst -m comment --comment BAR-101 -j RETURN
-A BAR -m comment --comment "BAR-1000000 default-action drop" -j DROP
-A FOO+BAR -m comment --comment "FOO+BAR-10" -j DROP
-A FOO+BAR -m comment --comment "FOO+BAR-1000000 default-action drop" -j DROP
-A FOO -p tcp -m set --match-set PG_01 dst -m comment --comment FOO-10 -j RETURN
-A FOO -m comment --comment "FOO-1000000 default-action drop" -j DROP
vyos@Equuleus:~$ 


And after upgrade to epa2:
[   27.787444] vyos-router[1125]: Waiting for NICs to settle down: settled in 0sec..
[   31.555061] vyos-router[1125]: Mounting VyOS Config...done.
[   45.263905] vyos-router[1125]: Starting VyOS router: migrate configure failed!
[   46.184097] vyos-config[1131]: Configuration error

Welcome to VyOS - Equuleus ttyS0

Equuleus login

Then, loading the config and committing:

vyos@Equuleus:~$ conf
WARNING: There was a config error on boot: saving the configuration now could overwrite data.
You may want to check and reload the boot config
[edit]
vyos@Equuleus# load
Loading configuration from 'config.boot'
Load complete. Use 'commit' to make changes effective.
[edit]
vyos@Equuleus# commit

Failed to apply configuration: /run/nftables-ct.conf:108:14-14: Error: syntax error, unexpected +, expecting '{'
    set N_LAN+VLANS {
             ^
/run/nftables-ct.conf:109:9-12: Error: syntax error, unexpected type
        type ipv4_addr
        ^^^^
/run/nftables-ct.conf:110:15-22: Error: syntax error, unexpected interval, expecting string
        flags interval
              ^^^^^^^^
/run/nftables-ct.conf:111:9-18: Error: syntax error, unexpected auto-merge
        auto-merge
        ^^^^^^^^^^
/run/nftables-ct.conf:112:9-16: Error: syntax error, unexpected elements
        elements = { 198.51.100.0/24 }
        ^^^^^^^^
/run/nftables-ct.conf:114:16-16: Error: syntax error, unexpected '{', expecting string or last
    set N__FOO {
               ^
/run/nftables-ct.conf:115:9-12: Error: syntax error, unexpected type
        type ipv4_addr
        ^^^^
/run/nftables-ct.conf:116:9-13: Error: syntax error, unexpected flags
        flags interval
        ^^^^^
/run/nftables-ct.conf:117:9-18: Error: syntax error, unexpected auto-merge
        auto-merge
        ^^^^^^^^^^
/run/nftables-ct.conf:118:9-16: Error: syntax error, unexpected elements
        elements = { 1.1.1.0/24 }
        ^^^^^^^^

[[system conntrack]] failed
[ firewall group address-group _MAIN ]


[ firewall group address-group _MAIN ]
Invalid value  

[[firewall]] failed
Commit failed  
[edit]
vyos@Equuleus#
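The failure above happens only after the upgrade, at boot, when the migrated config is rendered into `/run/nftables-ct.conf` and nft rejects the set names. A cheaper place to catch it is on the 1.3 box before upgrading, by scanning `show configuration commands` output for firewall group and chain names that the nftables backend will not accept. The script below is an added example, not VyOS project code or one of its migration scripts. The allowed-name pattern `SAFE_NAME` is a conservative assumption rather than a quotation of the nft grammar: it accepts names that start with a letter and contain only letters, digits, `_` and `-`, which flags the `+` names that broke here and also the leading-underscore names (`_MAIN`, `_FOO`) that the commit above reports as "Invalid value". `SAMPLE_CONFIG` is constructed from the listing in the report.

```python
#!/usr/bin/env python3
"""Pre-upgrade check for VyOS 1.3 -> 1.4 firewall object names.

Added example (not VyOS code). Scans `show configuration commands`
output for firewall group and chain names that the nftables backend in
1.4 is likely to reject, so they can be renamed on 1.3 before the
upgrade instead of failing during boot-time migration.
"""
import re
import sys

# Conservative assumption, not the nft grammar: a name must start with a
# letter and contain only letters, digits, '_' or '-'.
SAFE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")

# Definitions appear unquoted:
#   set firewall group <kind> <name> ...
#   set firewall name <name> ...   /   set firewall ipv6-name <name> ...
GROUP_RE = re.compile(r"^set firewall group (\S+) (\S+)")
CHAIN_RE = re.compile(r"^set firewall (name|ipv6-name) (\S+)")

# Constructed sample, taken from the report's 1.3 listing.
SAMPLE_CONFIG = """\
set firewall group address-group _MAIN address '10.10.10.10'
set firewall group network-group LAN+VLANS network '198.51.100.0/24'
set firewall group network-group _FOO network '1.1.1.0/24'
set firewall group port-group PG_01 port '55'
set firewall name BAR default-action 'drop'
set firewall name BAR rule 101 destination group network-group 'LAN+VLANS'
set firewall name BAR rule 101 source group address-group '_MAIN'
set firewall name FOO+BAR default-action 'drop'
set interfaces ethernet eth3 firewall in name 'BAR'
"""


def suggested_rename(name):
    """Propose a replacement name: symbols outside the safe set become
    '_', and a name that does not start with a letter gets a 'G' prefix.
    This is only a suggestion; the operator must check for collisions."""
    candidate = re.sub(r"[^A-Za-z0-9_-]", "_", name)
    if not re.match(r"^[A-Za-z]", candidate):
        candidate = "G" + candidate
    return candidate


def find_unsafe_names(config_text):
    """Return a sorted list of (object, name, suggestion) tuples for every
    firewall group or chain definition whose name fails SAFE_NAME."""
    seen = {}
    for line in config_text.splitlines():
        line = line.strip()
        m = GROUP_RE.match(line)
        if m:
            obj, name = f"group {m.group(1)}", m.group(2)
        else:
            m = CHAIN_RE.match(line)
            if not m:
                continue
            obj, name = m.group(1), m.group(2)
        if not SAFE_NAME.match(name):
            seen[(obj, name)] = suggested_rename(name)
    return sorted((o, n, s) for (o, n), s in seen.items())


def references(config_text, name):
    """Lines that reference `name` as a quoted value (rule matches and
    interface bindings). These must be renamed together with the
    definition, otherwise the rename itself breaks the config."""
    needle = f"'{name}'"
    return [ln.strip() for ln in config_text.splitlines() if needle in ln]


def main(argv):
    # Read a saved `show configuration commands` dump, or use the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONFIG
    findings = find_unsafe_names(text)
    for obj, name, suggestion in findings:
        print(f"{obj} {name}: rename to {suggestion} "
              f"({len(references(text, name))} quoted reference(s))")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_fw_names.py config-commands.txt` on a dump produced by `show configuration commands`; a non-zero exit means at least one name needs renaming before the image upgrade. The `references` count tells the operator how many `set ... group ... 'NAME'` and interface-binding lines must change along with the definition.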

Details

Difficulty level: Unknown (requires assessment)
Version: vyos-1.4.0-epa2, 1.5-rolling-202404090019
Why did the issue appear? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)