We need to add an op-mode command, or improve the existing one, in order to print the members of dynamic firewall groups.
Config example:
vyos@CGNAT# run show config comm | grep firewall
set firewall group dynamic-group address-group DYN-01
set firewall group dynamic-group address-group DYN-02
set firewall ipv4 input filter rule 10 action 'drop'
set firewall ipv4 input filter rule 10 add-address-to-group source-address address-group 'DYN-01'
set firewall ipv4 input filter rule 10 add-address-to-group source-address timeout '10s'
set firewall ipv4 input filter rule 10 destination port '1010'
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 20 action 'drop'
set firewall ipv4 input filter rule 20 add-address-to-group source-address address-group 'DYN-02'
set firewall ipv4 input filter rule 20 add-address-to-group source-address timeout '2m'
set firewall ipv4 input filter rule 20 destination port '2020'
set firewall ipv4 input filter rule 20 protocol 'tcp'
set firewall ipv4 input filter rule 20 source group dynamic-address-group 'DYN-01'
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 source group dynamic-address-group 'DYN-02'
Content of the dynamic groups during the test:
vyos@CGNAT# sudo nft list table ip vyos_filter
table ip vyos_filter {
    set DA_DYN-01 {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        elements = { 192.168.77.39 timeout 10s expires 2s848ms }
    }
    set DA_DYN-02 {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        elements = { 192.168.0.245 timeout 2m expires 1m46s42ms,
                     192.168.77.39 timeout 2m expires 1m59s24ms }
    }
    chain VYOS_FORWARD_filter {
        type filter hook forward priority filter; policy accept;
        counter packets 0 bytes 0 accept comment "FWD-filter default-action accept"
    }
    chain VYOS_INPUT_filter {
        type filter hook input priority filter; policy accept;
        tcp dport 1010 counter packets 4 bytes 240 update @DA_DYN-01 { ip saddr timeout 10s } drop comment "ipv4-INP-filter-10"
        tcp dport 2020 ip saddr @DA_DYN-01 counter packets 6 bytes 360 update @DA_DYN-02 { ip saddr timeout 2m } drop comment "ipv4-INP-filter-20"
        ip saddr @DA_DYN-02 counter packets 5 bytes 260 accept comment "ipv4-INP-filter-30"
        counter packets 95 bytes 8256 accept comment "INP-filter default-action accept"
    }
    ...
The current output of show firewall group does not include the members or timeouts of these groups:
vyos@CGNAT# run show firewall group
Firewall Groups

Name    Type                    References            Members
------  ----------------------  --------------------  ---------
DYN-01  address_group(dynamic)  ipv4-input-filter-10  N/D
DYN-02  address_group(dynamic)  ipv4-input-filter-20  N/D
[edit]
vyos@CGNAT#
A possible format for printing the groups, including members, timeout and expiry, could be something like this:
vyos@vyos:~$ show firewall group
Firewall Groups

Name         Type                    References            Members            Timeout    Expires
-----------  ----------------------  --------------------  -----------------  ---------  ---------
FOO          address_group           N/D                   1.1.1.1            N/D        N/D
                                                           2.2.2.2
allowed_ssh  address_group(dynamic)  ipv4-input-filter-30  192.168.77.39      82800      82578
                                                           198.51.100.99      82800      15698
knock_01     address_group(dynamic)  ipv4-input-filter-10
knock_02     address_group(dynamic)  ipv4-input-filter-20
vyos@vyos:~$
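As an added illustration (not VyOS code and not part of this task), one way to obtain the Members/Timeout/Expires values the proposed table needs is to parse the `nft list table` text shown above, per set flagged `dynamic`, and convert nft durations such as `1m46s42ms` to seconds. The sample output is constructed in the shape of the listing above, and the mapping of a dynamic address-group `G` to a set named `DA_G` is an assumption taken from that listing.

```python
import re
# Constructed sample in the shape of the `nft list table ip vyos_filter` output above
NFT_OUTPUT = """table ip vyos_filter {
    set DA_DYN-01 {
        type ipv4_addr
        flags dynamic,timeout
        elements = { 192.168.77.39 timeout 10s expires 2s848ms }
    }
    set DA_DYN-02 {
        flags dynamic,timeout
        elements = { 192.168.0.245 timeout 2m expires 1m46s42ms,
                     192.168.77.39 timeout 2m expires 1m59s24ms }
    }
    set DA_DYN-03 {
        flags dynamic,timeout
    }
    set STATIC {
        elements = { 203.0.113.7 }
    }
}
"""

UNIT_MS = {'d': 86_400_000, 'h': 3_600_000, 'm': 60_000, 's': 1_000, 'ms': 1}
DURATION_RE = re.compile(r'(\d+)(ms|d|h|m|s)')

def parse_duration(text):
    """Convert an nft duration such as '1m46s42ms' into seconds."""
    if not re.fullmatch(r'(?:\d+(?:ms|d|h|m|s))+', text):
        raise ValueError(f'unrecognised nft duration: {text!r}')
    return sum(int(n) * UNIT_MS[u] for n, u in DURATION_RE.findall(text)) / 1000

def dynamic_group_members(nft_text):
    """Return {group: [(address, timeout_s, expires_s), ...]} for every set flagged 'dynamic'."""
    groups = {}
    for m in re.finditer(r'^\s*set (\S+) \{(.*?)\n\s*\}', nft_text, re.S | re.M):
        name, body = m.group(1), m.group(2)
        flags = re.search(r'^\s*flags (\S+)', body, re.M)
        if not flags or 'dynamic' not in flags.group(1).split(','):
            continue  # static sets are already listed by the existing command
        elems = re.search(r'elements = \{(.*?)\}', body, re.S)
        members = []
        for item in (elems.group(1).split(',') if elems else []):
            addr, *attrs = item.split()
            kv = dict(zip(attrs[0::2], attrs[1::2]))  # e.g. {'timeout': '2m', 'expires': '1m46s42ms'}
            dur = lambda key: parse_duration(kv[key]) if key in kv else None
            members.append((addr, dur('timeout'), dur('expires')))
        # Assumption: a dynamic address-group <G> is backed by the set DA_<G>, as in the output above
        groups[name[3:] if name.startswith('DA_') else name] = members
    return groups
```

A group whose set currently holds no elements (DYN-03 here) comes back with an empty list, which is the case the proposed table shows as a row with blank member columns.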