Firewall dynamic address group - no op-mode command
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	n.fort
	Mon, Apr 22, 3:08 PM

Description

We need to add an op-mode command, or improve existing one, in order to print members of dynamic firewall groups.
Config example:

vyos@CGNAT# run show config comm | grep firewall
set firewall group dynamic-group address-group DYN-01
set firewall group dynamic-group address-group DYN-02
set firewall ipv4 input filter rule 10 action 'drop'
set firewall ipv4 input filter rule 10 add-address-to-group source-address address-group 'DYN-01'
set firewall ipv4 input filter rule 10 add-address-to-group source-address timeout '10s'
set firewall ipv4 input filter rule 10 destination port '1010'
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 20 action 'drop'
set firewall ipv4 input filter rule 20 add-address-to-group source-address address-group 'DYN-02'
set firewall ipv4 input filter rule 20 add-address-to-group source-address timeout '2m'
set firewall ipv4 input filter rule 20 destination port '2020'
set firewall ipv4 input filter rule 20 protocol 'tcp'
set firewall ipv4 input filter rule 20 source group dynamic-address-group 'DYN-01'
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 source group dynamic-address-group 'DYN-02'

Content of dynamic group during test:

vyos@CGNAT# sudo nft list table ip vyos_filter
table ip vyos_filter {
        set DA_DYN-01 {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                elements = { 192.168.77.39 timeout 10s expires 2s848ms }
        }

        set DA_DYN-02 {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                elements = { 192.168.0.245 timeout 2m expires 1m46s42ms, 192.168.77.39 timeout 2m expires 1m59s24ms }
        }

        chain VYOS_FORWARD_filter {
                type filter hook forward priority filter; policy accept;
                counter packets 0 bytes 0 accept comment "FWD-filter default-action accept"
        }

        chain VYOS_INPUT_filter {
                type filter hook input priority filter; policy accept;
                tcp dport 1010 counter packets 4 bytes 240 update @DA_DYN-01 { ip saddr timeout 10s } drop comment "ipv4-INP-filter-10"
                tcp dport 2020 ip saddr @DA_DYN-01 counter packets 6 bytes 360 update @DA_DYN-02 { ip saddr timeout 2m } drop comment "ipv4-INP-filter-20"
                ip saddr @DA_DYN-02 counter packets 5 bytes 260 accept comment "ipv4-INP-filter-30"
                counter packets 95 bytes 8256 accept comment "INP-filter default-action accept"
        }
...

Current output of show firewall group doesn't include members and timeout of these groups:

vyos@CGNAT# run show firewall group 
Firewall Groups

Name    Type                    References            Members
------  ----------------------  --------------------  ---------
DYN-01  address_group(dynamic)  ipv4-input-filter-10  N/D
DYN-02  address_group(dynamic)  ipv4-input-filter-20  N/D
[edit]
vyos@CGNAT#

Maybe a valid proposal for printing groups could be something like this:

vyos@vyos:~$ show firewall group
Firewall Groups

Name         Type                    References            Members            Timeout    Expires
-----------  ----------------------  --------------------  -----------------  ---------  ---------
FOO          address_group           N/D                   1.1.1.1            N/D        N/D
                                                           2.2.2.2
allowed_ssh  address_group(dynamic)  ipv4-input-filter-30  192.168.77.39       82800     82578
                                                           198.51.100.99       82800     15698
knock_01     address_group(dynamic)  ipv4-input-filter-10
knock_02     address_group(dynamic)  ipv4-input-filter-20
vyos@vyos:~$

Details

Difficulty level: Unknown (require assessment)
Version: 1.4.0-epa2, 1.5-rolling-202404220020
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Improvement (missing useful functionality)

Event Timeline

n.fort created this task.Mon, Apr 22, 3:08 PM

pasik added a subscriber: pasik.Mon, Apr 22, 3:27 PM

Viacheslav triaged this task as Normal priority.Tue, Apr 23, 9:22 AM

sarthurdev claimed this task.Thu, Apr 25, 1:59 PM

PR: https://github.com/vyos/vyos-1x/pull/3369

c-po closed this task as Resolved.Wed, May 1, 3:47 PM

c-po moved this task from In Progress to Finished on the VyOS 1.5 Circinus board.

c-po moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-epa3) board.

Firewall dynamic address group - no op-mode commandClosed, ResolvedPublicBUGActions

Description

Details

Event Timeline

Firewall dynamic address group - no op-mode command
Closed, ResolvedPublicBUG
Actions