Page MenuHomeVyOS Platform
Create Task
Maniphest T6329

Firewall - Error while printing groups
Closed, ResolvedPublicBUG
Actions

Description

Op-mode command show firewall group leads to an error if:

  1. Dynamic group is defined
  2. When using such dynamic group in firewall rules, timeout option is not defined.
  3. One or more items are dynamically added to the group.

Configuration example:

set firewall group dynamic-group address-group TEST
set firewall ipv4 input filter rule 2 action 'drop'
set firewall ipv4 input filter rule 2 add-address-to-group source-address address-group 'TEST'
set firewall ipv4 input filter rule 2 destination port '7777'
set firewall ipv4 input filter rule 2 protocol 'tcp'

Once a host (or more than one) initiaties a tcp connection and destination port 7777, source IP address is dynamically added to the group. Example of named set that is populated:

vyos@vyos# sudo nft list set ip vyos_filter DA_TEST
table ip vyos_filter {
        set DA_TEST {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                elements = { 192.168.0.245, 192.168.77.39 }
        }
}
[edit]
vyos@vyos#

And in this case, op-mode command does not work:

vyos@vyos# run show firewall group 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/firewall.py", line 648, in <module>
    show_firewall_group(args.name)
  File "/usr/libexec/vyos/op_mode/firewall.py", line 534, in show_firewall_group
    val = member.get('val', 'N/D')
          ^^^^^^^^^^
AttributeError: 'str' object has no attribute 'get'
[edit]
vyos@vyos#

Details

Version
1.5-rolling-202405100019
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

n.fort created this task.May 10 2024, 1:05 PM
n.fort changed the task status from Open to In progress.
n.fort claimed this task.
n.fort mentioned this in rVYOSONEX78fa1ec77a22: T6329: firewall: add a patch for op-mode command <show firewall group>.May 10 2024, 1:10 PM
pasik subscribed.May 10 2024, 1:38 PM
n.fort added a comment.May 10 2024, 1:39 PM

PR: https://github.com/vyos/vyos-1x/pull/3442

c-po added a project: VyOS 1.4 Sagitta (1.4.0-epa3).May 12 2024, 6:58 AM
c-po moved this task from Open to Finished on the VyOS 1.5 Circinus board.
c-po moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta (1.4.0-epa3) board.
Restricted Repository Identity mentioned this in rVYOSONEX47196ba9b493: T6329: firewall: use isinstance() in op-mode script.May 12 2024, 6:58 AM
Restricted Repository Identity mentioned this in rVYOSONEX5987a9a3475b: T6329: firewall: add a patch for op-mode command <show firewall group>.
c-po mentioned this in rVYOSONEXb705adc40b76: T6329: firewall: use isinstance() in op-mode script.May 12 2024, 6:58 AM
Restricted Repository Identity mentioned this in rVYOSONEX4fc9d38edecd: Merge pull request #3442 from nicolas-fort/T6329.May 12 2024, 6:58 AM
n.fort mentioned this in rVYOSONEX72c95ec1df8a: T6329: firewall: add a patch for op-mode command <show firewall group>.May 12 2024, 6:58 AM
Restricted Repository Identity mentioned this in rVYOSONEXb976dad08782: Merge pull request #3448 from vyos/mergify/bp/sagitta/pr-3442.May 12 2024, 9:18 AM
c-po closed this task as Resolved.May 12 2024, 6:43 PM
c-po moved this task from In Progress to Finished on the VyOS 1.4 Sagitta (1.4.0-epa3) board.