The op-mode command show firewall group fails with an error if:
- A dynamic group is defined.
- That dynamic group is used in a firewall rule, and the rule's timeout option is not defined.
- One or more items have been dynamically added to the group.
Configuration example:
set firewall group dynamic-group address-group TEST
set firewall ipv4 input filter rule 2 action 'drop'
set firewall ipv4 input filter rule 2 add-address-to-group source-address address-group 'TEST'
set firewall ipv4 input filter rule 2 destination port '7777'
set firewall ipv4 input filter rule 2 protocol 'tcp'
Once one or more hosts initiate a TCP connection to destination port 7777, their source IP addresses are dynamically added to the group. Example of the named set that is populated:
vyos@vyos# sudo nft list set ip vyos_filter DA_TEST
table ip vyos_filter {
set DA_TEST {
type ipv4_addr
size 65535
flags dynamic,timeout
elements = { 192.168.0.245, 192.168.77.39 }
}
}
[edit]
vyos@vyos#
And in this case, the op-mode command does not work:
vyos@vyos# run show firewall group
Traceback (most recent call last):
File "/usr/libexec/vyos/op_mode/firewall.py", line 648, in <module>
show_firewall_group(args.name)
File "/usr/libexec/vyos/op_mode/firewall.py", line 534, in show_firewall_group
val = member.get('val', 'N/D')
^^^^^^^^^^
AttributeError: 'str' object has no attribute 'get'
[edit]
vyos@vyos#
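The traceback shows the root cause: the op-mode script iterates over the set's elements from the nft JSON output and calls .get('val') on each one, but a member that was added without a timeout is encoded as a bare string, not a dict, so .get() raises AttributeError. The following is an added example (not VyOS's own firewall.py code) of normalising set members so that bare-string, timeout-wrapped, range and prefix encodings are all rendered without crashing. The JSON shape is assumed from the libnftables JSON schema (bare value for plain members, {"elem": {"val": ..., "expires": ...}} for members with timeout data, {"range": [...]} and {"prefix": {...}} for ranges and prefixes); the sample document below is constructed, and its version numbers are placeholders.

```python
import json

# Constructed sample of `nft -j list set ip vyos_filter DA_TEST` output.
# Assumption: libnftables encodes plain members as bare strings and members
# carrying timeout/expiry data as {"elem": {"val": ..., "expires": ...}}.
# Ranges and prefixes appear as {"range": [...]} and {"prefix": {...}}.
# The metainfo versions below are placeholders, not real values.
SAMPLE_NFT_JSON = json.dumps({
    "nftables": [
        {"metainfo": {"version": "x.y.z", "json_schema_version": 1}},
        {"set": {
            "family": "ip", "name": "DA_TEST", "table": "vyos_filter",
            "type": "ipv4_addr", "size": 65535,
            "flags": ["dynamic", "timeout"],
            "elem": [
                "192.168.0.245",                                       # added without timeout: bare string
                {"elem": {"val": "192.168.77.39", "expires": 3540}},  # added with timeout: dict
                {"range": ["10.0.0.1", "10.0.0.9"]},                  # range member
                {"prefix": {"addr": "172.16.0.0", "len": 12}},        # prefix member
            ],
        }},
    ]
})


def member_to_str(member):
    """Render one set element regardless of how libnftables encoded it."""
    if isinstance(member, str):
        # Bare value: the case that made `member.get('val', 'N/D')` crash.
        return member
    if isinstance(member, int):
        # Integer members (e.g. port sets) are also bare scalars.
        return str(member)
    if not isinstance(member, dict):
        return "N/D"
    if "elem" in member:
        inner = member["elem"]
        val = member_to_str(inner.get("val", "N/D"))
        expires = inner.get("expires")
        return f"{val} (expires in {expires}s)" if expires is not None else val
    if "range" in member:
        lo, hi = member["range"]
        return f"{lo}-{hi}"
    if "prefix" in member:
        return f"{member['prefix']['addr']}/{member['prefix']['len']}"
    return "N/D"


def list_set_members(nft_json_text, table, name):
    """Return the rendered members of the named set, or [] if it is absent."""
    doc = json.loads(nft_json_text)
    for obj in doc.get("nftables", []):
        s = obj.get("set")
        if s and s.get("table") == table and s.get("name") == name:
            return [member_to_str(m) for m in s.get("elem", [])]
    return []


if __name__ == "__main__":
    for line in list_set_members(SAMPLE_NFT_JSON, "vyos_filter", "DA_TEST"):
        print(line)
```

Checking the element's type before calling dict methods is the whole fix; the same guard belongs anywhere the op-mode code walks nft JSON, since the bare-string form appears whenever a dynamic rule has no timeout configured.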