
Deleting a Firewall address-group object that is tied to a NAT rule or other resources doesn't error out, it hangs.
Open, Normal, Public, BUG

Description

Running a release of VyOS 1.5 here at home, and appear to be having issues with deleting firewall address-groups that are part of other resources, like NAT rules. I went to delete an address-group entry that was still acting as a source group for a NAT rule, and did not get an error here when I went to commit. Rather, the commit just hung permanently. My expectation here would be that the commit checks fail before the commit hangs, and it spits out an error that there's an existing reference here.

Version: VyOS 1.5-rolling-202406041634
Release train: current
Built on: Tue 04 Jun 2024 16:34 UTC
Build UUID: b10c5d6f-ae17-41b3-a38c-80b2d38272d3
Build commit ID: 38ff293a6333a3

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.5-rolling-202406041634
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

Viacheslav triaged this task as Normal priority. Jun 11 2024, 7:03 AM
Viacheslav subscribed.

@lclements0 Add a simple set of commands to reproduce.

Sure thing!

set firewall group address-group KNOWN_HOSTS address '10.0.0.10'
set firewall group address-group KNOWN_HOSTS address '10.0.0.11'
set firewall group address-group KNOWN_HOSTS description 'Known Hosts Example'

set nat source rule 10 description 'A Test NAT Rule'
set nat source rule 10 source group address-group KNOWN_HOSTS
set nat source rule 10 outbound-interface name 'eth0'
set nat source rule 10 translation address masquerade

Once done,

delete firewall
OR
delete firewall group

Committing at that point should hang rather than erroring out.

I tried to reproduce this and got the correct exception:

set firewall group address-group KNOWN_HOSTS address '10.0.0.10'
set firewall group address-group KNOWN_HOSTS address '10.0.0.11'
set firewall group address-group KNOWN_HOSTS description 'Known Hosts Example'

set nat source rule 1001 description 'A Test NAT Rule'
set nat source rule 1001 source group address-group KNOWN_HOSTS
set nat source rule 1001 outbound-interface name 'eth0'
set nat source rule 1001 translation address masquerade
commit
del firewall 
commit
...
[ firewall ]
ConfigError('Invalid address-group "KNOWN_HOSTS" on nat rule')

delete [ firewall ] failed
Commit failed
[edit]
vyos@vyos# del nat source rule 1001 
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# run show version 
Version:          VyOS 1.5-rolling-202406120020
Release train:    current
Release flavor:   generic

Built by:         [email protected]
Built on:         Wed 12 Jun 2024 03:11 UTC
Build UUID:       ca67e3d8-642e-43b4-927d-ff8479764627
Build commit ID:  26181773ef6847

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:     
Hardware UUID:    0d8f0c13-9496-451c-8dd4-d084be5fdb4e

Copyright:        VyOS maintainers and contributors
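
An offline check for the situation reported in this task, as an added example that is not part of the original thread and is not VyOS's own commit-validation code: it parses `set` commands and lists the address-group references that a given `delete` path would leave dangling. The function names are assumptions of this example, and the sample input is constructed from the reproduction commands posted above.

```python
import shlex

# Constructed sample: the 'set' commands from the reproduction steps in the thread.
SAMPLE_CONFIG = """\
set firewall group address-group KNOWN_HOSTS address '10.0.0.10'
set firewall group address-group KNOWN_HOSTS address '10.0.0.11'
set firewall group address-group KNOWN_HOSTS description 'Known Hosts Example'
set nat source rule 10 description 'A Test NAT Rule'
set nat source rule 10 source group address-group KNOWN_HOSTS
set nat source rule 10 outbound-interface name 'eth0'
set nat source rule 10 translation address masquerade
"""

# Path prefix under which address-groups are defined.
GROUP_DEF = ("firewall", "group", "address-group")


def parse_set_commands(text):
    """Return each 'set' line as a tuple of path tokens (quotes stripped)."""
    paths = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "set":
            paths.append(tuple(tokens[1:]))
    return paths


def dangling_after_delete(config_text, delete_path):
    """List (referencing path, group name) pairs left dangling by the delete."""
    prefix = tuple(delete_path.split())
    # Simulate the delete: drop every node at or below the deleted path.
    kept = [p for p in parse_set_commands(config_text) if p[:len(prefix)] != prefix]
    defined = {p[3] for p in kept if p[:3] == GROUP_DEF and len(p) > 3}
    dangling = []
    for p in kept:
        if p[:3] == GROUP_DEF:
            continue  # a definition, not a reference
        # A reference has the shape: <owner path> group address-group <NAME>
        for i in range(len(p) - 2):
            if p[i:i + 2] == ("group", "address-group") and p[i + 2] not in defined:
                dangling.append((" ".join(p[:i]), p[i + 2]))
    return dangling


if __name__ == "__main__":
    for path in ("firewall", "firewall group", "nat source rule 10"):
        print(f"delete {path}: {dangling_after_delete(SAMPLE_CONFIG, path)}")
```

Run against a saved list of `set` commands before issuing the `delete`; a non-empty result names the rules that still reference the group and need to be changed or removed first.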