Page MenuHomeVyOS Platform
Create Task
Maniphest T7148

Global state-policy invalid cannot be set to action reject
Closed, ResolvedPublicBUG
Actions

Description

In 1.5-rolling-202502030007, if the global state-policy for invalid packets is set to reject, a error is produced:

vyos@host# set firewall global-options state-policy invalid action 
Possible completions:
   accept               Action to accept
   drop                 Action to drop
   reject               Action to reject
                        

      
[edit]
vyos@host# set firewall global-options state-policy invalid action reject 
[edit]
vyos@host# commit
[ firewall ]
Failed to apply firewall: /run/nftables.conf:2234:9-39: Error: Could not
process rule: Operation not supported         ct state invalid counter
reject         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:2235:9-39: Error: Could not process rule: Operation
not supported         ct state related counter accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ /run/nftables.conf:2236:9-14: Error:
Could not process rule: Operation not supported         return
^^^^^^
[[firewall]] failed
Commit failed

This worked in an older version (for ex. 1.5-rolling-202406060020) and the completion shows it as a valid option.
The actions "drop" and "accept" still work fine.

Details

Version
1.5-rolling-202502030007
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

andrin created this task.Feb 8 2025, 8:20 PM
andrin updated the task description. (Show Details)
pasik subscribed.Feb 9 2025, 11:13 AM
gaige added subscribers: evgmol, gaige.Feb 9 2025, 2:15 PM

Reportedly this problem did not exist in VyOS 1.5-rolling-202410260007 (according to slack with @evgmol ). I've seen the problem occur in versions as far back as Vyos-1.5-rolling-202411070006, so that may shed some light on where it occurs.

Viacheslav triaged this task as Normal priority.Feb 10 2025, 11:43 AM
Viacheslav changed the task status from Open to Confirmed.Thu, Feb 20, 5:49 PM
sarthurdev changed the task status from Confirmed to Needs testing.EditedThu, Feb 20, 7:25 PM
sarthurdev claimed this task.
sarthurdev subscribed.

PR: https://github.com/vyos/vyos-1x/pull/4357

sarthurdev added a project: VyOS 1.5 Circinus.Thu, Feb 20, 8:16 PM
sarthurdev mentioned this in rVYOSONEXac890f5e3ff7: firewall: T7148: Bridge state-policy uses drop in place of reject.Sat, Feb 22, 1:15 PM
Restricted Repository Identity mentioned this in rVYOSONEX5d9d232fd93a: Merge pull request #4357 from sarthurdev/T7148.Sat, Feb 22, 1:15 PM
sarthurdev closed this task as Resolved.Thu, Mar 13, 3:11 PM
sarthurdev moved this task from Open to Finished on the VyOS 1.5 Circinus board.
sarthurdev moved this task from Need Triage to Completed on the VyOS Rolling board.