Page MenuHomeVyOS Platform
Create Task
Maniphest T7177

Firewall interface-group with a container interface fails validation on reboot
Closed, ResolvedPublicBUG
Actions

Description

Issue:
After adding a container interface, “pod-XX”, to a firewall interface group, it disappears from the group upon reboot. The following error is logged in /var/log/vyatta/vyos-boot-config-loader.log for all pod interfaces:

Value validation failed
Set ['firewall' 'group' 'interface-group' 'INT_GROUP' 'interface' 'pod-XX'] failed

Possible solution:

The issue appears to be related to an interface name validation constraint in the following definition:
Interface Name Constraint

To resolve this, the regular expression in interface-name.xml.i can be updated as follows:

Original:

<regex>(bond|br|dum|en|ersp|eth|gnv|ifb|ipoe|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|sstpc|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)[0-9]+(.\d+)?|lo</regex>

to add pod-[-_a-zA-Z0-9]{1,11} from the constants of the container network.

Proposed:

<regex>(bond|br|dum|en|ersp|eth|gnv|ifb|ipoe|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|sstpc|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)[0-9]+(.\d+)?|pod-[-_a-zA-Z0-9]{1,11}|lo</regex>

This modification ensures that the “pod-XX” container interface is preserved through reboots.

It appears that T6841 may have inadvertently introduced this change in behavior. T7144 appears to be related as well.

Details

Version
latest rolling
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

markh0338 created this task.Feb 18 2025, 4:50 PM
Viacheslav triaged this task as Normal priority.Feb 18 2025, 5:29 PM
Viacheslav subscribed.

@markh0338 Are you able to add a Pull Request?

pasik subscribed.Feb 18 2025, 6:08 PM
markh0338 added a comment.Feb 18 2025, 8:24 PM

https://github.com/vyos/vyos-1x/pull/4351

markh0338 mentioned this in rVYOSONEX9db6b57e1516: firewall: T7177: update interface-name.xml.i constraint and smoketest to….Feb 20 2025, 6:34 AM
Restricted Repository Identity mentioned this in rVYOSONEXc63b11666410: Merge pull request #4351 from markh0338/int-group-container-validation.Feb 20 2025, 6:34 AM
Viacheslav changed the task status from Open to Needs testing.Feb 20 2025, 8:21 AM
Viacheslav assigned this task to markh0338.
dmbaturin renamed this task from Firewall interface-group with container interface fails validation on reboot to Firewall interface-group with a container interface fails validation on reboot.Mar 12 2025, 5:21 PM
dmbaturin closed this task as Resolved.
dmbaturin added projects: VyOS 1.4 Sagitta (1.4.2), VyOS 1.5 Circinus.
dmbaturin moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.2) board.
dmbaturin moved this task from Open to Finished on the VyOS 1.5 Circinus board.
dmbaturin moved this task from Need Triage to Completed on the VyOS Rolling board.
woodsb02 mentioned this in T7144: Firewall Cannot Load Podman Network Interfaces at Boot.Tue, Mar 25, 10:35 AM
dmbaturin mentioned this in 1.4.2.Wed, Apr 2, 3:24 PM