Page MenuHomeVyOS Platform
Create Task
Maniphest T7923

Design a new syntax for "firewall groups"
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Originally, Vyatta introduced firewall groups for firewall policies only. VyOS inherited this, but over time groups became a shared resource used by NAT, load-balancing, and policy based routing. Keeping them under firewall now causes confusion and unnecessary coupling.

Creating a dedicated, lets call it - set group - subsystem makes sense both architecturally and semantically. It reflects the true, shared nature of groups. The existing set firewall group path should and all its children must be migrated to the new path.

This change establishes groups as a core, reusable subsystem rather than a firewall-specific construct.

address-group nesting was introduced during the VyOS 1.4 development cycle to work around a structural limitation: several subsystems, such as NAT and load-balancing, only accepted a single group reference rather than multiple. Nesting allowed users to indirectly combine groups by including one group inside another.

While functional, this approach added complexity. Nested groups complicate dependency resolution, increase validation overhead, and risk recursive loops. They also make it less clear which addresses are actually applied at runtime, especially in debugging and API inspection.

The cleaner and more maintainable solution is to replace this pattern with explicit multi-group support using the <multi/> XML attribute. Subsystems can then directly reference multiple address-groups, which are merged internally into a deduplicated address set - preserving behavior but simplifying the configuration model.

For VyOS 1.5, the goal should be to deprecate and remove group nesting. VyOS 1.4 should retain it for backward compatibility.

  • set group address-group <name> address <x.x.x.x>
  • set group domain-group ...
  • set group dynamic-group ...
  • set group interface-group ...
  • set group ipv6-address-group ...
  • set group ipv6-prefix-group ...
  • set group mac-group ...
  • set group prefix-group ...
  • set group port-group ...
  • set group remote-group ...

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedFEATURE REQUESTc-poT7923 Design a new syntax for "firewall groups"
 OpenFEATURE REQUESTNoneT6417 Common storage location for accounts for different VPNs
 OpenFEATURE REQUESTc-poT7987 Migrate "firewall groups" to new CLI syntax

Event Timeline

c-po created this task.Oct 10 2025, 6:58 PM
pasik subscribed.Oct 11 2025, 9:55 AM
Viacheslav subscribed.Oct 13 2025, 8:36 AM

I propose to add resource group, this way we can use not only groups for firewall but and logins

set resource group 
set resource local-users username user1 password user1
set resource radius server 192.0.2.1 key vyos-secret

As an idea, the CLI needs to be discussed.

Viacheslav added a subtask: T6417: Common storage location for accounts for different VPNs.Oct 13 2025, 8:37 AM
Viacheslav triaged this task as Normal priority.Oct 14 2025, 11:27 AM
c-po claimed this task.Nov 1 2025, 9:04 PM
c-po added a comment.Nov 2 2025, 7:32 PM

The maintainers have vouched for:

set resource-group ipv4-address FOO-4 address 1.2.3.4
set resource-group ipv4-address FOO-4 address 1.2.3.5
set resource-group ipv4-network BAR-4 prefix 1.0.0.0/16
set resource-group ipv4-network BAR-4 prefix 1.1.0.0/16
set resource-group ipv6-address FOO-6 address 2001:db8::1
set resource-group ipv6-address FOO-6 address 2001:db8::2
set resource-group ipv6-network NAME prefix 2001:db8:1000::/48
set resource-group ipv6-network NAME prefix 2001:db8:2000::/48
set resource-group port-group SSH port 22
set resource-group port-group SSH port 2222
set resource-group radius-server AAA-1 address 1.2.3.4
set resource-group radius-server AAA-1 address 2001:db8::3
set resource-group tacacs-server AAA-1 address 1.2.3.4
set resource-group tacacs-server AAA-1 address 2001:db8::3
set resource-group interface BAR-IF name eth0
set resource-group interface BAR-IF name pppoe10
set resource-group mac-address MAC address 01:23:45:67:89:ab
c-po moved this task from Need Triage to Completed on the VyOS Rolling board.Nov 2 2025, 7:33 PM
c-po mentioned this in T7987: Migrate "firewall groups" to new CLI syntax.Nov 2 2025, 7:45 PM
c-po closed this task as Resolved.Thu, Nov 6, 3:45 PM