Delete firewall network-group

anowak · November 21, 2023, 9:49am

Hi All,

I am trying to do something simple. Deleting a firewall network-group but keep getting an error.
I seem to be able to remove all the content from within the network group but not the group itself

 firewall {
     global-options {
     }
     group {
-        network-group NG-DEVICE-NETWORK {
-        }
         network-group NG-IoT-NETWORK {
         }
         network-group NG-LAN-NETWORK {
         }
         network-group NG-WLAN-NETWORK {
         }
     }
 }

delete firewall group network-group NG-DEVICE-NETWORK

ConfigError('Invalid network-group "NG-DEVICE-NETWORK" on firewall
rule')

Version: VyOS 1.4-rolling-202311130854

ADESTIS · November 21, 2023, 11:00am

In the past we saw such behavior when there was a difference between the config and iptables/nftables.
Please check whether the group exists.
If not create the group in e.g. nfrables.
Then you will be able to delete the group in the config.

That problem also solves after reboot of course.

fernando · November 21, 2023, 4:47pm

as mentioned here , it’s possible a rule or group was deleted , it may give an wrong state between our cli and nftables , also it would like to suggest update a newest version where there is many new fixed introduced .

anowak · November 23, 2023, 8:52pm

Hi,

Thank you all. I saw the rules were present and I tried re-adding and deleting with no luck. In the end I saved and rebooted vyos. Looks like none of the recent commands made it into the configuration as they were all gone after a reboot. At least I can delete groups.

Kind Regards

n.fort · November 24, 2023, 9:45am

Do you use custom scripts in your deployment? Or did you edit firewall rules directly using iptables|nftables commands?

anowak · November 24, 2023, 10:10am

Hi n.fort,

I did it directly through the CLI. added 10 groups… then changed my mind about the naming - tried deleting and got the errors.

Regards