Group [ GROUP_NAME ] has not been defined.... but it has

Hi All,

I have an issue with the latest rolling release of VyOS where a defined firewall address group is showing as ‘not defined’ when I try to commit.

The address group is defined like so -

set firewall group address-group MANAGEMENT-HOSTS address '192.168.X.X'
set firewall group address-group MANAGEMENT-HOSTS address 'X.X.40.1-X.X.40.254'
set firewall group address-group MANAGEMENT-HOSTS address 'X.X.50.1-X.X.50.254'
set firewall group address-group MANAGEMENT-HOSTS address 'X.X.10.32'
set firewall group address-group MANAGEMENT-HOSTS address 'X.X.X.1-X.X.254'
set firewall group address-group MANAGEMENT-HOSTS address 'X.X.X.1-X.X.X.254'
set firewall group address-group MANAGEMENT-HOSTS address 'X.X.10.34'
set firewall group address-group MANAGEMENT-HOSTS address 'X.X.X.12'

And when I try to call it in my FW config, it’s visible -

[edit firewall name management-filter rule 20]
vyos@vyos00# set source group address-group 
Possible completions:
   <text>       Group of addresses
   MANAGEMENT-HOSTS

And sets properly -

[edit firewall name management-filter rule 20]
vyos@vyos00# set source group address-group MANAGEMENT-HOSTS 
[edit firewall name management-filter rule 20]
vyos@vyos00# show
 action accept
 destination {
     port 22
 }
 protocol tcp
+source {
+    group {
+        address-group MANAGEMENT-HOSTS
+    }
+}

But when it comes to commit, I get this -

[edit firewall name management-filter rule 20]
vyos@vyos00# commit 
[ firewall name management-filter rule 20 source group address-group MANAGEMENT-HOSTS ]
Group [MANAGEMENT-HOSTS] has not been defined

[[firewall name management-filter]] failed
Commit failed

Any ideas what’s wrong? The FW filter works perfectly on earlier 1.3.x rolling releases.

Current version is -

vyos@vyos00:~$ sho version 
Version:          VyOS 1.3-rolling-202006120643
Release Train:    equuleus

Cheers
Andy

Hello @millap, this is not possible to reproduce on 1.3-rolling-202006170117 and 1.3-rolling-202006180117 with your configuration commands. Do you have a chance to update to the latest rolling image version?

Hi @Dmitry,

Thanks for the response.

Even the latest rolling release has the same issue -

vyos@vyos00# commit check
[ firewall name management-filter rule 20 source group address-group MANAGEMENT-HOSTS ]
Group [MANAGEMENT-HOSTS] has not been defined

[[firewall name management-filter]] failed
Commit failed
[edit]
vyos@vyos00# exit discard 
exit
vyos@vyos00:~$ sho version 

Version:          VyOS 1.3-rolling-202006180117
Release Train:    equuleus

Built by:         autobuild@vyos.net
Built on:         Thu 18 Jun 2020 01:17 UTC
Build UUID:       4303d9b3-3e35-4bdf-a83d-c3bcb30bc86c
Build Commit ID:  5a1740044c4569

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     Unknown
Hardware UUID:    Unknown

Copyright:        VyOS maintainers and contributors

Best regards
Andy

@millap, please provide the full configuration commands and the full commands that you are adding to reproduce this issue.

show configuration commands | strip-private 

Here you go -

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group address-group MANAGEMENT-HOSTS address 'xxx.xxx.16.250'
set firewall group address-group MANAGEMENT-HOSTS address 'xxx.xxx.40.1-xxx.xxx.40.254'
set firewall group address-group MANAGEMENT-HOSTS address 'xxx.xxx.50.1-xxx.xxx.50.254'
set firewall group address-group MANAGEMENT-HOSTS address 'xxx.xxx.10.32'
set firewall group address-group MANAGEMENT-HOSTS address 'xxx.xxx.16.1-xxx.xxx.16.254'
set firewall group address-group MANAGEMENT-HOSTS address 'xxx.xxx.15.1-xxx.xxx.15.254'
set firewall group address-group MANAGEMENT-HOSTS address 'xxx.xxx.10.34'
set firewall group address-group MANAGEMENT-HOSTS address 'xxx.xxx.10.12'
set firewall group address-group MANAGEMENT-HOSTS address 'xxx.xxx.208.249'
set firewall group address-group RUCKUS-AP address 'xxx.xxx.20.3'
set firewall group address-group RUCKUS-AP address 'xxx.xxx.20.4'
set firewall group address-group RUCKUS-AP address 'xxx.xxx.20.5'
set firewall group address-group RUCKUS-AP address 'xxx.xxx.20.6'
set firewall group address-group RUCKUS-AP address 'xxx.xxx.20.7'
set firewall group address-group RUCKUS-AP address 'xxx.xxx.20.8'
set firewall group address-group RUCKUS-AP address 'xxx.xxx.20.9'
set firewall group address-group RUCKUS-AP address 'xxx.xxx.20.10'
set firewall group address-group RUCKUS-AP address 'xxx.xxx.20.11'
set firewall group address-group RUCKUS-AP address 'xxx.xxx.20.12'
set firewall group address-group RUCKUS-AP address 'xxx.xxx.20.13'
set firewall group address-group RUCKUS-AP address 'xxx.xxx.20.14'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name management-filter default-action 'drop'
set firewall name management-filter rule 10 action 'accept'
set firewall name management-filter rule 10 protocol 'all'
set firewall name management-filter rule 10 source group address-group 'RUCKUS-AP'
set firewall name management-filter rule 20 action 'accept'
set firewall name management-filter rule 20 destination port '22'
set firewall name management-filter rule 20 protocol 'tcp'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces bridge br0 aging '300'
set interfaces bridge br0 description '*** GRE-TUNNEL to eth1 802.1Q INTERFACE ***'
set interfaces bridge br0 hello-time '2'
set interfaces bridge br0 ip
set interfaces bridge br0 max-age '20'
set interfaces bridge br0 member interface eth1
set interfaces bridge br0 member interface tun0
set interfaces bridge br0 member interface tun1
set interfaces bridge br0 member interface tun2
set interfaces bridge br0 member interface tun3
set interfaces bridge br0 member interface tun4
set interfaces bridge br0 member interface tun5
set interfaces bridge br0 member interface tun6
set interfaces bridge br0 member interface tun7
set interfaces bridge br0 member interface tun8
set interfaces bridge br0 member interface tun9
set interfaces bridge br0 member interface tun10
set interfaces bridge br0 member interface tun11
set interfaces bridge br0 priority '0'
set interfaces ethernet eth0 address 'xxx.xxx.20.2/24'
set interfaces ethernet eth0 description '*** GRE-TUNNEL LOCAL-IP INTERFACE ***'
set interfaces ethernet eth0 hw-id 'XX:XX:XX:XX:XX:2c'
set interfaces ethernet eth1 description '*** GRE-TUNNEL BRIDGE 802.1Q INTERFACE ***'
set interfaces ethernet eth1 hw-id 'XX:XX:XX:XX:XX:11'
set interfaces loopback lo
set interfaces tunnel tun0 description '*** APLY-OFFICE ***'
set interfaces tunnel tun0 encapsulation 'gre-bridge'
set interfaces tunnel tun0 local-ip 'xxx.xxx.20.2'
set interfaces tunnel tun0 remote-ip 'xxx.xxx.20.3'
set interfaces tunnel tun1 description '*** APLY-CONTROL ***'
set interfaces tunnel tun1 encapsulation 'gre-bridge'
set interfaces tunnel tun1 local-ip 'xxx.xxx.20.2'
set interfaces tunnel tun1 remote-ip 'xxx.xxx.20.4'
set interfaces tunnel tun2 description '*** APLY-KITCHEN ***'
set interfaces tunnel tun2 encapsulation 'gre-bridge'
set interfaces tunnel tun2 local-ip 'xxx.xxx.20.2'
set interfaces tunnel tun2 remote-ip 'xxx.xxx.20.5'
set interfaces tunnel tun3 description '*** APLY-HVB ***'
set interfaces tunnel tun3 encapsulation 'gre-bridge'
set interfaces tunnel tun3 local-ip 'xxx.xxx.20.2'
set interfaces tunnel tun3 remote-ip 'xxx.xxx.20.6'
set interfaces tunnel tun4 encapsulation 'gre-bridge'
set interfaces tunnel tun4 local-ip 'xxx.xxx.20.2'
set interfaces tunnel tun4 remote-ip 'xxx.xxx.20.7'
set interfaces tunnel tun5 encapsulation 'gre-bridge'
set interfaces tunnel tun5 local-ip 'xxx.xxx.20.2'
set interfaces tunnel tun5 remote-ip 'xxx.xxx.20.8'
set interfaces tunnel tun6 encapsulation 'gre-bridge'
set interfaces tunnel tun6 local-ip 'xxx.xxx.20.2'
set interfaces tunnel tun6 remote-ip 'xxx.xxx.20.9'
set interfaces tunnel tun7 encapsulation 'gre-bridge'
set interfaces tunnel tun7 local-ip 'xxx.xxx.20.2'
set interfaces tunnel tun7 remote-ip 'xxx.xxx.20.10'
set interfaces tunnel tun8 encapsulation 'gre-bridge'
set interfaces tunnel tun8 local-ip 'xxx.xxx.20.2'
set interfaces tunnel tun8 remote-ip 'xxx.xxx.20.11'
set interfaces tunnel tun9 encapsulation 'gre-bridge'
set interfaces tunnel tun9 local-ip 'xxx.xxx.20.2'
set interfaces tunnel tun9 remote-ip 'xxx.xxx.20.12'
set interfaces tunnel tun10 encapsulation 'gre-bridge'
set interfaces tunnel tun10 local-ip 'xxx.xxx.20.2'
set interfaces tunnel tun10 remote-ip 'xxx.xxx.20.13'
set interfaces tunnel tun11 encapsulation 'gre-bridge'
set interfaces tunnel tun11 local-ip 'xxx.xxx.20.2'
set interfaces tunnel tun11 remote-ip 'xxx.xxx.20.14'
set protocols static route xxx.xxx.0.0/0 next-hop xxx.xxx.20.1
set service lldp interface eth0
set service lldp legacy-protocols cdp
set service lldp management-address 'xxx.xxx.20.2'
set service lldp snmp enable
set service snmp community public authorization 'ro'
set service snmp contact 'bob@example.com'
set service ssh listen-address 'xxx.xxx.20.2'
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system name-server 'xxx.xxx.16.2'
set system name-server 'xxx.xxx.16.1'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'Europe/London'

Best regards
Andy

Hi, I think this happens because you have duplicate addresses in the group:

set firewall group address-group MANAGEMENT-HOSTS address 'xxx.xxx.16.250'
set firewall group address-group MANAGEMENT-HOSTS address 'xxx.xxx.16.1-xxx.xxx.16.254'

Can you confirm this?

Hiya,

Yup! Spot on. That fixed it.

Many thanks
Andy
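
An added example, not part of the original thread: a pre-commit check over `show configuration commands` output that flags address-group entries already covered by another entry in the same group, which is the cause identified in the reply above. The addresses in SAMPLE are constructed, and `parse_entry` and `find_overlaps` are illustrative names, not VyOS code.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the address-group lines in the form shown in the thread.
LINE_RE = re.compile(r"^set firewall group address-group (\S+) address '?([^'\s]+)'?\s*$")

def parse_entry(text):
    """Return (first, last) as integers for 'a.b.c.d' or 'a.b.c.d-e.f.g.h'."""
    first, _, last = text.partition("-")
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last)) if last else lo
    if hi < lo:
        raise ValueError(f"range end before start: {text}")
    return lo, hi

def find_overlaps(config_text):
    """Map group name -> list of (entry, overlapping_entry) pairs."""
    groups = defaultdict(list)
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            groups[m.group(1)].append((m.group(2), parse_entry(m.group(2))))
    overlaps = {}
    for name, entries in groups.items():
        # Sorted by start: an entry overlaps if it starts at or before the furthest end seen.
        ordered = sorted(entries, key=lambda e: e[1])
        hits = []
        widest = ordered[0]
        for entry in ordered[1:]:
            if entry[1][0] <= widest[1][1]:
                hits.append((entry[0], widest[0]))
            if entry[1][1] > widest[1][1]:
                widest = entry
        if hits:
            overlaps[name] = hits
    return overlaps

# Constructed sample (addresses are made up, not the poster's).
SAMPLE = """\
set firewall group address-group MANAGEMENT-HOSTS address '10.0.16.250'
set firewall group address-group MANAGEMENT-HOSTS address '10.0.40.1-10.0.40.254'
set firewall group address-group MANAGEMENT-HOSTS address '10.0.16.1-10.0.16.254'
set firewall group address-group RUCKUS-AP address '10.0.20.3'
"""

if __name__ == "__main__":
    print(find_overlaps(SAMPLE))
```

Exact duplicates are reported too, since a repeated entry starts inside the range of its first occurrence.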
