Unable to add Firewall Rules Due To Python Error

Hey all - I think I stumbled upon a bug when trying to configure some firewall rules.

I tried to run set firewall name WAN-LAN default-action drop, and when I ran commit, VyOS returned the below error.


VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):

When reporting problems, please include as much information as possible:

  • do not obfuscate any data (feel free to contact us privately if your
    business policy requires it)
  • and include all the information presented below

Report time: 2022-09-11 11:22:30
Image version: VyOS 1.4-rolling-202209090632
Release train: sagitta

Built by: j u s t i n <AT) m a r m o r a t o D0T n e t
Built on: Fri 09 Sep 2022 06:32 UTC
Build UUID: 8a0e0dca-1e8c-4007-9e18-c68cc91f5ae3
Build commit ID: 9f0ab18e71ee1d

Architecture: x86_64
Boot via: installed image
System type: KVM guest

Hardware vendor: QEMU
Hardware model: Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID: 75ae3479-8248-4248-85c4-f2a792bb0b52

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/firewall.py", line 592, in
    generate(c)
  File "/usr/libexec/vyos/conf_mode/firewall.py", line 463, in generate
    firewall['cleanup_commands'] = cleanup_commands(firewall)
  File "/usr/libexec/vyos/conf_mode/firewall.py", line 430, in cleanup_commands
    target, _ = next(dict_search_recursive(rule['expr'], 'target'))
StopIteration


This was the config before attempting to add the firewall

 interfaces {
     ethernet eth0 {
         address 192.168.7.101/24
     }
     ethernet eth1 {
         address 10.10.1.3/24
     }
     loopback lo {
     }
     tunnel tun100 {
         address 192.168.254.2/24
         encapsulation gre
         multicast enable
         parameters {
             ip {
                 key 1
             }
         }
         source-address 0.0.0.0
     }
 }
 protocols {
     nhrp {
         tunnel tun100 {
             cisco-authentication secret
             holding-time 300
             map 192.168.254.1/24 {
                 nbma-address 192.168.7.100
                 register
             }
             multicast nhs
             redirect
             shortcut
         }
     }
 }
 service {
     ssh {
     }
 }
 system {
     config-management {
         commit-revisions 100
     }
     conntrack {
         modules {
             ftp
             h323
             nfs
             pptp
             sip
             sqlnet
             tftp
         }
     }
     console {
         device ttyS0 {
             speed 115200
         }
     }
     host-name sept9spoke
     login {
         user vyos {
             authentication {
                 encrypted-password <theencryptedpassword>
                 plaintext-password ""
             }
         }
     }
     ntp {
         server time1.vyos.net {
         }
         server time2.vyos.net {
         }
         server time3.vyos.net {
         }
     }
     syslog {
         global {
             facility all {
                 level info
             }
             facility protocols {
                 level debug
             }
         }
     }
 }
 vpn {
     ipsec {
         esp-group ESP-HUB {
             compression disable
             lifetime 1800
             mode transport
             pfs dh-group2
             proposal 1 {
                 encryption aes256
                 hash sha1
             }
             proposal 2 {
                 encryption 3des
                 hash md5
             }
         }
         ike-group IKE-HUB {
             close-action none
             dead-peer-detection {
                 action restart
                 interval 3
                 timeout 3
             }
             ikev2-reauth no
             key-exchange ikev1
             lifetime 3600
             proposal 1 {
                 dh-group 2
                 encryption aes256
                 hash sha1
             }
             proposal 2 {
                 dh-group 2
                 encryption aes128
                 hash sha1
             }
         }
         profile NHRPVPN {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret secret
             }
             bind {
                 tunnel tun100
             }
             esp-group ESP-HUB
             ike-group IKE-HUB
         }
     }
 }

A couple of additional bits of information:

  • If I add the firewall config to the /config/config.boot file and reboot, I don’t get any errors.
  • When I removed the NHRP section from the config, I was able to add firewall rules from the command line again.
  • Any firewall config I try to add using the command line will trigger this error.
  • Any firewall config I tried to add was already tested on another VyOS install that isn’t (yet) set up for DMVPN, and works.
  • While I discovered this error on a very recent build, it is also present on older 1.4 builds.

Has anyone seen anything like this before? Should I add this in Phabricator?

Thanks!
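The traceback above ends in next() being called on a generator that yielded nothing: a rule whose expression list carries no "target" key. The block below is an added illustration, not VyOS's own code; dict_search_recursive is a hypothetical stand-in for the helper named in the traceback, and the nft-style rule data is constructed. It reproduces the crash and shows the same lookup with a default so such rules are skipped rather than fatal.

```python
def dict_search_recursive(data, key, path=None):
    """Hypothetical stand-in: yield (value, path) for every `key` in nested dicts/lists."""
    path = path or []
    if isinstance(data, dict):
        for k, v in data.items():
            if k == key:
                yield v, path + [k]
            yield from dict_search_recursive(v, key, path + [k])
    elif isinstance(data, list):
        for i, item in enumerate(data):
            yield from dict_search_recursive(item, key, path + [i])

# Constructed rules in the shape of `nft -j list ruleset` output. The first jumps into a
# VyOS-managed chain; the second models a rule installed by something other than the
# firewall script (e.g. a tunnel/NHRP helper) whose expressions contain no "target".
RULES = [
    {"rule": {"chain": "VYOS_FW_FORWARD",
              "expr": [{"jump": {"target": "NAME_WAN-LAN"}}]}},
    {"rule": {"chain": "FORWARD",
              "expr": [{"match": {"left": {"meta": {"key": "iifname"}},
                                  "op": "==", "right": "tun100"}},
                       {"accept": None}]}},
]

def collect_targets_fragile(rules):
    """Mirrors the failing code path: next() without a default on an empty generator."""
    targets = []
    for r in rules:
        target, _ = next(dict_search_recursive(r["rule"]["expr"], "target"))
        targets.append(target)
    return targets

def fragile_raises_stopiteration(rules):
    """True if the fragile walk dies with StopIteration, as in the traceback."""
    try:
        collect_targets_fragile(rules)
    except StopIteration:
        return True
    return False

def collect_targets_hardened(rules):
    """Same lookup with a sentinel default, so rules with no target are skipped."""
    targets = []
    for r in rules:
        target, _ = next(dict_search_recursive(r["rule"]["expr"], "target"), (None, None))
        if target is not None:
            targets.append(target)
    return targets

if __name__ == "__main__":
    print("fragile raises StopIteration:", fragile_raises_stopiteration(RULES))
    print("hardened targets:", collect_targets_hardened(RULES))
```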

Hello @jmarmorato,
Can you provide the firewall configuration you want to apply?

Unfortunately I don’t have the entire firewall config figured out yet - but simply trying to run set firewall name WAN-LAN default-action drop then commit causes the error (this is starting from no firewall config at all). On my VyOS routers that don’t have DMVPN configured, this command works perfectly fine.

Eventually the goal is to set up zone-policy, and I’m working on that part now. It’s just annoying having to write the config manually then rebooting to test.

This issue should be fixed within the next week as part of an incoming firewall refactor.
