Hey all - I think I stumbled upon a bug when trying to configure some firewall rules.
I tried to run set firewall name WAN-LAN default-action drop, and when I ran commit, VyOS returned the below error.
VyOS had an issue completing a command.
We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Contact us using the online help desk if you have a subscription: https://support.vyos.io/
- Make sure you are running the latest version of VyOS available at: VyOS Community
- Consult the community forum to see how to handle this issue: https://forum.vyos.io
- Join us on Slack where our users exchange help and advice: https://vyos.slack.com
When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your business policy requires it)
- and include all the information presented below
Report time: 2022-09-11 11:22:30
Image version: VyOS 1.4-rolling-202209090632
Release train: sagitta
Built by: j u s t i n <AT) m a r m o r a t o D0T n e t
Built on: Fri 09 Sep 2022 06:32 UTC
Build UUID: 8a0e0dca-1e8c-4007-9e18-c68cc91f5ae3
Build commit ID: 9f0ab18e71ee1d
Architecture: x86_64
Boot via: installed image
System type: KVM guest
Hardware vendor: QEMU
Hardware model: Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID: 75ae3479-8248-4248-85c4-f2a792bb0b52
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/firewall.py", line 592, in
generate(c)
File "/usr/libexec/vyos/conf_mode/firewall.py", line 463, in generate
firewall['cleanup_commands'] = cleanup_commands(firewall)
File "/usr/libexec/vyos/conf_mode/firewall.py", line 430, in cleanup_commands
target, _ = next(dict_search_recursive(rule['expr'], 'target'))
StopIteration
This was the config before attempting to add the firewall:
interfaces {
ethernet eth0 {
address 192.168.7.101/24
}
ethernet eth1 {
address 10.10.1.3/24
}
loopback lo {
}
tunnel tun100 {
address 192.168.254.2/24
encapsulation gre
multicast enable
parameters {
ip {
key 1
}
}
source-address 0.0.0.0
}
}
protocols {
nhrp {
tunnel tun100 {
cisco-authentication secret
holding-time 300
map 192.168.254.1/24 {
nbma-address 192.168.7.100
register
}
multicast nhs
redirect
shortcut
}
}
}
service {
ssh {
}
}
system {
config-management {
commit-revisions 100
}
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
host-name sept9spoke
login {
user vyos {
authentication {
encrypted-password <theencryptedpassword>
plaintext-password ""
}
}
}
ntp {
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
}
vpn {
ipsec {
esp-group ESP-HUB {
compression disable
lifetime 1800
mode transport
pfs dh-group2
proposal 1 {
encryption aes256
hash sha1
}
proposal 2 {
encryption 3des
hash md5
}
}
ike-group IKE-HUB {
close-action none
dead-peer-detection {
action restart
interval 3
timeout 3
}
ikev2-reauth no
key-exchange ikev1
lifetime 3600
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
proposal 2 {
dh-group 2
encryption aes128
hash sha1
}
}
profile NHRPVPN {
authentication {
mode pre-shared-secret
pre-shared-secret secret
}
bind {
tunnel tun100
}
esp-group ESP-HUB
ike-group IKE-HUB
}
}
}
A couple of additional bits of information:
- If I add the firewall config to the /config/config.boot file and reboot, I don't get any errors.
- When I removed the NHRP section from the config, I was able to add firewall rules from the command line again.
- Any firewall config I try to add using the command line will trigger this error
- Any firewall config I tried to add was already tested on another VyOS install that isn't (yet) setup for DMVPN, and works
- While I discovered this error on a very recent build, it is also present on older 1.4 builds
Has anyone seen anything like this before? Should I add this in Phabricator?
Thanks!
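The traceback above ends in an unhandled StopIteration from next() on an empty generator: the rule passed to cleanup_commands has an expr with no 'target' key, so the recursive search yields nothing. The following is an added illustration, not VyOS code: dict_search_recursive, the rule shapes, and the guarded lookup are assumptions modelled on the traceback, not copied from /usr/libexec/vyos/conf_mode/firewall.py.

```python
# Added illustration (not VyOS code). The helper and sample rules are
# constructed to mirror the shape implied by the traceback.

def dict_search_recursive(dictionary, key, path=None):
    """Yield (value, path) for every occurrence of `key` in a nested dict."""
    path = path or []
    for k, v in dictionary.items():
        if k == key:
            yield v, path + [k]
        if isinstance(v, dict):
            yield from dict_search_recursive(v, key, path + [k])

# Constructed sample: one rule whose expression carries a jump target and
# one (as a bare default-action might produce) that has no target at all.
RULES = [
    {"expr": {"match": {"saddr": "10.10.1.0/24"}, "target": "WAN-LAN"}},
    {"expr": {"match": {"daddr": "192.168.7.0/24"}}},
]

def cleanup_target_unguarded(rule):
    # Same pattern as the failing line in the report: next() without a
    # default re-raises StopIteration when the generator is empty, and
    # that exception aborts the whole commit.
    target, _ = next(dict_search_recursive(rule["expr"], "target"))
    return target

def cleanup_target_guarded(rule):
    # A default turns "no target" into an ordinary None so the caller can
    # skip the rule instead of failing the commit.
    found = next(dict_search_recursive(rule["expr"], "target"), None)
    return found[0] if found else None

def collect_targets(rules):
    """Return the jump targets of all rules, skipping rules that have none."""
    return [t for t in (cleanup_target_guarded(r) for r in rules) if t is not None]

def reproduces_traceback(rule):
    """True when the unguarded lookup raises the same error as the report."""
    try:
        cleanup_target_unguarded(rule)
    except StopIteration:
        return True
    return False
```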