VyOS 1.4 Rolling - Unable to commit firewall changes

Hi,

Trying to apply a firewall configuration similar to what's in the quick start as follows:

  • block ipv4 inbound on WAN iface, apart from established / related
  • allow ipv4 inbound on WAN iface, only ICMP “echo-request” packets
  • allow ipv4/ipv6 outbound on WAN iface from local networks

However I’m getting this error when running commit:

Failed to apply firewall: /run/nftables.conf:12:51-57: Error: No such file or directory
ct state {new} meta l4proto icmp iifname @I_eth0 icmp type echo-request counter accept comment "INP-filter-999998"
                                         ^^^^^^^

Any ideas?

Hi!

Can you provide the VyOS version, a full configuration before the commit, and the exact config lines which you entered to get this error message?

The firewall was rewritten lately a lot and may contain uncaught bugs. This info would help to find them.

Hi,

Version: 1.4-rolling-202308180646
Commands:

 1845  2023-08-22T08:44:36+0000 configure
 1846  2023-08-22T08:45:17+0000 set firewall ipv4 output filter rule 10 outbound-interface interface-name eth0
 1847  2023-08-22T08:45:29+0000 set firewall ipv4 output filter rule 10 source group network-group RFC1918
 1848  2023-08-22T08:45:38+0000 set firewall ipv4 output filter rule 10 action accept
 1849  2023-08-22T08:45:59+0000 set firewall ipv4 output filter default-action accept
 1850  2023-08-22T08:46:01+0000 commit
 1851  2023-08-22T08:48:08+0000 show firewall ipv4 input filter
 1852  2023-08-22T08:48:18+0000 set firewall ipv4 input filter default-action drop
 1853  2023-08-22T08:48:41+0000 set firewall ipv4 input filter rule 999999 action accept
 1854  2023-08-22T08:48:55+0000 set firewall ipv4 input filter rule 999999 state established enable
 1855  2023-08-22T08:49:00+0000 set firewall ipv4 input filter rule 999999 state related enable
 1856  2023-08-22T08:49:32+0000 set firewall ipv4 input filter rule 999998 action accept
 1857  2023-08-22T08:49:50+0000 set firewall ipv4 input filter rule 999999 inbound-interface interface-name eth0
 1858  2023-08-22T08:50:13+0000 set firewall ipv4 input filter rule 999998 icmp type-name echo-request
 1859  2023-08-22T08:50:21+0000 set firewall ipv4 input filter rule 999998 protocol icmp
 1860  2023-08-22T08:50:30+0000 set firewall ipv4 input filter rule 999998 state new enable
 1861  2023-08-22T08:50:42+0000 show firewall ipv4
 1862  2023-08-22T08:50:58+0000 set firewall ipv4 input filter rule 999998 inbound-interface interface-group eth0
 1863  2023-08-22T08:51:00+0000 commit

Configuration before:

firewall {
    group {
        network-group RFC1918 {
            network 192.168.0.0/16
            network 10.0.0.0/8
            network 172.16.0.0/16
        }
    }
}
interfaces {
    ethernet eth0 {
        address 181.215.32.123/27
        address 2a06:8184:1:13::a/64
        hw-id 00:21:f6:8c:5b:f7
    }
    ethernet eth1 {
        address 172.16.55.14/24
        address 2a13:df80:800::1/48
        mtu 1460
    }
    loopback lo {
    }
}
nat {
    source {
        rule 10 {
            outbound-interface eth0
            source {
                group {
                    network-group RFC1918
                }
            }
            translation {
                address masquerade
            }
        }
    }
}
policy {
    prefix-list6 AS198075-OUT {
        rule 10 {
            action permit
            prefix 2a13:df80:800::/38
        }
    }
}
protocols {
    bgp {
        address-family {
            ipv6-unicast {
                redistribute {
                    connected {
                    }
                    kernel {
                    }
                }
            }
        }
        neighbor 2a06:8181:1::2 {
            address-family {
                ipv6-unicast {
                }
            }
            ebgp-multihop 2
            remote-as 48605
            solo
        }
        system-as 198075
    }
    static {
        route 0.0.0.0/0 {
            next-hop 181.215.32.97 {
            }
        }
        route6 ::/0 {
            next-hop 2a06:8181:1::1 {
            }
        }
        route6 2a06:8181::/32 {
            interface eth0 {
            }
        }
        route6 2a06:8184::/32 {
            interface eth0 {
            }
        }
        route6 2a13:df80:800::/38 {
            next-hop ::1 {
            }
        }
    }
}
service {
    ntp {
        allow-client {
            address 0.0.0.0/0
            address ::/0
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    name-server 8.8.8.8
    name-server 8.8.4.4
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
}

Thanks! It was useful.

This is a bug with missed validation: the config is not valid because an interface-group eth0 does not exist. To mitigate the problem before we issue the fix, please create it in advance:

set firewall group interface-group eth0 interface eth0

For reference / the bug report. To reproduce the problem:

set firewall ipv4 name FW1 rule 10 inbound-interface interface-group IG1
set firewall ipv4 name FW1 rule 10 action accept
commit
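The maintainer's point is that nothing validated the group reference before the firewall was rendered to nftables: the `@I_eth0` in the error is the named set VyOS generates for an interface-group called eth0, and nft reports "No such file or directory" (ENOENT) when a rule refers to a set that was never defined. As an added example (not VyOS code, and not part of this thread), here is a small pre-commit check in Python that replays a list of `set firewall` commands and reports every `<kind> <name>` group reference that has no matching `set firewall group <kind> <name> ...` definition. The group kinds it knows are an assumption based on the 1.4 `firewall group` tree, and the command list is reconstructed from the poster's history above in the form `show configuration commands` prints.

```python
"""Pre-commit sanity check for VyOS-style 'set firewall ...' commands.

Added example for this thread, not VyOS code. It flags rules that refer
to a firewall group (by '<kind> <name>') that no 'set firewall group
<kind> <name> ...' command defines, which is exactly the mistake the
commit error above came from: 'interface-group eth0' was referenced
but never created, so the rendered nftables rule pointed at a set
(@I_eth0) that did not exist.
"""
from typing import Iterable, List, Set, Tuple

# Group kinds accepted under 'set firewall group ...' in VyOS 1.4
# (assumption: extend this set if your release has more kinds).
GROUP_KINDS = {
    "address-group", "ipv6-address-group",
    "network-group", "ipv6-network-group",
    "port-group", "mac-group", "domain-group", "interface-group",
}

Ref = Tuple[str, str, str]  # (kind, name, command that references it)


def parse_commands(commands: Iterable[str]) -> Tuple[Set[Tuple[str, str]], List[Ref]]:
    """Split commands into defined groups and group references."""
    defined: Set[Tuple[str, str]] = set()
    referenced: List[Ref] = []
    for cmd in commands:
        tokens = cmd.split()
        if tokens[:2] != ["set", "firewall"]:
            continue  # only firewall commands carry group definitions/references
        if len(tokens) >= 5 and tokens[2] == "group" and tokens[3] in GROUP_KINDS:
            defined.add((tokens[3], tokens[4]))  # set firewall group <kind> <name> ...
            continue
        # Anywhere else under 'set firewall', '<kind> <name>' is a reference,
        # e.g. 'inbound-interface interface-group eth0' or
        # 'source group network-group RFC1918'.
        for i in range(len(tokens) - 1):
            if tokens[i] in GROUP_KINDS:
                referenced.append((tokens[i], tokens[i + 1], cmd))
    return defined, referenced


def find_undefined_groups(commands: Iterable[str]) -> List[Ref]:
    """Return every group reference whose (kind, name) is never defined."""
    defined, referenced = parse_commands(list(commands))
    return [ref for ref in referenced if (ref[0], ref[1]) not in defined]


# Constructed input: the thread's existing network-group plus the commands
# from the poster's history, written as 'show configuration commands' prints them.
SESSION = [
    "set firewall group network-group RFC1918 network 192.168.0.0/16",
    "set firewall group network-group RFC1918 network 10.0.0.0/8",
    "set firewall group network-group RFC1918 network 172.16.0.0/16",
    "set firewall ipv4 output filter rule 10 outbound-interface interface-name eth0",
    "set firewall ipv4 output filter rule 10 source group network-group RFC1918",
    "set firewall ipv4 output filter rule 10 action accept",
    "set firewall ipv4 output filter default-action accept",
    "set firewall ipv4 input filter default-action drop",
    "set firewall ipv4 input filter rule 999999 action accept",
    "set firewall ipv4 input filter rule 999999 state established enable",
    "set firewall ipv4 input filter rule 999999 state related enable",
    "set firewall ipv4 input filter rule 999999 inbound-interface interface-name eth0",
    "set firewall ipv4 input filter rule 999998 action accept",
    "set firewall ipv4 input filter rule 999998 icmp type-name echo-request",
    "set firewall ipv4 input filter rule 999998 protocol icmp",
    "set firewall ipv4 input filter rule 999998 state new enable",
    "set firewall ipv4 input filter rule 999998 inbound-interface interface-group eth0",
]
# The maintainer's workaround: define the group so the reference resolves.
WORKAROUND = "set firewall group interface-group eth0 interface eth0"


if __name__ == "__main__":
    for kind, name, cmd in find_undefined_groups(SESSION):
        print(f"undefined {kind} '{name}' referenced by: {cmd}")
    print("after workaround:", find_undefined_groups(SESSION + [WORKAROUND]) or "clean")
```

Run against the reconstructed session it reports the single dangling reference (`interface-group eth0` in input filter rule 999998) and nothing else, since `network-group RFC1918` is defined by the existing config; adding the maintainer's workaround line makes the report empty. The same check catches the two-line reproduction from the bug report, where `IG1` is referenced but never created.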

Ahh I see, thank you. In fact I didn't even spot that I had entered interface-group rather than interface-name.

Glad it's nothing too complex.
