New Member
Posts: 24
Registered: ‎05-12-2014
Kudos: 7
Solutions: 1
Accepted Solution

CLI address-group bug, I can add ip/32 but don't remove

HW model: EdgeRouter Pro 8-Port
Version: v1.6.0

maximus@ERCore-0# show
firewall {
     all-ping enable
     broadcast-ping disable
     group {
         address-group Clients-accept {
             description "Customers with Internet access. Hydra writes here!!!"
         }
maximus@ERCore-0# set firewall group address-group Clients-accept address 192.168.100.1/32
Error: invalid mask [32] - must be between 1-31

[edit]
maximus@ERCore-0# show
 firewall {
     all-ping enable
     broadcast-ping disable
     group {
         address-group Clients-accept {
+            address 192.168.100.1/32
             description "Customers with Internet access. Hydra writes here!!!"
         }
maximus@ERCore-0# commit
[ firewall group address-group Clients-accept address 192.168.100.1/32 ]
Error: invalid mask [32] - must be between 1-31

[edit]
maximus@ERCore-0# save
Saving configuration to '/config/config.boot'...
Done
[edit]
maximus@ERCore-0# show
 firewall {
     all-ping enable
     broadcast-ping disable
     group {
         address-group Clients-accept {
             address 192.168.100.1/32
             description "Customers with Internet access. Hydra writes here!!!"
         }
maximus@ERCore-0# delete firewall group address-group Clients-accept address 192.168.100.1/32
[edit]
maximus@ERCore-0# show
 firewall {
     all-ping enable
     broadcast-ping disable
     group {
         address-group Clients-accept {
-            address 192.168.100.1/32
             description "Customers with Internet access. Hydra writes here!!!"
         }
maximus@ERCore-0# commit
[ firewall group address-group Clients-accept ]
unexpected member not found [192.168.100.1/32]

Commit failed
[edit]
maximus@ERCore-0# show
 firewall {
     all-ping enable
     broadcast-ping disable
     group {
         address-group Clients-accept {
-            address 192.168.100.1/32
             description "Customers with Internet access. Hydra writes here!!!"
         }

Only a rollback helps me.

Why can the mask not be /32? CLI: Error: invalid mask [32] - must be between 1-31
Is it possible to do it like in Junos:

If I type 192.168.100.1, the config gets 192.168.100.1/32.
If I type 192.168.100.1/32, the config gets 192.168.100.1/32.


All Replies
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5411
Solutions: 1657
Contributions: 2

Re: CLI address-group bug, I can add ip/32 but dont remove

Yeah that looks like a bug and we'll need to fix it. Thanks for reporting the issue.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3069
Solutions: 945
Contributions: 16

Re: CLI address-group bug, I can add ip/32 but dont remove

The address group can take either an address or network.  Try leaving off the /32.

EdgeMAX Router Software Development
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5411
Solutions: 1657
Contributions: 2

Re: CLI address-group bug, I can add ip/32 but dont remove

The bug here is that either the validation should not allow /32, or the config should handle /32 correctly. As can be seen in the output, when setting /32 it's reporting an error but doesn't actually fail the set/commit, which causes problems. I've found and fixed the issue in the validation so this should not be an issue in the next release. Thanks Zubr again for reporting the issue!

New Member
Posts: 24
Registered: ‎05-12-2014
Kudos: 7
Solutions: 1

Re: CLI address-group bug, I can add ip/32 but dont remove

Thank you guys for the quick response.

 

Emerging Member
Posts: 58
Registered: ‎03-15-2015
Kudos: 20
Solutions: 1

Re: CLI address-group bug, I can add ip/32 but dont remove

Upgraded to alpha3. Still complains;

 

jocke@dalek# set firewall group network-group foobar network 1.2.3.4/32
Error: invalid mask [32] - must be between 1-31

Value validation failed
Set failed

 

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3069
Solutions: 945
Contributions: 16

Re: CLI address-group bug, I can add ip/32 but dont remove

Use the address group instead.

EdgeMAX Router Software Development
Emerging Member
Posts: 58
Registered: ‎03-15-2015
Kudos: 20
Solutions: 1

Re: CLI address-group bug, I can add ip/32 but dont remove

It would be nice to combine /32's and larger ranges in one place. In any case; this is marked as "solved" in alpha3, but it doesn't look like it's solved? (as it's still complaining).

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5411
Solutions: 1657
Contributions: 2

Re: CLI address-group bug, I can add ip/32 but dont remove


jocke wrote:

Upgraded to alpha3. Still complains;

 

jocke@dalek# set firewall group network-group foobar network 1.2.3.4/32
Error: invalid mask [32] - must be between 1-31

Value validation failed
Set failed

 


Yes actually that is the "fix" for the "inconsistency" issue. Note the "Set failed" part, which means now the validation is correctly implemented and does not allow the /32 value. Previously the error message was shown but it did not actually fail the setting (no "Set failed"), which led to the inconsistencies in subsequent commands as reported by Zubr.

Emerging Member
Posts: 58
Registered: ‎03-15-2015
Kudos: 20
Solutions: 1

Re: CLI address-group bug, I can add ip/32 but dont remove

I see that this thread is for the error shown when using address-group (and I used network-group). However, they seem related? (i.e. why is /32 not a valid entry in a network-group?).

Emerging Member
Posts: 58
Registered: ‎03-15-2015
Kudos: 20
Solutions: 1

Re: CLI address-group bug, I can add ip/32 but dont remove

 

UBNT-ancheng wrote:

Yes actually that is the "fix" for the "inconsistency" issue. Note the "Set failed" part, which means now the validation is correctly implemented and does not allow the /32 value. Previously the error message was shown but it did not actually fail the setting (no "Set failed"), which led to the inconsistencies in subsequent commands as reported by Zubr.


 

Ah. I see. In any case; is there a reason for why a /32 is not considered a valid network in a network-group?

 

(sorry for hijacking the thread (-: )

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5411
Solutions: 1657
Contributions: 2

Re: CLI address-group bug, I can add ip/32 but dont remove

Just an implementation decision, partially related to the fact that "ipset" (the underlying software used to implement groups) allows /32 but removes it from actual output. So to summarize:

  • "address group" can support both individual addresses (without the mask) or subnets (with mask /1 to /31).
  • "network group" supports only subnets (with mask /1 to /31).
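
The behaviour discussed in this thread, as an added example that is not part of the original posts and not EdgeOS code: a validator that raises instead of only printing the error, a replay of the `set` commands with and without enforcement, and a drift check between the config and the set listing. The function names, the `enforce` switch and the sample members are assumptions made for illustration; the rule that a /32 is listed as the bare address is taken from the reply above.

```python
import ipaddress

def check_member(kind, value):
    """Validate one IPv4 group member per the rules summarized in the thread.

    Returns the value unchanged if acceptable and raises ValueError otherwise,
    so a caller cannot show the error and still store the value.
    """
    addr, sep, mask = value.partition("/")
    ipaddress.IPv4Address(addr)              # raises ValueError on a bad address
    if not sep:
        if kind == "network-group":
            raise ValueError("network-group member needs a mask between 1-31")
        return value
    if not mask.isdigit() or not 1 <= int(mask) <= 31:
        raise ValueError(f"invalid mask [{mask}] - must be between 1-31")
    return value

def as_listed(value):
    """Model of the set listing: a /32 is shown as the bare address
    (assumption taken from the thread; other members are shown as typed)."""
    addr, sep, mask = value.partition("/")
    return addr if sep and mask == "32" else value

def find_drift(config_members, listed_members):
    """Config entries with no identically written entry in the set listing."""
    listed = set(listed_members)
    return [m for m in config_members if m not in listed]

def replay(members, enforce):
    """Replay 'set' commands for an address-group. enforce=False models the
    reported behaviour (error shown, value stored anyway); enforce=True
    models the fix, where the set fails and nothing is stored."""
    config, listed, errors = [], [], []
    for m in members:
        try:
            check_member("address-group", m)
        except ValueError as exc:
            errors.append(str(exc))
            if enforce:
                continue                     # "Set failed"
        config.append(m)
        listed.append(as_listed(m))
    return config, listed, errors

# Constructed input: the address from the thread plus two valid members.
SAMPLE = ["192.168.100.1/32", "10.0.0.5", "10.0.0.0/24"]
```

With `enforce=False`, `find_drift` returns the `/32` entry that a later `delete` cannot match against the listing; with `enforce=True` the config and the listing stay identical.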
Emerging Member
Posts: 58
Registered: ‎03-15-2015
Kudos: 20
Solutions: 1

Re: CLI address-group bug, I can add ip/32 but dont remove

Ah. I see. Thanks for the clarification (-:

Emerging Member
Posts: 58
Registered: ‎03-15-2015
Kudos: 20
Solutions: 1

Re: CLI address-group bug, I can add ip/32 but dont remove

Is it differently implemented for ipv6-network-group? (since that one allows /128's)

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5411
Solutions: 1657
Contributions: 2

Re: CLI address-group bug, I can add ip/32 but dont remove

Heh looks like you've found the equivalent bug in the ipv6 group implementation, and we should fix that too. Thanks!

Emerging Member
Posts: 58
Registered: ‎03-15-2015
Kudos: 20
Solutions: 1

Re: CLI address-group bug, I can add ip/32 but dont remove

Hihi. It accepts /128's in ipv6-address-group too (-:

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5411
Solutions: 1657
Contributions: 2

Re: CLI address-group bug, I can add ip/32 but dont remove

Yep that is the same issue and should be addressed.

Senior Member
Posts: 2,936
Registered: ‎03-25-2014
Kudos: 905
Solutions: 40

Re: CLI address-group bug, I can add ip/32 but dont remove

@UBNT-cmb was this addressed already?

Ubiquiti Certified - UEWA / UCWA