You SSH into a remote router. Change firewall rules. Commit. Connection drops. You just locked yourself out. The router is 500 km away. Your Friday evening plans are cancelled.
commit-confirm exists precisely for this scenario. It commits changes temporarily. If you don’t confirm within a timeout, changes roll back automatically. The router saves itself from your mistakes.
Every remote change should use commit-confirm. No exceptions.
How Commit-Confirm Works
1. You run: commit-confirm 52. Changes are applied3. Timer starts (5 minutes)4. If you run 'confirm' before timeout → changes persist5. If timeout expires → automatic rollback to previous configThe key insight: if your change breaks connectivity, you can’t confirm. So the router reverts itself.
Basic Usage
Standard Commit-Confirm
# Enter configuration modeconfigure
# Make your changesset firewall ipv4 name WAN-IN rule 100 action dropset firewall ipv4 name WAN-IN rule 100 source address 10.0.0.0/8
# Commit with 5-minute timeoutcommit-confirm 5
# Test connectivity, verify everything works# Then confirm:confirm
# Or if something is wrong, just wait - it will rollbackDifferent Timeout Values
# Quick change, confident it works (minimum 1 minute)commit-confirm 1
# Complex change, need time to verifycommit-confirm 10
# Major change, need extensive testingcommit-confirm 30Choose timeout based on how long you need to verify the change works.
Check Remaining Time
# See if there's a pending confirmshow system commit
# Output shows:# Commit confirmed in X minutesReal-World Scenarios
Scenario 1: Firewall Rule Change
configure
# Adding rule to allow new serviceset firewall ipv4 name WAN-IN rule 50 action acceptset firewall ipv4 name WAN-IN rule 50 destination port 8443set firewall ipv4 name WAN-IN rule 50 protocol tcp
# Use confirm because this touches firewallcommit-confirm 3
# Test from external client# curl https://server:8443 - works!
# Confirm the changeconfirmScenario 2: Interface Address Change
configure
# Changing management IP - very risky remotelyset interfaces ethernet eth0 address 192.168.1.100/24delete interfaces ethernet eth0 address 192.168.1.50/24
# Critical: use confirm with enough time to reconnectcommit-confirm 5
# Immediately try to SSH to new IP# ssh admin@192.168.1.100
# If you can connect:confirm
# If you can't connect - wait 5 minutes, router revertsScenario 3: Routing Change
configure
# Changing default gatewaydelete protocols static route 0.0.0.0/0set protocols static route 0.0.0.0/0 next-hop 10.0.0.1
commit-confirm 3
# Verify connectivityping 8.8.8.8traceroute 8.8.8.8
# Looks goodconfirmWhat Happens on Rollback
When timeout expires without confirmation:
# 1. Current session is terminated# 2. Config reverts to pre-commit state# 3. All services reload with old config# 4. Log entry created
# Check what happenedshow log | grep -i rollbackshow log | grep -i commit
# View current config (should be pre-change)show configurationCommit-Confirm vs Regular Commit
| Aspect | commit | commit-confirm |
|---|---|---|
| Immediate | Yes | Yes |
| Persistent | Yes | Only after confirm |
| Rollback | Manual | Automatic on timeout |
| Remote safety | None | High |
| Use case | Local changes | Remote changes |
Best Practices
1. Always Use for Remote Sessions
# Script wrapper for remote changes#!/bin/bashTIMEOUT=${1:-5} # Default 5 minutes
source /opt/vyatta/etc/functions/script-templateconfigure# ... your changes ...commit-confirm $TIMEOUT
echo "Changes applied. Confirm with 'confirm' within $TIMEOUT minutes"echo "Or changes will automatically rollback"2. Test Connectivity Immediately
commit-confirm 3
# Immediately verify you can still reach the router# From another terminal:ping router-ipssh admin@router-ip
# Only then confirmconfirm3. Have Console Access Ready
For major changes, have out-of-band access ready:
- IPMI/iLO console
- Serial console
- Local access
If commit-confirm somehow doesn’t save you, console access will.
4. Document the Rollback Happened
# After a rollback, document itshow log | grep -i rollback
# Add comment explaining what was attemptedconfigurecomment firewall ipv4 name WAN-IN "Note: rule 100 attempt on 2025-01-08 caused lockout, rolled back"commitEdge Cases
Confirm from Different Session
# Session 1: commit-confirm 5# Session 1: loses connectivity
# Session 2: SSH into router (if possible via different path)confirm # This confirms Session 1's changes
# Useful when you have multiple network pathsImmediate Rollback
# Changed your mind before timeout?configurerollback 0 # Rollback to last saved configcommit
# Or simply exit without confirmingexit discard# Wait for timeoutPower Failure During Confirm Window
If router reboots during commit-confirm window:
- Uncommitted changes are lost
- Router boots with last saved (pre-commit-confirm) config
- This is the safe behavior
Automating Confirm
For automated deployments, you need programmatic confirm:
# Ansible approach- name: Apply VyOS config with confirm vyos.vyos.vyos_config: lines: - set firewall ipv4 name TEST rule 10 action accept save: no
- name: Verify connectivity wait_for: host: "{{ inventory_hostname }}" port: 22 timeout: 60
- name: Confirm changes vyos.vyos.vyos_command: commands: - confirm
# If verify fails, Ansible doesn't reach confirm# Timeout expires, config rolls backAPI-Based Confirm
# Using VyOS APIcurl -X POST https://router/configure \ -H "Content-Type: application/json" \ -d '{ "op": "set", "path": ["firewall", "ipv4", "name", "TEST"], "value": "..." }'
# Apply with timeoutcurl -X POST https://router/config-file \ -d '{"op": "commit-confirm", "minutes": 5}'
# Verify connectivity, then:curl -X POST https://router/config-file \ -d '{"op": "confirm"}'Common Mistakes
Mistake 1: Timeout Too Short
# Bad: 1 minute for complex changecommit-confirm 1# You're still verifying when it rolls back
# Better: Give yourself timecommit-confirm 10Mistake 2: Forgetting to Confirm
commit-confirm 5# Test, looks good# Get distracted# 5 minutes pass# Changes gone!
# Tip: Set a timer on your phoneMistake 3: Not Using It At All
# The classic mistakeconfigureset firewall ... # Typo somewherecommit # No safety net# Locked outThe Lesson
Every remote change should use commit-confirm. No exceptions.
The cost of using commit-confirm:
- Few seconds to type the command
- Remember to confirm
The cost of not using it:
- Emergency drive to datacenter
- Out-of-band console access scramble
- Ruined weekend
The router can save itself from your mistakes. Let it.
I’ve been saved by commit-confirm more times than I care to admit. Every time I think “this change is simple, I don’t need confirm” — that’s exactly when I need it most.
Use it. Always.