Merge branch 'firewall' of https://github.com/sarthurdev/vyos-1x into current

* 'firewall' of https://github.com/sarthurdev/vyos-1x: zone_policy: T3873: Implement intra-zone-filtering policy: T2199: Migrate policy route op-mode to XML/Python policy: T2199: Migrate policy route to XML/Python zone-policy: T2199: Migrate zone-policy op-mode to XML/Python zone-policy: T2199: Migrate zone-policy to XML/Python firewall: T2199: Migrate firewall op-mode to XML/Python firewall: T2199: Migrate firewall to XML/Python
author: Christian Poessinger <christian@poessinger.com> 2021-12-31 19:34:26 +0100
committer: Christian Poessinger <christian@poessinger.com> 2021-12-31 19:34:26 +0100
commit: 0091f6080181cc3836d70589d9a2f4a1c1cb11a8 (patch)
tree: 7ca1dbc816a2901b11d55c84c967592ed254aa0f /python/vyos/ifconfig/interface.py
parent: c5f118b3af482813a45c327ece29b5b41fd1ad9c (diff)
parent: 28b285b4791aece18fe1bbd76f3d555370545006 (diff)
download: vyos-1x-0091f6080181cc3836d70589d9a2f4a1c1cb11a8.tar.gz
vyos-1x-0091f6080181cc3836d70589d9a2f4a1c1cb11a8.zip
1 files changed, 19 insertions, 26 deletions
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index 5fdd27828..91c7f0c33 100755
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -577,6 +577,15 @@ class Interface(Control):
             return None
         return self.set_interface('arp_cache_tmo', tmo)
 
+    def _cleanup_mss_rules(self, table, ifname):
+        commands = []
+        results = self._cmd(f'nft -a list chain {table} VYOS_TCP_MSS').split("\n")
+        for line in results:
+            if f'oifname "{ifname}"' in line:
+                handle_search = re.search('handle (\d+)', line)
+                if handle_search:
+                    self._cmd(f'nft delete rule {table} VYOS_TCP_MSS handle {handle_search[1]}')
+
     def set_tcp_ipv4_mss(self, mss):
         """
         Set IPv4 TCP MSS value advertised when TCP SYN packets leave this
@@ -588,22 +597,14 @@ class Interface(Control):
         >>> from vyos.ifconfig import Interface
         >>> Interface('eth0').set_tcp_ipv4_mss(1340)
         """
-        iptables_bin = 'iptables'
-        base_options = f'-A FORWARD -o {self.ifname} -p tcp -m tcp --tcp-flags SYN,RST SYN'
-        out = self._cmd(f'{iptables_bin}-save -t mangle')
-        for line in out.splitlines():
-            if line.startswith(base_options):
-                # remove OLD MSS mangling configuration
-                line = line.replace('-A FORWARD', '-D FORWARD')
-                self._cmd(f'{iptables_bin} -t mangle {line}')
-
-        cmd_mss = f'{iptables_bin} -t mangle {base_options} --jump TCPMSS'
+        self._cleanup_mss_rules('raw', self.ifname)
+        nft_prefix = 'nft add rule raw VYOS_TCP_MSS'
+        base_cmd = f'oifname "{self.ifname}" tcp flags & (syn|rst) == syn'
         if mss == 'clamp-mss-to-pmtu':
-            self._cmd(f'{cmd_mss} --clamp-mss-to-pmtu')
+            self._cmd(f"{nft_prefix} '{base_cmd} tcp option maxseg size set rt mtu'")
         elif int(mss) > 0:
-            # probably add option to clamp only if bigger:
             low_mss = str(int(mss) + 1)
-            self._cmd(f'{cmd_mss} -m tcpmss --mss {low_mss}:65535 --set-mss {mss}')
+            self._cmd(f"{nft_prefix} '{base_cmd} tcp option maxseg size {low_mss}-65535 tcp option maxseg size set {mss}'")
 
     def set_tcp_ipv6_mss(self, mss):
         """
@@ -616,22 +617,14 @@ class Interface(Control):
         >>> from vyos.ifconfig import Interface
         >>> Interface('eth0').set_tcp_mss(1320)
         """
-        iptables_bin = 'ip6tables'
-        base_options = f'-A FORWARD -o {self.ifname} -p tcp -m tcp --tcp-flags SYN,RST SYN'
-        out = self._cmd(f'{iptables_bin}-save -t mangle')
-        for line in out.splitlines():
-            if line.startswith(base_options):
-                # remove OLD MSS mangling configuration
-                line = line.replace('-A FORWARD', '-D FORWARD')
-                self._cmd(f'{iptables_bin} -t mangle {line}')
-
-        cmd_mss = f'{iptables_bin} -t mangle {base_options} --jump TCPMSS'
+        self._cleanup_mss_rules('ip6 raw', self.ifname)
+        nft_prefix = 'nft add rule ip6 raw VYOS_TCP_MSS'
+        base_cmd = f'oifname "{self.ifname}" tcp flags & (syn|rst) == syn'
         if mss == 'clamp-mss-to-pmtu':
-            self._cmd(f'{cmd_mss} --clamp-mss-to-pmtu')
+            self._cmd(f"{nft_prefix} '{base_cmd} tcp option maxseg size set rt mtu'")
         elif int(mss) > 0:
-            # probably add option to clamp only if bigger:
             low_mss = str(int(mss) + 1)
-            self._cmd(f'{cmd_mss} -m tcpmss --mss {low_mss}:65535 --set-mss {mss}')
+            self._cmd(f"{nft_prefix} '{base_cmd} tcp option maxseg size {low_mss}-65535 tcp option maxseg size set {mss}'")
 
     def set_arp_filter(self, arp_filter):
         """
author	Christian Poessinger <christian@poessinger.com>	2021-12-31 19:34:26 +0100
committer	Christian Poessinger <christian@poessinger.com>	2021-12-31 19:34:26 +0100
commit	0091f6080181cc3836d70589d9a2f4a1c1cb11a8 (patch)
tree	7ca1dbc816a2901b11d55c84c967592ed254aa0f /python/vyos/ifconfig/interface.py
parent	c5f118b3af482813a45c327ece29b5b41fd1ad9c (diff)
parent	28b285b4791aece18fe1bbd76f3d555370545006 (diff)
download	vyos-1x-0091f6080181cc3836d70589d9a2f4a1c1cb11a8.tar.gz vyos-1x-0091f6080181cc3836d70589d9a2f4a1c1cb11a8.zip