diff options
author | Christian Breunig <christian@breunig.cc> | 2023-08-26 14:59:10 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-08-26 14:59:10 +0200 |
commit | 75aa90cf2b234a34565d165697196ac9a304bb66 (patch) | |
tree | 8a1c07e17cec0333b71ed32c12f403953a762afe /python | |
parent | 3144b67f1b04e88f5ba928db2eee6f198be04a3a (diff) | |
parent | 2509a1ab84cdb6d9389b547f93b0904cf329e78a (diff) | |
download | vyos-1x-75aa90cf2b234a34565d165697196ac9a304bb66.tar.gz vyos-1x-75aa90cf2b234a34565d165697196ac9a304bb66.zip |
Merge pull request #2163 from sarthurdev/firewall_rpfilter
firewall: T3509: Add support for IPv6 reverse path filtering
Diffstat (limited to 'python')
-rw-r--r-- | python/vyos/ifconfig/interface.py | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py index ddac387e7..41ce352ad 100644 --- a/python/vyos/ifconfig/interface.py +++ b/python/vyos/ifconfig/interface.py @@ -777,6 +777,30 @@ class Interface(Control): return None return self.set_interface('rp_filter', value) + def _cleanup_ipv6_source_validation_rules(self, ifname): + commands = [] + results = self._cmd(f'nft -a list chain ip6 raw vyos_rpfilter').split("\n") + for line in results: + if f'iifname "{ifname}"' in line: + handle_search = re.search('handle (\d+)', line) + if handle_search: + self._cmd(f'nft delete rule ip6 raw vyos_rpfilter handle {handle_search[1]}') + + def set_ipv6_source_validation(self, mode): + """ + Set IPv6 reverse path validation + + Example: + >>> from vyos.ifconfig import Interface + >>> Interface('eth0').set_ipv6_source_validation('strict') + """ + self._cleanup_ipv6_source_validation_rules(self.ifname) + nft_prefix = f'nft add rule ip6 raw vyos_rpfilter iifname "{self.ifname}"' + if mode == 'strict': + self._cmd(f"{nft_prefix} fib saddr . iif oif 0 counter drop") + elif mode == 'loose': + self._cmd(f"{nft_prefix} fib saddr oif 0 counter drop") + def set_ipv6_accept_ra(self, accept_ra): """ Accept Router Advertisements; autoconfigure using them. @@ -1568,6 +1592,11 @@ class Interface(Control): value = tmp if (tmp != None) else '0' self.set_ipv4_source_validation(value) + # IPv6 source-validation + tmp = dict_search('ipv6.source_validation', config) + value = tmp if (tmp != None) else '0' + self.set_ipv6_source_validation(value) + # MTU - Maximum Transfer Unit has a default value. It must ALWAYS be set # before mangling any IPv6 option. If MTU is less then 1280 IPv6 will be # automatically disabled by the kernel. Also MTU must be increased before |