summaryrefslogtreecommitdiff
path: root/python
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2023-08-26 14:59:10 +0200
committerGitHub <noreply@github.com>2023-08-26 14:59:10 +0200
commit75aa90cf2b234a34565d165697196ac9a304bb66 (patch)
tree8a1c07e17cec0333b71ed32c12f403953a762afe /python
parent3144b67f1b04e88f5ba928db2eee6f198be04a3a (diff)
parent2509a1ab84cdb6d9389b547f93b0904cf329e78a (diff)
downloadvyos-1x-75aa90cf2b234a34565d165697196ac9a304bb66.tar.gz
vyos-1x-75aa90cf2b234a34565d165697196ac9a304bb66.zip
Merge pull request #2163 from sarthurdev/firewall_rpfilter
firewall: T3509: Add support for IPv6 reverse path filtering
Diffstat (limited to 'python')
-rw-r--r--python/vyos/ifconfig/interface.py29
1 files changed, 29 insertions, 0 deletions
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index ddac387e7..41ce352ad 100644
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -777,6 +777,30 @@ class Interface(Control):
return None
return self.set_interface('rp_filter', value)
+ def _cleanup_ipv6_source_validation_rules(self, ifname):
+ commands = []
+ results = self._cmd(f'nft -a list chain ip6 raw vyos_rpfilter').split("\n")
+ for line in results:
+ if f'iifname "{ifname}"' in line:
+ handle_search = re.search('handle (\d+)', line)
+ if handle_search:
+ self._cmd(f'nft delete rule ip6 raw vyos_rpfilter handle {handle_search[1]}')
+
+ def set_ipv6_source_validation(self, mode):
+ """
+ Set IPv6 reverse path validation
+
+ Example:
+ >>> from vyos.ifconfig import Interface
+ >>> Interface('eth0').set_ipv6_source_validation('strict')
+ """
+ self._cleanup_ipv6_source_validation_rules(self.ifname)
+ nft_prefix = f'nft add rule ip6 raw vyos_rpfilter iifname "{self.ifname}"'
+ if mode == 'strict':
+ self._cmd(f"{nft_prefix} fib saddr . iif oif 0 counter drop")
+ elif mode == 'loose':
+ self._cmd(f"{nft_prefix} fib saddr oif 0 counter drop")
+
def set_ipv6_accept_ra(self, accept_ra):
"""
Accept Router Advertisements; autoconfigure using them.
@@ -1568,6 +1592,11 @@ class Interface(Control):
value = tmp if (tmp != None) else '0'
self.set_ipv4_source_validation(value)
+ # IPv6 source-validation
+ tmp = dict_search('ipv6.source_validation', config)
+ value = tmp if (tmp != None) else '0'
+ self.set_ipv6_source_validation(value)
+
# MTU - Maximum Transfer Unit has a default value. It must ALWAYS be set
# before mangling any IPv6 option. If MTU is less then 1280 IPv6 will be
# automatically disabled by the kernel. Also MTU must be increased before