From a8a9cfe750da719605ab90ce8c83c42276ab07f3 Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Wed, 24 Jul 2024 17:40:28 +0000
Subject: T6570: firewall: add global-option to configure sysctl parameter for
 enabling/disabling sending traffic from bridge layer to ipvX layer

---
 data/templates/firewall/sysctl-firewall.conf.j2       |  8 ++++++++
 .../include/firewall/global-options.xml.i             | 19 +++++++++++++++++++
 src/etc/sysctl.d/30-vyos-router.conf                  |  5 +++++
 3 files changed, 32 insertions(+)

diff --git a/data/templates/firewall/sysctl-firewall.conf.j2 b/data/templates/firewall/sysctl-firewall.conf.j2
index b9c3311e2..119c6577b 100644
--- a/data/templates/firewall/sysctl-firewall.conf.j2
+++ b/data/templates/firewall/sysctl-firewall.conf.j2
@@ -13,6 +13,14 @@ net.ipv4.conf.*.send_redirects = {{ 1 if global_options.send_redirects == 'enabl
 net.ipv4.tcp_syncookies = {{ 1 if global_options.syn_cookies == 'enable' else 0 }}
 net.ipv4.tcp_rfc1337 = {{ 1 if global_options.twa_hazards_protection == 'enable' else 0 }}
 
+{% if global_options.apply_for_bridge is vyos_defined %}
+net.bridge.bridge-nf-call-iptables = {{ 1 if global_options.apply_for_bridge.ipv4 is vyos_defined else 0 }}
+net.bridge.bridge-nf-call-ip6tables = {{ 1 if global_options.apply_for_bridge.ipv6 is vyos_defined else 0 }}
+{% else %}
+net.bridge.bridge-nf-call-iptables =0
+net.bridge.bridge-nf-call-ip6tables = 0
+{% endif %}
+
 ## Timeout values:
 net.netfilter.nf_conntrack_icmp_timeout = {{ global_options.timeout.icmp }}
 net.netfilter.nf_conntrack_generic_timeout = {{ global_options.timeout.other }}
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
index 9039b76fd..1f2899672 100644
--- a/interface-definitions/include/firewall/global-options.xml.i
+++ b/interface-definitions/include/firewall/global-options.xml.i
@@ -44,6 +44,25 @@
       </properties>
       <defaultValue>disable</defaultValue>
     </leafNode>
+    <node name="apply-for-bridge">
+      <properties>
+        <help>Apply configured firewall rules to traffic switched by bridges</help>
+      </properties>
+      <children>
+        <leafNode name="ipv4">
+          <properties>
+            <help>Apply configured IPv4 firewall rules</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="ipv6">
+          <properties>
+            <help>Apply configured IPv6 firewall rules</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
     <leafNode name="directed-broadcast">
       <properties>
         <help>Policy for handling IPv4 directed broadcast forwarding on all interfaces</help>
diff --git a/src/etc/sysctl.d/30-vyos-router.conf b/src/etc/sysctl.d/30-vyos-router.conf
index c9b8ef8fe..76be41ddc 100644
--- a/src/etc/sysctl.d/30-vyos-router.conf
+++ b/src/etc/sysctl.d/30-vyos-router.conf
@@ -110,3 +110,8 @@ net.ipv6.conf.all.seg6_enabled = 0
 net.ipv6.conf.default.seg6_enabled = 0
 
 net.vrf.strict_mode = 1
+
+# https://vyos.dev/T6570
+# By default, do not forward traffic from bridge to IPvX layer
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-ip6tables = 0
\ No newline at end of file
-- 
cgit v1.2.3