From e846d2c1500df83742eb803684980396857cc0f1 Mon Sep 17 00:00:00 2001 
From: Nicolas Fort Date: Thu, 3 Oct 2024 14:51:55 +0000 Subject: T6760: firewall: add packet modifications existing in policy route to regular firewall ruleset. --- .../include/firewall/bridge-hook-forward.xml.i | 6 ++ .../include/firewall/bridge-hook-output.xml.i | 6 ++ .../include/firewall/bridge-hook-prerouting.xml.i | 5 ++ .../include/firewall/ipv4-custom-name.xml.i | 6 ++ .../include/firewall/ipv4-hook-forward.xml.i | 5 ++ .../include/firewall/ipv4-hook-output.xml.i | 10 +++ .../include/firewall/ipv4-hook-prerouting.xml.i | 4 + .../include/firewall/ipv6-custom-name.xml.i | 5 ++ .../include/firewall/ipv6-hook-forward.xml.i | 5 ++ .../include/firewall/ipv6-hook-output.xml.i | 10 +++ .../include/firewall/ipv6-hook-prerouting.xml.i | 4 + .../set-packet-modifications-conn-mark.xml.i | 21 +++++ .../firewall/set-packet-modifications-dscp.xml.i | 21 +++++ .../set-packet-modifications-hop-limit.xml.i | 21 +++++ .../firewall/set-packet-modifications-mark.xml.i | 21 +++++ .../set-packet-modifications-table-and-vrf.xml.i | 48 +++++++++++ .../set-packet-modifications-tcp-mss.xml.i | 21 +++++ .../firewall/set-packet-modifications-ttl.xml.i | 21 +++++ .../firewall/set-packet-modifications.xml.i | 96 ---------------------- .../include/policy/route-common.xml.i | 6 +- python/vyos/firewall.py | 6 ++ smoketest/scripts/cli/test_firewall.py | 16 ++-- 22 files changed, 262 insertions(+), 102 deletions(-) create mode 100644 interface-definitions/include/firewall/set-packet-modifications-conn-mark.xml.i create mode 100644 interface-definitions/include/firewall/set-packet-modifications-dscp.xml.i create mode 100755 interface-definitions/include/firewall/set-packet-modifications-hop-limit.xml.i create mode 100644 interface-definitions/include/firewall/set-packet-modifications-mark.xml.i create mode 100644 interface-definitions/include/firewall/set-packet-modifications-table-and-vrf.xml.i create mode 100644 interface-definitions/include/firewall/set-packet-modifications-tcp-mss.xml.i 
create mode 100755 interface-definitions/include/firewall/set-packet-modifications-ttl.xml.i delete mode 100644 interface-definitions/include/firewall/set-packet-modifications.xml.i diff --git a/interface-definitions/include/firewall/bridge-hook-forward.xml.i b/interface-definitions/include/firewall/bridge-hook-forward.xml.i index fcc981925..03ac26cf6 100644 --- a/interface-definitions/include/firewall/bridge-hook-forward.xml.i +++ b/interface-definitions/include/firewall/bridge-hook-forward.xml.i @@ -32,6 +32,12 @@ #include #include #include + #include + #include + #include + #include + #include + #include diff --git a/interface-definitions/include/firewall/bridge-hook-output.xml.i b/interface-definitions/include/firewall/bridge-hook-output.xml.i index 38b8b08ca..853315989 100644 --- a/interface-definitions/include/firewall/bridge-hook-output.xml.i +++ b/interface-definitions/include/firewall/bridge-hook-output.xml.i @@ -31,6 +31,12 @@ #include #include #include + #include + #include + #include + #include + #include + #include diff --git a/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i b/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i index ea567644f..7a45f5cd1 100644 --- a/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i +++ b/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i @@ -28,6 +28,11 @@ #include #include #include + #include + #include + #include + #include + #include diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i index 8046b2d6c..b08262e2d 100644 --- a/interface-definitions/include/firewall/ipv4-custom-name.xml.i +++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i @@ -36,6 +36,12 @@ #include #include #include + #include + #include + #include + #include + #include + 
diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i index b0e240a03..a2da4b701 100644 --- a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i @@ -31,6 +31,11 @@ #include #include #include + #include + #include + #include + #include + #include diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i index ee9157592..f68136557 100644 --- a/interface-definitions/include/firewall/ipv4-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i @@ -28,6 +28,11 @@ #include #include #include + #include + #include + #include + #include + #include @@ -56,6 +61,11 @@ #include #include #include + #include + #include + #include + #include + #include diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i index b431303ae..6f9fe6842 100644 --- a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i @@ -35,6 +35,10 @@ #include #include #include + #include + #include + #include + #include Set jump target. Action jump must be defined to use this setting diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i index fb8740c38..d49267b52 100644 --- a/interface-definitions/include/firewall/ipv6-custom-name.xml.i +++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i @@ -36,6 +36,11 @@ #include #include #include + #include + #include + #include + #include + #include diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i index 7efc2614e..79898d691 100644 
--- a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i @@ -31,6 +31,11 @@ #include #include #include + #include + #include + #include + #include + #include diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i index d3c4c1ead..9a6d0bb77 100644 --- a/interface-definitions/include/firewall/ipv6-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i @@ -28,6 +28,11 @@ #include #include #include + #include + #include + #include + #include + #include @@ -56,6 +61,11 @@ #include #include #include + #include + #include + #include + #include + #include diff --git a/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i index 21f8de6f9..15454bbbf 100644 --- a/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i @@ -35,6 +35,10 @@ #include #include #include + #include + #include + #include + #include Set jump target. Action jump must be defined to use this setting diff --git a/interface-definitions/include/firewall/set-packet-modifications-conn-mark.xml.i b/interface-definitions/include/firewall/set-packet-modifications-conn-mark.xml.i new file mode 100644 index 000000000..dff95d324 --- /dev/null +++ b/interface-definitions/include/firewall/set-packet-modifications-conn-mark.xml.i @@ -0,0 +1,21 @@ + + + + Packet modifications + + + + + Set connection mark + + u32:0-2147483647 + Connection mark + + + + + + + + + diff --git a/interface-definitions/include/firewall/set-packet-modifications-dscp.xml.i b/interface-definitions/include/firewall/set-packet-modifications-dscp.xml.i new file mode 100644 index 000000000..5082806fb --- /dev/null +++ b/interface-definitions/include/firewall/set-packet-modifications-dscp.xml.i 
@@ -0,0 +1,21 @@ + + + + Packet modifications + + + + + Set DSCP (Packet Differentiated Services Codepoint) bits + + u32:0-63 + DSCP number + + + + + + + + + diff --git a/interface-definitions/include/firewall/set-packet-modifications-hop-limit.xml.i b/interface-definitions/include/firewall/set-packet-modifications-hop-limit.xml.i new file mode 100755 index 000000000..8a6e5347a --- /dev/null +++ b/interface-definitions/include/firewall/set-packet-modifications-hop-limit.xml.i @@ -0,0 +1,21 @@ + + + + Packet modifications + + + + + Set hop limit + + u32:0-255 + Hop limit number + + + + + + + + + diff --git a/interface-definitions/include/firewall/set-packet-modifications-mark.xml.i b/interface-definitions/include/firewall/set-packet-modifications-mark.xml.i new file mode 100644 index 000000000..b229d0579 --- /dev/null +++ b/interface-definitions/include/firewall/set-packet-modifications-mark.xml.i @@ -0,0 +1,21 @@ + + + + Packet modifications + + + + + Set packet mark + + u32:1-2147483647 + Packet mark + + + + + + + + + diff --git a/interface-definitions/include/firewall/set-packet-modifications-table-and-vrf.xml.i b/interface-definitions/include/firewall/set-packet-modifications-table-and-vrf.xml.i new file mode 100644 index 000000000..c7875b31d --- /dev/null +++ b/interface-definitions/include/firewall/set-packet-modifications-table-and-vrf.xml.i @@ -0,0 +1,48 @@ + + + + Packet modifications + + + + + Set the routing table for matched packets + + u32:1-200 + Table number + + + main + Main table + + + + (main) + + + main + protocols static table + + + + + + VRF to forward packet with + + txt + VRF instance name + + + default + Forward into default global VRF + + + default + vrf name + + #include + + + + + diff --git a/interface-definitions/include/firewall/set-packet-modifications-tcp-mss.xml.i b/interface-definitions/include/firewall/set-packet-modifications-tcp-mss.xml.i new file mode 100644 index 000000000..06ffdfede --- /dev/null 
+++ b/interface-definitions/include/firewall/set-packet-modifications-tcp-mss.xml.i @@ -0,0 +1,21 @@ + + + + Packet modifications + + + + + Set TCP Maximum Segment Size + + u32:500-1460 + Explicitly set TCP MSS value + + + + + + + + + diff --git a/interface-definitions/include/firewall/set-packet-modifications-ttl.xml.i b/interface-definitions/include/firewall/set-packet-modifications-ttl.xml.i new file mode 100755 index 000000000..e2f14050b --- /dev/null +++ b/interface-definitions/include/firewall/set-packet-modifications-ttl.xml.i @@ -0,0 +1,21 @@ + + + + Packet modifications + + + + + Set TTL (time to live) + + u32:0-255 + TTL number + + + + + + + + + diff --git a/interface-definitions/include/firewall/set-packet-modifications.xml.i b/interface-definitions/include/firewall/set-packet-modifications.xml.i deleted file mode 100644 index ee019b64e..000000000 --- a/interface-definitions/include/firewall/set-packet-modifications.xml.i +++ /dev/null @@ -1,96 +0,0 @@ - - - - Packet modifications - - - - - Set connection mark - - u32:0-2147483647 - Connection mark - - - - - - - - - Set DSCP (Packet Differentiated Services Codepoint) bits - - u32:0-63 - DSCP number - - - - - - - - - Set packet mark - - u32:1-2147483647 - Packet mark - - - - - - - - - Set the routing table for matched packets - - u32:1-200 - Table number - - - main - Main table - - - - (main) - - - main - protocols static table - - - - - - VRF to forward packet with - - txt - VRF instance name - - - default - Forward into default global VRF - - - default - vrf name - - #include - - - - - Set TCP Maximum Segment Size - - u32:500-1460 - Explicitly set TCP MSS value - - - - - - - - - \ No newline at end of file diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i index 19ffc0506..5c69a5279 100644 --- a/interface-definitions/include/policy/route-common.xml.i +++ b/interface-definitions/include/policy/route-common.xml.i 
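Review bot: The validator range for the new `ttl` leaf is `u32:0-255`, so the CLI accepts `set ttl 0`; a forwarded packet rewritten to TTL 0 is, as far as I can tell, discarded by the next hop (or by the local forwarding path when set in prerouting) with an ICMP time-exceeded, which is a drop with a side effect rather than a packet modification. If that is not intended, I would narrow the validator to `1-255` and its help text to `TTL number (1-255)`; the parallel `hop-limit` include added in this commit carries the same `0-255` range and deserves the same decision. The element tags were stripped by the page extraction, so this is read from the surviving validator text only.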
@@ -66,7 +66,11 @@ -#include +#include +#include +#include +#include #include #include #include
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 34d0b73f6..314e8dfe3 100755
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -583,6 +583,12 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
 if 'tcp_mss' in rule_conf['set']:
 mss = rule_conf['set']['tcp_mss']
 output.append(f'tcp option maxseg size set {mss}')
+ if 'ttl' in rule_conf['set']:
+ ttl = rule_conf['set']['ttl']
+ output.append(f'ip ttl set {ttl}')
+ if 'hop_limit' in rule_conf['set']:
+ hoplimit = rule_conf['set']['hop_limit']
+ output.append(f'ip6 hoplimit set {hoplimit}')
 if 'action' in rule_conf:
 if rule_conf['action'] == 'offload':
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 3e9ec2935..2d18f0495 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -248,6 +248,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 self.cli_set(['firewall', 'ipv4', 'prerouting', 'raw', 'rule', '1', 'action', 'notrack'])
 self.cli_set(['firewall', 'ipv4', 'prerouting', 'raw', 'rule', '1', 'protocol', 'tcp'])
 self.cli_set(['firewall', 'ipv4', 'prerouting', 'raw', 'rule', '1', 'destination', 'port', '23'])
+ self.cli_set(['firewall', 'ipv4', 'prerouting', 'raw', 'rule', '1', 'set', 'mark', '55'])
 self.cli_commit()
@@ -275,7 +276,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 ['OUT-raw default-action drop', 'drop'],
 ['chain VYOS_PREROUTING_raw'],
 ['type filter hook prerouting priority raw; policy accept;'],
- ['tcp dport 23', 'notrack'],
+ ['tcp dport 23', 'meta mark set 0x00000037', 'notrack'],
 ['PRE-raw default-action accept', 'accept'],
 ['chain NAME_smoketest'],
 ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[ipv4-NAM-smoketest-1-A]" log level debug', 'ip ttl 15', 'accept'],
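Review bot: The new `ttl` and `hop_limit` branches in `parse_rule` are emitted unconditionally, and the bridge hook includes in this commit appear to expose both keys on the same rule, so a bridge rule that sets both would render as `ip ttl set N ip6 hoplimit set M` inside one nft rule, which nft is likely to reject as conflicting ip/ip6 protocol dependencies; the failure would then surface at nft load rather than at verify. I would reject the combination in the config script's verify step (outside this hunk), e.g. `if 'ttl' in rule_conf.get('set', {}) and 'hop_limit' in rule_conf['set']: raise ConfigError('ttl and hop-limit cannot be set in the same rule')`, or gate each emit on the address family here. A short comment on the new lines, `# nft derives the ether type from ip/ip6 expressions, so a bridge rule may carry only one of these`, would help the next maintainer. `parse_rule` starts and ends outside this hunk, and the `'set' in rule_conf` guard these lookups rely on is above it.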
@@ -315,6 +316,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'mark', '1010'])
 self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump'])
 self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'set', 'dscp', '32'])
 self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'protocol', 'tcp'])
 self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'mark', '!98765'])
@@ -331,7 +333,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 nftables_search = [
 ['chain VYOS_FORWARD_filter'],
 ['type filter hook forward priority filter; policy accept;'],
- ['ip saddr 198.51.100.1-198.51.100.50', 'meta mark 0x000003f2', f'jump NAME_{name}'],
+ ['ip saddr 198.51.100.1-198.51.100.50', 'meta mark 0x000003f2', 'ip dscp set cs4', f'jump NAME_{name}'],
 ['FWD-filter default-action drop', 'drop'],
 ['chain VYOS_INPUT_filter'],
 ['type filter hook input priority filter; policy accept;'],
@@ -485,6 +487,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 self.cli_set(['firewall', 'ipv6', 'prerouting', 'raw', 'rule', '1', 'action', 'drop'])
 self.cli_set(['firewall', 'ipv6', 'prerouting', 'raw', 'rule', '1', 'protocol', 'tcp'])
 self.cli_set(['firewall', 'ipv6', 'prerouting', 'raw', 'rule', '1', 'destination', 'port', '23'])
+ self.cli_set(['firewall', 'ipv6', 'prerouting', 'raw', 'rule', '1', 'set', 'hop-limit', '79'])
 self.cli_commit()
@@ -507,7 +510,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 ['OUT-raw default-action drop', 'drop'],
 ['chain VYOS_IPV6_PREROUTING_raw'],
 ['type filter hook prerouting priority raw; policy accept;'],
- ['tcp dport 23', 'drop'],
+ ['tcp dport 23', 'ip6 hoplimit set 79', 'drop'],
 ['PRE-raw default-action accept', 'accept'],
 [f'chain NAME6_{name}'],
 ['saddr 2002::1-2002::10', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'],
@@ -722,9 +725,12 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '1', 'action', 'accept'])
 self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '1', 'vlan', 'id', vlan_id])
 self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '1', 'vlan', 'ethernet-type', 'ipv4'])
+ self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '1', 'set', 'connection-mark', '123123'])
+
 self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '2', 'action', 'jump'])
 self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '2', 'jump-target', name])
 self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '2', 'vlan', 'priority', vlan_prior])
+ self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '2', 'set', 'ttl', '128'])
 self.cli_set(['firewall', 'bridge', 'input', 'filter', 'rule', '1', 'action', 'accept'])
 self.cli_set(['firewall', 'bridge', 'input', 'filter', 'rule', '1', 'inbound-interface', 'name', interface_in])
@@ -746,8 +752,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 ['chain VYOS_FORWARD_filter'],
 ['type filter hook forward priority filter; policy accept;'],
 ['jump VYOS_STATE_POLICY'],
- [f'vlan id {vlan_id}', 'vlan type ip', 'accept'],
- [f'vlan pcp {vlan_prior}', f'jump NAME_{name}'],
+ [f'vlan id {vlan_id}', 'vlan type ip', 'ct mark set 0x0001e0f3', 'accept'],
+ [f'vlan pcp {vlan_prior}', 'ip ttl set 128', f'jump NAME_{name}'],
 ['log prefix "[bri-FWD-filter-default-D]"', 'drop', 'FWD-filter default-action drop'],
 [f'chain NAME_{name}'],
 [f'ether saddr {mac_address}', f'iifname "{interface_in}"', f'log prefix "[bri-NAM-{name}-1-A]" log level crit', 'accept'],
-- cgit v1.2.3