From 2ec023752bdd400835eb69a8f1f9d2873cef61fa Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Fri, 19 Jan 2024 21:01:52 +0100
Subject: firewall: T5729: T5681: T5217: backport subsystem from current branch
This is a combined backport for all accumulated changes done to the firewall
subsystem on the current branch.
---
data/config-mode-dependencies/vyos-1x.json | 88 ++++++++++++++++-------------
data/templates/firewall/nftables-bridge.j2 | 8 +--
data/templates/firewall/nftables-nat.j2 | 21 -------
data/templates/firewall/nftables-nat66.j2 | 17 ------
data/templates/firewall/nftables-offload.j2 | 2 +-
data/templates/firewall/nftables-zone.j2 | 6 +-
data/templates/firewall/nftables.j2 | 33 ++++-------
data/vyos-firewall-init.conf | 82 ++-------------------------
8 files changed, 73 insertions(+), 184 deletions(-)
(limited to 'data')
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index 81d86cf7e..4fd94d895 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -1,40 +1,52 @@
{
- "firewall": {
- "conntrack": ["system_conntrack"],
- "group_resync": ["system_conntrack", "nat", "policy_route"]
- },
- "interfaces_bonding": {
- "ethernet": ["interfaces_ethernet"]
- },
- "interfaces_bridge": {
- "vxlan": ["interfaces_vxlan"]
- },
- "pki": {
- "ethernet": ["interfaces_ethernet"],
- "openvpn": ["interfaces_openvpn"],
- "https": ["service_https"],
- "ipsec": ["vpn_ipsec"],
- "openconnect": ["vpn_openconnect"],
- "sstp": ["vpn_sstp"]
- },
- "qos": {
- "bonding": ["interfaces_bonding"],
- "bridge": ["interfaces_bridge"],
- "dummy": ["interfaces_dummy"],
- "ethernet": ["interfaces_ethernet"],
- "geneve": ["interfaces_geneve"],
- "input": ["interfaces_input"],
- "l2tpv3": ["interfaces_l2tpv3"],
- "loopback": ["interfaces_loopback"],
- "macsec": ["interfaces_macsec"],
- "openvpn": ["interfaces_openvpn"],
- "pppoe": ["interfaces_pppoe"],
- "pseudo-ethernet": ["interfaces_pseudo-ethernet"],
- "tunnel": ["interfaces_tunnel"],
- "vti": ["interfaces_vti"],
- "vxlan": ["interfaces_vxlan"],
- "wireguard": ["interfaces_wireguard"],
- "wireless": ["interfaces_wireless"],
- "wwan": ["interfaces_wwan"]
- }
+ "system_conntrack": {
+ "conntrack_sync": ["service_conntrack-sync"]
+ },
+ "firewall": {
+ "conntrack": ["system_conntrack"],
+ "group_resync": ["system_conntrack", "nat", "policy_route"]
+ },
+ "interfaces_bonding": {
+ "ethernet": ["interfaces_ethernet"]
+ },
+ "interfaces_bridge": {
+ "vxlan": ["interfaces_vxlan"]
+ },
+ "load_balancing_wan": {
+ "conntrack": ["system_conntrack"]
+ },
+ "nat": {
+ "conntrack": ["system_conntrack"]
+ },
+ "nat66": {
+ "conntrack": ["system_conntrack"]
+ },
+ "pki": {
+ "ethernet": ["interfaces_ethernet"],
+ "openvpn": ["interfaces_openvpn"],
+ "https": ["service_https"],
+ "ipsec": ["vpn_ipsec"],
+ "openconnect": ["vpn_openconnect"],
+ "sstp": ["vpn_sstp"]
+ },
+ "qos": {
+ "bonding": ["interfaces_bonding"],
+ "bridge": ["interfaces_bridge"],
+ "dummy": ["interfaces_dummy"],
+ "ethernet": ["interfaces_ethernet"],
+ "geneve": ["interfaces_geneve"],
+ "input": ["interfaces_input"],
+ "l2tpv3": ["interfaces_l2tpv3"],
+ "loopback": ["interfaces_loopback"],
+ "macsec": ["interfaces_macsec"],
+ "openvpn": ["interfaces_openvpn"],
+ "pppoe": ["interfaces_pppoe"],
+ "pseudo-ethernet": ["interfaces_pseudo-ethernet"],
+ "tunnel": ["interfaces_tunnel"],
+ "vti": ["interfaces_vti"],
+ "vxlan": ["interfaces_vxlan"],
+ "wireguard": ["interfaces_wireguard"],
+ "wireless": ["interfaces_wireless"],
+ "wwan": ["interfaces_wwan"]
+ }
}
diff --git a/data/templates/firewall/nftables-bridge.j2 b/data/templates/firewall/nftables-bridge.j2
index 1a4ad2ed9..dec027bf9 100644
--- a/data/templates/firewall/nftables-bridge.j2
+++ b/data/templates/firewall/nftables-bridge.j2
@@ -2,9 +2,8 @@
{% set ns = namespace(sets=[]) %}
{% if bridge.forward is vyos_defined %}
{% for prior, conf in bridge.forward.items() %}
-{% set def_action = conf.default_action %}
chain VYOS_FORWARD_{{ prior }} {
- type filter hook forward priority {{ prior }}; policy {{ def_action }};
+ type filter hook forward priority {{ prior }}; policy accept;
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
{{ rule_conf | nft_rule('FWD', prior, rule_id, 'bri') }}
@@ -13,6 +12,7 @@
{% endif %}
{% endfor %}
{% endif %}
+ {{ conf | nft_default_rule('FWD-filter', 'bri') }}
}
{% endfor %}
{% endif %}
@@ -28,8 +28,8 @@
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule(name_text) }}
+ {{ conf | nft_default_rule(name_text, 'bri') }}
}
{% endfor %}
{% endif %}
-{% endmacro %}
\ No newline at end of file
+{% endmacro %}
diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2
index dcf28da88..4254f6a0e 100644
--- a/data/templates/firewall/nftables-nat.j2
+++ b/data/templates/firewall/nftables-nat.j2
@@ -2,27 +2,6 @@
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
-{% if helper_functions is vyos_defined('remove') %}
-{# NAT if going to be disabled - remove rules and targets from nftables #}
-{% set base_command = 'delete rule ip raw' %}
-{{ base_command }} PREROUTING handle {{ pre_ct_ignore }}
-{{ base_command }} OUTPUT handle {{ out_ct_ignore }}
-{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }}
-{{ base_command }} OUTPUT handle {{ out_ct_conntrack }}
-
-delete chain ip raw NAT_CONNTRACK
-
-{% elif helper_functions is vyos_defined('add') %}
-{# NAT if enabled - add targets to nftables #}
-add chain ip raw NAT_CONNTRACK
-add rule ip raw NAT_CONNTRACK counter accept
-{% set base_command = 'add rule ip raw' %}
-{{ base_command }} PREROUTING position {{ pre_ct_ignore }} counter jump VYOS_CT_HELPER
-{{ base_command }} OUTPUT position {{ out_ct_ignore }} counter jump VYOS_CT_HELPER
-{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
-{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
-{% endif %}
-
{% if first_install is not vyos_defined %}
delete table ip vyos_nat
{% endif %}
diff --git a/data/templates/firewall/nftables-nat66.j2 b/data/templates/firewall/nftables-nat66.j2
index 27b3eec88..67eb2c109 100644
--- a/data/templates/firewall/nftables-nat66.j2
+++ b/data/templates/firewall/nftables-nat66.j2
@@ -1,22 +1,5 @@
#!/usr/sbin/nft -f
-{% if helper_functions is vyos_defined('remove') %}
-{# NAT if going to be disabled - remove rules and targets from nftables #}
-{% set base_command = 'delete rule ip6 raw' %}
-{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }}
-{{ base_command }} OUTPUT handle {{ out_ct_conntrack }}
-
-delete chain ip6 raw NAT_CONNTRACK
-
-{% elif helper_functions is vyos_defined('add') %}
-{# NAT if enabled - add targets to nftables #}
-add chain ip6 raw NAT_CONNTRACK
-add rule ip6 raw NAT_CONNTRACK counter accept
-{% set base_command = 'add rule ip6 raw' %}
-{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
-{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
-{% endif %}
-
{% if first_install is not vyos_defined %}
delete table ip6 vyos_nat
{% endif %}
diff --git a/data/templates/firewall/nftables-offload.j2 b/data/templates/firewall/nftables-offload.j2
index 087fd141c..a893e05b2 100644
--- a/data/templates/firewall/nftables-offload.j2
+++ b/data/templates/firewall/nftables-offload.j2
@@ -6,4 +6,4 @@
{% endif %}
counter
}
-{% endmacro %}
\ No newline at end of file
+{% endmacro %}
diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
index 506ad815e..e78725079 100644
--- a/data/templates/firewall/nftables-zone.j2
+++ b/data/templates/firewall/nftables-zone.j2
@@ -44,7 +44,7 @@
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endfor %}
{% endif %}
- {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
+ {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }}
}
chain VZONE_{{ zone_name }}_OUT {
oifname lo counter return
@@ -54,7 +54,7 @@
oifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endfor %}
{% endif %}
- {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
+ {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }}
}
{% else %}
chain VZONE_{{ zone_name }} {
@@ -70,7 +70,7 @@
{% endif %}
{% endfor %}
{% endif %}
- {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
+ {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }}
}
{% endif %}
{% endfor %}
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 4851e3a05..833df3a67 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -5,17 +5,10 @@
{% import 'firewall/nftables-offload.j2' as offload_tmpl %}
{% import 'firewall/nftables-zone.j2' as zone_tmpl %}
-flush chain raw FW_CONNTRACK
-flush chain ip6 raw FW_CONNTRACK
-
flush chain raw vyos_global_rpfilter
flush chain ip6 raw vyos_global_rpfilter
table raw {
- chain FW_CONNTRACK {
- {{ ipv4_conntrack_action }}
- }
-
chain vyos_global_rpfilter {
{% if global_options.source_validation is vyos_defined('loose') %}
fib saddr oif 0 counter drop
@@ -27,10 +20,6 @@ table raw {
}
table ip6 raw {
- chain FW_CONNTRACK {
- {{ ipv6_conntrack_action }}
- }
-
chain vyos_global_rpfilter {
{% if global_options.ipv6_source_validation is vyos_defined('loose') %}
fib saddr oif 0 counter drop
@@ -68,7 +57,7 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('FWD-filter') }}
+ {{ conf | nft_default_rule('FWD-filter', 'ipv4') }}
}
{% endfor %}
{% endif %}
@@ -88,7 +77,7 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('INP-filter') }}
+ {{ conf | nft_default_rule('INP-filter', 'ipv4') }}
}
{% endfor %}
{% endif %}
@@ -108,7 +97,7 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('OUT-filter') }}
+ {{ conf | nft_default_rule('OUT-filter', 'ipv4') }}
}
{% endfor %}
{% endif %}
@@ -128,7 +117,7 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('PRE-filter') }}
+ {{ conf | nft_default_rule('PRE-filter', 'ipv4') }}
}
{% endfor %}
{% endif %}
@@ -144,7 +133,7 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule(name_text) }}
+ {{ conf | nft_default_rule(name_text, 'ipv4') }}
}
{% endfor %}
{% endif %}
@@ -219,7 +208,7 @@ table ip6 vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('FWD-filter', ipv6=True) }}
+ {{ conf | nft_default_rule('FWD-filter', 'ipv6') }}
}
{% endfor %}
{% endif %}
@@ -239,7 +228,7 @@ table ip6 vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('INP-filter', ipv6=True) }}
+ {{ conf | nft_default_rule('INP-filter', 'ipv6') }}
}
{% endfor %}
{% endif %}
@@ -259,7 +248,7 @@ table ip6 vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('OUT-filter', ipv6=True) }}
+ {{ conf | nft_default_rule('OUT-filter', 'ipv6') }}
}
{% endfor %}
{% endif %}
@@ -280,7 +269,7 @@ table ip6 vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule(name_text, ipv6=True) }}
+ {{ conf | nft_default_rule(name_text, 'ipv6') }}
}
{% endfor %}
{% endif %}
@@ -308,7 +297,6 @@ table ip6 vyos_filter {
{% endif %}
{% endif %}
{{ group_tmpl.groups(group, True, True) }}
-
{% if zone is vyos_defined %}
{{ zone_tmpl.zone_chains(zone, True, global_options.state_policy is vyos_defined) }}
{% endif %}
@@ -326,7 +314,6 @@ table ip6 vyos_filter {
return
}
{% endif %}
-
}
## Bridge Firewall
@@ -337,4 +324,4 @@ table bridge vyos_filter {
{{ bridge_tmpl.bridge(bridge) }}
{{ group_tmpl.groups(group, False, False) }}
-}
\ No newline at end of file
+}
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index b0026fdf3..cd7d5011f 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -9,6 +9,7 @@ table ip nat {
}
table inet mangle {
+ # Used by system flow-accounting
chain FORWARD {
type filter hook forward priority -150; policy accept;
}
@@ -28,61 +29,9 @@ table raw {
counter jump vyos_global_rpfilter
}
- chain PREROUTING {
+ # Used by system flow-accounting
+ chain VYOS_PREROUTING_HOOK {
type filter hook prerouting priority -300; policy accept;
- counter jump VYOS_CT_IGNORE
- counter jump VYOS_CT_TIMEOUT
- counter jump VYOS_CT_PREROUTING_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- chain OUTPUT {
- type filter hook output priority -300; policy accept;
- counter jump VYOS_CT_IGNORE
- counter jump VYOS_CT_TIMEOUT
- counter jump VYOS_CT_OUTPUT_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- ct helper rpc_tcp {
- type "rpc" protocol tcp;
- }
-
- ct helper rpc_udp {
- type "rpc" protocol udp;
- }
-
- ct helper tns_tcp {
- type "tns" protocol tcp;
- }
-
- chain VYOS_CT_HELPER {
- ct helper set "rpc_tcp" tcp dport {111} return
- ct helper set "rpc_udp" udp dport {111} return
- ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
- return
- }
-
- chain VYOS_CT_IGNORE {
- return
- }
-
- chain VYOS_CT_TIMEOUT {
- return
- }
-
- chain VYOS_CT_PREROUTING_HOOK {
- return
- }
-
- chain VYOS_CT_OUTPUT_HOOK {
- return
- }
-
- chain FW_CONNTRACK {
- return
}
}
@@ -100,29 +49,8 @@ table ip6 raw {
counter jump vyos_global_rpfilter
}
- chain PREROUTING {
+ # Used by system flow-accounting
+ chain VYOS_PREROUTING_HOOK {
type filter hook prerouting priority -300; policy accept;
- counter jump VYOS_CT_PREROUTING_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- chain OUTPUT {
- type filter hook output priority -300; policy accept;
- counter jump VYOS_CT_OUTPUT_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- chain VYOS_CT_PREROUTING_HOOK {
- return
- }
-
- chain VYOS_CT_OUTPUT_HOOK {
- return
- }
-
- chain FW_CONNTRACK {
- return
}
}
--
cgit v1.2.3