From 2ec023752bdd400835eb69a8f1f9d2873cef61fa Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 19 Jan 2024 21:01:52 +0100 Subject: firewall: T5729: T5681: T5217: backport subsystem from current branch This is a combined backport for all accumulated changes done to the firewall subsystem on the current branch. --- data/config-mode-dependencies/vyos-1x.json | 88 ++++++++++++++++------------- data/templates/firewall/nftables-bridge.j2 | 8 +-- data/templates/firewall/nftables-nat.j2 | 21 ------- data/templates/firewall/nftables-nat66.j2 | 17 ------ data/templates/firewall/nftables-offload.j2 | 2 +- data/templates/firewall/nftables-zone.j2 | 6 +- data/templates/firewall/nftables.j2 | 33 ++++------- data/vyos-firewall-init.conf | 82 ++------------------------- 8 files changed, 73 insertions(+), 184 deletions(-) (limited to 'data') diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json index 81d86cf7e..4fd94d895 100644 --- a/data/config-mode-dependencies/vyos-1x.json +++ b/data/config-mode-dependencies/vyos-1x.json @@ -1,40 +1,52 @@ { - "firewall": { - "conntrack": ["system_conntrack"], - "group_resync": ["system_conntrack", "nat", "policy_route"] - }, - "interfaces_bonding": { - "ethernet": ["interfaces_ethernet"] - }, - "interfaces_bridge": { - "vxlan": ["interfaces_vxlan"] - }, - "pki": { - "ethernet": ["interfaces_ethernet"], - "openvpn": ["interfaces_openvpn"], - "https": ["service_https"], - "ipsec": ["vpn_ipsec"], - "openconnect": ["vpn_openconnect"], - "sstp": ["vpn_sstp"] - }, - "qos": { - "bonding": ["interfaces_bonding"], - "bridge": ["interfaces_bridge"], - "dummy": ["interfaces_dummy"], - "ethernet": ["interfaces_ethernet"], - "geneve": ["interfaces_geneve"], - "input": ["interfaces_input"], - "l2tpv3": ["interfaces_l2tpv3"], - "loopback": ["interfaces_loopback"], - "macsec": ["interfaces_macsec"], - "openvpn": ["interfaces_openvpn"], - "pppoe": ["interfaces_pppoe"], - "pseudo-ethernet": ["interfaces_pseudo-ethernet"], - "tunnel": ["interfaces_tunnel"], - "vti": ["interfaces_vti"], - "vxlan": ["interfaces_vxlan"], - "wireguard": ["interfaces_wireguard"], - "wireless": ["interfaces_wireless"], - "wwan": ["interfaces_wwan"] - } + "system_conntrack": { + "conntrack_sync": ["service_conntrack-sync"] + }, + "firewall": { + "conntrack": ["system_conntrack"], + "group_resync": ["system_conntrack", "nat", "policy_route"] + }, + "interfaces_bonding": { + "ethernet": ["interfaces_ethernet"] + }, + "interfaces_bridge": { + "vxlan": ["interfaces_vxlan"] + }, + "load_balancing_wan": { + "conntrack": ["system_conntrack"] + }, + "nat": { + "conntrack": ["system_conntrack"] + }, + "nat66": { + "conntrack": ["system_conntrack"] + }, + "pki": { + "ethernet": ["interfaces_ethernet"], + "openvpn": ["interfaces_openvpn"], + "https": ["service_https"], + "ipsec": ["vpn_ipsec"], + "openconnect": ["vpn_openconnect"], + "sstp": ["vpn_sstp"] + }, + "qos": { + "bonding": ["interfaces_bonding"], + "bridge": ["interfaces_bridge"], + "dummy": ["interfaces_dummy"], + "ethernet": ["interfaces_ethernet"], + "geneve": ["interfaces_geneve"], + "input": ["interfaces_input"], + "l2tpv3": ["interfaces_l2tpv3"], + "loopback": ["interfaces_loopback"], + "macsec": ["interfaces_macsec"], + "openvpn": ["interfaces_openvpn"], + "pppoe": ["interfaces_pppoe"], + "pseudo-ethernet": ["interfaces_pseudo-ethernet"], + "tunnel": ["interfaces_tunnel"], + "vti": ["interfaces_vti"], + "vxlan": ["interfaces_vxlan"], + "wireguard": ["interfaces_wireguard"], + "wireless": ["interfaces_wireless"], + "wwan": ["interfaces_wwan"] + } } diff --git a/data/templates/firewall/nftables-bridge.j2 b/data/templates/firewall/nftables-bridge.j2 index 1a4ad2ed9..dec027bf9 100644 --- a/data/templates/firewall/nftables-bridge.j2 +++ b/data/templates/firewall/nftables-bridge.j2 @@ -2,9 +2,8 @@ {% set ns = namespace(sets=[]) %} {% if bridge.forward is vyos_defined %} {% for prior, conf in bridge.forward.items() %} -{% set def_action = conf.default_action %} chain VYOS_FORWARD_{{ prior }} { - type filter hook forward priority {{ prior }}; policy {{ def_action }}; + type filter hook forward priority {{ prior }}; policy accept; {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule('FWD', prior, rule_id, 'bri') }} @@ -13,6 +12,7 @@ {% endif %} {% endfor %} {% endif %} + {{ conf | nft_default_rule('FWD-filter', 'bri') }} } {% endfor %} {% endif %} @@ -28,8 +28,8 @@ {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule(name_text) }} + {{ conf | nft_default_rule(name_text, 'bri') }} } {% endfor %} {% endif %} -{% endmacro %} \ No newline at end of file +{% endmacro %} diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2 index dcf28da88..4254f6a0e 100644 --- a/data/templates/firewall/nftables-nat.j2 +++ b/data/templates/firewall/nftables-nat.j2 @@ -2,27 +2,6 @@ {% import 'firewall/nftables-defines.j2' as group_tmpl %} -{% if helper_functions is vyos_defined('remove') %} -{# NAT if going to be disabled - remove rules and targets from nftables #} -{% set base_command = 'delete rule ip raw' %} -{{ base_command }} PREROUTING handle {{ pre_ct_ignore }} -{{ base_command }} OUTPUT handle {{ out_ct_ignore }} -{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }} -{{ base_command }} OUTPUT handle {{ out_ct_conntrack }} - -delete chain ip raw NAT_CONNTRACK - -{% elif helper_functions is vyos_defined('add') %} -{# NAT if enabled - add targets to nftables #} -add chain ip raw NAT_CONNTRACK -add rule ip raw NAT_CONNTRACK counter accept -{% set base_command = 'add rule ip raw' %} -{{ base_command }} PREROUTING position {{ pre_ct_ignore }} counter jump VYOS_CT_HELPER -{{ base_command }} OUTPUT position {{ out_ct_ignore }} counter jump VYOS_CT_HELPER -{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK -{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK -{% endif %} - {% if first_install is not vyos_defined %} delete table ip vyos_nat {% endif %} diff --git a/data/templates/firewall/nftables-nat66.j2 b/data/templates/firewall/nftables-nat66.j2 index 27b3eec88..67eb2c109 100644 --- a/data/templates/firewall/nftables-nat66.j2 +++ b/data/templates/firewall/nftables-nat66.j2 @@ -1,22 +1,5 @@ #!/usr/sbin/nft -f -{% if helper_functions is vyos_defined('remove') %} -{# NAT if going to be disabled - remove rules and targets from nftables #} -{% set base_command = 'delete rule ip6 raw' %} -{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }} -{{ base_command }} OUTPUT handle {{ out_ct_conntrack }} - -delete chain ip6 raw NAT_CONNTRACK - -{% elif helper_functions is vyos_defined('add') %} -{# NAT if enabled - add targets to nftables #} -add chain ip6 raw NAT_CONNTRACK -add rule ip6 raw NAT_CONNTRACK counter accept -{% set base_command = 'add rule ip6 raw' %} -{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK -{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK -{% endif %} - {% if first_install is not vyos_defined %} delete table ip6 vyos_nat {% endif %} diff --git a/data/templates/firewall/nftables-offload.j2 b/data/templates/firewall/nftables-offload.j2 index 087fd141c..a893e05b2 100644 --- a/data/templates/firewall/nftables-offload.j2 +++ b/data/templates/firewall/nftables-offload.j2 @@ -6,4 +6,4 @@ {% endif %} counter } -{% endmacro %} \ No newline at end of file +{% endmacro %} diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2 index 506ad815e..e78725079 100644 --- a/data/templates/firewall/nftables-zone.j2 +++ b/data/templates/firewall/nftables-zone.j2 @@ -44,7 +44,7 @@ iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} {% endif %} - {{ zone_conf | nft_default_rule('zone_' + zone_name) }} + {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }} } chain VZONE_{{ zone_name }}_OUT { oifname lo counter return @@ -54,7 +54,7 @@ oifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} {% endif %} - {{ zone_conf | nft_default_rule('zone_' + zone_name) }} + {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }} } {% else %} chain VZONE_{{ zone_name }} { @@ -70,7 +70,7 @@ {% endif %} {% endfor %} {% endif %} - {{ zone_conf | nft_default_rule('zone_' + zone_name) }} + {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }} } {% endif %} {% endfor %} diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 4851e3a05..833df3a67 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -5,17 +5,10 @@ {% import 'firewall/nftables-offload.j2' as offload_tmpl %} {% import 'firewall/nftables-zone.j2' as zone_tmpl %} -flush chain raw FW_CONNTRACK -flush chain ip6 raw FW_CONNTRACK - flush chain raw vyos_global_rpfilter flush chain ip6 raw vyos_global_rpfilter table raw { - chain FW_CONNTRACK { - {{ ipv4_conntrack_action }} - } - chain vyos_global_rpfilter { {% if global_options.source_validation is vyos_defined('loose') %} fib saddr oif 0 counter drop @@ -27,10 +20,6 @@ table raw { } table ip6 raw { - chain FW_CONNTRACK { - {{ ipv6_conntrack_action }} - } - chain vyos_global_rpfilter { {% if global_options.ipv6_source_validation is vyos_defined('loose') %} fib saddr oif 0 counter drop @@ -68,7 +57,7 @@ table ip vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('FWD-filter') }} + {{ conf | nft_default_rule('FWD-filter', 'ipv4') }} } {% endfor %} {% endif %} @@ -88,7 +77,7 @@ table ip vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('INP-filter') }} + {{ conf | nft_default_rule('INP-filter', 'ipv4') }} } {% endfor %} {% endif %} @@ -108,7 +97,7 @@ table ip vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('OUT-filter') }} + {{ conf | nft_default_rule('OUT-filter', 'ipv4') }} } {% endfor %} {% endif %} @@ -128,7 +117,7 @@ table ip vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('PRE-filter') }} + {{ conf | nft_default_rule('PRE-filter', 'ipv4') }} } {% endfor %} {% endif %} @@ -144,7 +133,7 @@ table ip vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule(name_text) }} + {{ conf | nft_default_rule(name_text, 'ipv4') }} } {% endfor %} {% endif %} @@ -219,7 +208,7 @@ table ip6 vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('FWD-filter', ipv6=True) }} + {{ conf | nft_default_rule('FWD-filter', 'ipv6') }} } {% endfor %} {% endif %} @@ -239,7 +228,7 @@ table ip6 vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('INP-filter', ipv6=True) }} + {{ conf | nft_default_rule('INP-filter', 'ipv6') }} } {% endfor %} {% endif %} @@ -259,7 +248,7 @@ table ip6 vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('OUT-filter', ipv6=True) }} + {{ conf | nft_default_rule('OUT-filter', 'ipv6') }} } {% endfor %} {% endif %} @@ -280,7 +269,7 @@ table ip6 vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule(name_text, ipv6=True) }} + {{ conf | nft_default_rule(name_text, 'ipv6') }} } {% endfor %} {% endif %} @@ -308,7 +297,6 @@ table ip6 vyos_filter { {% endif %} {% endif %} {{ group_tmpl.groups(group, True, True) }} - {% if zone is vyos_defined %} {{ zone_tmpl.zone_chains(zone, True, global_options.state_policy is vyos_defined) }} {% endif %} @@ -326,7 +314,6 @@ table ip6 vyos_filter { return } {% endif %} - } ## Bridge Firewall @@ -337,4 +324,4 @@ table bridge vyos_filter { {{ bridge_tmpl.bridge(bridge) }} {{ group_tmpl.groups(group, False, False) }} -} \ No newline at end of file +} diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf index b0026fdf3..cd7d5011f 100644 --- a/data/vyos-firewall-init.conf +++ b/data/vyos-firewall-init.conf @@ -9,6 +9,7 @@ table ip nat { } table inet mangle { + # Used by system flow-accounting chain FORWARD { type filter hook forward priority -150; policy accept; } @@ -28,61 +29,9 @@ table raw { counter jump vyos_global_rpfilter } - chain PREROUTING { + # Used by system flow-accounting + chain VYOS_PREROUTING_HOOK { type filter hook prerouting priority -300; policy accept; - counter jump VYOS_CT_IGNORE - counter jump VYOS_CT_TIMEOUT - counter jump VYOS_CT_PREROUTING_HOOK - counter jump FW_CONNTRACK - notrack - } - - chain OUTPUT { - type filter hook output priority -300; policy accept; - counter jump VYOS_CT_IGNORE - counter jump VYOS_CT_TIMEOUT - counter jump VYOS_CT_OUTPUT_HOOK - counter jump FW_CONNTRACK - notrack - } - - ct helper rpc_tcp { - type "rpc" protocol tcp; - } - - ct helper rpc_udp { - type "rpc" protocol udp; - } - - ct helper tns_tcp { - type "tns" protocol tcp; - } - - chain VYOS_CT_HELPER { - ct helper set "rpc_tcp" tcp dport {111} return - ct helper set "rpc_udp" udp dport {111} return - ct helper set "tns_tcp" tcp dport {1521,1525,1536} return - return - } - - chain VYOS_CT_IGNORE { - return - } - - chain VYOS_CT_TIMEOUT { - return - } - - chain VYOS_CT_PREROUTING_HOOK { - return - } - - chain VYOS_CT_OUTPUT_HOOK { - return - } - - chain FW_CONNTRACK { - return } } @@ -100,29 +49,8 @@ table ip6 raw { counter jump vyos_global_rpfilter } - chain PREROUTING { + # Used by system flow-accounting + chain VYOS_PREROUTING_HOOK { type filter hook prerouting priority -300; policy accept; - counter jump VYOS_CT_PREROUTING_HOOK - counter jump FW_CONNTRACK - notrack - } - - chain OUTPUT { - type filter hook output priority -300; policy accept; - counter jump VYOS_CT_OUTPUT_HOOK - counter jump FW_CONNTRACK - notrack - } - - chain VYOS_CT_PREROUTING_HOOK { - return - } - - chain VYOS_CT_OUTPUT_HOOK { - return - } - - chain FW_CONNTRACK { - return } } -- cgit v1.2.3