From 2ee8d0eef88acab60b42d0424c034414de47bddd Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Tue, 5 Sep 2023 14:51:16 +0200 Subject: interface: T5550: Interface source-validation priority over global value - Migrate IPv4 source-validation to nftables - Interface source-validation value takes priority, fallback to global value --- data/templates/firewall/nftables.j2 | 21 ++++++++++++++------- data/vyos-firewall-init.conf | 14 ++++++++++++++ 2 files changed, 28 insertions(+), 7 deletions(-) (limited to 'data') diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 0fbddfaa9..d7660c37b 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -5,29 +5,36 @@ flush chain raw FW_CONNTRACK flush chain ip6 raw FW_CONNTRACK +flush chain raw vyos_global_rpfilter +flush chain ip6 raw vyos_global_rpfilter + table raw { chain FW_CONNTRACK { {{ ipv4_conntrack_action }} } + + chain vyos_global_rpfilter { +{% if global_options.source_validation is vyos_defined('loose') %} + fib saddr oif 0 counter drop +{% elif global_options.source_validation is vyos_defined('strict') %} + fib saddr . iif oif 0 counter drop +{% endif %} + return + } } table ip6 raw { chain FW_CONNTRACK { {{ ipv6_conntrack_action }} } -} -{% if first_install is not vyos_defined %} -delete table inet vyos_global_rpfilter -{% endif %} -table inet vyos_global_rpfilter { - chain PREROUTING { - type filter hook prerouting priority -300; policy accept; + chain vyos_global_rpfilter { {% if global_options.source_validation is vyos_defined('loose') %} fib saddr oif 0 counter drop {% elif global_options.source_validation is vyos_defined('strict') %} fib saddr . iif oif 0 counter drop {% endif %} + return } } diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf index 41e7627f5..b0026fdf3 100644 --- a/data/vyos-firewall-init.conf +++ b/data/vyos-firewall-init.conf @@ -19,6 +19,15 @@ table raw { type filter hook forward priority -300; policy accept; } + chain vyos_global_rpfilter { + return + } + + chain vyos_rpfilter { + type filter hook prerouting priority -300; policy accept; + counter jump vyos_global_rpfilter + } + chain PREROUTING { type filter hook prerouting priority -300; policy accept; counter jump VYOS_CT_IGNORE @@ -82,8 +91,13 @@ table ip6 raw { type filter hook forward priority -300; policy accept; } + chain vyos_global_rpfilter { + return + } + chain vyos_rpfilter { type filter hook prerouting priority -300; policy accept; + counter jump vyos_global_rpfilter } chain PREROUTING { -- cgit v1.2.3 From e8070a2e36e9101d52d7db4025f7ff37a00625e8 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Tue, 5 Sep 2023 16:09:45 +0200 Subject: firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on interfaces --- data/templates/firewall/nftables.j2 | 4 +-- .../include/firewall/global-options.xml.i | 32 +++++++++++++++++++--- smoketest/scripts/cli/test_firewall.py | 8 ++++-- 3 files changed, 36 insertions(+), 8 deletions(-) (limited to 'data') diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index d7660c37b..a82a5537b 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -29,9 +29,9 @@ table ip6 raw { } chain vyos_global_rpfilter { -{% if global_options.source_validation is vyos_defined('loose') %} +{% if global_options.ipv6_source_validation is vyos_defined('loose') %} fib saddr oif 0 counter drop -{% elif global_options.source_validation is vyos_defined('strict') %} +{% elif global_options.ipv6_source_validation is vyos_defined('strict') %} fib saddr . iif oif 0 counter drop {% endif %} return diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i index a63874cb0..e655cd6ac 100644 --- a/interface-definitions/include/firewall/global-options.xml.i +++ b/interface-definitions/include/firewall/global-options.xml.i @@ -145,21 +145,21 @@ - Policy for source validation by reversed path, as specified in RFC3704 + Policy for IPv4 source validation by reversed path, as specified in RFC3704 strict loose disable strict - Enable Strict Reverse Path Forwarding as defined in RFC3704 + Enable IPv4 Strict Reverse Path Forwarding as defined in RFC3704 loose - Enable Loose Reverse Path Forwarding as defined in RFC3704 + Enable IPv4 Loose Reverse Path Forwarding as defined in RFC3704 disable - No source validation + No IPv4 source validation (strict|loose|disable) @@ -227,6 +227,30 @@ disable + + + Policy for IPv6 source validation by reversed path, as specified in RFC3704 + + strict loose disable + + + strict + Enable IPv6 Strict Reverse Path Forwarding as defined in RFC3704 + + + loose + Enable IPv6 Loose Reverse Path Forwarding as defined in RFC3704 + + + disable + No IPv6 source validation + + + (strict|loose|disable) + + + disable + Policy for handling IPv6 packets with routing extension header diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index ee6ccb710..6f9093f4d 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -529,23 +529,27 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): def test_source_validation(self): # Strict self.cli_set(['firewall', 'global-options', 'source-validation', 'strict']) + self.cli_set(['firewall', 'global-options', 'ipv6-source-validation', 'strict']) self.cli_commit() nftables_strict_search = [ ['fib saddr . iif oif 0', 'drop'] ] - self.verify_nftables(nftables_strict_search, 'inet vyos_global_rpfilter') + self.verify_nftables_chain(nftables_strict_search, 'ip raw', 'vyos_global_rpfilter') + self.verify_nftables_chain(nftables_strict_search, 'ip6 raw', 'vyos_global_rpfilter') # Loose self.cli_set(['firewall', 'global-options', 'source-validation', 'loose']) + self.cli_set(['firewall', 'global-options', 'ipv6-source-validation', 'loose']) self.cli_commit() nftables_loose_search = [ ['fib saddr oif 0', 'drop'] ] - self.verify_nftables(nftables_loose_search, 'inet vyos_global_rpfilter') + self.verify_nftables_chain(nftables_loose_search, 'ip raw', 'vyos_global_rpfilter') + self.verify_nftables_chain(nftables_loose_search, 'ip6 raw', 'vyos_global_rpfilter') def test_sysfs(self): for name, conf in sysfs_config.items(): -- cgit v1.2.3