From 2ee8d0eef88acab60b42d0424c034414de47bddd Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 5 Sep 2023 14:51:16 +0200
Subject: interface: T5550: Interface source-validation priority over global
value
- Migrate IPv4 source-validation to nftables
- Interface source-validation value takes priority, fallback to global value
---
data/templates/firewall/nftables.j2 | 21 ++++++++++++++-------
data/vyos-firewall-init.conf | 14 ++++++++++++++
2 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 0fbddfaa9..d7660c37b 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -5,29 +5,36 @@
flush chain raw FW_CONNTRACK
flush chain ip6 raw FW_CONNTRACK
+flush chain raw vyos_global_rpfilter
+flush chain ip6 raw vyos_global_rpfilter
+
table raw {
chain FW_CONNTRACK {
{{ ipv4_conntrack_action }}
}
+
+ chain vyos_global_rpfilter {
+{% if global_options.source_validation is vyos_defined('loose') %}
+ fib saddr oif 0 counter drop
+{% elif global_options.source_validation is vyos_defined('strict') %}
+ fib saddr . iif oif 0 counter drop
+{% endif %}
+ return
+ }
}
table ip6 raw {
chain FW_CONNTRACK {
{{ ipv6_conntrack_action }}
}
-}
-{% if first_install is not vyos_defined %}
-delete table inet vyos_global_rpfilter
-{% endif %}
-table inet vyos_global_rpfilter {
- chain PREROUTING {
- type filter hook prerouting priority -300; policy accept;
+ chain vyos_global_rpfilter {
{% if global_options.source_validation is vyos_defined('loose') %}
fib saddr oif 0 counter drop
{% elif global_options.source_validation is vyos_defined('strict') %}
fib saddr . iif oif 0 counter drop
{% endif %}
+ return
}
}
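Review bot: Dropping the `{% if first_install is not vyos_defined %} delete table inet vyos_global_rpfilter {% endif %}` guard leaves nothing that removes the old `inet vyos_global_rpfilter` table on a system upgraded from a release that still created it; its base chain hooks prerouting at -300 and would keep enforcing the previous policy next to the new `vyos_rpfilter` chain. Unless data/vyos-firewall-init.conf starts with a full ruleset flush (not visible in this diff), keep the guarded delete for one release, e.g. `{% if first_install is not vyos_defined %}` / `delete table inet vyos_global_rpfilter` / `{% endif %}`, with a comment naming the release it can be removed in. The new `flush chain raw vyos_global_rpfilter` lines at the top also presume the chain already exists from the init file; a template comment stating that dependency, `{# chains are created in vyos-firewall-init.conf; only their rules are rewritten here #}`, would help the next maintainer.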
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index 41e7627f5..b0026fdf3 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -19,6 +19,15 @@ table raw {
type filter hook forward priority -300; policy accept;
}
+ chain vyos_global_rpfilter {
+ return
+ }
+
+ chain vyos_rpfilter {
+ type filter hook prerouting priority -300; policy accept;
+ counter jump vyos_global_rpfilter
+ }
+
chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
counter jump VYOS_CT_IGNORE
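Review bot: `vyos_rpfilter` and `PREROUTING` are now both base chains on the same `prerouting` hook at the same priority `-300` in table raw, and nftables does not document the relative order of base chains that share a hook and priority; if it matters whether reverse-path drops run before or after `VYOS_CT_IGNORE`, give `vyos_rpfilter` its own priority (for example `priority -301`) so the order is explicit. The same pairing appears in the ip6 raw hunk below, where the existing `vyos_rpfilter` chain also sits at -300 beside `PREROUTING`. Since `counter jump vyos_global_rpfilter` is the chain's only rule, the "interface value takes priority" behaviour from the commit message presumably depends on per-interface rules (not in this diff) being inserted ahead of the jump rather than appended after it; a comment above the jump, `# per-interface rules are inserted before this jump; global policy is the fallback`, would document that contract in both the ip and ip6 chains.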
@@ -82,8 +91,13 @@ table ip6 raw {
type filter hook forward priority -300; policy accept;
}
+ chain vyos_global_rpfilter {
+ return
+ }
+
chain vyos_rpfilter {
type filter hook prerouting priority -300; policy accept;
+ counter jump vyos_global_rpfilter
}
chain PREROUTING {
--
From e8070a2e36e9101d52d7db4025f7ff37a00625e8 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 5 Sep 2023 16:09:45 +0200
Subject: firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on
interfaces
---
data/templates/firewall/nftables.j2 | 4 +--
.../include/firewall/global-options.xml.i | 32 +++++++++++++++++++---
smoketest/scripts/cli/test_firewall.py | 8 ++++--
3 files changed, 36 insertions(+), 8 deletions(-)
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index d7660c37b..a82a5537b 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -29,9 +29,9 @@ table ip6 raw {
}
chain vyos_global_rpfilter {
-{% if global_options.source_validation is vyos_defined('loose') %}
+{% if global_options.ipv6_source_validation is vyos_defined('loose') %}
fib saddr oif 0 counter drop
-{% elif global_options.source_validation is vyos_defined('strict') %}
+{% elif global_options.ipv6_source_validation is vyos_defined('strict') %}
fib saddr . iif oif 0 counter drop
{% endif %}
return
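Review bot: Switching the ip6 chain to `global_options.ipv6_source_validation` while the new CLI node defaults to `disable` (see the global-options.xml.i hunk) silently turns off IPv6 reverse-path filtering for every existing configuration that set `source-validation strict` or `loose`, since that value previously applied to both families and the diffstat shows no migration script copying it. Unless a migrator outside this diff handles it, add one that sets `ipv6-source-validation` to the existing `source-validation` value, or call the behaviour change out in the commit message and release notes. A short template comment above the branch, `{# IPv6 policy is independent of the IPv4 value since T3509 #}`, would make the split visible at the point of use.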
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
index a63874cb0..e655cd6ac 100644
--- a/interface-definitions/include/firewall/global-options.xml.i
+++ b/interface-definitions/include/firewall/global-options.xml.i
@@ -145,21 +145,21 @@
- Policy for source validation by reversed path, as specified in RFC3704
+ Policy for IPv4 source validation by reversed path, as specified in RFC3704
strict loose disable
strict
- Enable Strict Reverse Path Forwarding as defined in RFC3704
+ Enable IPv4 Strict Reverse Path Forwarding as defined in RFC3704
loose
- Enable Loose Reverse Path Forwarding as defined in RFC3704
+ Enable IPv4 Loose Reverse Path Forwarding as defined in RFC3704
disable
- No source validation
+ No IPv4 source validation
(strict|loose|disable)
@@ -227,6 +227,30 @@
disable
+
+
+ Policy for IPv6 source validation by reversed path, as specified in RFC3704
+
+ strict loose disable
+
+
+ strict
+ Enable IPv6 Strict Reverse Path Forwarding as defined in RFC3704
+
+
+ loose
+ Enable IPv6 Loose Reverse Path Forwarding as defined in RFC3704
+
+
+ disable
+ No IPv6 source validation
+
+
+ (strict|loose|disable)
+
+
+ disable
+
Policy for handling IPv6 packets with routing extension header
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index ee6ccb710..6f9093f4d 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -529,23 +529,27 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
def test_source_validation(self):
# Strict
self.cli_set(['firewall', 'global-options', 'source-validation', 'strict'])
+ self.cli_set(['firewall', 'global-options', 'ipv6-source-validation', 'strict'])
self.cli_commit()
nftables_strict_search = [
['fib saddr . iif oif 0', 'drop']
]
- self.verify_nftables(nftables_strict_search, 'inet vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_strict_search, 'ip raw', 'vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_strict_search, 'ip6 raw', 'vyos_global_rpfilter')
# Loose
self.cli_set(['firewall', 'global-options', 'source-validation', 'loose'])
+ self.cli_set(['firewall', 'global-options', 'ipv6-source-validation', 'loose'])
self.cli_commit()
nftables_loose_search = [
['fib saddr oif 0', 'drop']
]
- self.verify_nftables(nftables_loose_search, 'inet vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_loose_search, 'ip raw', 'vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_loose_search, 'ip6 raw', 'vyos_global_rpfilter')
def test_sysfs(self):
for name, conf in sysfs_config.items():
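Review bot: The updated test sets `source-validation` and `ipv6-source-validation` to the same value in both blocks, so it cannot tell whether the two settings are actually independent; a template that still read `source_validation` for the ip6 chain would pass unchanged. Use different values per family and check each chain against its own expectation, e.g. in the strict block `self.cli_set(['firewall', 'global-options', 'ipv6-source-validation', 'loose'])` and `self.verify_nftables_chain(nftables_loose_search, 'ip6 raw', 'vyos_global_rpfilter')`, then swap them in the loose block. A final step setting both to `disable` and asserting neither drop rule is present would also cover the default path the new node introduces. The enclosing `test_source_validation` method starts inside the hunk but the class continues beyond it.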
--