diff options
| author | Nicolas Fort <nicolasfort1988@gmail.com> | 2024-07-24 17:40:28 +0000 |
|---|---|---|
| committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2024-08-01 13:25:39 -0300 |
| commit | a8a9cfe750da719605ab90ce8c83c42276ab07f3 (patch) | |
| tree | abbb27d6b224a216bf9f19eecfa233d6f72d97ba | |
| parent | 7a18c719df1b3f2515baff8bdecc8784f1d935b1 (diff) | |
| download | vyos-1x-a8a9cfe750da719605ab90ce8c83c42276ab07f3.tar.gz vyos-1x-a8a9cfe750da719605ab90ce8c83c42276ab07f3.zip | |
T6570: firewall: add global-option to configure sysctl parameter for enabling/disabling sending traffic from bridge layer to ipvX layer
| -rw-r--r-- | data/templates/firewall/sysctl-firewall.conf.j2 | 8 | ||||
| -rw-r--r-- | interface-definitions/include/firewall/global-options.xml.i | 19 | ||||
| -rw-r--r-- | src/etc/sysctl.d/30-vyos-router.conf | 5 |
3 files changed, 32 insertions, 0 deletions
diff --git a/data/templates/firewall/sysctl-firewall.conf.j2 b/data/templates/firewall/sysctl-firewall.conf.j2 index b9c3311e2..119c6577b 100644 --- a/data/templates/firewall/sysctl-firewall.conf.j2 +++ b/data/templates/firewall/sysctl-firewall.conf.j2 @@ -13,6 +13,14 @@ net.ipv4.conf.*.send_redirects = {{ 1 if global_options.send_redirects == 'enabl net.ipv4.tcp_syncookies = {{ 1 if global_options.syn_cookies == 'enable' else 0 }} net.ipv4.tcp_rfc1337 = {{ 1 if global_options.twa_hazards_protection == 'enable' else 0 }} +{% if global_options.apply_for_bridge is vyos_defined %} +net.bridge.bridge-nf-call-iptables = {{ 1 if global_options.apply_for_bridge.ipv4 is vyos_defined else 0 }} +net.bridge.bridge-nf-call-ip6tables = {{ 1 if global_options.apply_for_bridge.ipv6 is vyos_defined else 0 }} +{% else %} +net.bridge.bridge-nf-call-iptables =0 +net.bridge.bridge-nf-call-ip6tables = 0 +{% endif %} + ## Timeout values: net.netfilter.nf_conntrack_icmp_timeout = {{ global_options.timeout.icmp }} net.netfilter.nf_conntrack_generic_timeout = {{ global_options.timeout.other }} diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i index 9039b76fd..1f2899672 100644 --- a/interface-definitions/include/firewall/global-options.xml.i +++ b/interface-definitions/include/firewall/global-options.xml.i @@ -44,6 +44,25 @@ </properties> <defaultValue>disable</defaultValue> </leafNode> + <node name="apply-for-bridge"> + <properties> + <help>Apply configured firewall rules to traffic switched by bridges</help> + </properties> + <children> + <leafNode name="ipv4"> + <properties> + <help>Apply configured IPv4 firewall rules</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="ipv6"> + <properties> + <help>Apply configured IPv6 firewall rules</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> <leafNode name="directed-broadcast"> <properties> <help>Policy for handling IPv4 directed broadcast forwarding on all interfaces</help> diff --git a/src/etc/sysctl.d/30-vyos-router.conf b/src/etc/sysctl.d/30-vyos-router.conf index c9b8ef8fe..76be41ddc 100644 --- a/src/etc/sysctl.d/30-vyos-router.conf +++ b/src/etc/sysctl.d/30-vyos-router.conf @@ -110,3 +110,8 @@ net.ipv6.conf.all.seg6_enabled = 0 net.ipv6.conf.default.seg6_enabled = 0 net.vrf.strict_mode = 1 + +# https://vyos.dev/T6570 +# By default, do not forward traffic from bridge to IPvX layer +net.bridge.bridge-nf-call-iptables = 0 +net.bridge.bridge-nf-call-ip6tables = 0
\ No newline at end of file |