authorYuxiang Zhu <vfreex@gmail.com>2022-07-09 17:38:29 +0800
committerGitHub <noreply@github.com>2022-07-09 11:38:29 +0200
commit07a4920b17c3741b50ffcb596d4433b54f7e529e (patch)
tree9b1a886424fe862b31bfd612cf3944b30bfc73ba
parent0e761c303145d2440a9ecd730c530333ef7b777f (diff)
ip: T4517: add option to enable directed broadcast forwarding
Directed broadcast is described in rfc1812#section-5.3.5.2 and rfc2644. By default, the Linux kernel doesn't forward directed broadcast packets unless both `/proc/sys/net/ipv4/conf/all/bc_forwarding` and `/proc/sys/net/ipv4/conf/$iface/bc_forwarding` are set to 1.
-rw-r--r--interface-definitions/include/interface/enable-directed-broadcast.xml.i8
-rw-r--r--interface-definitions/include/interface/ipv4-options.xml.i1
-rw-r--r--interface-definitions/system-ip.xml.in6
-rw-r--r--python/vyos/ifconfig/interface.py19
-rw-r--r--smoketest/scripts/cli/base_interfaces_test.py4
-rwxr-xr-xsmoketest/scripts/cli/test_system_ip.py13
-rwxr-xr-xsrc/conf_mode/system-ip.py5
-rw-r--r--src/etc/sysctl.d/30-vyos-router.conf6
8 files changed, 61 insertions, 1 deletions
diff --git a/interface-definitions/include/interface/enable-directed-broadcast.xml.i b/interface-definitions/include/interface/enable-directed-broadcast.xml.i
new file mode 100644
index 000000000..a87395806
--- /dev/null
+++ b/interface-definitions/include/interface/enable-directed-broadcast.xml.i
@@ -0,0 +1,8 @@
+<!-- include start from interface/enable-directed-broadcast.xml.i -->
+<leafNode name="enable-directed-broadcast">
+ <properties>
+ <help>Enable directed broadcast forwarding on this interface</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<!-- include end -->
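Review bot: The help text on the new `enable-directed-broadcast` leaf does not tell the operator that this per-interface setting only takes effect while the global `system ip disable-directed-broadcast-forwarding` is unset, even though the commit message states that the kernel needs both the `all` and the interface `bc_forwarding` entries at 1. Since directed broadcast forwarding is the behaviour RFC 2644 asks routers to keep off by default, the dependency is worth stating where the operator sees it. Suggest `<help>Enable directed broadcast forwarding on this interface (requires the global setting not to be disabled)</help>`.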
diff --git a/interface-definitions/include/interface/ipv4-options.xml.i b/interface-definitions/include/interface/ipv4-options.xml.i
index bca1229c6..eda77e851 100644
--- a/interface-definitions/include/interface/ipv4-options.xml.i
+++ b/interface-definitions/include/interface/ipv4-options.xml.i
@@ -8,6 +8,7 @@
#include <include/interface/arp-cache-timeout.xml.i>
#include <include/interface/disable-arp-filter.xml.i>
#include <include/interface/disable-forwarding.xml.i>
+ #include <include/interface/enable-directed-broadcast.xml.i>
#include <include/interface/enable-arp-accept.xml.i>
#include <include/interface/enable-arp-announce.xml.i>
#include <include/interface/enable-arp-ignore.xml.i>
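Review bot: The new `#include <include/interface/enable-directed-broadcast.xml.i>` at line 46 is inserted ahead of `enable-arp-accept`, `enable-arp-announce` and `enable-arp-ignore`, which as far as the hunk shows breaks the alphabetical order the include list otherwise keeps. Placing it after `#include <include/interface/enable-arp-ignore.xml.i>` keeps the list sorted, which is how the surrounding entries are arranged.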
diff --git a/interface-definitions/system-ip.xml.in b/interface-definitions/system-ip.xml.in
index 21d70694b..75fe1c20a 100644
--- a/interface-definitions/system-ip.xml.in
+++ b/interface-definitions/system-ip.xml.in
@@ -23,6 +23,12 @@
<valueless/>
</properties>
</leafNode>
+ <leafNode name="disable-directed-broadcast-forwarding">
+ <properties>
+ <help>Disable IPv4 directed broadcast forwarding on all interfaces</help>
+ <valueless/>
+ </properties>
+ </leafNode>
<node name="multipath">
<properties>
<help>IPv4 multipath settings</help>
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index 22441d1d2..33a7f9a2d 100644
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -168,6 +168,10 @@ class Interface(Control):
'validate': assert_boolean,
'location': '/proc/sys/net/ipv4/conf/{ifname}/forwarding',
},
+ 'ipv4_directed_broadcast': {
+ 'validate': assert_boolean,
+ 'location': '/proc/sys/net/ipv4/conf/{ifname}/bc_forwarding',
+ },
'rp_filter': {
'validate': lambda flt: assert_range(flt,0,3),
'location': '/proc/sys/net/ipv4/conf/{ifname}/rp_filter',
@@ -234,6 +238,9 @@ class Interface(Control):
'ipv4_forwarding': {
'location': '/proc/sys/net/ipv4/conf/{ifname}/forwarding',
},
+ 'ipv4_directed_broadcast': {
+ 'location': '/proc/sys/net/ipv4/conf/{ifname}/bc_forwarding',
+ },
'rp_filter': {
'location': '/proc/sys/net/ipv4/conf/{ifname}/rp_filter',
},
@@ -713,6 +720,13 @@ class Interface(Control):
return None
return self.set_interface('ipv4_forwarding', forwarding)
+ def set_ipv4_directed_broadcast(self, forwarding):
+ """ Configure IPv4 directed broadcast forwarding. """
+ tmp = self.get_interface('ipv4_directed_broadcast')
+ if tmp == forwarding:
+ return None
+ return self.set_interface('ipv4_directed_broadcast', forwarding)
+
def set_ipv4_source_validation(self, value):
"""
Help prevent attacks used by Spoofing IP Addresses. Reverse path
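Review bot: The docstring of the new `set_ipv4_directed_broadcast` does not document the accepted value or the fact that the per-interface `bc_forwarding` entry is only effective together with the `all` entry written by `system-ip.py`, so a caller could read a return of `None` plus a written `1` as "forwarding is now on" when the global knob may still be off. Suggest expanding it to `""" Configure IPv4 directed broadcast forwarding (bc_forwarding) on this interface. forwarding is '0' or '1' (checked by assert_boolean); the kernel only forwards when /proc/sys/net/ipv4/conf/all/bc_forwarding is also 1. Returns None when the value is already set. """`. The same hint belongs on the `# IPv4 directed broadcast forwarding` comment in the hunk at lines 108-111. `set_ipv4_source_validation`, visible at the bottom of this hunk, continues outside it.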
@@ -1498,6 +1512,11 @@ class Interface(Control):
value = '0' if (tmp != None) else '1'
self.set_ipv4_forwarding(value)
+ # IPv4 directed broadcast forwarding
+ tmp = dict_search('ip.enable_directed_broadcast', config)
+ value = '1' if (tmp != None) else '0'
+ self.set_ipv4_directed_broadcast(value)
+
# IPv4 source-validation
tmp = dict_search('ip.source_validation', config)
value = tmp if (tmp != None) else '0'
diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py
index 8acf52243..55343b893 100644
--- a/smoketest/scripts/cli/base_interfaces_test.py
+++ b/smoketest/scripts/cli/base_interfaces_test.py
@@ -638,6 +638,7 @@ class BasicInterfaceTest:
self.cli_set(path + ['ip', 'arp-cache-timeout', arp_tmo])
self.cli_set(path + ['ip', 'disable-arp-filter'])
self.cli_set(path + ['ip', 'disable-forwarding'])
+ self.cli_set(path + ['ip', 'enable-directed-broadcast'])
self.cli_set(path + ['ip', 'enable-arp-accept'])
self.cli_set(path + ['ip', 'enable-arp-announce'])
self.cli_set(path + ['ip', 'enable-arp-ignore'])
@@ -674,6 +675,9 @@ class BasicInterfaceTest:
tmp = read_file(f'{proc_base}/forwarding')
self.assertEqual('0', tmp)
+ tmp = read_file(f'{proc_base}/bc_forwarding')
+ self.assertEqual('1', tmp)
+
tmp = read_file(f'{proc_base}/proxy_arp')
self.assertEqual('1', tmp)
diff --git a/smoketest/scripts/cli/test_system_ip.py b/smoketest/scripts/cli/test_system_ip.py
index 83df9d99e..00fce654c 100755
--- a/smoketest/scripts/cli/test_system_ip.py
+++ b/smoketest/scripts/cli/test_system_ip.py
@@ -28,7 +28,7 @@ class TestSystemIP(VyOSUnitTestSHIM.TestCase):
def test_system_ip_forwarding(self):
# Test if IPv4 forwarding can be disabled globally, default is '1'
- # which means forwearding enabled
+ # which means forwarding enabled
all_forwarding = '/proc/sys/net/ipv4/conf/all/forwarding'
self.assertEqual(read_file(all_forwarding), '1')
@@ -37,6 +37,17 @@ class TestSystemIP(VyOSUnitTestSHIM.TestCase):
self.assertEqual(read_file(all_forwarding), '0')
+ def test_system_ip_directed_broadcast_forwarding(self):
+ # Test if IPv4 directed broadcast forwarding can be disabled globally, default is '1'
+ # which means forwarding enabled
+ bc_forwarding = '/proc/sys/net/ipv4/conf/all/bc_forwarding'
+ self.assertEqual(read_file(bc_forwarding), '1')
+
+ self.cli_set(base_path + ['disable-directed-broadcast-forwarding'])
+ self.cli_commit()
+
+ self.assertEqual(read_file(bc_forwarding), '0')
+
def test_system_ip_multipath(self):
# Test IPv4 multipathing options, options default to off -> '0'
use_neigh = '/proc/sys/net/ipv4/fib_multipath_use_neigh'
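Review bot: The new `test_system_ip_directed_broadcast_forwarding` checks only the `all` entry, so it does not protect the invariant the sysctl change relies on for safety: `default/bc_forwarding` staying at `0` so that no interface forwards directed broadcasts unless explicitly configured. A regression that flipped that default would pass this test unnoticed. Suggest adding, before the `cli_set`, `self.assertEqual(read_file('/proc/sys/net/ipv4/conf/default/bc_forwarding'), '0')`. `test_system_ip_multipath`, visible at the end of this hunk, continues outside it.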
diff --git a/src/conf_mode/system-ip.py b/src/conf_mode/system-ip.py
index 05fc3a97a..a0e1e0e50 100755
--- a/src/conf_mode/system-ip.py
+++ b/src/conf_mode/system-ip.py
@@ -64,6 +64,11 @@ def apply(opt):
value = '0' if (tmp != None) else '1'
write_file('/proc/sys/net/ipv4/conf/all/forwarding', value)
+ # enable/disable IPv4 directed broadcast forwarding
+ tmp = dict_search('disable_directed_broadcast_forwarding', opt)
+ value = '0' if (tmp != None) else '1'
+ write_file('/proc/sys/net/ipv4/conf/all/bc_forwarding', value)
+
# configure multipath
tmp = dict_search('multipath.ignore_unreachable_nexthops', opt)
value = '1' if (tmp != None) else '0'
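Review bot: The new comment `# enable/disable IPv4 directed broadcast forwarding` at line 170 undersells what the `all` entry does: writing `1` there by default does not by itself forward directed broadcasts on any interface, it only permits interfaces whose own `bc_forwarding` is set via `enable-directed-broadcast`. A reader seeing `value = '1'` as the default may otherwise conclude the router forwards directed broadcasts out of the box. Suggest `# 'all' gate for IPv4 directed broadcast forwarding; a per-interface bc_forwarding of 1 is still required for any forwarding to happen`. `apply()` starts outside this hunk.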
diff --git a/src/etc/sysctl.d/30-vyos-router.conf b/src/etc/sysctl.d/30-vyos-router.conf
index e03d3a29c..4feb7e09a 100644
--- a/src/etc/sysctl.d/30-vyos-router.conf
+++ b/src/etc/sysctl.d/30-vyos-router.conf
@@ -27,6 +27,12 @@ net.ipv4.conf.all.arp_announce=2
# Enable packet forwarding for IPv4
net.ipv4.ip_forward=1
+# Enable directed broadcast forwarding feature described in rfc1812#section-5.3.5.2 and rfc2644.
+# Note that setting the 'all' entry to 1 doesn't enable directed broadcast forwarding on all interfaces.
+# To enable directed broadcast forwarding on an interface, both the 'all' entry and the input interface entry should be set to 1.
+net.ipv4.conf.all.bc_forwarding=1
+net.ipv4.conf.default.bc_forwarding=0
+
# if a primary address is removed from an interface promote the
# secondary address if available
net.ipv4.conf.all.promote_secondaries=1