summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-12-19 19:32:45 +0100
committerGitHub <noreply@github.com>2022-12-19 19:32:45 +0100
commit71d2c583e3b8331e877bbb2f364b6da5c0a587a0 (patch)
tree41069c9cf16f53091ee13812aed97cf3f2194ff0
parentc4097097487467300a0a63c8a75f670dc0429f7c (diff)
parentd9c9092dcdc430b26a326345934c4513534bff9b (diff)
downloadvyos-1x-71d2c583e3b8331e877bbb2f364b6da5c0a587a0.tar.gz
vyos-1x-71d2c583e3b8331e877bbb2f364b6da5c0a587a0.zip
Merge pull request #1718 from nicolas-fort/T4886_conn_mark
T4886: Firewall and route policy: Add connection-mark feature to vyos.
-rw-r--r--interface-definitions/firewall.xml.in2
-rw-r--r--interface-definitions/include/firewall/connection-mark.xml.i15
-rw-r--r--interface-definitions/include/policy/route-common.xml.i12
-rw-r--r--interface-definitions/policy-route.xml.in2
-rw-r--r--python/vyos/firewall.py7
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py6
-rwxr-xr-xsmoketest/scripts/cli/test_policy_route.py21
7 files changed, 64 insertions, 1 deletions
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index c964abb41..7d7e0a38f 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -461,6 +461,7 @@
#include <include/firewall/dscp.xml.i>
#include <include/firewall/packet-length.xml.i>
#include <include/firewall/hop-limit.xml.i>
+ #include <include/firewall/connection-mark.xml.i>
<node name="icmpv6">
<properties>
<help>ICMPv6 type and code information</help>
@@ -628,6 +629,7 @@
#include <include/firewall/common-rule.xml.i>
#include <include/firewall/dscp.xml.i>
#include <include/firewall/packet-length.xml.i>
+ #include <include/firewall/connection-mark.xml.i>
<node name="icmp">
<properties>
<help>ICMP type and code information</help>
diff --git a/interface-definitions/include/firewall/connection-mark.xml.i b/interface-definitions/include/firewall/connection-mark.xml.i
new file mode 100644
index 000000000..2cb826635
--- /dev/null
+++ b/interface-definitions/include/firewall/connection-mark.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from firewall/connection-mark.xml.i -->
+<leafNode name="connection-mark">
+ <properties>
+ <help>Connection mark</help>
+ <valueHelp>
+ <format>u32:1-2147483647</format>
+ <description>Connection-mark to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-2147483647"/>
+ </constraint>
+ <multi/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i
index 8b959c2a4..6973d7a8f 100644
--- a/interface-definitions/include/policy/route-common.xml.i
+++ b/interface-definitions/include/policy/route-common.xml.i
@@ -159,6 +159,18 @@
<help>Packet modifications</help>
</properties>
<children>
+ <leafNode name="connection-mark">
+ <properties>
+ <help>Connection marking</help>
+ <valueHelp>
+ <format>u32:1-2147483647</format>
+ <description>Connection marking</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-2147483647"/>
+ </constraint>
+ </properties>
+ </leafNode>
<leafNode name="dscp">
<properties>
<help>Packet Differentiated Services Codepoint (DSCP)</help>
diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in
index 48a5bf7d1..d7b159839 100644
--- a/interface-definitions/policy-route.xml.in
+++ b/interface-definitions/policy-route.xml.in
@@ -52,6 +52,7 @@
#include <include/firewall/dscp.xml.i>
#include <include/firewall/packet-length.xml.i>
#include <include/firewall/hop-limit.xml.i>
+ #include <include/firewall/connection-mark.xml.i>
</children>
</tagNode>
</children>
@@ -106,6 +107,7 @@
#include <include/firewall/dscp.xml.i>
#include <include/firewall/packet-length.xml.i>
#include <include/firewall/ttl.xml.i>
+ #include <include/firewall/connection-mark.xml.i>
</children>
</tagNode>
</children>
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 429c44802..b4b9e67bb 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -322,6 +322,10 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if tcp_mss:
output.append(f'tcp option maxseg size {tcp_mss}')
+ if 'connection_mark' in rule_conf:
+ conn_mark_str = ','.join(rule_conf['connection_mark'])
+ output.append(f'ct mark {{{conn_mark_str}}}')
+
output.append('counter')
if 'set' in rule_conf:
@@ -368,6 +372,9 @@ def parse_time(time):
def parse_policy_set(set_conf, def_suffix):
out = []
+ if 'connection_mark' in set_conf:
+ conn_mark = set_conf['connection_mark']
+ out.append(f'ct mark set {conn_mark}')
if 'dscp' in set_conf:
dscp = set_conf['dscp']
out.append(f'ip{def_suffix} dscp set {dscp}')
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 9b28eb81b..f1c18d761 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -199,6 +199,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
name = 'smoketest'
interface = 'eth0'
mss_range = '501-1460'
+ conn_mark = '555'
self.cli_set(['firewall', 'name', name, 'default-action', 'drop'])
self.cli_set(['firewall', 'name', name, 'enable-default-log'])
@@ -234,11 +235,14 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'name', name, 'rule', '6', 'action', 'return'])
self.cli_set(['firewall', 'name', name, 'rule', '6', 'protocol', 'gre'])
self.cli_set(['firewall', 'name', name, 'rule', '6', 'outbound-interface', 'interface-name', interface])
+ self.cli_set(['firewall', 'name', name, 'rule', '6', 'connection-mark', conn_mark])
self.cli_set(['firewall', 'interface', interface, 'in', 'name', name])
self.cli_commit()
+ mark_hex = "{0:#010x}".format(int(conn_mark))
+
nftables_search = [
[f'iifname "{interface}"', f'jump NAME_{name}'],
['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" level debug', 'ip ttl 15', 'return'],
@@ -247,7 +251,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop'],
['tcp dport 22', 'add @RECENT_smoketest_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'drop'],
['tcp flags & syn == syn', f'tcp option maxseg size {mss_range}', f'iifname "{interface}"'],
- ['meta l4proto gre', f'oifname "{interface}"', 'return']
+ ['meta l4proto gre', f'oifname "{interface}"', f'ct mark {mark_hex}', 'return']
]
self.verify_nftables(nftables_search, 'ip vyos_filter')
diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py
index 11b3c678e..cb48a84ff 100755
--- a/smoketest/scripts/cli/test_policy_route.py
+++ b/smoketest/scripts/cli/test_policy_route.py
@@ -21,6 +21,8 @@ from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.util import cmd
mark = '100'
+conn_mark = '555'
+conn_mark_set = '111'
table_mark_offset = 0x7fffffff
table_id = '101'
interface = 'eth0'
@@ -122,6 +124,25 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
self.verify_nftables(nftables_search, 'ip vyos_mangle')
+ def test_pbr_mark_connection(self):
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'source', 'address', '172.16.20.10'])
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10'])
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'connection-mark', conn_mark])
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'set', 'connection-mark', conn_mark_set])
+ self.cli_set(['policy', 'route', 'smoketest', 'interface', interface])
+
+ self.cli_commit()
+
+ mark_hex = "{0:#010x}".format(int(conn_mark))
+ mark_hex_set = "{0:#010x}".format(int(conn_mark_set))
+
+ nftables_search = [
+ [f'iifname "{interface}"','jump VYOS_PBR_smoketest'],
+ ['ip daddr 172.16.10.10', 'ip saddr 172.16.20.10', 'ct mark ' + mark_hex, 'ct mark set ' + mark_hex_set],
+ ]
+
+ self.verify_nftables(nftables_search, 'ip vyos_mangle')
+
def test_pbr_table(self):
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'protocol', 'tcp'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'destination', 'port', '8888'])