authorNicolas Fort <nicolasfort1988@gmail.com>2023-07-04 10:44:45 +0000
committerNicolas Fort <nicolasfort1988@gmail.com>2023-08-11 11:50:00 -0300
commita07a46d5d4ace155bc540aee6c745b600d6498b0 (patch)
tree768d35a2829f2f148466996f739898c3fe9731b1
parent0300bf433d9aaff81fdecf9eeaabba8d06c1999f (diff)
T5160: firewall refactor: change default value for <default-action> from <drop> to <accept> if default-action is not specified in base chains
-rw-r--r--interface-definitions/include/firewall/default-action-base-chains.xml.i2
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py12
2 files changed, 7 insertions, 7 deletions
diff --git a/interface-definitions/include/firewall/default-action-base-chains.xml.i b/interface-definitions/include/firewall/default-action-base-chains.xml.i
index ba7c63cd6..aa62abf3d 100644
--- a/interface-definitions/include/firewall/default-action-base-chains.xml.i
+++ b/interface-definitions/include/firewall/default-action-base-chains.xml.i
@@ -17,6 +17,6 @@
<regex>(drop|accept)</regex>
</constraint>
</properties>
- <defaultValue>drop</defaultValue>
+ <defaultValue>accept</defaultValue>
</leafNode>
<!-- include end -->
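Review bot: Changing `<defaultValue>` from `drop` to `accept` makes every base chain that carries no explicit default-action fail-open, and nothing in this hunk records that for operators or for configurations written against the old schema. A configuration that relied on the implicit drop will start accepting unmatched traffic after upgrade unless a migration script writes the old value out explicitly; no such script is part of this diff, so it either exists elsewhere or is still needed. The leaf node's help text sits above this hunk, outside it, and if it describes the previous behaviour it should now say that the default is accept, e.g. a help line ending in `(default: accept)`.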
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 9412ce984..7a13f396f 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -254,7 +254,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['tcp dport 22', 'limit rate 5/minute', 'accept'],
['tcp dport 22', 'add @RECENT_FWD_filter_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'meta pkttype host', 'drop'],
['chain VYOS_INPUT_filter'],
- ['type filter hook input priority filter; policy drop;'],
+ ['type filter hook input priority filter; policy accept;'],
['tcp flags & syn == syn', f'tcp option maxseg size {mss_range}', f'iifname "{interface}"', 'meta pkttype broadcast', 'accept'],
['meta l4proto gre', f'ct mark {mark_hex}', 'return'],
['chain VYOS_OUTPUT_filter'],
@@ -294,7 +294,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp', '3-11'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp-exclude', '21-25'])
- self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop'])
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1'])
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump'])
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name])
@@ -312,10 +312,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
nftables_search = [
['chain VYOS_FORWARD_filter'],
- ['type filter hook forward priority filter; policy accept;'],
+ ['type filter hook forward priority filter; policy drop;'],
['ip saddr 198.51.100.1', f'jump NAME_{name}'],
['chain VYOS_INPUT_filter'],
- ['type filter hook input priority filter; policy drop;'],
+ ['type filter hook input priority filter; policy accept;'],
[f'meta l4proto tcp','queue to 3'],
[f'meta l4proto udp','queue flags bypass,fanout to 0-15'],
[f'chain NAME_{name}'],
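Review bot: The INPUT expectation `['type filter hook input priority filter; policy accept;']` now rests on the schema default rather than on anything this test sets, while the FORWARD expectation `policy drop;` comes from the explicit `default-action drop` set in the previous hunk; that asymmetry is invisible to a reader of the nftables_search list. A one-line comment on the INPUT entry would keep the intent explicit, e.g. `# no default-action set on INPUT: expects the schema default (accept)`. The INPUT expectations in the hunks at @@ -254 and @@ -394 and the IPv6 FORWARD expectation at @@ -436 presumably depend on the same implicit default and would benefit from the same comment. The enclosing test method starts outside this hunk.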
@@ -394,7 +394,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['type filter hook forward priority filter; policy accept;'],
['meta l4proto { tcp, udp }', 'th dport 8888', f'iifname "{interface}"', 'reject'],
['chain VYOS_IPV6_INPUT_filter'],
- ['type filter hook input priority filter; policy drop;'],
+ ['type filter hook input priority filter; policy accept;'],
['meta l4proto udp', 'ip6 saddr 2002::1:2', f'iifname "{interface}"', 'accept'],
['chain VYOS_IPV6_OUTPUT_filter'],
['type filter hook output priority filter; policy drop;'],
@@ -436,7 +436,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
nftables_search = [
['chain VYOS_IPV6_FORWARD_filter'],
- ['type filter hook forward priority filter; policy drop;'],
+ ['type filter hook forward priority filter; policy accept;'],
['ip6 length 1-1999', 'ip6 length != 60000-65535', 'ip6 dscp 0x04-0x0e', 'ip6 dscp != 0x1f-0x23', 'accept'],
['chain VYOS_IPV6_INPUT_filter'],
['type filter hook input priority filter; policy accept;'],