diff options
author | Christian Poessinger <christian@poessinger.com> | 2020-10-17 17:17:43 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-10-17 17:17:43 +0200 |
commit | 60109764cc18ae50802313716ce9197c9bd36e15 (patch) | |
tree | bde6678bf0d361207af70e4f3864d3b6a4eb868a | |
parent | fcf90cd860ba806c9a06526b5e1d88ca18d6f575 (diff) | |
parent | 2e436854d91e3adb7ac1bb24c64ec7189eb21bee (diff) | |
download | vyos-1x-60109764cc18ae50802313716ce9197c9bd36e15.tar.gz vyos-1x-60109764cc18ae50802313716ce9197c9bd36e15.zip |
Merge pull request #576 from sever-sever/T752
sysctl-forwarding: T752: Add disable forwarding for ipv4
-rw-r--r-- | interface-definitions/include/interface-disable-forwarding.xml.i | 8 | ||||
-rw-r--r-- | interface-definitions/include/interface-ipv4.xml.i | 1 | ||||
-rw-r--r-- | interface-definitions/include/vif.xml.i | 1 | ||||
-rw-r--r-- | interface-definitions/interfaces-bonding.xml.in | 1 | ||||
-rw-r--r-- | interface-definitions/interfaces-bridge.xml.in | 1 | ||||
-rw-r--r-- | interface-definitions/interfaces-ethernet.xml.in | 1 | ||||
-rw-r--r-- | interface-definitions/interfaces-pseudo-ethernet.xml.in | 1 | ||||
-rw-r--r-- | interface-definitions/interfaces-vxlan.xml.in | 1 | ||||
-rw-r--r-- | interface-definitions/interfaces-wireless.xml.in | 1 | ||||
-rw-r--r-- | python/vyos/ifconfig/interface.py | 15 | ||||
-rw-r--r-- | smoketest/scripts/cli/base_interfaces_test.py | 4 |
11 files changed, 35 insertions, 0 deletions
diff --git a/interface-definitions/include/interface-disable-forwarding.xml.i b/interface-definitions/include/interface-disable-forwarding.xml.i new file mode 100644 index 000000000..7cbb726ec --- /dev/null +++ b/interface-definitions/include/interface-disable-forwarding.xml.i @@ -0,0 +1,8 @@ +<!-- included start from interface-disable-forwarding.xml.i --> +<leafNode name="disable-forwarding"> + <properties> + <help>Disable IPv4 forwarding on this interface</help> + <valueless/> + </properties> +</leafNode> +<!-- included end --> diff --git a/interface-definitions/include/interface-ipv4.xml.i b/interface-definitions/include/interface-ipv4.xml.i index 551059247..66842ab9b 100644 --- a/interface-definitions/include/interface-ipv4.xml.i +++ b/interface-definitions/include/interface-ipv4.xml.i @@ -5,6 +5,7 @@ </properties> <children> #include <include/interface-disable-arp-filter.xml.i> + #include <include/interface-disable-forwarding.xml.i> #include <include/interface-enable-arp-accept.xml.i> #include <include/interface-enable-arp-announce.xml.i> #include <include/interface-enable-arp-ignore.xml.i> diff --git a/interface-definitions/include/vif.xml.i b/interface-definitions/include/vif.xml.i index 15c453fcc..a0f7c0bc8 100644 --- a/interface-definitions/include/vif.xml.i +++ b/interface-definitions/include/vif.xml.i @@ -47,6 +47,7 @@ <children> #include <include/interface-arp-cache-timeout.xml.i> #include <include/interface-disable-arp-filter.xml.i> + #include <include/interface-disable-forwarding.xml.i> #include <include/interface-enable-arp-accept.xml.i> #include <include/interface-enable-arp-announce.xml.i> #include <include/interface-enable-arp-ignore.xml.i> diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in index b28be387b..4e2c61d07 100644 --- a/interface-definitions/interfaces-bonding.xml.in +++ b/interface-definitions/interfaces-bonding.xml.in @@ -84,6 +84,7 @@ <children> #include <include/interface-arp-cache-timeout.xml.i> #include <include/interface-disable-arp-filter.xml.i> + #include <include/interface-disable-forwarding.xml.i> #include <include/interface-enable-arp-accept.xml.i> #include <include/interface-enable-arp-announce.xml.i> #include <include/interface-enable-arp-ignore.xml.i> diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in index 92356d696..787e856d7 100644 --- a/interface-definitions/interfaces-bridge.xml.in +++ b/interface-definitions/interfaces-bridge.xml.in @@ -85,6 +85,7 @@ <children> #include <include/interface-arp-cache-timeout.xml.i> #include <include/interface-enable-arp-accept.xml.i> + #include <include/interface-disable-forwarding.xml.i> #include <include/interface-enable-arp-announce.xml.i> #include <include/interface-enable-arp-ignore.xml.i> #include <include/interface-disable-arp-filter.xml.i> diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in index 0aef0d332..a19a766d3 100644 --- a/interface-definitions/interfaces-ethernet.xml.in +++ b/interface-definitions/interfaces-ethernet.xml.in @@ -63,6 +63,7 @@ <children> #include <include/interface-arp-cache-timeout.xml.i> #include <include/interface-disable-arp-filter.xml.i> + #include <include/interface-disable-forwarding.xml.i> #include <include/interface-enable-arp-accept.xml.i> #include <include/interface-enable-arp-announce.xml.i> #include <include/interface-enable-arp-ignore.xml.i> diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces-pseudo-ethernet.xml.in index 4382db598..3fceb70b6 100644 --- a/interface-definitions/interfaces-pseudo-ethernet.xml.in +++ b/interface-definitions/interfaces-pseudo-ethernet.xml.in @@ -27,6 +27,7 @@ <children> #include <include/interface-arp-cache-timeout.xml.i> #include <include/interface-disable-arp-filter.xml.i> + #include <include/interface-disable-forwarding.xml.i> #include <include/interface-enable-arp-accept.xml.i> #include <include/interface-enable-arp-announce.xml.i> #include <include/interface-enable-arp-ignore.xml.i> diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in index 67001174f..7fdead16a 100644 --- a/interface-definitions/interfaces-vxlan.xml.in +++ b/interface-definitions/interfaces-vxlan.xml.in @@ -39,6 +39,7 @@ <children> #include <include/interface-arp-cache-timeout.xml.i> #include <include/interface-disable-arp-filter.xml.i> + #include <include/interface-disable-forwarding.xml.i> #include <include/interface-enable-arp-accept.xml.i> #include <include/interface-enable-arp-announce.xml.i> #include <include/interface-enable-arp-ignore.xml.i> diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in index 90d0675da..423ec7ba2 100644 --- a/interface-definitions/interfaces-wireless.xml.in +++ b/interface-definitions/interfaces-wireless.xml.in @@ -465,6 +465,7 @@ <children> #include <include/interface-arp-cache-timeout.xml.i> #include <include/interface-disable-arp-filter.xml.i> + #include <include/interface-disable-forwarding.xml.i> #include <include/interface-enable-arp-accept.xml.i> #include <include/interface-enable-arp-announce.xml.i> #include <include/interface-enable-arp-ignore.xml.i> diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py index d200fc7a8..47ec94bd3 100644 --- a/python/vyos/ifconfig/interface.py +++ b/python/vyos/ifconfig/interface.py @@ -147,6 +147,10 @@ class Interface(Control): 'validate': assert_boolean, 'location': '/proc/sys/net/ipv4/conf/{ifname}/arp_ignore', }, + 'ipv4_forwarding': { + 'validate': assert_boolean, + 'location': '/proc/sys/net/ipv4/conf/{ifname}/forwarding', + }, 'ipv6_accept_ra': { 'validate': lambda ara: assert_range(ara,0,3), 'location': '/proc/sys/net/ipv6/conf/{ifname}/accept_ra', @@ -461,6 +465,12 @@ class Interface(Control): """ return self.set_interface('arp_ignore', arp_ignore) + def set_ipv4_forwarding(self, forwarding): + """ + Configure IPv4 forwarding. + """ + return self.set_interface('ipv4_forwarding', forwarding) + def set_ipv6_accept_ra(self, accept_ra): """ Accept Router Advertisements; autoconfigure using them. @@ -974,6 +984,11 @@ class Interface(Control): value = '1' if (tmp != None) else '0' self.set_proxy_arp_pvlan(value) + # IPv4 forwarding + tmp = vyos_dict_search('ip.disable_forwarding', config) + value = '0' if (tmp != None) else '1' + self.set_ipv4_forwarding(value) + # IPv6 forwarding tmp = vyos_dict_search('ipv6.disable_forwarding', config) value = '0' if (tmp != None) else '1' diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py index 047c19dd0..d94a5d962 100644 --- a/smoketest/scripts/cli/base_interfaces_test.py +++ b/smoketest/scripts/cli/base_interfaces_test.py @@ -241,6 +241,7 @@ class BasicInterfaceTest: # Options self.session.set(path + ['ip', 'arp-cache-timeout', arp_tmo]) self.session.set(path + ['ip', 'disable-arp-filter']) + self.session.set(path + ['ip', 'disable-forwarding']) self.session.set(path + ['ip', 'enable-arp-accept']) self.session.set(path + ['ip', 'enable-arp-announce']) self.session.set(path + ['ip', 'enable-arp-ignore']) @@ -266,6 +267,9 @@ class BasicInterfaceTest: tmp = read_file(f'/proc/sys/net/ipv4/conf/{interface}/arp_ignore') self.assertEqual('1', tmp) + tmp = read_file(f'/proc/sys/net/ipv4/conf/{interface}/forwarding') + self.assertEqual('0', tmp) + tmp = read_file(f'/proc/sys/net/ipv4/conf/{interface}/proxy_arp') self.assertEqual('1', tmp) |