authorChristian Poessinger <christian@poessinger.com>2020-10-17 17:17:43 +0200
committerGitHub <noreply@github.com>2020-10-17 17:17:43 +0200
commit60109764cc18ae50802313716ce9197c9bd36e15 (patch)
treebde6678bf0d361207af70e4f3864d3b6a4eb868a
parentfcf90cd860ba806c9a06526b5e1d88ca18d6f575 (diff)
parent2e436854d91e3adb7ac1bb24c64ec7189eb21bee (diff)
downloadvyos-1x-60109764cc18ae50802313716ce9197c9bd36e15.tar.gz
vyos-1x-60109764cc18ae50802313716ce9197c9bd36e15.zip
Merge pull request #576 from sever-sever/T752
sysctl-forwarding: T752: Add disable forwarding for ipv4
-rw-r--r--interface-definitions/include/interface-disable-forwarding.xml.i8
-rw-r--r--interface-definitions/include/interface-ipv4.xml.i1
-rw-r--r--interface-definitions/include/vif.xml.i1
-rw-r--r--interface-definitions/interfaces-bonding.xml.in1
-rw-r--r--interface-definitions/interfaces-bridge.xml.in1
-rw-r--r--interface-definitions/interfaces-ethernet.xml.in1
-rw-r--r--interface-definitions/interfaces-pseudo-ethernet.xml.in1
-rw-r--r--interface-definitions/interfaces-vxlan.xml.in1
-rw-r--r--interface-definitions/interfaces-wireless.xml.in1
-rw-r--r--python/vyos/ifconfig/interface.py15
-rw-r--r--smoketest/scripts/cli/base_interfaces_test.py4
11 files changed, 35 insertions, 0 deletions
diff --git a/interface-definitions/include/interface-disable-forwarding.xml.i b/interface-definitions/include/interface-disable-forwarding.xml.i
new file mode 100644
index 000000000..7cbb726ec
--- /dev/null
+++ b/interface-definitions/include/interface-disable-forwarding.xml.i
@@ -0,0 +1,8 @@
+<!-- included start from interface-disable-forwarding.xml.i -->
+<leafNode name="disable-forwarding">
+ <properties>
+ <help>Disable IPv4 forwarding on this interface</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<!-- included end -->
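Review bot: The help string on the `disable-forwarding` leaf does not say which direction of traffic the option affects. This commit maps the node to `/proc/sys/net/ipv4/conf/{ifname}/forwarding` (the `ipv4_forwarding` entry in interface.py), and the kernel's ip-sysctl documentation describes that setting as controlling whether packets received on the interface can be forwarded. Packets that arrive on another interface can therefore still be routed out through this one, which matters to an operator who uses the option as an isolation control. A more precise help would be `<help>Disable IPv4 forwarding of packets received on this interface</help>`, and the one-line docstring of `set_ipv4_forwarding` could carry the same sentence.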
diff --git a/interface-definitions/include/interface-ipv4.xml.i b/interface-definitions/include/interface-ipv4.xml.i
index 551059247..66842ab9b 100644
--- a/interface-definitions/include/interface-ipv4.xml.i
+++ b/interface-definitions/include/interface-ipv4.xml.i
@@ -5,6 +5,7 @@
</properties>
<children>
#include <include/interface-disable-arp-filter.xml.i>
+ #include <include/interface-disable-forwarding.xml.i>
#include <include/interface-enable-arp-accept.xml.i>
#include <include/interface-enable-arp-announce.xml.i>
#include <include/interface-enable-arp-ignore.xml.i>
diff --git a/interface-definitions/include/vif.xml.i b/interface-definitions/include/vif.xml.i
index 15c453fcc..a0f7c0bc8 100644
--- a/interface-definitions/include/vif.xml.i
+++ b/interface-definitions/include/vif.xml.i
@@ -47,6 +47,7 @@
<children>
#include <include/interface-arp-cache-timeout.xml.i>
#include <include/interface-disable-arp-filter.xml.i>
+ #include <include/interface-disable-forwarding.xml.i>
#include <include/interface-enable-arp-accept.xml.i>
#include <include/interface-enable-arp-announce.xml.i>
#include <include/interface-enable-arp-ignore.xml.i>
diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in
index b28be387b..4e2c61d07 100644
--- a/interface-definitions/interfaces-bonding.xml.in
+++ b/interface-definitions/interfaces-bonding.xml.in
@@ -84,6 +84,7 @@
<children>
#include <include/interface-arp-cache-timeout.xml.i>
#include <include/interface-disable-arp-filter.xml.i>
+ #include <include/interface-disable-forwarding.xml.i>
#include <include/interface-enable-arp-accept.xml.i>
#include <include/interface-enable-arp-announce.xml.i>
#include <include/interface-enable-arp-ignore.xml.i>
diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in
index 92356d696..787e856d7 100644
--- a/interface-definitions/interfaces-bridge.xml.in
+++ b/interface-definitions/interfaces-bridge.xml.in
@@ -85,6 +85,7 @@
<children>
#include <include/interface-arp-cache-timeout.xml.i>
#include <include/interface-enable-arp-accept.xml.i>
+ #include <include/interface-disable-forwarding.xml.i>
#include <include/interface-enable-arp-announce.xml.i>
#include <include/interface-enable-arp-ignore.xml.i>
#include <include/interface-disable-arp-filter.xml.i>
diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in
index 0aef0d332..a19a766d3 100644
--- a/interface-definitions/interfaces-ethernet.xml.in
+++ b/interface-definitions/interfaces-ethernet.xml.in
@@ -63,6 +63,7 @@
<children>
#include <include/interface-arp-cache-timeout.xml.i>
#include <include/interface-disable-arp-filter.xml.i>
+ #include <include/interface-disable-forwarding.xml.i>
#include <include/interface-enable-arp-accept.xml.i>
#include <include/interface-enable-arp-announce.xml.i>
#include <include/interface-enable-arp-ignore.xml.i>
diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces-pseudo-ethernet.xml.in
index 4382db598..3fceb70b6 100644
--- a/interface-definitions/interfaces-pseudo-ethernet.xml.in
+++ b/interface-definitions/interfaces-pseudo-ethernet.xml.in
@@ -27,6 +27,7 @@
<children>
#include <include/interface-arp-cache-timeout.xml.i>
#include <include/interface-disable-arp-filter.xml.i>
+ #include <include/interface-disable-forwarding.xml.i>
#include <include/interface-enable-arp-accept.xml.i>
#include <include/interface-enable-arp-announce.xml.i>
#include <include/interface-enable-arp-ignore.xml.i>
diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in
index 67001174f..7fdead16a 100644
--- a/interface-definitions/interfaces-vxlan.xml.in
+++ b/interface-definitions/interfaces-vxlan.xml.in
@@ -39,6 +39,7 @@
<children>
#include <include/interface-arp-cache-timeout.xml.i>
#include <include/interface-disable-arp-filter.xml.i>
+ #include <include/interface-disable-forwarding.xml.i>
#include <include/interface-enable-arp-accept.xml.i>
#include <include/interface-enable-arp-announce.xml.i>
#include <include/interface-enable-arp-ignore.xml.i>
diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in
index 90d0675da..423ec7ba2 100644
--- a/interface-definitions/interfaces-wireless.xml.in
+++ b/interface-definitions/interfaces-wireless.xml.in
@@ -465,6 +465,7 @@
<children>
#include <include/interface-arp-cache-timeout.xml.i>
#include <include/interface-disable-arp-filter.xml.i>
+ #include <include/interface-disable-forwarding.xml.i>
#include <include/interface-enable-arp-accept.xml.i>
#include <include/interface-enable-arp-announce.xml.i>
#include <include/interface-enable-arp-ignore.xml.i>
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index d200fc7a8..47ec94bd3 100644
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -147,6 +147,10 @@ class Interface(Control):
'validate': assert_boolean,
'location': '/proc/sys/net/ipv4/conf/{ifname}/arp_ignore',
},
+ 'ipv4_forwarding': {
+ 'validate': assert_boolean,
+ 'location': '/proc/sys/net/ipv4/conf/{ifname}/forwarding',
+ },
'ipv6_accept_ra': {
'validate': lambda ara: assert_range(ara,0,3),
'location': '/proc/sys/net/ipv6/conf/{ifname}/accept_ra',
@@ -461,6 +465,12 @@ class Interface(Control):
"""
return self.set_interface('arp_ignore', arp_ignore)
+ def set_ipv4_forwarding(self, forwarding):
+ """
+ Configure IPv4 forwarding.
+ """
+ return self.set_interface('ipv4_forwarding', forwarding)
+
def set_ipv6_accept_ra(self, accept_ra):
"""
Accept Router Advertisements; autoconfigure using them.
@@ -974,6 +984,11 @@ class Interface(Control):
value = '1' if (tmp != None) else '0'
self.set_proxy_arp_pvlan(value)
+ # IPv4 forwarding
+ tmp = vyos_dict_search('ip.disable_forwarding', config)
+ value = '0' if (tmp != None) else '1'
+ self.set_ipv4_forwarding(value)
+
# IPv6 forwarding
tmp = vyos_dict_search('ipv6.disable_forwarding', config)
value = '0' if (tmp != None) else '1'
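Review bot: When `ip disable-forwarding` is not set, `value = '0' if (tmp != None) else '1'` makes this block write '1', so each run overwrites whatever the per-interface sysctl held and turns forwarding back on. The enclosing method starts outside the hunk, so it is only inferred that it runs for every interface type. If it does, types whose CLI definition does not pull in the new include get forwarding enabled with no way to opt out. A comment that states the default would help, for example `# enabled unless 'ip disable-forwarding' is set; overwrites values written outside the CLI`. `tmp is not None` is the idiomatic comparison, although the neighbouring blocks use `!= None` as well.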
diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py
index 047c19dd0..d94a5d962 100644
--- a/smoketest/scripts/cli/base_interfaces_test.py
+++ b/smoketest/scripts/cli/base_interfaces_test.py
@@ -241,6 +241,7 @@ class BasicInterfaceTest:
# Options
self.session.set(path + ['ip', 'arp-cache-timeout', arp_tmo])
self.session.set(path + ['ip', 'disable-arp-filter'])
+ self.session.set(path + ['ip', 'disable-forwarding'])
self.session.set(path + ['ip', 'enable-arp-accept'])
self.session.set(path + ['ip', 'enable-arp-announce'])
self.session.set(path + ['ip', 'enable-arp-ignore'])
@@ -266,6 +267,9 @@ class BasicInterfaceTest:
tmp = read_file(f'/proc/sys/net/ipv4/conf/{interface}/arp_ignore')
self.assertEqual('1', tmp)
+ tmp = read_file(f'/proc/sys/net/ipv4/conf/{interface}/forwarding')
+ self.assertEqual('0', tmp)
+
tmp = read_file(f'/proc/sys/net/ipv4/conf/{interface}/proxy_arp')
self.assertEqual('1', tmp)
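Review bot: The added assertion only covers the disabled state, reading '0' after `disable-forwarding` has been set in the earlier hunk of this file. Nothing checks the other branch of the new code, where the sysctl should read '1' when the option is absent or has been deleted again. A regression that leaves forwarding off, or fails to restore it, would pass this test. A follow-up step that deletes the node, commits and asserts `self.assertEqual('1', read_file(f'/proc/sys/net/ipv4/conf/{interface}/forwarding'))` would close that gap; the test method itself starts and ends outside the hunk.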