diff options
author | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-05-31 15:07:42 +0000 |
---|---|---|
committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-08-11 11:49:54 -0300 |
commit | 68d14fe80145542ffd08a5f7d5cde6c090a0de07 (patch) | |
tree | 3a915a4bd61d41117b92c16d00455681f2dffebf | |
parent | 342db936a02a02ba04867f932137638485ef0a6f (diff) | |
download | vyos-1x-68d14fe80145542ffd08a5f7d5cde6c090a0de07.tar.gz vyos-1x-68d14fe80145542ffd08a5f7d5cde6c090a0de07.zip |
T5160: firewall refactor: change firewall ip to firewall ipv4
-rw-r--r-- | data/templates/firewall/nftables.j2 | 30 | ||||
-rw-r--r-- | interface-definitions/firewall.xml.in | 2 | ||||
-rw-r--r-- | interface-definitions/include/firewall/ipv4-custom-name.xml.i | 6 | ||||
-rw-r--r-- | interface-definitions/include/firewall/ipv4-hook-forward.xml.i | 4 | ||||
-rw-r--r-- | interface-definitions/include/firewall/ipv4-hook-input.xml.i | 4 | ||||
-rw-r--r-- | interface-definitions/include/firewall/ipv4-hook-output.xml.i | 4 | ||||
-rw-r--r-- | interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i | 10 | ||||
-rw-r--r-- | op-mode-definitions/firewall.xml.in | 12 | ||||
-rw-r--r-- | python/vyos/firewall.py | 4 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_firewall.py | 254 | ||||
-rwxr-xr-x | src/conf_mode/firewall.py | 53 | ||||
-rwxr-xr-x | src/migration-scripts/firewall/10-to-11 | 110 | ||||
-rwxr-xr-x | src/op_mode/firewall.py | 20 |
13 files changed, 273 insertions, 240 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index dcfe71a58..98ceebaa5 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -1,16 +1,15 @@ #!/usr/sbin/nft -f {% import 'firewall/nftables-defines.j2' as group_tmpl %} -{% import 'firewall/nftables-zone.j2' as zone_tmpl %} {% if first_install is not vyos_defined %} delete table ip vyos_filter {% endif %} table ip vyos_filter { -{% if ip is vyos_defined %} -{% if ip.forward is vyos_defined %} +{% if ipv4 is vyos_defined %} +{% if ipv4.forward is vyos_defined %} {% set ns = namespace(sets=[]) %} -{% for prior, conf in ip.forward.items() %} +{% for prior, conf in ipv4.forward.items() %} {% set def_action = conf.default_action %} chain VYOS_FORWARD_{{ prior }} { type filter hook forward priority {{ prior }}; policy {{ def_action }}; @@ -33,9 +32,9 @@ table ip vyos_filter { {% endfor %} {% endif %} -{% if ip.input is vyos_defined %} +{% if ipv4.input is vyos_defined %} {% set ns = namespace(sets=[]) %} -{% for prior, conf in ip.input.items() %} +{% for prior, conf in ipv4.input.items() %} {% set def_action = conf.default_action %} chain VYOS_INPUT_{{ prior }} { type filter hook input priority {{ prior }}; policy {{ def_action }}; @@ -58,9 +57,9 @@ table ip vyos_filter { {% endfor %} {% endif %} -{% if ip.output is vyos_defined %} +{% if ipv4.output is vyos_defined %} {% set ns = namespace(sets=[]) %} -{% for prior, conf in ip.output.items() %} +{% for prior, conf in ipv4.output.items() %} {% set def_action = conf.default_action %} chain VYOS_OUTPUT_{{ prior }} { type filter hook output priority {{ prior }}; policy {{ def_action }}; @@ -87,9 +86,9 @@ table ip vyos_filter { type filter hook prerouting priority -450; policy accept; ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return } -{% if ip.prerouting is vyos_defined %} +{% if ipv4.prerouting is vyos_defined %} {% set ns = namespace(sets=[]) %} -{% for prior, conf in ip.prerouting.items() %} +{% for prior, conf in ipv4.prerouting.items() %} chain VYOS_PREROUTING_{{ prior }} { type filter hook prerouting priority {{ prior }}; policy accept; {% if conf.rule is vyos_defined %} @@ -112,9 +111,9 @@ table ip vyos_filter { } {% endfor %} {% endif %} -{% if ip.name is vyos_defined %} +{% if ipv4.name is vyos_defined %} {% set ns = namespace(sets=[]) %} -{% for name_text, conf in ip.name.items() %} +{% for name_text, conf in ipv4.name.items() %} chain NAME_{{ name_text }} { {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} @@ -152,10 +151,6 @@ table ip vyos_filter { {% endif %} {{ group_tmpl.groups(group, False) }} - -{% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, False) }} -{% endif %} } {% if first_install is not vyos_defined %} @@ -283,7 +278,4 @@ table ip6 vyos_filter { {{ group_tmpl.groups(group, True) }} -{% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, True) }} -{% endif %} }
\ No newline at end of file diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index 9b36f92e8..127f4b7e7 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -284,7 +284,7 @@ </tagNode> </children> </node> - <node name="ip"> + <node name="ipv4"> <properties> <help>IPv4 firewall</help> </properties> diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i index b2f8271f7..7fd802f3b 100644 --- a/interface-definitions/include/firewall/ipv4-custom-name.xml.i +++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i @@ -14,13 +14,13 @@ <properties> <help>Set jump target. Action jump must be defined in default-action to use this setting</help> <completionHelp> - <path>firewall ip name</path> + <path>firewall ipv4 name</path> </completionHelp> </properties> </leafNode> <tagNode name="rule"> <properties> - <help>IP Firewall custom rule number</help> + <help>IPv4 Firewall custom rule number</help> <valueHelp> <format>u32:1-999999</format> <description>Number for this firewall rule</description> @@ -38,7 +38,7 @@ <properties> <help>Set jump target. Action jump must be defined to use this setting</help> <completionHelp> - <path>firewall ip name</path> + <path>firewall ipv4 name</path> </completionHelp> </properties> </leafNode> diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i index 6179afe31..beb9df64e 100644 --- a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i @@ -13,7 +13,7 @@ #include <include/generic-description.xml.i> <tagNode name="rule"> <properties> - <help>IP Firewall forward filter rule number</help> + <help>IPv4 Firewall forward filter rule number</help> <valueHelp> <format>u32:1-999999</format> <description>Number for this firewall rule</description> @@ -31,7 +31,7 @@ <properties> <help>Set jump target. Action jump must be defined to use this setting</help> <completionHelp> - <path>firewall ip name</path> + <path>firewall ipv4 name</path> </completionHelp> </properties> </leafNode> diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i index f9746378b..1a2e1399f 100644 --- a/interface-definitions/include/firewall/ipv4-hook-input.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i @@ -13,7 +13,7 @@ #include <include/generic-description.xml.i> <tagNode name="rule"> <properties> - <help>IP Firewall input filter rule number</help> + <help>IPv4 Firewall input filter rule number</help> <valueHelp> <format>u32:1-999999</format> <description>Number for this firewall rule</description> @@ -30,7 +30,7 @@ <properties> <help>Set jump target. Action jump must be defined to use this setting</help> <completionHelp> - <path>firewall ip name</path> + <path>firewall ipv4 name</path> </completionHelp> </properties> </leafNode> diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i index a1820f314..e870e2b79 100644 --- a/interface-definitions/include/firewall/ipv4-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i @@ -13,7 +13,7 @@ #include <include/generic-description.xml.i> <tagNode name="rule"> <properties> - <help>IP Firewall output filter rule number</help> + <help>IPv4 Firewall output filter rule number</help> <valueHelp> <format>u32:1-999999</format> <description>Number for this firewall rule</description> @@ -30,7 +30,7 @@ <properties> <help>Set jump target. Action jump must be defined to use this setting</help> <completionHelp> - <path>firewall ip name</path> + <path>firewall ipv4 name</path> </completionHelp> </properties> </leafNode> diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i index 229a25ef4..c38918375 100644 --- a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i @@ -13,7 +13,7 @@ #include <include/generic-description.xml.i> <tagNode name="rule"> <properties> - <help>IP Firewall prerouting filter rule number</help> + <help>IPv4 Firewall prerouting filter rule number</help> <valueHelp> <format>u32:1-999999</format> <description>Number for this firewall rule</description> @@ -30,7 +30,7 @@ <properties> <help>Set jump target. Action jump must be defined to use this setting</help> <completionHelp> - <path>firewall ip name</path> + <path>firewall ipv4 name</path> </completionHelp> </properties> </leafNode> @@ -49,13 +49,13 @@ <properties> <help>Set jump target. Action jump must be defined in default-action to use this setting</help> <completionHelp> - <path>firewall ip name</path> + <path>firewall ipv4 name</path> </completionHelp> </properties> </leafNode> <tagNode name="rule"> <properties> - <help>IP Firewall prerouting raw rule number</help> + <help>IPv4 Firewall prerouting raw rule number</help> <valueHelp> <format>u32:1-999999</format> <description>Number for this firewall rule</description> @@ -72,7 +72,7 @@ <properties> <help>Set jump target. Action jump must be defined to use this setting</help> <completionHelp> - <path>firewall ip name</path> + <path>firewall ipv4 name</path> </completionHelp> </properties> </leafNode> diff --git a/op-mode-definitions/firewall.xml.in b/op-mode-definitions/firewall.xml.in index b29e93f5e..164ce6b60 100644 --- a/op-mode-definitions/firewall.xml.in +++ b/op-mode-definitions/firewall.xml.in @@ -231,7 +231,7 @@ </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command> </node> - <node name="ip"> + <node name="ipv4"> <properties> <help>Show IPv4 firewall</help> </properties> @@ -250,7 +250,7 @@ <properties> <help>Show summary of IPv4 forward filter firewall rules</help> <completionHelp> - <path>firewall ip forward filter rule</path> + <path>firewall ipv4 forward filter rule</path> </completionHelp> </properties> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command> @@ -274,7 +274,7 @@ <properties> <help>Show summary of IPv4 input filter firewall rules</help> <completionHelp> - <path>firewall ip input filter rule</path> + <path>firewall ipv4 input filter rule</path> </completionHelp> </properties> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command> @@ -298,7 +298,7 @@ <properties> <help>Show summary of IPv4 output filter firewall rules</help> <completionHelp> - <path>firewall ip output filter rule</path> + <path>firewall ipv4 output filter rule</path> </completionHelp> </properties> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command> @@ -312,7 +312,7 @@ <properties> <help>Show IPv4 custom firewall chains</help> <completionHelp> - <path>firewall ip name</path> + <path>firewall ipv4 name</path> </completionHelp> </properties> <children> @@ -320,7 +320,7 @@ <properties> <help>Show summary of IPv4 custom firewall ruleset</help> <completionHelp> - <path>firewall ip name ${COMP_WORDS[6]} rule</path> + <path>firewall ipv4 name ${COMP_WORDS[6]} rule</path> </completionHelp> </properties> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command> diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 86a324062..bb32556af 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -49,7 +49,7 @@ def fqdn_config_parse(firewall): suffix = path[5][0] set_name = f'{hook_name}_{priority}_{rule}_{suffix}' - if (path[0] == 'ip') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'): + if (path[0] == 'ipv4') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'): firewall['ip_fqdn'][set_name] = domain elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'ipv6_name'): if path[1] == 'ipv6_name': @@ -521,7 +521,7 @@ def geoip_update(firewall, force=False): set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}' if path[1] == 'ipv6_name': set_name = f'GEOIP_CC_name6_{path[2]}_{path[4]}' - if ( path[0] == 'ip' ) and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ): + if ( path[0] == 'ipv4' ) and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ): for code in codes: ipv4_codes.setdefault(code, []).append(set_name) elif ( path[0] == 'ipv6' ) and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'ipv6_name' ): diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index 640b7971c..7a7628873 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -90,13 +90,13 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): return False def test_geoip(self): - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'action', 'drop']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'gb']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '2', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'de']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'fr']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'inverse-match']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'gb']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'de']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'fr']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'inverse-match']) self.cli_commit() @@ -127,17 +127,17 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'group', 'interface-group', 'smoketest_interface', 'interface', 'eth0']) self.cli_set(['firewall', 'group', 'interface-group', 'smoketest_interface', 'interface', 'vtun0']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'destination', 'address', '172.16.10.10']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'protocol', 'tcp_udp']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '2', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'source', 'group', 'domain-group', 'smoketest_domain']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'outbound-interface', 'interface-group', 'smoketest_interface']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'destination', 'address', '172.16.10.10']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'protocol', 'tcp_udp']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '2', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'source', 'group', 'domain-group', 'smoketest_domain']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'outbound-interface', 'interface-group', 'smoketest_interface']) self.cli_commit() @@ -167,10 +167,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port', 'port', '53']) self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port1', 'port', '123']) self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port1', 'include', 'smoketest_port']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network1']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port1']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network1']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port1']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp']) self.cli_commit() @@ -196,53 +196,53 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): mss_range = '501-1460' conn_mark = '555' - self.cli_set(['firewall', 'ip', 'name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'ip', 'name', name, 'enable-default-log']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'log', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'log-options', 'level', 'debug']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'ttl', 'eq', '15']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'action', 'reject']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'protocol', 'tcp']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'destination', 'port', '8888']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'log', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'log-options', 'level', 'err']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'ttl', 'gt', '102']) - - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'default-action', 'drop']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'protocol', 'tcp']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'destination', 'port', '22']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'limit', 'rate', '5/minute']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'log', 'disable']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'action', 'drop']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'protocol', 'tcp']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'destination', 'port', '22']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'recent', 'count', '10']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'recent', 'time', 'minute']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'packet-type', 'host']) - - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'protocol', 'tcp']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'tcp', 'flags', 'syn']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'tcp', 'mss', mss_range]) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'packet-type', 'broadcast']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'inbound-interface', 'interface-name', interface]) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '6', 'action', 'return']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '6', 'protocol', 'gre']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '6', 'connection-mark', conn_mark]) - - self.cli_set(['firewall', 'ip', 'output', 'filter', 'default-action', 'accept']) - self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '5', 'action', 'drop']) - self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '5', 'protocol', 'gre']) - self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '5', 'outbound-interface', 'interface-name', interface_wc]) - self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '6', 'action', 'return']) - self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '6', 'protocol', 'icmp']) - self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '6', 'connection-mark', conn_mark]) + self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log-options', 'level', 'debug']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'ttl', 'eq', '15']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'reject']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'destination', 'port', '8888']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log-options', 'level', 'err']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'ttl', 'gt', '102']) + + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'destination', 'port', '22']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'limit', 'rate', '5/minute']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'log', 'disable']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'destination', 'port', '22']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'recent', 'count', '10']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'recent', 'time', 'minute']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'packet-type', 'host']) + + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'tcp', 'flags', 'syn']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'tcp', 'mss', mss_range]) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'packet-type', 'broadcast']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'inbound-interface', 'interface-name', interface]) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'action', 'return']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'protocol', 'gre']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'connection-mark', conn_mark]) + + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'default-action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'protocol', 'gre']) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'outbound-interface', 'interface-name', interface_wc]) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'action', 'return']) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'protocol', 'icmp']) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'connection-mark', conn_mark]) self.cli_commit() @@ -274,39 +274,39 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): name2 = 'smoketest-adv2' interface = 'eth0' - self.cli_set(['firewall', 'ip', 'name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'ip', 'name', name, 'enable-default-log']) - - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'packet-length', '64']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'packet-length', '512']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'packet-length', '1024']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'dscp', '17']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'dscp', '52']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'log', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'log-options', 'group', '66']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000']) - - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'packet-length', '1-30000']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'packet-length-exclude', '60000-65535']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'dscp', '3-11']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'dscp-exclude', '21-25']) - - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'default-action', 'accept']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'action', 'jump']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'jump-target', name]) - - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '2', 'protocol', 'tcp']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '2', 'action', 'queue']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '2', 'queue', '3']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'protocol', 'udp']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'action', 'queue']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'queue-options', 'fanout']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'queue-options', 'bypass']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'queue', '0-15']) + self.cli_set(['firewall', 'ip4', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ip4', 'name', name, 'enable-default-log']) + + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '64']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '512']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '1024']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'dscp', '17']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'dscp', '52']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'group', '66']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000']) + + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'packet-length', '1-30000']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'packet-length-exclude', '60000-65535']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp', '3-11']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp-exclude', '21-25']) + + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name]) + + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'action', 'queue']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'queue', '3']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'protocol', 'udp']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'action', 'queue']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue-options', 'fanout']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue-options', 'bypass']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue', '0-15']) self.cli_commit() @@ -332,20 +332,20 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'group', 'address-group', 'mask_group', 'address', '1.1.1.1']) - self.cli_set(['firewall', 'ip', 'name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'ip', 'name', name, 'enable-default-log']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'action', 'drop']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'destination', 'address', '0.0.1.2']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'destination', 'address-mask', '0.0.255.255']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address', '0.0.1.2']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address-mask', '0.0.255.255']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'source', 'address', '!0.0.3.4']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'source', 'address-mask', '0.0.255.255']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'source', 'address', '!0.0.3.4']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'source', 'address-mask', '0.0.255.255']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'action', 'drop']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'source', 'address-mask', '0.0.255.255']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'source', 'address-mask', '0.0.255.255']) self.cli_commit() @@ -483,20 +483,20 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): name = 'smoketest-state' interface = 'eth0' - self.cli_set(['firewall', 'ip', 'name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'state', 'established', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'state', 'related', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'action', 'reject']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'state', 'invalid', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'state', 'new', 'enable']) - - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '4', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '4', 'state', 'new', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '4', 'state', 'established', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'established', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'related', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'reject']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'state', 'invalid', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'state', 'new', 'enable']) + + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'new', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'established', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source']) self.cli_commit() diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 4c5341e22..a50ae2ec6 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -101,7 +101,7 @@ def geoip_updated(conf, firewall): if path[1] == 'ipv6_name': set_name = f'GEOIP_CC_name6_{path[2]}_{path[4]}' - if (path[0] == 'ip') and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ): + if (path[0] == 'ipv4') and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ): out['name'].append(set_name) elif (path[0] == 'ipv6') and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'ipv6_name' ): out['ipv6_name'].append(set_name) @@ -133,6 +133,47 @@ def get_config(config=None): get_first_key=True, with_recursive_defaults=True) + # We have gathered the dict representation of the CLI, but there are + # default options which we need to update into the dictionary retrived. + # XXX: T2665: we currently have no nice way for defaults under tag + # nodes, thus we load the defaults "by hand" + default_values = defaults(base) + + for family in ['ipv4', 'ipv6']: + for tmp in ['name', 'ipv6_name', 'forward', 'input', 'output', 'prerouting']: + if tmp in default_values[family]: + del default_values[family][tmp] + + + firewall = dict_merge(default_values, firewall) + + # Merge in defaults for IPv4 ruleset + if 'name' in firewall['ipv4']: + default_values = defaults(base + ['ipv4'] + ['name']) + for name in firewall['ipv4']['name']: + firewall['ipv4']['name'][name] = dict_merge(default_values, + firewall['ipv4']['name'][name]) + for hook in ['forward', 'input', 'output', 'prerouting']: + if hook in firewall['ipv4']: + for priority in ['filter', 'mangle', 'raw']: + if priority in firewall['ipv4'][hook]: + default_values = defaults(base + ['ipv4'] + [hook] + [priority]) + firewall['ipv4'][hook][priority] = dict_merge(default_values, + firewall['ipv4'][hook][priority]) + + # Merge in defaults for IPv6 ruleset + if 'ipv6_name' in firewall['ipv6']: + default_values = defaults(base + ['ipv6'] + ['ipv6-name']) + for ipv6_name in firewall['ipv6']['ipv6_name']: + firewall['ipv6']['ipv6_name'][ipv6_name] = dict_merge(default_values, + firewall['ipv6']['ipv6_name'][ipv6_name]) + for hook in ['forward', 'input', 'output', 'prerouting']: + if hook in firewall['ipv6']: + for priority in ['filter', 'mangle', 'raw']: + if priority in firewall['ipv6'][hook]: + default_values = defaults(base + ['ipv6'] + [hook] + [priority]) + firewall['ipv6'][hook][priority] = dict_merge(default_values, + firewall['ipv6'][hook][priority]) firewall['group_resync'] = bool('group' in firewall or node_changed(conf, base + ['group'])) if firewall['group_resync']: @@ -165,7 +206,7 @@ def verify_rule(firewall, rule_conf, ipv6): raise ConfigError('jump-target defined, but action jump needed and it is not defined') target = rule_conf['jump_target'] if not ipv6: - if target not in dict_search_args(firewall, 'ip', 'name'): + if target not in dict_search_args(firewall, 'ipv4', 'name'): raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system') else: if target not in dict_search_args(firewall, 'ipv6', 'ipv6_name'): @@ -297,10 +338,10 @@ def verify(firewall): for group_name, group in groups.items(): verify_nested_group(group_name, group, groups, []) - if 'ip' in firewall: + if 'ipv4' in firewall: for name in ['name','forward','input','output']: - if name in firewall['ip']: - for name_id, name_conf in firewall['ip'][name].items(): + if name in firewall['ipv4']: + for name_id, name_conf in firewall['ipv4'][name].items(): if 'jump' in name_conf['default_action'] and 'default_jump_target' not in name_conf: raise ConfigError('default-action set to jump, but no default-jump-target specified') if 'default_jump_target' in name_conf: @@ -310,7 +351,7 @@ def verify(firewall): if name_conf['default_jump_target'] == name_id: raise ConfigError(f'Loop detected on default-jump-target.') ## Now need to check that default-jump-target exists (other firewall chain/name) - if target not in dict_search_args(firewall['ip'], 'name'): + if target not in dict_search_args(firewall['ipv4'], 'name'): raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system') if 'rule' in name_conf: diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11 index b2880afac..9dad86b62 100755 --- a/src/migration-scripts/firewall/10-to-11 +++ b/src/migration-scripts/firewall/10-to-11 @@ -20,22 +20,22 @@ # set firewall name <name> ... # set firewall ipv6-name <name> ... # To -# set firewall ip name <name> +# set firewall ipv4 name <name> # set firewall ipv6 ipv6-name <name> ## Also from 'firewall interface' removed. ## in and out: # set firewall interface <iface> [in|out] [name | ipv6-name] <name> # To - # set firewall [ip | ipv6] forward filter rule <5,10,15,...> [inbound-interface | outboubd-interface] interface-name <iface> - # set firewall [ip | ipv6] forward filter rule <5,10,15,...> action jump - # set firewall [ip | ipv6] forward filter rule <5,10,15,...> jump-target <name> + # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> [inbound-interface | outboubd-interface] interface-name <iface> + # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> action jump + # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> jump-target <name> ## local: # set firewall interface <iface> local [name | ipv6-name] <name> # To - # set firewall [ip | ipv6] input filter rule <5,10,15,...> inbound-interface interface-name <iface> - # set firewall [ip | ipv6] input filter rule <5,10,15,...> action jump - # set firewall [ip | ipv6] input filter rule <5,10,15,...> jump-target <name> + # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> inbound-interface interface-name <iface> + # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> action jump + # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> jump-target <name> import re @@ -63,7 +63,7 @@ if not config.exists(base): ### Migration of state policies if config.exists(base + ['state-policy']): - for family in ['ip', 'ipv6']: + for family in ['ipv4', 'ipv6']: for hook in ['forward', 'input', 'output']: for priority in ['filter']: # Add default-action== accept for compatibility reasons: @@ -89,11 +89,11 @@ for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv ### Migration of firewall name and ipv6-name if config.exists(base + ['name']): - config.set(['firewall', 'ip', 'name']) - config.set_tag(['firewall', 'ip', 'name']) + config.set(['firewall', 'ipv4', 'name']) + config.set_tag(['firewall', 'ipv4', 'name']) for ipv4name in config.list_nodes(base + ['name']): - config.copy(base + ['name', ipv4name], base + ['ip', 'name', ipv4name]) + config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name]) config.delete(base + ['name']) if config.exists(base + ['ipv6-name']): @@ -117,8 +117,8 @@ if config.exists(base + ['interface']): target = config.return_value(base + ['interface', iface, direction, 'name']) if direction == 'in': # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'forward', 'filter', 'default-action'], value='accept') - new_base = base + ['ip', 'forward', 'filter', 'rule'] + config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'forward', 'filter', 'rule'] config.set(new_base) config.set_tag(new_base) config.set(new_base + [fwd_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface) @@ -127,8 +127,8 @@ if config.exists(base + ['interface']): fwd_ipv4_rule = fwd_ipv4_rule + 5 elif direction == 'out': # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'forward', 'filter', 'default-action'], value='accept') - new_base = base + ['ip', 'forward', 'filter', 'rule'] + config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'forward', 'filter', 'rule'] config.set(new_base) config.set_tag(new_base) config.set(new_base + [fwd_ipv4_rule, 'outbound-interface', 'interface-name'], value=iface) @@ -137,8 +137,8 @@ if config.exists(base + ['interface']): fwd_ipv4_rule = fwd_ipv4_rule + 5 else: # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'input', 'filter', 'default-action'], value='accept') - new_base = base + ['ip', 'input', 'filter', 'rule'] + config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'input', 'filter', 'rule'] config.set(new_base) config.set_tag(new_base) config.set(new_base + [inp_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface) @@ -197,20 +197,20 @@ if config.exists(base + ['zone']): if config.exists(base + ['zone', zone, 'local-zone']): local_zone = 'True' # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'input', 'filter', 'default-action'], value='accept') + config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept') config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept') - config.set(base + ['ip', 'output', 'filter', 'default-action'], value='accept') + config.set(base + ['ipv4', 'output', 'filter', 'default-action'], value='accept') config.set(base + ['ipv6', 'output', 'filter', 'default-action'], value='accept') for from_zone in config.list_nodes(base + ['zone', zone, 'from']): group_name = 'IG_' + from_zone if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']): # ipv4 input ruleset target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']) - config.set(base + ['ip', 'input', 'filter', 'rule']) - config.set_tag(base + ['ip', 'input', 'filter', 'rule']) - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value='jump') - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'jump-target'], value=target_ipv4_chain) + config.set(base + ['ipv4', 'input', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'input', 'filter', 'rule']) + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value='jump') + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'jump-target'], value=target_ipv4_chain) inp_ipv4_rule = inp_ipv4_rule + 5 if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']): # ipv6 input ruleset @@ -228,21 +228,21 @@ if config.exists(base + ['zone']): local_def_action = config.return_value(base + ['zone', zone, 'default-action']) else: local_def_action = 'drop' - config.set(base + ['ip', 'input', 'filter', 'rule']) - config.set_tag(base + ['ip', 'input', 'filter', 'rule']) - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value=local_def_action) + config.set(base + ['ipv4', 'input', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'input', 'filter', 'rule']) + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value=local_def_action) config.set(base + ['ipv6', 'input', 'filter', 'rule']) config.set_tag(base + ['ipv6', 'input', 'filter', 'rule']) config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value=local_def_action) if config.exists(base + ['zone', zone, 'enable-default-log']): - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'log'], value='enable') + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'log'], value='enable') config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'log'], value='enable') else: # It's not a local zone group_name = 'IG_' + zone # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'forward', 'filter', 'default-action'], value='accept') + config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept') # intra-filtering migration. By default accept intra_zone_ipv4_action = 'accept' @@ -258,11 +258,11 @@ if config.exists(base + ['zone']): if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']): intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']) intra_zone_ipv6_action = 'jump' - config.set(base + ['ip', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ip', 'forward', 'filter', 'rule']) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=intra_zone_ipv4_action) + config.set(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=intra_zone_ipv4_action) config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule']) config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name) config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name) @@ -270,7 +270,7 @@ if config.exists(base + ['zone']): if intra_zone_ipv4_action == 'jump': if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']): intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=intra_zone_ipv4_target) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=intra_zone_ipv4_target) if intra_zone_ipv6_action == 'jump': if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']): intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']) @@ -293,20 +293,20 @@ if config.exists(base + ['zone']): target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']) if config.exists(base + ['zone', from_zone, 'local-zone']): # It's from LOCAL zone -> Output filtering - config.set(base + ['ip', 'output', 'filter', 'rule']) - config.set_tag(base + ['ip', 'output', 'filter', 'rule']) - config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value='jump') - config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'jump-target'], value=target_ipv4_chain) + config.set(base + ['ipv4', 'output', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'output', 'filter', 'rule']) + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value='jump') + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'jump-target'], value=target_ipv4_chain) out_ipv4_rule = out_ipv4_rule + 5 else: # It's not LOCAL zone -> forward filtering - config.set(base + ['ip', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ip', 'forward', 'filter', 'rule']) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=from_group) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value='jump') - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=target_ipv4_chain) + config.set(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=from_group) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value='jump') + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=target_ipv4_chain) fwd_ipv4_rule = fwd_ipv4_rule + 5 if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']): target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']) @@ -333,12 +333,12 @@ if config.exists(base + ['zone']): def_action = config.return_value(base + ['zone', zone, 'default-action']) else: def_action = 'drop' - config.set(base + ['ip', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ip', 'forward', 'filter', 'rule']) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=def_action) + config.set(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=def_action) description = 'zone_' + zone + ' default-action' - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'description'], value=description) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'description'], value=description) config.set(base + ['ipv6', 'forward', 'filter', 'rule']) config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule']) config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name) @@ -346,7 +346,7 @@ if config.exists(base + ['zone']): config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'description'], value=description) if config.exists(base + ['zone', zone, 'enable-default-log']): - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'log'], value='enable') + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'log'], value='enable') config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'log'], value='enable') fwd_ipv4_rule = fwd_ipv4_rule + 5 fwd_ipv6_rule = fwd_ipv6_rule + 5 @@ -354,9 +354,9 @@ if config.exists(base + ['zone']): # Migrate default-action (force to be drop in output chain) if local zone is defined if local_zone == 'True': # General drop in output change if needed - config.set(base + ['ip', 'output', 'filter', 'rule']) - config.set_tag(base + ['ip', 'output', 'filter', 'rule']) - config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value=local_def_action) + config.set(base + ['ipv4', 'output', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'output', 'filter', 'rule']) + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value=local_def_action) config.set(base + ['ipv6', 'output', 'filter', 'rule']) config.set_tag(base + ['ipv6', 'output', 'filter', 'rule']) config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value=local_def_action) diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py index 8eb883f81..ff7e2f398 100755 --- a/src/op_mode/firewall.py +++ b/src/op_mode/firewall.py @@ -27,7 +27,7 @@ from vyos.utils.dict import dict_search_args def get_config_firewall(conf, hook=None, priority=None, ipv6=False, interfaces=True): config_path = ['firewall'] if hook: - config_path += ['ipv6' if ipv6 else 'ip', hook] + config_path += ['ipv6' if ipv6 else 'ipv4', hook] if priority: config_path += [priority] @@ -160,9 +160,9 @@ def show_firewall(): if not firewall: return - if 'ip' in firewall: - for hook, hook_conf in firewall['ip'].items(): - for prior, prior_conf in firewall['ip'][hook].items(): + if 'ipv4' in firewall: + for hook, hook_conf in firewall['ipv4'].items(): + for prior, prior_conf in firewall['ipv4'][hook].items(): output_firewall_name(hook, prior, prior_conf, ipv6=False) if 'ipv6' in firewall: @@ -265,9 +265,9 @@ def show_summary(): v4_out = [] v6_out = [] - if 'ip' in firewall: - for hook, hook_conf in firewall['ip'].items(): - for prior, prior_conf in firewall['ip'][hook].items(): + if 'ipv4' in firewall: + for hook, hook_conf in firewall['ipv4'].items(): + for prior, prior_conf in firewall['ipv4'][hook].items(): description = prior_conf.get('description', '') v4_out.append([hook, prior, description]) @@ -296,9 +296,9 @@ def show_statistics(): if not firewall: return - if 'ip' in firewall: - for hook, hook_conf in firewall['ip'].items(): - for prior, prior_conf in firewall['ip'][hook].items(): + if 'ipv4' in firewall: + for hook, hook_conf in firewall['ipv4'].items(): + for prior, prior_conf in firewall['ipv4'][hook].items(): output_firewall_name_statistics(hook,prior, prior_conf, ipv6=False) if 'ipv6' in firewall: |