summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNicolas Fort <nicolasfort1988@gmail.com>2023-05-31 15:07:42 +0000
committerNicolas Fort <nicolasfort1988@gmail.com>2023-08-11 11:49:54 -0300
commit68d14fe80145542ffd08a5f7d5cde6c090a0de07 (patch)
tree3a915a4bd61d41117b92c16d00455681f2dffebf
parent342db936a02a02ba04867f932137638485ef0a6f (diff)
downloadvyos-1x-68d14fe80145542ffd08a5f7d5cde6c090a0de07.tar.gz
vyos-1x-68d14fe80145542ffd08a5f7d5cde6c090a0de07.zip
T5160: firewall refactor: change firewall ip to firewall ipv4
-rw-r--r--data/templates/firewall/nftables.j230
-rw-r--r--interface-definitions/firewall.xml.in2
-rw-r--r--interface-definitions/include/firewall/ipv4-custom-name.xml.i6
-rw-r--r--interface-definitions/include/firewall/ipv4-hook-forward.xml.i4
-rw-r--r--interface-definitions/include/firewall/ipv4-hook-input.xml.i4
-rw-r--r--interface-definitions/include/firewall/ipv4-hook-output.xml.i4
-rw-r--r--interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i10
-rw-r--r--op-mode-definitions/firewall.xml.in12
-rw-r--r--python/vyos/firewall.py4
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py254
-rwxr-xr-xsrc/conf_mode/firewall.py53
-rwxr-xr-xsrc/migration-scripts/firewall/10-to-11110
-rwxr-xr-xsrc/op_mode/firewall.py20
13 files changed, 273 insertions, 240 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index dcfe71a58..98ceebaa5 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -1,16 +1,15 @@
#!/usr/sbin/nft -f
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
-{% import 'firewall/nftables-zone.j2' as zone_tmpl %}
{% if first_install is not vyos_defined %}
delete table ip vyos_filter
{% endif %}
table ip vyos_filter {
-{% if ip is vyos_defined %}
-{% if ip.forward is vyos_defined %}
+{% if ipv4 is vyos_defined %}
+{% if ipv4.forward is vyos_defined %}
{% set ns = namespace(sets=[]) %}
-{% for prior, conf in ip.forward.items() %}
+{% for prior, conf in ipv4.forward.items() %}
{% set def_action = conf.default_action %}
chain VYOS_FORWARD_{{ prior }} {
type filter hook forward priority {{ prior }}; policy {{ def_action }};
@@ -33,9 +32,9 @@ table ip vyos_filter {
{% endfor %}
{% endif %}
-{% if ip.input is vyos_defined %}
+{% if ipv4.input is vyos_defined %}
{% set ns = namespace(sets=[]) %}
-{% for prior, conf in ip.input.items() %}
+{% for prior, conf in ipv4.input.items() %}
{% set def_action = conf.default_action %}
chain VYOS_INPUT_{{ prior }} {
type filter hook input priority {{ prior }}; policy {{ def_action }};
@@ -58,9 +57,9 @@ table ip vyos_filter {
{% endfor %}
{% endif %}
-{% if ip.output is vyos_defined %}
+{% if ipv4.output is vyos_defined %}
{% set ns = namespace(sets=[]) %}
-{% for prior, conf in ip.output.items() %}
+{% for prior, conf in ipv4.output.items() %}
{% set def_action = conf.default_action %}
chain VYOS_OUTPUT_{{ prior }} {
type filter hook output priority {{ prior }}; policy {{ def_action }};
@@ -87,9 +86,9 @@ table ip vyos_filter {
type filter hook prerouting priority -450; policy accept;
ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return
}
-{% if ip.prerouting is vyos_defined %}
+{% if ipv4.prerouting is vyos_defined %}
{% set ns = namespace(sets=[]) %}
-{% for prior, conf in ip.prerouting.items() %}
+{% for prior, conf in ipv4.prerouting.items() %}
chain VYOS_PREROUTING_{{ prior }} {
type filter hook prerouting priority {{ prior }}; policy accept;
{% if conf.rule is vyos_defined %}
@@ -112,9 +111,9 @@ table ip vyos_filter {
}
{% endfor %}
{% endif %}
-{% if ip.name is vyos_defined %}
+{% if ipv4.name is vyos_defined %}
{% set ns = namespace(sets=[]) %}
-{% for name_text, conf in ip.name.items() %}
+{% for name_text, conf in ipv4.name.items() %}
chain NAME_{{ name_text }} {
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
@@ -152,10 +151,6 @@ table ip vyos_filter {
{% endif %}
{{ group_tmpl.groups(group, False) }}
-
-{% if zone is vyos_defined %}
-{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, False) }}
-{% endif %}
}
{% if first_install is not vyos_defined %}
@@ -283,7 +278,4 @@ table ip6 vyos_filter {
{{ group_tmpl.groups(group, True) }}
-{% if zone is vyos_defined %}
-{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, True) }}
-{% endif %}
} \ No newline at end of file
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 9b36f92e8..127f4b7e7 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -284,7 +284,7 @@
</tagNode>
</children>
</node>
- <node name="ip">
+ <node name="ipv4">
<properties>
<help>IPv4 firewall</help>
</properties>
diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i
index b2f8271f7..7fd802f3b 100644
--- a/interface-definitions/include/firewall/ipv4-custom-name.xml.i
+++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i
@@ -14,13 +14,13 @@
<properties>
<help>Set jump target. Action jump must be defined in default-action to use this setting</help>
<completionHelp>
- <path>firewall ip name</path>
+ <path>firewall ipv4 name</path>
</completionHelp>
</properties>
</leafNode>
<tagNode name="rule">
<properties>
- <help>IP Firewall custom rule number</help>
+ <help>IPv4 Firewall custom rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number for this firewall rule</description>
@@ -38,7 +38,7 @@
<properties>
<help>Set jump target. Action jump must be defined to use this setting</help>
<completionHelp>
- <path>firewall ip name</path>
+ <path>firewall ipv4 name</path>
</completionHelp>
</properties>
</leafNode>
diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
index 6179afe31..beb9df64e 100644
--- a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
@@ -13,7 +13,7 @@
#include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
- <help>IP Firewall forward filter rule number</help>
+ <help>IPv4 Firewall forward filter rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number for this firewall rule</description>
@@ -31,7 +31,7 @@
<properties>
<help>Set jump target. Action jump must be defined to use this setting</help>
<completionHelp>
- <path>firewall ip name</path>
+ <path>firewall ipv4 name</path>
</completionHelp>
</properties>
</leafNode>
diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i
index f9746378b..1a2e1399f 100644
--- a/interface-definitions/include/firewall/ipv4-hook-input.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i
@@ -13,7 +13,7 @@
#include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
- <help>IP Firewall input filter rule number</help>
+ <help>IPv4 Firewall input filter rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number for this firewall rule</description>
@@ -30,7 +30,7 @@
<properties>
<help>Set jump target. Action jump must be defined to use this setting</help>
<completionHelp>
- <path>firewall ip name</path>
+ <path>firewall ipv4 name</path>
</completionHelp>
</properties>
</leafNode>
diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i
index a1820f314..e870e2b79 100644
--- a/interface-definitions/include/firewall/ipv4-hook-output.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i
@@ -13,7 +13,7 @@
#include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
- <help>IP Firewall output filter rule number</help>
+ <help>IPv4 Firewall output filter rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number for this firewall rule</description>
@@ -30,7 +30,7 @@
<properties>
<help>Set jump target. Action jump must be defined to use this setting</help>
<completionHelp>
- <path>firewall ip name</path>
+ <path>firewall ipv4 name</path>
</completionHelp>
</properties>
</leafNode>
diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i
index 229a25ef4..c38918375 100644
--- a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i
@@ -13,7 +13,7 @@
#include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
- <help>IP Firewall prerouting filter rule number</help>
+ <help>IPv4 Firewall prerouting filter rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number for this firewall rule</description>
@@ -30,7 +30,7 @@
<properties>
<help>Set jump target. Action jump must be defined to use this setting</help>
<completionHelp>
- <path>firewall ip name</path>
+ <path>firewall ipv4 name</path>
</completionHelp>
</properties>
</leafNode>
@@ -49,13 +49,13 @@
<properties>
<help>Set jump target. Action jump must be defined in default-action to use this setting</help>
<completionHelp>
- <path>firewall ip name</path>
+ <path>firewall ipv4 name</path>
</completionHelp>
</properties>
</leafNode>
<tagNode name="rule">
<properties>
- <help>IP Firewall prerouting raw rule number</help>
+ <help>IPv4 Firewall prerouting raw rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number for this firewall rule</description>
@@ -72,7 +72,7 @@
<properties>
<help>Set jump target. Action jump must be defined to use this setting</help>
<completionHelp>
- <path>firewall ip name</path>
+ <path>firewall ipv4 name</path>
</completionHelp>
</properties>
</leafNode>
diff --git a/op-mode-definitions/firewall.xml.in b/op-mode-definitions/firewall.xml.in
index b29e93f5e..164ce6b60 100644
--- a/op-mode-definitions/firewall.xml.in
+++ b/op-mode-definitions/firewall.xml.in
@@ -231,7 +231,7 @@
</children>
<command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command>
</node>
- <node name="ip">
+ <node name="ipv4">
<properties>
<help>Show IPv4 firewall</help>
</properties>
@@ -250,7 +250,7 @@
<properties>
<help>Show summary of IPv4 forward filter firewall rules</help>
<completionHelp>
- <path>firewall ip forward filter rule</path>
+ <path>firewall ipv4 forward filter rule</path>
</completionHelp>
</properties>
<command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command>
@@ -274,7 +274,7 @@
<properties>
<help>Show summary of IPv4 input filter firewall rules</help>
<completionHelp>
- <path>firewall ip input filter rule</path>
+ <path>firewall ipv4 input filter rule</path>
</completionHelp>
</properties>
<command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command>
@@ -298,7 +298,7 @@
<properties>
<help>Show summary of IPv4 output filter firewall rules</help>
<completionHelp>
- <path>firewall ip output filter rule</path>
+ <path>firewall ipv4 output filter rule</path>
</completionHelp>
</properties>
<command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command>
@@ -312,7 +312,7 @@
<properties>
<help>Show IPv4 custom firewall chains</help>
<completionHelp>
- <path>firewall ip name</path>
+ <path>firewall ipv4 name</path>
</completionHelp>
</properties>
<children>
@@ -320,7 +320,7 @@
<properties>
<help>Show summary of IPv4 custom firewall ruleset</help>
<completionHelp>
- <path>firewall ip name ${COMP_WORDS[6]} rule</path>
+ <path>firewall ipv4 name ${COMP_WORDS[6]} rule</path>
</completionHelp>
</properties>
<command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command>
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 86a324062..bb32556af 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -49,7 +49,7 @@ def fqdn_config_parse(firewall):
suffix = path[5][0]
set_name = f'{hook_name}_{priority}_{rule}_{suffix}'
- if (path[0] == 'ip') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
+ if (path[0] == 'ipv4') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
firewall['ip_fqdn'][set_name] = domain
elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'ipv6_name'):
if path[1] == 'ipv6_name':
@@ -521,7 +521,7 @@ def geoip_update(firewall, force=False):
set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}'
if path[1] == 'ipv6_name':
set_name = f'GEOIP_CC_name6_{path[2]}_{path[4]}'
- if ( path[0] == 'ip' ) and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ):
+ if ( path[0] == 'ipv4' ) and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ):
for code in codes:
ipv4_codes.setdefault(code, []).append(set_name)
elif ( path[0] == 'ipv6' ) and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'ipv6_name' ):
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 640b7971c..7a7628873 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -90,13 +90,13 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
return False
def test_geoip(self):
- self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'action', 'drop'])
- self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se'])
- self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'gb'])
- self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '2', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'de'])
- self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'fr'])
- self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'inverse-match'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'gb'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'de'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'fr'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'inverse-match'])
self.cli_commit()
@@ -127,17 +127,17 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'group', 'interface-group', 'smoketest_interface', 'interface', 'eth0'])
self.cli_set(['firewall', 'group', 'interface-group', 'smoketest_interface', 'interface', 'vtun0'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'destination', 'address', '172.16.10.10'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'protocol', 'tcp_udp'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '2', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'source', 'group', 'domain-group', 'smoketest_domain'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'outbound-interface', 'interface-group', 'smoketest_interface'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'destination', 'address', '172.16.10.10'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'protocol', 'tcp_udp'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '2', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'source', 'group', 'domain-group', 'smoketest_domain'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'outbound-interface', 'interface-group', 'smoketest_interface'])
self.cli_commit()
@@ -167,10 +167,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port', 'port', '53'])
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port1', 'port', '123'])
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port1', 'include', 'smoketest_port'])
- self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network1'])
- self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port1'])
- self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network1'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port1'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
self.cli_commit()
@@ -196,53 +196,53 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
mss_range = '501-1460'
conn_mark = '555'
- self.cli_set(['firewall', 'ip', 'name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'ip', 'name', name, 'enable-default-log'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'log', 'enable'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'log-options', 'level', 'debug'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'ttl', 'eq', '15'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'action', 'reject'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'destination', 'port', '8888'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'log', 'enable'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'log-options', 'level', 'err'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'ttl', 'gt', '102'])
-
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'default-action', 'drop'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'destination', 'port', '22'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'limit', 'rate', '5/minute'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'log', 'disable'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'action', 'drop'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'destination', 'port', '22'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'recent', 'count', '10'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'recent', 'time', 'minute'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'packet-type', 'host'])
-
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'tcp', 'flags', 'syn'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'tcp', 'mss', mss_range])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'packet-type', 'broadcast'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'inbound-interface', 'interface-name', interface])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '6', 'action', 'return'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '6', 'protocol', 'gre'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '6', 'connection-mark', conn_mark])
-
- self.cli_set(['firewall', 'ip', 'output', 'filter', 'default-action', 'accept'])
- self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '5', 'action', 'drop'])
- self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '5', 'protocol', 'gre'])
- self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '5', 'outbound-interface', 'interface-name', interface_wc])
- self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '6', 'action', 'return'])
- self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '6', 'protocol', 'icmp'])
- self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '6', 'connection-mark', conn_mark])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log-options', 'level', 'debug'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'ttl', 'eq', '15'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'reject'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'destination', 'port', '8888'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log-options', 'level', 'err'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'ttl', 'gt', '102'])
+
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'destination', 'port', '22'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'limit', 'rate', '5/minute'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'log', 'disable'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'destination', 'port', '22'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'recent', 'count', '10'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'recent', 'time', 'minute'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'packet-type', 'host'])
+
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'tcp', 'flags', 'syn'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'tcp', 'mss', mss_range])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'packet-type', 'broadcast'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'inbound-interface', 'interface-name', interface])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'action', 'return'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'protocol', 'gre'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'connection-mark', conn_mark])
+
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'default-action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'protocol', 'gre'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'outbound-interface', 'interface-name', interface_wc])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'action', 'return'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'protocol', 'icmp'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'connection-mark', conn_mark])
self.cli_commit()
@@ -274,39 +274,39 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
name2 = 'smoketest-adv2'
interface = 'eth0'
- self.cli_set(['firewall', 'ip', 'name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'ip', 'name', name, 'enable-default-log'])
-
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'packet-length', '64'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'packet-length', '512'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'packet-length', '1024'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'dscp', '17'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'dscp', '52'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'log', 'enable'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'log-options', 'group', '66'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000'])
-
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'packet-length', '1-30000'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'packet-length-exclude', '60000-65535'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'dscp', '3-11'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'dscp-exclude', '21-25'])
-
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'default-action', 'accept'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'action', 'jump'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'jump-target', name])
-
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '2', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '2', 'action', 'queue'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '2', 'queue', '3'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'protocol', 'udp'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'action', 'queue'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'queue-options', 'fanout'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'queue-options', 'bypass'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'queue', '0-15'])
+ self.cli_set(['firewall', 'ip4', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ip4', 'name', name, 'enable-default-log'])
+
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '64'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '512'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '1024'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'dscp', '17'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'dscp', '52'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'group', '66'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000'])
+
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'packet-length', '1-30000'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'packet-length-exclude', '60000-65535'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp', '3-11'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp-exclude', '21-25'])
+
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name])
+
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'action', 'queue'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'queue', '3'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'protocol', 'udp'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'action', 'queue'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue-options', 'fanout'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue-options', 'bypass'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue', '0-15'])
self.cli_commit()
@@ -332,20 +332,20 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'group', 'address-group', 'mask_group', 'address', '1.1.1.1'])
- self.cli_set(['firewall', 'ip', 'name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'ip', 'name', name, 'enable-default-log'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'action', 'drop'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'destination', 'address', '0.0.1.2'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'destination', 'address-mask', '0.0.255.255'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address', '0.0.1.2'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address-mask', '0.0.255.255'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'source', 'address', '!0.0.3.4'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'source', 'address-mask', '0.0.255.255'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'source', 'address', '!0.0.3.4'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'source', 'address-mask', '0.0.255.255'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'action', 'drop'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'source', 'address-mask', '0.0.255.255'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'source', 'address-mask', '0.0.255.255'])
self.cli_commit()
@@ -483,20 +483,20 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
name = 'smoketest-state'
interface = 'eth0'
- self.cli_set(['firewall', 'ip', 'name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'state', 'established', 'enable'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'state', 'related', 'enable'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'action', 'reject'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'state', 'invalid', 'enable'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'state', 'new', 'enable'])
-
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '4', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '4', 'state', 'new', 'enable'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '4', 'state', 'established', 'enable'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'established', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'related', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'reject'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'state', 'invalid', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'state', 'new', 'enable'])
+
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'new', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'established', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source'])
self.cli_commit()
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 4c5341e22..a50ae2ec6 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -101,7 +101,7 @@ def geoip_updated(conf, firewall):
if path[1] == 'ipv6_name':
set_name = f'GEOIP_CC_name6_{path[2]}_{path[4]}'
- if (path[0] == 'ip') and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ):
+ if (path[0] == 'ipv4') and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ):
out['name'].append(set_name)
elif (path[0] == 'ipv6') and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'ipv6_name' ):
out['ipv6_name'].append(set_name)
@@ -133,6 +133,47 @@ def get_config(config=None):
get_first_key=True,
with_recursive_defaults=True)
+ # We have gathered the dict representation of the CLI, but there are
+ # default options which we need to update into the dictionary retrived.
+ # XXX: T2665: we currently have no nice way for defaults under tag
+ # nodes, thus we load the defaults "by hand"
+ default_values = defaults(base)
+
+ for family in ['ipv4', 'ipv6']:
+ for tmp in ['name', 'ipv6_name', 'forward', 'input', 'output', 'prerouting']:
+ if tmp in default_values[family]:
+ del default_values[family][tmp]
+
+
+ firewall = dict_merge(default_values, firewall)
+
+ # Merge in defaults for IPv4 ruleset
+ if 'name' in firewall['ipv4']:
+ default_values = defaults(base + ['ipv4'] + ['name'])
+ for name in firewall['ipv4']['name']:
+ firewall['ipv4']['name'][name] = dict_merge(default_values,
+ firewall['ipv4']['name'][name])
+ for hook in ['forward', 'input', 'output', 'prerouting']:
+ if hook in firewall['ipv4']:
+ for priority in ['filter', 'mangle', 'raw']:
+ if priority in firewall['ipv4'][hook]:
+ default_values = defaults(base + ['ipv4'] + [hook] + [priority])
+ firewall['ipv4'][hook][priority] = dict_merge(default_values,
+ firewall['ipv4'][hook][priority])
+
+ # Merge in defaults for IPv6 ruleset
+ if 'ipv6_name' in firewall['ipv6']:
+ default_values = defaults(base + ['ipv6'] + ['ipv6-name'])
+ for ipv6_name in firewall['ipv6']['ipv6_name']:
+ firewall['ipv6']['ipv6_name'][ipv6_name] = dict_merge(default_values,
+ firewall['ipv6']['ipv6_name'][ipv6_name])
+ for hook in ['forward', 'input', 'output', 'prerouting']:
+ if hook in firewall['ipv6']:
+ for priority in ['filter', 'mangle', 'raw']:
+ if priority in firewall['ipv6'][hook]:
+ default_values = defaults(base + ['ipv6'] + [hook] + [priority])
+ firewall['ipv6'][hook][priority] = dict_merge(default_values,
+ firewall['ipv6'][hook][priority])
firewall['group_resync'] = bool('group' in firewall or node_changed(conf, base + ['group']))
if firewall['group_resync']:
@@ -165,7 +206,7 @@ def verify_rule(firewall, rule_conf, ipv6):
raise ConfigError('jump-target defined, but action jump needed and it is not defined')
target = rule_conf['jump_target']
if not ipv6:
- if target not in dict_search_args(firewall, 'ip', 'name'):
+ if target not in dict_search_args(firewall, 'ipv4', 'name'):
raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system')
else:
if target not in dict_search_args(firewall, 'ipv6', 'ipv6_name'):
@@ -297,10 +338,10 @@ def verify(firewall):
for group_name, group in groups.items():
verify_nested_group(group_name, group, groups, [])
- if 'ip' in firewall:
+ if 'ipv4' in firewall:
for name in ['name','forward','input','output']:
- if name in firewall['ip']:
- for name_id, name_conf in firewall['ip'][name].items():
+ if name in firewall['ipv4']:
+ for name_id, name_conf in firewall['ipv4'][name].items():
if 'jump' in name_conf['default_action'] and 'default_jump_target' not in name_conf:
raise ConfigError('default-action set to jump, but no default-jump-target specified')
if 'default_jump_target' in name_conf:
@@ -310,7 +351,7 @@ def verify(firewall):
if name_conf['default_jump_target'] == name_id:
raise ConfigError(f'Loop detected on default-jump-target.')
## Now need to check that default-jump-target exists (other firewall chain/name)
- if target not in dict_search_args(firewall['ip'], 'name'):
+ if target not in dict_search_args(firewall['ipv4'], 'name'):
raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system')
if 'rule' in name_conf:
diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11
index b2880afac..9dad86b62 100755
--- a/src/migration-scripts/firewall/10-to-11
+++ b/src/migration-scripts/firewall/10-to-11
@@ -20,22 +20,22 @@
# set firewall name <name> ...
# set firewall ipv6-name <name> ...
# To
-# set firewall ip name <name>
+# set firewall ipv4 name <name>
# set firewall ipv6 ipv6-name <name>
## Also from 'firewall interface' removed.
## in and out:
# set firewall interface <iface> [in|out] [name | ipv6-name] <name>
# To
- # set firewall [ip | ipv6] forward filter rule <5,10,15,...> [inbound-interface | outboubd-interface] interface-name <iface>
- # set firewall [ip | ipv6] forward filter rule <5,10,15,...> action jump
- # set firewall [ip | ipv6] forward filter rule <5,10,15,...> jump-target <name>
+ # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> [inbound-interface | outboubd-interface] interface-name <iface>
+ # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> action jump
+ # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> jump-target <name>
## local:
# set firewall interface <iface> local [name | ipv6-name] <name>
# To
- # set firewall [ip | ipv6] input filter rule <5,10,15,...> inbound-interface interface-name <iface>
- # set firewall [ip | ipv6] input filter rule <5,10,15,...> action jump
- # set firewall [ip | ipv6] input filter rule <5,10,15,...> jump-target <name>
+ # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> inbound-interface interface-name <iface>
+ # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> action jump
+ # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> jump-target <name>
import re
@@ -63,7 +63,7 @@ if not config.exists(base):
### Migration of state policies
if config.exists(base + ['state-policy']):
- for family in ['ip', 'ipv6']:
+ for family in ['ipv4', 'ipv6']:
for hook in ['forward', 'input', 'output']:
for priority in ['filter']:
# Add default-action== accept for compatibility reasons:
@@ -89,11 +89,11 @@ for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv
### Migration of firewall name and ipv6-name
if config.exists(base + ['name']):
- config.set(['firewall', 'ip', 'name'])
- config.set_tag(['firewall', 'ip', 'name'])
+ config.set(['firewall', 'ipv4', 'name'])
+ config.set_tag(['firewall', 'ipv4', 'name'])
for ipv4name in config.list_nodes(base + ['name']):
- config.copy(base + ['name', ipv4name], base + ['ip', 'name', ipv4name])
+ config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name])
config.delete(base + ['name'])
if config.exists(base + ['ipv6-name']):
@@ -117,8 +117,8 @@ if config.exists(base + ['interface']):
target = config.return_value(base + ['interface', iface, direction, 'name'])
if direction == 'in':
# Add default-action== accept for compatibility reasons:
- config.set(base + ['ip', 'forward', 'filter', 'default-action'], value='accept')
- new_base = base + ['ip', 'forward', 'filter', 'rule']
+ config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
+ new_base = base + ['ipv4', 'forward', 'filter', 'rule']
config.set(new_base)
config.set_tag(new_base)
config.set(new_base + [fwd_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface)
@@ -127,8 +127,8 @@ if config.exists(base + ['interface']):
fwd_ipv4_rule = fwd_ipv4_rule + 5
elif direction == 'out':
# Add default-action== accept for compatibility reasons:
- config.set(base + ['ip', 'forward', 'filter', 'default-action'], value='accept')
- new_base = base + ['ip', 'forward', 'filter', 'rule']
+ config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
+ new_base = base + ['ipv4', 'forward', 'filter', 'rule']
config.set(new_base)
config.set_tag(new_base)
config.set(new_base + [fwd_ipv4_rule, 'outbound-interface', 'interface-name'], value=iface)
@@ -137,8 +137,8 @@ if config.exists(base + ['interface']):
fwd_ipv4_rule = fwd_ipv4_rule + 5
else:
# Add default-action== accept for compatibility reasons:
- config.set(base + ['ip', 'input', 'filter', 'default-action'], value='accept')
- new_base = base + ['ip', 'input', 'filter', 'rule']
+ config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept')
+ new_base = base + ['ipv4', 'input', 'filter', 'rule']
config.set(new_base)
config.set_tag(new_base)
config.set(new_base + [inp_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface)
@@ -197,20 +197,20 @@ if config.exists(base + ['zone']):
if config.exists(base + ['zone', zone, 'local-zone']):
local_zone = 'True'
# Add default-action== accept for compatibility reasons:
- config.set(base + ['ip', 'input', 'filter', 'default-action'], value='accept')
+ config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept')
config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept')
- config.set(base + ['ip', 'output', 'filter', 'default-action'], value='accept')
+ config.set(base + ['ipv4', 'output', 'filter', 'default-action'], value='accept')
config.set(base + ['ipv6', 'output', 'filter', 'default-action'], value='accept')
for from_zone in config.list_nodes(base + ['zone', zone, 'from']):
group_name = 'IG_' + from_zone
if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']):
# ipv4 input ruleset
target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name'])
- config.set(base + ['ip', 'input', 'filter', 'rule'])
- config.set_tag(base + ['ip', 'input', 'filter', 'rule'])
- config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value='jump')
- config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
+ config.set(base + ['ipv4', 'input', 'filter', 'rule'])
+ config.set_tag(base + ['ipv4', 'input', 'filter', 'rule'])
+ config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value='jump')
+ config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
inp_ipv4_rule = inp_ipv4_rule + 5
if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']):
# ipv6 input ruleset
@@ -228,21 +228,21 @@ if config.exists(base + ['zone']):
local_def_action = config.return_value(base + ['zone', zone, 'default-action'])
else:
local_def_action = 'drop'
- config.set(base + ['ip', 'input', 'filter', 'rule'])
- config.set_tag(base + ['ip', 'input', 'filter', 'rule'])
- config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value=local_def_action)
+ config.set(base + ['ipv4', 'input', 'filter', 'rule'])
+ config.set_tag(base + ['ipv4', 'input', 'filter', 'rule'])
+ config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value=local_def_action)
config.set(base + ['ipv6', 'input', 'filter', 'rule'])
config.set_tag(base + ['ipv6', 'input', 'filter', 'rule'])
config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value=local_def_action)
if config.exists(base + ['zone', zone, 'enable-default-log']):
- config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'log'], value='enable')
+ config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'log'], value='enable')
config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'log'], value='enable')
else:
# It's not a local zone
group_name = 'IG_' + zone
# Add default-action== accept for compatibility reasons:
- config.set(base + ['ip', 'forward', 'filter', 'default-action'], value='accept')
+ config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept')
# intra-filtering migration. By default accept
intra_zone_ipv4_action = 'accept'
@@ -258,11 +258,11 @@ if config.exists(base + ['zone']):
if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']):
intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name'])
intra_zone_ipv6_action = 'jump'
- config.set(base + ['ip', 'forward', 'filter', 'rule'])
- config.set_tag(base + ['ip', 'forward', 'filter', 'rule'])
- config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=intra_zone_ipv4_action)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
+ config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=intra_zone_ipv4_action)
config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule'])
config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name)
@@ -270,7 +270,7 @@ if config.exists(base + ['zone']):
if intra_zone_ipv4_action == 'jump':
if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']):
intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name'])
- config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=intra_zone_ipv4_target)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=intra_zone_ipv4_target)
if intra_zone_ipv6_action == 'jump':
if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']):
intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name'])
@@ -293,20 +293,20 @@ if config.exists(base + ['zone']):
target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name'])
if config.exists(base + ['zone', from_zone, 'local-zone']):
# It's from LOCAL zone -> Output filtering
- config.set(base + ['ip', 'output', 'filter', 'rule'])
- config.set_tag(base + ['ip', 'output', 'filter', 'rule'])
- config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value='jump')
- config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
+ config.set(base + ['ipv4', 'output', 'filter', 'rule'])
+ config.set_tag(base + ['ipv4', 'output', 'filter', 'rule'])
+ config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value='jump')
+ config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
out_ipv4_rule = out_ipv4_rule + 5
else:
# It's not LOCAL zone -> forward filtering
- config.set(base + ['ip', 'forward', 'filter', 'rule'])
- config.set_tag(base + ['ip', 'forward', 'filter', 'rule'])
- config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=from_group)
- config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value='jump')
- config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
+ config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=from_group)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value='jump')
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
fwd_ipv4_rule = fwd_ipv4_rule + 5
if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']):
target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name'])
@@ -333,12 +333,12 @@ if config.exists(base + ['zone']):
def_action = config.return_value(base + ['zone', zone, 'default-action'])
else:
def_action = 'drop'
- config.set(base + ['ip', 'forward', 'filter', 'rule'])
- config.set_tag(base + ['ip', 'forward', 'filter', 'rule'])
- config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=def_action)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
+ config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=def_action)
description = 'zone_' + zone + ' default-action'
- config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'description'], value=description)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'description'], value=description)
config.set(base + ['ipv6', 'forward', 'filter', 'rule'])
config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule'])
config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
@@ -346,7 +346,7 @@ if config.exists(base + ['zone']):
config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'description'], value=description)
if config.exists(base + ['zone', zone, 'enable-default-log']):
- config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'log'], value='enable')
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'log'], value='enable')
config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'log'], value='enable')
fwd_ipv4_rule = fwd_ipv4_rule + 5
fwd_ipv6_rule = fwd_ipv6_rule + 5
@@ -354,9 +354,9 @@ if config.exists(base + ['zone']):
# Migrate default-action (force to be drop in output chain) if local zone is defined
if local_zone == 'True':
# General drop in output change if needed
- config.set(base + ['ip', 'output', 'filter', 'rule'])
- config.set_tag(base + ['ip', 'output', 'filter', 'rule'])
- config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value=local_def_action)
+ config.set(base + ['ipv4', 'output', 'filter', 'rule'])
+ config.set_tag(base + ['ipv4', 'output', 'filter', 'rule'])
+ config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value=local_def_action)
config.set(base + ['ipv6', 'output', 'filter', 'rule'])
config.set_tag(base + ['ipv6', 'output', 'filter', 'rule'])
config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value=local_def_action)
diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index 8eb883f81..ff7e2f398 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -27,7 +27,7 @@ from vyos.utils.dict import dict_search_args
def get_config_firewall(conf, hook=None, priority=None, ipv6=False, interfaces=True):
config_path = ['firewall']
if hook:
- config_path += ['ipv6' if ipv6 else 'ip', hook]
+ config_path += ['ipv6' if ipv6 else 'ipv4', hook]
if priority:
config_path += [priority]
@@ -160,9 +160,9 @@ def show_firewall():
if not firewall:
return
- if 'ip' in firewall:
- for hook, hook_conf in firewall['ip'].items():
- for prior, prior_conf in firewall['ip'][hook].items():
+ if 'ipv4' in firewall:
+ for hook, hook_conf in firewall['ipv4'].items():
+ for prior, prior_conf in firewall['ipv4'][hook].items():
output_firewall_name(hook, prior, prior_conf, ipv6=False)
if 'ipv6' in firewall:
@@ -265,9 +265,9 @@ def show_summary():
v4_out = []
v6_out = []
- if 'ip' in firewall:
- for hook, hook_conf in firewall['ip'].items():
- for prior, prior_conf in firewall['ip'][hook].items():
+ if 'ipv4' in firewall:
+ for hook, hook_conf in firewall['ipv4'].items():
+ for prior, prior_conf in firewall['ipv4'][hook].items():
description = prior_conf.get('description', '')
v4_out.append([hook, prior, description])
@@ -296,9 +296,9 @@ def show_statistics():
if not firewall:
return
- if 'ip' in firewall:
- for hook, hook_conf in firewall['ip'].items():
- for prior, prior_conf in firewall['ip'][hook].items():
+ if 'ipv4' in firewall:
+ for hook, hook_conf in firewall['ipv4'].items():
+ for prior, prior_conf in firewall['ipv4'][hook].items():
output_firewall_name_statistics(hook,prior, prior_conf, ipv6=False)
if 'ipv6' in firewall: