diff options
author | Nicolas Fort <nicolasfort1988@gmail.com> | 2024-07-24 14:08:19 +0000 |
---|---|---|
committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2024-08-01 13:25:31 -0300 |
commit | 20551379e8e2b4b6e342b39ea67738876e559bbf (patch) | |
tree | bf8237ba1039c90a079ebafa848fcff4193fcaae | |
parent | 962ead698e191ff413aaa1585270dfed48100547 (diff) | |
download | vyos-1x-20551379e8e2b4b6e342b39ea67738876e559bbf.tar.gz vyos-1x-20551379e8e2b4b6e342b39ea67738876e559bbf.zip |
T4072: firewall: extend firewall bridge capabilities, in order to include new chains, priorities, and firewall groups
16 files changed, 589 insertions, 129 deletions
diff --git a/data/templates/firewall/nftables-bridge.j2 b/data/templates/firewall/nftables-bridge.j2 index dec027bf9..1975fb9b0 100644 --- a/data/templates/firewall/nftables-bridge.j2 +++ b/data/templates/firewall/nftables-bridge.j2 @@ -1,9 +1,13 @@ +{% import 'firewall/nftables-defines.j2' as group_tmpl %} {% macro bridge(bridge) %} {% set ns = namespace(sets=[]) %} {% if bridge.forward is vyos_defined %} {% for prior, conf in bridge.forward.items() %} chain VYOS_FORWARD_{{ prior }} { type filter hook forward priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule('FWD', prior, rule_id, 'bri') }} @@ -17,6 +21,46 @@ {% endfor %} {% endif %} +{% if bridge.input is vyos_defined %} +{% for prior, conf in bridge.input.items() %} + chain VYOS_INPUT_{{ prior }} { + type filter hook input priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('INP', prior, rule_id, 'bri') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('INP-filter', 'bri') }} + } +{% endfor %} +{% endif %} + +{% if bridge.output is vyos_defined %} +{% for prior, conf in bridge.output.items() %} + chain VYOS_OUTUT_{{ prior }} { + type filter hook output priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('OUT', prior, rule_id, 'bri') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['OUT_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('OUT-filter', 'bri') }} + } +{% endfor %} +{% endif %} + {% if bridge.name is vyos_defined %} {% for name_text, conf in bridge.name.items() %} chain NAME_{{ name_text }} { @@ -32,4 +76,45 @@ } {% endfor %} {% endif %} + +{% for set_name in ns.sets %} + set RECENT_{{ set_name }} { + type ipv4_addr + size 65535 + flags dynamic + } +{% endfor %} +{% for set_name in ip_fqdn %} + set FQDN_{{ set_name }} { + type ipv4_addr + flags interval + } +{% endfor %} +{% if geoip_updated.name is vyos_defined %} +{% for setname in geoip_updated.name %} + set {{ setname }} { + type ipv4_addr + flags interval + } +{% endfor %} +{% endif %} + +{{ group_tmpl.groups(group, False, True) }} +{{ group_tmpl.groups(group, True, True) }} + +{% if global_options.state_policy is vyos_defined %} + chain VYOS_STATE_POLICY { +{% if global_options.state_policy.established is vyos_defined %} + {{ global_options.state_policy.established | nft_state_policy('established') }} +{% endif %} +{% if global_options.state_policy.invalid is vyos_defined %} + {{ global_options.state_policy.invalid | nft_state_policy('invalid') }} +{% endif %} +{% if global_options.state_policy.related is vyos_defined %} + {{ global_options.state_policy.related | nft_state_policy('related') }} +{% endif %} + return + } +{% endif %} + {% endmacro %} diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2 index 8a75ab2d6..fa6cd74c0 100644 --- a/data/templates/firewall/nftables-defines.j2 +++ b/data/templates/firewall/nftables-defines.j2 @@ -1,7 +1,7 @@ {% macro groups(group, is_ipv6, is_l3) %} {% if group is vyos_defined %} {% set ip_type = 'ipv6_addr' if is_ipv6 else 'ipv4_addr' %} -{% if group.address_group is vyos_defined and not is_ipv6 and is_l3 %} +{% if group.address_group is vyos_defined and not is_ipv6 %} {% for group_name, group_conf in group.address_group.items() %} {% set includes = group_conf.include if group_conf.include is vyos_defined else [] %} set A_{{ group_name }} { @@ -14,7 +14,7 @@ } {% endfor %} {% endif %} -{% if group.ipv6_address_group is vyos_defined and is_ipv6 and is_l3 %} +{% if group.ipv6_address_group is vyos_defined and is_ipv6 %} {% for group_name, group_conf in group.ipv6_address_group.items() %} {% set includes = group_conf.include if group_conf.include is vyos_defined else [] %} set A6_{{ group_name }} { @@ -46,7 +46,7 @@ } {% endfor %} {% endif %} -{% if group.network_group is vyos_defined and not is_ipv6 and is_l3 %} +{% if group.network_group is vyos_defined and not is_ipv6 %} {% for group_name, group_conf in group.network_group.items() %} {% set includes = group_conf.include if group_conf.include is vyos_defined else [] %} set N_{{ group_name }} { @@ -59,7 +59,7 @@ } {% endfor %} {% endif %} -{% if group.ipv6_network_group is vyos_defined and is_ipv6 and is_l3 %} +{% if group.ipv6_network_group is vyos_defined and is_ipv6 %} {% for group_name, group_conf in group.ipv6_network_group.items() %} {% set includes = group_conf.include if group_conf.include is vyos_defined else [] %} set N6_{{ group_name }} { @@ -72,7 +72,7 @@ } {% endfor %} {% endif %} -{% if group.port_group is vyos_defined and is_l3 %} +{% if group.port_group is vyos_defined %} {% for group_name, group_conf in group.port_group.items() %} {% set includes = group_conf.include if group_conf.include is vyos_defined else [] %} set P_{{ group_name }} { diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 68a3bfd87..82dcefac0 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -339,7 +339,104 @@ table ip6 vyos_filter { delete table bridge vyos_filter {% endif %} table bridge vyos_filter { -{{ bridge_tmpl.bridge(bridge) }} +{% if bridge is vyos_defined %} +{% if bridge.forward is vyos_defined %} +{% for prior, conf in bridge.forward.items() %} + chain VYOS_FORWARD_{{ prior }} { + type filter hook forward priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('FWD', prior, rule_id, 'bri') }} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('FWD-' + prior, 'bri') }} + } +{% endfor %} +{% endif %} + +{% if bridge.input is vyos_defined %} +{% for prior, conf in bridge.input.items() %} + chain VYOS_INPUT_{{ prior }} { + type filter hook input priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('INP', prior, rule_id, 'bri') }} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('INP-' + prior, 'bri') }} + } +{% endfor %} +{% endif %} + +{% if bridge.output is vyos_defined %} +{% for prior, conf in bridge.output.items() %} + chain VYOS_OUTUT_{{ prior }} { + type filter hook output priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('OUT', prior, rule_id, 'bri') }} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('OUT-' + prior, 'bri') }} + } +{% endfor %} +{% endif %} + +{% if bridge.prerouting is vyos_defined %} +{% for prior, conf in bridge.prerouting.items() %} + chain VYOS_PREROUTING_{{ prior }} { + type filter hook prerouting priority {{ prior }}; policy accept; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('PRE', prior, rule_id, 'bri') }} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('PRE-' + prior, 'bri') }} + } +{% endfor %} +{% endif %} + +{% if bridge.name is vyos_defined %} +{% for name_text, conf in bridge.name.items() %} + chain NAME_{{ name_text }} { +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('NAM', name_text, rule_id, 'bri') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule(name_text, 'bri') }} + } +{% endfor %} +{% endif %} + +{% endif %} {{ group_tmpl.groups(group, False, False) }} +{{ group_tmpl.groups(group, True, False) }} -} +{% if global_options.state_policy is vyos_defined %} + chain VYOS_STATE_POLICY { +{% if global_options.state_policy.established is vyos_defined %} + {{ global_options.state_policy.established | nft_state_policy('established') }} +{% endif %} +{% if global_options.state_policy.invalid is vyos_defined %} + {{ global_options.state_policy.invalid | nft_state_policy('invalid') }} +{% endif %} +{% if global_options.state_policy.related is vyos_defined %} + {{ global_options.state_policy.related | nft_state_policy('related') }} +{% endif %} + return + } +{% endif %} +}
\ No newline at end of file diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index dc4625af0..816dd1855 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -367,6 +367,9 @@ </properties> <children> #include <include/firewall/bridge-hook-forward.xml.i> + #include <include/firewall/bridge-hook-input.xml.i> + #include <include/firewall/bridge-hook-output.xml.i> + #include <include/firewall/bridge-hook-prerouting.xml.i> #include <include/firewall/bridge-custom-name.xml.i> </children> </node> diff --git a/interface-definitions/include/firewall/address-inet.xml.i b/interface-definitions/include/firewall/address-inet.xml.i new file mode 100644 index 000000000..02ed8f6e4 --- /dev/null +++ b/interface-definitions/include/firewall/address-inet.xml.i @@ -0,0 +1,63 @@ +<!-- include start from firewall/address-inet.xml.i --> +<leafNode name="address"> + <properties> + <help>IP address, subnet, or range</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address to match</description> + </valueHelp> + <valueHelp> + <format>ipv4net</format> + <description>IPv4 prefix to match</description> + </valueHelp> + <valueHelp> + <format>ipv4range</format> + <description>IPv4 address range to match</description> + </valueHelp> + <valueHelp> + <format>!ipv4</format> + <description>Match everything except the specified address</description> + </valueHelp> + <valueHelp> + <format>!ipv4net</format> + <description>Match everything except the specified prefix</description> + </valueHelp> + <valueHelp> + <format>!ipv4range</format> + <description>Match everything except the specified range</description> + </valueHelp> + <valueHelp> + <format>ipv6net</format> + <description>Subnet to match</description> + </valueHelp> + <valueHelp> + <format>ipv6range</format> + <description>IP range to match</description> + </valueHelp> + <valueHelp> + <format>!ipv6</format> + <description>Match everything except the specified address</description> + </valueHelp> + <valueHelp> + <format>!ipv6net</format> + <description>Match everything except the specified prefix</description> + </valueHelp> + <valueHelp> + <format>!ipv6range</format> + <description>Match everything except the specified range</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv4-prefix"/> + <validator name="ipv4-range"/> + <validator name="ipv4-address-exclude"/> + <validator name="ipv4-prefix-exclude"/> + <validator name="ipv4-range-exclude"/> + <validator name="ipv6"/> + <validator name="ipv6-exclude"/> + <validator name="ipv6-range"/> + <validator name="ipv6-range-exclude"/> + </constraint> + </properties> +</leafNode> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/address-mask-inet.xml.i b/interface-definitions/include/firewall/address-mask-inet.xml.i new file mode 100644 index 000000000..e2a5927ab --- /dev/null +++ b/interface-definitions/include/firewall/address-mask-inet.xml.i @@ -0,0 +1,19 @@ +<!-- include start from firewall/address-mask-inet.xml.i --> +<leafNode name="address-mask"> + <properties> + <help>IP mask</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 mask to apply</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IP mask to apply</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv6"/> + </constraint> + </properties> +</leafNode> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/bridge-custom-name.xml.i b/interface-definitions/include/firewall/bridge-custom-name.xml.i index 654493c0e..48d48949e 100644 --- a/interface-definitions/include/firewall/bridge-custom-name.xml.i +++ b/interface-definitions/include/firewall/bridge-custom-name.xml.i @@ -32,6 +32,11 @@ </properties> <children> #include <include/firewall/common-rule-bridge.xml.i> + #include <include/firewall/connection-mark.xml.i> + #include <include/firewall/connection-status.xml.i> + #include <include/firewall/state.xml.i> + #include <include/firewall/inbound-interface.xml.i> + #include <include/firewall/outbound-interface.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/include/firewall/bridge-hook-forward.xml.i b/interface-definitions/include/firewall/bridge-hook-forward.xml.i index 99f66ec77..0bc1fc357 100644 --- a/interface-definitions/include/firewall/bridge-hook-forward.xml.i +++ b/interface-definitions/include/firewall/bridge-hook-forward.xml.i @@ -26,6 +26,11 @@ </properties> <children> #include <include/firewall/common-rule-bridge.xml.i> + #include <include/firewall/connection-mark.xml.i> + #include <include/firewall/connection-status.xml.i> + #include <include/firewall/state.xml.i> + #include <include/firewall/inbound-interface.xml.i> + #include <include/firewall/outbound-interface.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/include/firewall/bridge-hook-input.xml.i b/interface-definitions/include/firewall/bridge-hook-input.xml.i new file mode 100644 index 000000000..32de14d54 --- /dev/null +++ b/interface-definitions/include/firewall/bridge-hook-input.xml.i @@ -0,0 +1,39 @@ +<!-- include start from firewall/bridge-hook-input.xml.i --> +<node name="input"> + <properties> + <help>Bridge input firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>Bridge firewall input filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/firewall/default-log.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>Bridge Firewall input filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-bridge.xml.i> + #include <include/firewall/connection-mark.xml.i> + #include <include/firewall/connection-status.xml.i> + #include <include/firewall/state.xml.i> + #include <include/firewall/inbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/bridge-hook-output.xml.i b/interface-definitions/include/firewall/bridge-hook-output.xml.i new file mode 100644 index 000000000..da0c02470 --- /dev/null +++ b/interface-definitions/include/firewall/bridge-hook-output.xml.i @@ -0,0 +1,39 @@ +<!-- include start from firewall/bridge-hook-output.xml.i --> +<node name="output"> + <properties> + <help>Bridge output firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>Bridge firewall output filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/firewall/default-log.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>Bridge Firewall output filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-bridge.xml.i> + #include <include/firewall/connection-mark.xml.i> + #include <include/firewall/connection-status.xml.i> + #include <include/firewall/state.xml.i> + #include <include/firewall/outbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i b/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i new file mode 100644 index 000000000..b6c1fe87a --- /dev/null +++ b/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i @@ -0,0 +1,37 @@ +<!-- include start from firewall/bridge-hook-prerouting.xml.i --> +<node name="prerouting"> + <properties> + <help>Bridge prerouting firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>Bridge firewall prerouting filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/firewall/default-log.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>Bridge Firewall prerouting filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-bridge.xml.i> + #include <include/firewall/set-packet-modifications.xml.i> + #include <include/firewall/inbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/common-rule-bridge.xml.i b/interface-definitions/include/firewall/common-rule-bridge.xml.i index dcdd970ac..b47408aa8 100644 --- a/interface-definitions/include/firewall/common-rule-bridge.xml.i +++ b/interface-definitions/include/firewall/common-rule-bridge.xml.i @@ -1,15 +1,37 @@ <!-- include start from firewall/common-rule-bridge.xml.i --> +#include <include/generic-description.xml.i> +#include <include/generic-disable-node.xml.i> #include <include/firewall/action-l2.xml.i> +#include <include/firewall/dscp.xml.i> +#include <include/firewall/firewall-mark.xml.i> +#include <include/firewall/fragment.xml.i> +#include <include/firewall/hop-limit.xml.i> +#include <include/firewall/icmp.xml.i> +#include <include/firewall/icmpv6.xml.i> +#include <include/firewall/limit.xml.i> +#include <include/firewall/log.xml.i> +#include <include/firewall/log-options.xml.i> +#include <include/firewall/match-ipsec.xml.i> +#include <include/firewall/match-vlan.xml.i> #include <include/firewall/nft-queue.xml.i> +#include <include/firewall/packet-options.xml.i> +#include <include/firewall/protocol.xml.i> +#include <include/firewall/tcp-flags.xml.i> +#include <include/firewall/tcp-mss.xml.i> +#include <include/firewall/time.xml.i> +#include <include/firewall/ttl.xml.i> <node name="destination"> <properties> <help>Destination parameters</help> </properties> <children> #include <include/firewall/mac-address.xml.i> + #include <include/firewall/address-inet.xml.i> + #include <include/firewall/address-mask-inet.xml.i> + #include <include/firewall/port.xml.i> + #include <include/firewall/source-destination-group-inet.xml.i> </children> </node> -#include <include/generic-disable-node.xml.i> <leafNode name="jump-target"> <properties> <help>Set jump target. Action jump must be defined to use this setting</help> @@ -18,17 +40,16 @@ </completionHelp> </properties> </leafNode> -#include <include/firewall/log.xml.i> -#include <include/firewall/log-options.xml.i> <node name="source"> <properties> <help>Source parameters</help> </properties> <children> #include <include/firewall/mac-address.xml.i> + #include <include/firewall/address-inet.xml.i> + #include <include/firewall/address-mask-inet.xml.i> + #include <include/firewall/port.xml.i> + #include <include/firewall/source-destination-group-inet.xml.i> </children> </node> -#include <include/firewall/inbound-interface.xml.i> -#include <include/firewall/outbound-interface.xml.i> -#include <include/firewall/match-vlan.xml.i> <!-- include end --> diff --git a/interface-definitions/include/firewall/set-packet-modifications.xml.i b/interface-definitions/include/firewall/set-packet-modifications.xml.i new file mode 100644 index 000000000..eda568a0e --- /dev/null +++ b/interface-definitions/include/firewall/set-packet-modifications.xml.i @@ -0,0 +1,78 @@ +<!-- include start from firewall/set-packet-modifications.xml.i --> +<node name="set"> + <properties> + <help>Packet modifications</help> + </properties> + <children> + <leafNode name="connection-mark"> + <properties> + <help>Connection marking</help> + <valueHelp> + <format>u32:0-2147483647</format> + <description>Connection marking</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-2147483647"/> + </constraint> + </properties> + </leafNode> + <leafNode name="dscp"> + <properties> + <help>Packet Differentiated Services Codepoint (DSCP)</help> + <valueHelp> + <format>u32:0-63</format> + <description>DSCP number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-63"/> + </constraint> + </properties> + </leafNode> + <leafNode name="mark"> + <properties> + <help>Packet marking</help> + <valueHelp> + <format>u32:1-2147483647</format> + <description>Packet marking</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-2147483647"/> + </constraint> + </properties> + </leafNode> + <leafNode name="table"> + <properties> + <help>Routing table to forward packet with</help> + <valueHelp> + <format>u32:1-200</format> + <description>Table number</description> + </valueHelp> + <valueHelp> + <format>main</format> + <description>Main table</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-200"/> + <regex>(main)</regex> + </constraint> + <completionHelp> + <list>main</list> + <path>protocols static table</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="tcp-mss"> + <properties> + <help>TCP Maximum Segment Size</help> + <valueHelp> + <format>u32:500-1460</format> + <description>Explicitly set TCP MSS value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 500-1460"/> + </constraint> + </properties> + </leafNode> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/source-destination-group-inet.xml.i b/interface-definitions/include/firewall/source-destination-group-inet.xml.i new file mode 100644 index 000000000..174051624 --- /dev/null +++ b/interface-definitions/include/firewall/source-destination-group-inet.xml.i @@ -0,0 +1,50 @@ +<!-- include start from firewall/source-destination-group-inet.xml.i --> +<node name="group"> + <properties> + <help>Group</help> + </properties> + <children> + <leafNode name="ipv4-address-group"> + <properties> + <help>Group of IPv4 addresses</help> + <completionHelp> + <path>firewall group address-group</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="ipv6-address-group"> + <properties> + <help>Group of IPv6 addresses</help> + <completionHelp> + <path>firewall group ipv6-address-group</path> + </completionHelp> + </properties> + </leafNode> + #include <include/firewall/mac-group.xml.i> + <leafNode name="ipv4-network-group"> + <properties> + <help>Group of IPv4 networks</help> + <completionHelp> + <path>firewall group network-group</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="ipv6-network-group"> + <properties> + <help>Group of IPv6 networks</help> + <completionHelp> + <path>firewall group ipv6-network-group</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="port-group"> + <properties> + <help>Group of ports</help> + <completionHelp> + <path>firewall group port-group</path> + </completionHelp> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i index 203be73e7..19ffc0506 100644 --- a/interface-definitions/include/policy/route-common.xml.i +++ b/interface-definitions/include/policy/route-common.xml.i @@ -66,100 +66,7 @@ </leafNode> </children> </node> -<node name="set"> - <properties> - <help>Packet modifications</help> - </properties> - <children> - <leafNode name="connection-mark"> - <properties> - <help>Connection marking</help> - <valueHelp> - <format>u32:0-2147483647</format> - <description>Connection marking</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-2147483647"/> - </constraint> - </properties> - </leafNode> - <leafNode name="dscp"> - <properties> - <help>Packet Differentiated Services Codepoint (DSCP)</help> - <valueHelp> - <format>u32:0-63</format> - <description>DSCP number</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-63"/> - </constraint> - </properties> - </leafNode> - <leafNode name="mark"> - <properties> - <help>Packet marking</help> - <valueHelp> - <format>u32:1-2147483647</format> - <description>Packet marking</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-2147483647"/> - </constraint> - </properties> - </leafNode> - <leafNode name="table"> - <properties> - <help>Routing table to forward packet with</help> - <valueHelp> - <format>u32:1-200</format> - <description>Table number</description> - </valueHelp> - <valueHelp> - <format>main</format> - <description>Main table</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-200"/> - <regex>(main)</regex> - </constraint> - <completionHelp> - <list>main</list> - <path>protocols static table</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="vrf"> - <properties> - <help>VRF to forward packet with</help> - <valueHelp> - <format>txt</format> - <description>VRF instance name</description> - </valueHelp> - <valueHelp> - <format>default</format> - <description>Forward into default global VRF</description> - </valueHelp> - <completionHelp> - <list>default</list> - <path>vrf name</path> - </completionHelp> - #include <include/constraint/vrf.xml.i> - </properties> - </leafNode> - <leafNode name="tcp-mss"> - <properties> - <help>TCP Maximum Segment Size</help> - <valueHelp> - <format>u32:500-1460</format> - <description>Explicitly set TCP MSS value</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 500-1460"/> - </constraint> - </properties> - </leafNode> - </children> -</node> +#include <include/firewall/set-packet-modifications.xml.i> #include <include/firewall/state.xml.i> #include <include/firewall/tcp-flags.xml.i> #include <include/firewall/tcp-mss.xml.i> diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index facd498ca..cac6d2953 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -167,7 +167,10 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name): if address_mask: operator = '!=' if exclude else '==' operator = f'& {address_mask} {operator} ' - output.append(f'{ip_name} {prefix}addr {operator}{suffix}') + if is_ipv4(suffix): + output.append(f'ip {prefix}addr {operator}{suffix}') + else: + output.append(f'ip6 {prefix}addr {operator}{suffix}') if 'fqdn' in side_conf: fqdn = side_conf['fqdn'] @@ -236,22 +239,38 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name): if 'group' in side_conf: group = side_conf['group'] - if 'address_group' in group: - group_name = group['address_group'] - operator = '' - exclude = group_name[0] == "!" - if exclude: - operator = '!=' - group_name = group_name[1:] - if address_mask: - operator = '!=' if exclude else '==' - operator = f'& {address_mask} {operator}' - output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}') - elif 'dynamic_address_group' in group: + for ipvx_address_group in ['address_group', 'ipv4_address_group', 'ipv6_address_group']: + if ipvx_address_group in group: + group_name = group[ipvx_address_group] + operator = '' + exclude = group_name[0] == "!" + if exclude: + operator = '!=' + group_name = group_name[1:] + if address_mask: + operator = '!=' if exclude else '==' + operator = f'& {address_mask} {operator}' + # for bridge, change ip_name + if ip_name == 'bri': + ip_name = 'ip' if ipvx_address_group == 'ipv4_address_group' else 'ip6' + def_suffix = '6' if ipvx_address_group == 'ipv6_address_group' else '' + output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}') + for ipvx_network_group in ['network_group', 'ipv4_network_group', 'ipv6_network_group']: + if ipvx_network_group in group: + group_name = group[ipvx_network_group] + operator = '' + if group_name[0] == "!": + operator = '!=' + group_name = group_name[1:] + # for bridge, change ip_name + if ip_name == 'bri': + ip_name = 'ip' if ipvx_network_group == 'ipv4_network_group' else 'ip6' + def_suffix = '6' if ipvx_network_group == 'ipv6_network_group' else '' + output.append(f'{ip_name} {prefix}addr {operator} @N{def_suffix}_{group_name}') + if 'dynamic_address_group' in group: group_name = group['dynamic_address_group'] operator = '' - exclude = group_name[0] == "!" - if exclude: + if group_name[0] == "!": operator = '!=' group_name = group_name[1:] output.append(f'{ip_name} {prefix}addr {operator} @DA{def_suffix}_{group_name}') @@ -263,13 +282,6 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name): operator = '!=' group_name = group_name[1:] output.append(f'{ip_name} {prefix}addr {operator} @D_{group_name}') - elif 'network_group' in group: - group_name = group['network_group'] - operator = '' - if group_name[0] == '!': - operator = '!=' - group_name = group_name[1:] - output.append(f'{ip_name} {prefix}addr {operator} @N{def_suffix}_{group_name}') if 'mac_group' in group: group_name = group['mac_group'] operator = '' |