diff options
| author | Daniil Baturin <daniil@vyos.io> | 2024-10-04 12:21:51 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-10-04 12:21:51 +0100 |
| commit | 2a46c1cfb229f0e473b91aeaf8dfd278527ccda6 (patch) | |
| tree | c7b547b5ddd9f3a34d402cf09f22c238677ff087 | |
| parent | 43f646d6046e6edf62456f9e414cf1e1f1638e40 (diff) | |
| parent | e846d2c1500df83742eb803684980396857cc0f1 (diff) | |
| download | vyos-1x-2a46c1cfb229f0e473b91aeaf8dfd278527ccda6.tar.gz vyos-1x-2a46c1cfb229f0e473b91aeaf8dfd278527ccda6.zip | |
Merge pull request #4123 from nicolas-fort/fwall_set_commands
T6760: firewall: add packet modifications existing in policy route to regular firewall ruleset.
22 files changed, 262 insertions, 102 deletions
diff --git a/interface-definitions/include/firewall/bridge-hook-forward.xml.i b/interface-definitions/include/firewall/bridge-hook-forward.xml.i index fcc981925..03ac26cf6 100644 --- a/interface-definitions/include/firewall/bridge-hook-forward.xml.i +++ b/interface-definitions/include/firewall/bridge-hook-forward.xml.i @@ -32,6 +32,12 @@ #include <include/firewall/state.xml.i> #include <include/firewall/inbound-interface.xml.i> #include <include/firewall/outbound-interface.xml.i> + #include <include/firewall/set-packet-modifications-dscp.xml.i> + #include <include/firewall/set-packet-modifications-conn-mark.xml.i> + #include <include/firewall/set-packet-modifications-mark.xml.i> + #include <include/firewall/set-packet-modifications-tcp-mss.xml.i> + #include <include/firewall/set-packet-modifications-ttl.xml.i> + #include <include/firewall/set-packet-modifications-hop-limit.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/include/firewall/bridge-hook-output.xml.i b/interface-definitions/include/firewall/bridge-hook-output.xml.i index 38b8b08ca..853315989 100644 --- a/interface-definitions/include/firewall/bridge-hook-output.xml.i +++ b/interface-definitions/include/firewall/bridge-hook-output.xml.i @@ -31,6 +31,12 @@ #include <include/firewall/connection-status.xml.i> #include <include/firewall/state.xml.i> #include <include/firewall/outbound-interface.xml.i> + #include <include/firewall/set-packet-modifications-dscp.xml.i> + #include <include/firewall/set-packet-modifications-conn-mark.xml.i> + #include <include/firewall/set-packet-modifications-mark.xml.i> + #include <include/firewall/set-packet-modifications-tcp-mss.xml.i> + #include <include/firewall/set-packet-modifications-ttl.xml.i> + #include <include/firewall/set-packet-modifications-hop-limit.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i b/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i index ea567644f..7a45f5cd1 100644 --- a/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i +++ b/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i @@ -28,6 +28,11 @@ #include <include/firewall/common-rule-bridge.xml.i> #include <include/firewall/action-and-notrack.xml.i> #include <include/firewall/inbound-interface.xml.i> + #include <include/firewall/set-packet-modifications-dscp.xml.i> + #include <include/firewall/set-packet-modifications-mark.xml.i> + #include <include/firewall/set-packet-modifications-tcp-mss.xml.i> + #include <include/firewall/set-packet-modifications-ttl.xml.i> + #include <include/firewall/set-packet-modifications-hop-limit.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i index 8046b2d6c..b08262e2d 100644 --- a/interface-definitions/include/firewall/ipv4-custom-name.xml.i +++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i @@ -36,6 +36,12 @@ #include <include/firewall/match-ipsec.xml.i> #include <include/firewall/offload-target.xml.i> #include <include/firewall/outbound-interface.xml.i> + #include <include/firewall/set-packet-modifications-dscp.xml.i> + #include <include/firewall/set-packet-modifications-conn-mark.xml.i> + #include <include/firewall/set-packet-modifications-mark.xml.i> + #include <include/firewall/set-packet-modifications-tcp-mss.xml.i> + #include <include/firewall/set-packet-modifications-ttl.xml.i> + </children> </tagNode> </children> diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i index b0e240a03..a2da4b701 100644 --- a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i @@ -31,6 +31,11 @@ #include <include/firewall/match-ipsec.xml.i> #include <include/firewall/offload-target.xml.i> #include <include/firewall/outbound-interface.xml.i> + #include <include/firewall/set-packet-modifications-dscp.xml.i> + #include <include/firewall/set-packet-modifications-conn-mark.xml.i> + #include <include/firewall/set-packet-modifications-mark.xml.i> + #include <include/firewall/set-packet-modifications-tcp-mss.xml.i> + #include <include/firewall/set-packet-modifications-ttl.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i index ee9157592..f68136557 100644 --- a/interface-definitions/include/firewall/ipv4-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i @@ -28,6 +28,11 @@ #include <include/firewall/common-rule-ipv4.xml.i> #include <include/firewall/match-ipsec-out.xml.i> #include <include/firewall/outbound-interface.xml.i> + #include <include/firewall/set-packet-modifications-dscp.xml.i> + #include <include/firewall/set-packet-modifications-conn-mark.xml.i> + #include <include/firewall/set-packet-modifications-mark.xml.i> + #include <include/firewall/set-packet-modifications-tcp-mss.xml.i> + #include <include/firewall/set-packet-modifications-ttl.xml.i> </children> </tagNode> </children> @@ -56,6 +61,11 @@ #include <include/firewall/common-rule-ipv4-raw.xml.i> #include <include/firewall/match-ipsec-out.xml.i> #include <include/firewall/outbound-interface.xml.i> + #include <include/firewall/set-packet-modifications-dscp.xml.i> + #include <include/firewall/set-packet-modifications-conn-mark.xml.i> + #include <include/firewall/set-packet-modifications-mark.xml.i> + #include <include/firewall/set-packet-modifications-tcp-mss.xml.i> + #include <include/firewall/set-packet-modifications-ttl.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i index b431303ae..6f9fe6842 100644 --- a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i @@ -35,6 +35,10 @@ #include <include/firewall/common-rule-ipv4-raw.xml.i> #include <include/firewall/match-ipsec-in.xml.i> #include <include/firewall/inbound-interface.xml.i> + #include <include/firewall/set-packet-modifications-dscp.xml.i> + #include <include/firewall/set-packet-modifications-mark.xml.i> + #include <include/firewall/set-packet-modifications-tcp-mss.xml.i> + #include <include/firewall/set-packet-modifications-ttl.xml.i> <leafNode name="jump-target"> <properties> <help>Set jump target. Action jump must be defined to use this setting</help> diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i index fb8740c38..d49267b52 100644 --- a/interface-definitions/include/firewall/ipv6-custom-name.xml.i +++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i @@ -36,6 +36,11 @@ #include <include/firewall/match-ipsec.xml.i> #include <include/firewall/offload-target.xml.i> #include <include/firewall/outbound-interface.xml.i> + #include <include/firewall/set-packet-modifications-dscp.xml.i> + #include <include/firewall/set-packet-modifications-conn-mark.xml.i> + #include <include/firewall/set-packet-modifications-mark.xml.i> + #include <include/firewall/set-packet-modifications-tcp-mss.xml.i> + #include <include/firewall/set-packet-modifications-hop-limit.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i index 7efc2614e..79898d691 100644 --- a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i @@ -31,6 +31,11 @@ #include <include/firewall/match-ipsec.xml.i> #include <include/firewall/offload-target.xml.i> #include <include/firewall/outbound-interface.xml.i> + #include <include/firewall/set-packet-modifications-dscp.xml.i> + #include <include/firewall/set-packet-modifications-conn-mark.xml.i> + #include <include/firewall/set-packet-modifications-mark.xml.i> + #include <include/firewall/set-packet-modifications-tcp-mss.xml.i> + #include <include/firewall/set-packet-modifications-hop-limit.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i index d3c4c1ead..9a6d0bb77 100644 --- a/interface-definitions/include/firewall/ipv6-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i @@ -28,6 +28,11 @@ #include <include/firewall/common-rule-ipv6.xml.i> #include <include/firewall/match-ipsec-out.xml.i> #include <include/firewall/outbound-interface.xml.i> + #include <include/firewall/set-packet-modifications-dscp.xml.i> + #include <include/firewall/set-packet-modifications-conn-mark.xml.i> + #include <include/firewall/set-packet-modifications-mark.xml.i> + #include <include/firewall/set-packet-modifications-tcp-mss.xml.i> + #include <include/firewall/set-packet-modifications-hop-limit.xml.i> </children> </tagNode> </children> @@ -56,6 +61,11 @@ #include <include/firewall/common-rule-ipv6-raw.xml.i> #include <include/firewall/match-ipsec-out.xml.i> #include <include/firewall/outbound-interface.xml.i> + #include <include/firewall/set-packet-modifications-dscp.xml.i> + #include <include/firewall/set-packet-modifications-conn-mark.xml.i> + #include <include/firewall/set-packet-modifications-mark.xml.i> + #include <include/firewall/set-packet-modifications-tcp-mss.xml.i> + #include <include/firewall/set-packet-modifications-hop-limit.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i index 21f8de6f9..15454bbbf 100644 --- a/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i @@ -35,6 +35,10 @@ #include <include/firewall/common-rule-ipv6-raw.xml.i> #include <include/firewall/match-ipsec-in.xml.i> #include <include/firewall/inbound-interface.xml.i> + #include <include/firewall/set-packet-modifications-dscp.xml.i> + #include <include/firewall/set-packet-modifications-mark.xml.i> + #include <include/firewall/set-packet-modifications-tcp-mss.xml.i> + #include <include/firewall/set-packet-modifications-hop-limit.xml.i> <leafNode name="jump-target"> <properties> <help>Set jump target. Action jump must be defined to use this setting</help> diff --git a/interface-definitions/include/firewall/set-packet-modifications-conn-mark.xml.i b/interface-definitions/include/firewall/set-packet-modifications-conn-mark.xml.i new file mode 100644 index 000000000..dff95d324 --- /dev/null +++ b/interface-definitions/include/firewall/set-packet-modifications-conn-mark.xml.i @@ -0,0 +1,21 @@ +<!-- include start from firewall/set-packet-modifications-conn-mark.xml.i --> +<node name="set"> + <properties> + <help>Packet modifications</help> + </properties> + <children> + <leafNode name="connection-mark"> + <properties> + <help>Set connection mark</help> + <valueHelp> + <format>u32:0-2147483647</format> + <description>Connection mark</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-2147483647"/> + </constraint> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/set-packet-modifications-dscp.xml.i b/interface-definitions/include/firewall/set-packet-modifications-dscp.xml.i new file mode 100644 index 000000000..5082806fb --- /dev/null +++ b/interface-definitions/include/firewall/set-packet-modifications-dscp.xml.i @@ -0,0 +1,21 @@ +<!-- include start from firewall/set-packet-modifications-dscp.xml.i --> +<node name="set"> + <properties> + <help>Packet modifications</help> + </properties> + <children> + <leafNode name="dscp"> + <properties> + <help>Set DSCP (Packet Differentiated Services Codepoint) bits</help> + <valueHelp> + <format>u32:0-63</format> + <description>DSCP number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-63"/> + </constraint> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/set-packet-modifications-hop-limit.xml.i b/interface-definitions/include/firewall/set-packet-modifications-hop-limit.xml.i new file mode 100755 index 000000000..8a6e5347a --- /dev/null +++ b/interface-definitions/include/firewall/set-packet-modifications-hop-limit.xml.i @@ -0,0 +1,21 @@ +<!-- include start from firewall/set-packet-modifications-hop-limit.xml.i --> +<node name="set"> + <properties> + <help>Packet modifications</help> + </properties> + <children> + <leafNode name="hop-limit"> + <properties> + <help>Set hop limit</help> + <valueHelp> + <format>u32:0-255</format> + <description>Hop limit number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/set-packet-modifications-mark.xml.i b/interface-definitions/include/firewall/set-packet-modifications-mark.xml.i new file mode 100644 index 000000000..b229d0579 --- /dev/null +++ b/interface-definitions/include/firewall/set-packet-modifications-mark.xml.i @@ -0,0 +1,21 @@ +<!-- include start from firewall/set-packet-modifications-mark.xml.i --> +<node name="set"> + <properties> + <help>Packet modifications</help> + </properties> + <children> + <leafNode name="mark"> + <properties> + <help>Set packet mark</help> + <valueHelp> + <format>u32:1-2147483647</format> + <description>Packet mark</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-2147483647"/> + </constraint> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/set-packet-modifications-table-and-vrf.xml.i b/interface-definitions/include/firewall/set-packet-modifications-table-and-vrf.xml.i new file mode 100644 index 000000000..c7875b31d --- /dev/null +++ b/interface-definitions/include/firewall/set-packet-modifications-table-and-vrf.xml.i @@ -0,0 +1,48 @@ +<!-- include start from firewall/set-packet-modifications-table-and-vrf.xml.i --> +<node name="set"> + <properties> + <help>Packet modifications</help> + </properties> + <children> + <leafNode name="table"> + <properties> + <help>Set the routing table for matched packets</help> + <valueHelp> + <format>u32:1-200</format> + <description>Table number</description> + </valueHelp> + <valueHelp> + <format>main</format> + <description>Main table</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-200"/> + <regex>(main)</regex> + </constraint> + <completionHelp> + <list>main</list> + <path>protocols static table</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="vrf"> + <properties> + <help>VRF to forward packet with</help> + <valueHelp> + <format>txt</format> + <description>VRF instance name</description> + </valueHelp> + <valueHelp> + <format>default</format> + <description>Forward into default global VRF</description> + </valueHelp> + <completionHelp> + <list>default</list> + <path>vrf name</path> + </completionHelp> + #include <include/constraint/vrf.xml.i> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/set-packet-modifications-tcp-mss.xml.i b/interface-definitions/include/firewall/set-packet-modifications-tcp-mss.xml.i new file mode 100644 index 000000000..06ffdfede --- /dev/null +++ b/interface-definitions/include/firewall/set-packet-modifications-tcp-mss.xml.i @@ -0,0 +1,21 @@ +<!-- include start from firewall/set-packet-modifications-tcp-mss.xml.i --> +<node name="set"> + <properties> + <help>Packet modifications</help> + </properties> + <children> + <leafNode name="tcp-mss"> + <properties> + <help>Set TCP Maximum Segment Size</help> + <valueHelp> + <format>u32:500-1460</format> + <description>Explicitly set TCP MSS value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 500-1460"/> + </constraint> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/set-packet-modifications-ttl.xml.i b/interface-definitions/include/firewall/set-packet-modifications-ttl.xml.i new file mode 100755 index 000000000..e2f14050b --- /dev/null +++ b/interface-definitions/include/firewall/set-packet-modifications-ttl.xml.i @@ -0,0 +1,21 @@ +<!-- include start from firewall/set-packet-modifications-ttl.xml.i --> +<node name="set"> + <properties> + <help>Packet modifications</help> + </properties> + <children> + <leafNode name="ttl"> + <properties> + <help>Set TTL (time to live)</help> + <valueHelp> + <format>u32:0-255</format> + <description>TTL number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/set-packet-modifications.xml.i b/interface-definitions/include/firewall/set-packet-modifications.xml.i deleted file mode 100644 index ee019b64e..000000000 --- a/interface-definitions/include/firewall/set-packet-modifications.xml.i +++ /dev/null @@ -1,96 +0,0 @@ -<!-- include start from firewall/set-packet-modifications.xml.i --> -<node name="set"> - <properties> - <help>Packet modifications</help> - </properties> - <children> - <leafNode name="connection-mark"> - <properties> - <help>Set connection mark</help> - <valueHelp> - <format>u32:0-2147483647</format> - <description>Connection mark</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-2147483647"/> - </constraint> - </properties> - </leafNode> - <leafNode name="dscp"> - <properties> - <help>Set DSCP (Packet Differentiated Services Codepoint) bits</help> - <valueHelp> - <format>u32:0-63</format> - <description>DSCP number</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-63"/> - </constraint> - </properties> - </leafNode> - <leafNode name="mark"> - <properties> - <help>Set packet mark</help> - <valueHelp> - <format>u32:1-2147483647</format> - <description>Packet mark</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-2147483647"/> - </constraint> - </properties> - </leafNode> - <leafNode name="table"> - <properties> - <help>Set the routing table for matched packets</help> - <valueHelp> - <format>u32:1-200</format> - <description>Table number</description> - </valueHelp> - <valueHelp> - <format>main</format> - <description>Main table</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-200"/> - <regex>(main)</regex> - </constraint> - <completionHelp> - <list>main</list> - <path>protocols static table</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="vrf"> - <properties> - <help>VRF to forward packet with</help> - <valueHelp> - <format>txt</format> - <description>VRF instance name</description> - </valueHelp> - <valueHelp> - <format>default</format> - <description>Forward into default global VRF</description> - </valueHelp> - <completionHelp> - <list>default</list> - <path>vrf name</path> - </completionHelp> - #include <include/constraint/vrf.xml.i> - </properties> - </leafNode> - <leafNode name="tcp-mss"> - <properties> - <help>Set TCP Maximum Segment Size</help> - <valueHelp> - <format>u32:500-1460</format> - <description>Explicitly set TCP MSS value</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 500-1460"/> - </constraint> - </properties> - </leafNode> - </children> -</node> -<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i index 19ffc0506..5c69a5279 100644 --- a/interface-definitions/include/policy/route-common.xml.i +++ b/interface-definitions/include/policy/route-common.xml.i @@ -66,7 +66,11 @@ </leafNode> </children> </node> -#include <include/firewall/set-packet-modifications.xml.i> +#include <include/firewall/set-packet-modifications-conn-mark.xml.i> +#include <include/firewall/set-packet-modifications-dscp.xml.i> +#include <include/firewall/set-packet-modifications-mark.xml.i> +#include <include/firewall/set-packet-modifications-table-and-vrf.xml.i> +#include <include/firewall/set-packet-modifications-tcp-mss.xml.i> #include <include/firewall/state.xml.i> #include <include/firewall/tcp-flags.xml.i> #include <include/firewall/tcp-mss.xml.i> diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 34d0b73f6..314e8dfe3 100755 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -583,6 +583,12 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name): if 'tcp_mss' in rule_conf['set']: mss = rule_conf['set']['tcp_mss'] output.append(f'tcp option maxseg size set {mss}') + if 'ttl' in rule_conf['set']: + ttl = rule_conf['set']['ttl'] + output.append(f'ip ttl set {ttl}') + if 'hop_limit' in rule_conf['set']: + hoplimit = rule_conf['set']['hop_limit'] + output.append(f'ip6 hoplimit set {hoplimit}') if 'action' in rule_conf: if rule_conf['action'] == 'offload': diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index 3e9ec2935..2d18f0495 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -248,6 +248,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'ipv4', 'prerouting', 'raw', 'rule', '1', 'action', 'notrack']) self.cli_set(['firewall', 'ipv4', 'prerouting', 'raw', 'rule', '1', 'protocol', 'tcp']) self.cli_set(['firewall', 'ipv4', 'prerouting', 'raw', 'rule', '1', 'destination', 'port', '23']) + self.cli_set(['firewall', 'ipv4', 'prerouting', 'raw', 'rule', '1', 'set', 'mark', '55']) self.cli_commit() @@ -275,7 +276,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['OUT-raw default-action drop', 'drop'], ['chain VYOS_PREROUTING_raw'], ['type filter hook prerouting priority raw; policy accept;'], - ['tcp dport 23', 'notrack'], + ['tcp dport 23', 'meta mark set 0x00000037', 'notrack'], ['PRE-raw default-action accept', 'accept'], ['chain NAME_smoketest'], ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[ipv4-NAM-smoketest-1-A]" log level debug', 'ip ttl 15', 'accept'], @@ -315,6 +316,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'mark', '1010']) self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump']) self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name]) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'set', 'dscp', '32']) self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'protocol', 'tcp']) self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'mark', '!98765']) @@ -331,7 +333,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): nftables_search = [ ['chain VYOS_FORWARD_filter'], ['type filter hook forward priority filter; policy accept;'], - ['ip saddr 198.51.100.1-198.51.100.50', 'meta mark 0x000003f2', f'jump NAME_{name}'], + ['ip saddr 198.51.100.1-198.51.100.50', 'meta mark 0x000003f2', 'ip dscp set cs4', f'jump NAME_{name}'], ['FWD-filter default-action drop', 'drop'], ['chain VYOS_INPUT_filter'], ['type filter hook input priority filter; policy accept;'], @@ -485,6 +487,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'ipv6', 'prerouting', 'raw', 'rule', '1', 'action', 'drop']) self.cli_set(['firewall', 'ipv6', 'prerouting', 'raw', 'rule', '1', 'protocol', 'tcp']) self.cli_set(['firewall', 'ipv6', 'prerouting', 'raw', 'rule', '1', 'destination', 'port', '23']) + self.cli_set(['firewall', 'ipv6', 'prerouting', 'raw', 'rule', '1', 'set', 'hop-limit', '79']) self.cli_commit() @@ -507,7 +510,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['OUT-raw default-action drop', 'drop'], ['chain VYOS_IPV6_PREROUTING_raw'], ['type filter hook prerouting priority raw; policy accept;'], - ['tcp dport 23', 'drop'], + ['tcp dport 23', 'ip6 hoplimit set 79', 'drop'], ['PRE-raw default-action accept', 'accept'], [f'chain NAME6_{name}'], ['saddr 2002::1-2002::10', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'], @@ -722,9 +725,12 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '1', 'action', 'accept']) self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '1', 'vlan', 'id', vlan_id]) self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '1', 'vlan', 'ethernet-type', 'ipv4']) + self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '1', 'set', 'connection-mark', '123123']) + self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '2', 'action', 'jump']) self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '2', 'jump-target', name]) self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '2', 'vlan', 'priority', vlan_prior]) + self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '2', 'set', 'ttl', '128']) self.cli_set(['firewall', 'bridge', 'input', 'filter', 'rule', '1', 'action', 'accept']) self.cli_set(['firewall', 'bridge', 'input', 'filter', 'rule', '1', 'inbound-interface', 'name', interface_in]) @@ -746,8 +752,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['chain VYOS_FORWARD_filter'], ['type filter hook forward priority filter; policy accept;'], ['jump VYOS_STATE_POLICY'], - [f'vlan id {vlan_id}', 'vlan type ip', 'accept'], - [f'vlan pcp {vlan_prior}', f'jump NAME_{name}'], + [f'vlan id {vlan_id}', 'vlan type ip', 'ct mark set 0x0001e0f3', 'accept'], + [f'vlan pcp {vlan_prior}', 'ip ttl set 128', f'jump NAME_{name}'], ['log prefix "[bri-FWD-filter-default-D]"', 'drop', 'FWD-filter default-action drop'], [f'chain NAME_{name}'], [f'ether saddr {mac_address}', f'iifname "{interface_in}"', f'log prefix "[bri-NAM-{name}-1-A]" log level crit', 'accept'], |