Merge pull request #1718 from nicolas-fort/T4886_conn_mark

T4886: Firewall and route policy: Add connection-mark feature to vyos.
author: Christian Poessinger <christian@poessinger.com> 2022-12-19 19:32:45 +0100
committer: GitHub <noreply@github.com> 2022-12-19 19:32:45 +0100
commit: 71d2c583e3b8331e877bbb2f364b6da5c0a587a0 (patch)
tree: 41069c9cf16f53091ee13812aed97cf3f2194ff0
parent: c4097097487467300a0a63c8a75f670dc0429f7c (diff)
parent: d9c9092dcdc430b26a326345934c4513534bff9b (diff)
download: vyos-1x-71d2c583e3b8331e877bbb2f364b6da5c0a587a0.tar.gz
vyos-1x-71d2c583e3b8331e877bbb2f364b6da5c0a587a0.zip
7 files changed, 64 insertions, 1 deletions
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index c964abb41..7d7e0a38f 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -461,6 +461,7 @@
               #include <include/firewall/dscp.xml.i>
               #include <include/firewall/packet-length.xml.i>
               #include <include/firewall/hop-limit.xml.i>
+              #include <include/firewall/connection-mark.xml.i>
               <node name="icmpv6">
                 <properties>
                   <help>ICMPv6 type and code information</help>
@@ -628,6 +629,7 @@
               #include <include/firewall/common-rule.xml.i>
               #include <include/firewall/dscp.xml.i>
               #include <include/firewall/packet-length.xml.i>
+              #include <include/firewall/connection-mark.xml.i>
               <node name="icmp">
                 <properties>
                   <help>ICMP type and code information</help>
diff --git a/interface-definitions/include/firewall/connection-mark.xml.i b/interface-definitions/include/firewall/connection-mark.xml.i
new file mode 100644
index 000000000..2cb826635
--- /dev/null
+++ b/interface-definitions/include/firewall/connection-mark.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from firewall/connection-mark.xml.i -->
+<leafNode name="connection-mark">
+  <properties>
+    <help>Connection mark</help>
+    <valueHelp>
+      <format>u32:1-2147483647</format>
+      <description>Connection-mark to match</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-2147483647"/>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i
index 8b959c2a4..6973d7a8f 100644
--- a/interface-definitions/include/policy/route-common.xml.i
+++ b/interface-definitions/include/policy/route-common.xml.i
@@ -159,6 +159,18 @@
     <help>Packet modifications</help>
   </properties>
   <children>
+    <leafNode name="connection-mark">
+      <properties>
+        <help>Connection marking</help>
+        <valueHelp>
+          <format>u32:1-2147483647</format>
+          <description>Connection marking</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-2147483647"/>
+        </constraint>
+      </properties>
+    </leafNode>
     <leafNode name="dscp">
       <properties>
         <help>Packet Differentiated Services Codepoint (DSCP)</help>
diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in
index 48a5bf7d1..d7b159839 100644
--- a/interface-definitions/policy-route.xml.in
+++ b/interface-definitions/policy-route.xml.in
@@ -52,6 +52,7 @@
               #include <include/firewall/dscp.xml.i>
               #include <include/firewall/packet-length.xml.i>
               #include <include/firewall/hop-limit.xml.i>
+              #include <include/firewall/connection-mark.xml.i>
             </children>
           </tagNode>
         </children>
@@ -106,6 +107,7 @@
               #include <include/firewall/dscp.xml.i>
               #include <include/firewall/packet-length.xml.i>
               #include <include/firewall/ttl.xml.i>
+              #include <include/firewall/connection-mark.xml.i>
             </children>
           </tagNode>
         </children>
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 429c44802..b4b9e67bb 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -322,6 +322,10 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
     if tcp_mss:
         output.append(f'tcp option maxseg size {tcp_mss}')
 
+    if 'connection_mark' in rule_conf:
+        conn_mark_str = ','.join(rule_conf['connection_mark'])
+        output.append(f'ct mark {{{conn_mark_str}}}')
+
     output.append('counter')
 
     if 'set' in rule_conf:
@@ -368,6 +372,9 @@ def parse_time(time):
 
 def parse_policy_set(set_conf, def_suffix):
     out = []
+    if 'connection_mark' in set_conf:
+        conn_mark = set_conf['connection_mark']
+        out.append(f'ct mark set {conn_mark}')
     if 'dscp' in set_conf:
         dscp = set_conf['dscp']
         out.append(f'ip{def_suffix} dscp set {dscp}')
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 9b28eb81b..f1c18d761 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -199,6 +199,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         name = 'smoketest'
         interface = 'eth0'
         mss_range = '501-1460'
+        conn_mark = '555'
 
         self.cli_set(['firewall', 'name', name, 'default-action', 'drop'])
         self.cli_set(['firewall', 'name', name, 'enable-default-log'])
@@ -234,11 +235,14 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['firewall', 'name', name, 'rule', '6', 'action', 'return'])
         self.cli_set(['firewall', 'name', name, 'rule', '6', 'protocol', 'gre'])
         self.cli_set(['firewall', 'name', name, 'rule', '6', 'outbound-interface', 'interface-name', interface])
+        self.cli_set(['firewall', 'name', name, 'rule', '6', 'connection-mark', conn_mark])
 
         self.cli_set(['firewall', 'interface', interface, 'in', 'name', name])
 
         self.cli_commit()
 
+        mark_hex = "{0:#010x}".format(int(conn_mark))
+
         nftables_search = [
             [f'iifname "{interface}"', f'jump NAME_{name}'],
             ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" level debug', 'ip ttl 15', 'return'],
@@ -247,7 +251,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
             ['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop'],
             ['tcp dport 22', 'add @RECENT_smoketest_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'drop'],
             ['tcp flags & syn == syn', f'tcp option maxseg size {mss_range}', f'iifname "{interface}"'],
-            ['meta l4proto gre', f'oifname "{interface}"', 'return']
+            ['meta l4proto gre', f'oifname "{interface}"', f'ct mark {mark_hex}', 'return']
         ]
 
         self.verify_nftables(nftables_search, 'ip vyos_filter')
diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py
index 11b3c678e..cb48a84ff 100755
--- a/smoketest/scripts/cli/test_policy_route.py
+++ b/smoketest/scripts/cli/test_policy_route.py
@@ -21,6 +21,8 @@ from base_vyostest_shim import VyOSUnitTestSHIM
 from vyos.util import cmd
 
 mark = '100'
+conn_mark = '555'
+conn_mark_set = '111'
 table_mark_offset = 0x7fffffff
 table_id = '101'
 interface = 'eth0'
@@ -122,6 +124,25 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
 
         self.verify_nftables(nftables_search, 'ip vyos_mangle')
 
+    def test_pbr_mark_connection(self):
+        self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'source', 'address', '172.16.20.10'])
+        self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10'])
+        self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'connection-mark', conn_mark])
+        self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'set', 'connection-mark', conn_mark_set])
+        self.cli_set(['policy', 'route', 'smoketest', 'interface', interface])
+
+        self.cli_commit()
+
+        mark_hex = "{0:#010x}".format(int(conn_mark))
+        mark_hex_set = "{0:#010x}".format(int(conn_mark_set))
+
+        nftables_search = [
+            [f'iifname "{interface}"','jump VYOS_PBR_smoketest'],
+            ['ip daddr 172.16.10.10', 'ip saddr 172.16.20.10', 'ct mark ' + mark_hex, 'ct mark set ' + mark_hex_set],
+        ]
+
+        self.verify_nftables(nftables_search, 'ip vyos_mangle')
+
     def test_pbr_table(self):
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'protocol', 'tcp'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'destination', 'port', '8888'])
author	Christian Poessinger <christian@poessinger.com>	2022-12-19 19:32:45 +0100
committer	GitHub <noreply@github.com>	2022-12-19 19:32:45 +0100
commit	71d2c583e3b8331e877bbb2f364b6da5c0a587a0 (patch)
tree	41069c9cf16f53091ee13812aed97cf3f2194ff0
parent	c4097097487467300a0a63c8a75f670dc0429f7c (diff)
parent	d9c9092dcdc430b26a326345934c4513534bff9b (diff)
download	vyos-1x-71d2c583e3b8331e877bbb2f364b6da5c0a587a0.tar.gz vyos-1x-71d2c583e3b8331e877bbb2f364b6da5c0a587a0.zip