| | | |
|---|---|---|
| author | zsdc <taras@vyos.io> | 2021-07-12 22:59:48 +0300 |
| committer | zsdc <taras@vyos.io> | 2021-07-17 22:36:39 +0300 |
| commit | 22791e26f444766dc9f9e1729b72893208f58079 (patch) | |
| tree | e412fd0e8247c3fc11b9f90d33646aafaf29247c /data/templates/firewall | |
| parent | 83721c1ce672b76d40c710f38b0ab05c370a2191 (diff) | |
VRF: T3655: proper connection tracking for VRFs
Currently, all VRFs share the same connection tracking table, which can
lead to problems:
- traffic leaks to a wrong VRF
- improper NAT rules handling when multiple VRFs contain the same IP networks
- stateful firewall rules issues

The commit implements connection tracking zones support. Each VRF
utilizes its own zone, so connections will never mix up.

It also adds some restrictions to VRF names and assigned table numbers,
because of nftables and conntrack requirements:
- VRF name should always start with a letter (interfaces that start with
numbers are not supported in nftables rules)
- table number must be in the 100-65535 range because conntrack supports
only 65535 zones
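As an added example, not part of this commit or of the VyOS code base, the helper below applies the two restrictions the commit message states (name starts with a letter, table number within 100-65535) and renders the per-VRF map elements for the `ct_iface_map` map. It assumes that the VRF name is the interface name looked up in the map, that the VRF table number is used as the conntrack zone id, and that zone ids must be unique per VRF; only the first character of the name is checked, as in the message.

```python
import re

# Constraints from the commit message: a VRF name must start with a letter
# (nftables cannot use interface names starting with a digit in rules), and
# the table number doubles as the ct zone, so it must fit in 100-65535.
VRF_NAME_RE = re.compile(r"^[A-Za-z]")          # assumption: only the first char is restricted
ZONE_MIN, ZONE_MAX = 100, 65535


def validate_vrfs(vrfs):
    """Return a list of error strings for a {vrf_name: table_number} mapping.

    An empty list means every VRF can be given its own conntrack zone.
    """
    errors = []
    seen_tables = {}                            # table number -> first VRF that used it
    for name, table in vrfs.items():
        if not VRF_NAME_RE.match(name):
            errors.append(f"VRF '{name}': name must start with a letter")
        if not ZONE_MIN <= table <= ZONE_MAX:
            errors.append(f"VRF '{name}': table {table} outside {ZONE_MIN}-{ZONE_MAX}")
        if table in seen_tables:
            # Two VRFs in one zone would share conntrack state again.
            errors.append(f"VRF '{name}': table {table} already used by '{seen_tables[table]}'")
        seen_tables.setdefault(table, name)
    return errors


def render_zone_map(vrfs):
    """Render the nftables map block with one element per VRF.

    Key is the VRF interface name, value is the table number used as ct zone
    (assumed nftables syntax: elements = { "name" : zone }).
    """
    errors = validate_vrfs(vrfs)
    if errors:
        raise ValueError("; ".join(errors))
    elements = ", ".join(f'"{name}" : {table}' for name, table in sorted(vrfs.items()))
    return (
        "map ct_iface_map {\n"
        "    typeof iifname : ct zone\n"
        f"    elements = {{ {elements} }}\n"
        "}"
    )


if __name__ == "__main__":
    # Constructed sample configuration: two VRFs with distinct table numbers.
    print(render_zone_map({"red": 100, "blue": 101}))
```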
Diffstat (limited to 'data/templates/firewall')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | data/templates/firewall/nftables-vrf-zones.tmpl | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-vrf-zones.tmpl b/data/templates/firewall/nftables-vrf-zones.tmpl new file mode 100644 index 000000000..eecf47b78 --- /dev/null +++ b/data/templates/firewall/nftables-vrf-zones.tmpl @@ -0,0 +1,17 @@ +table inet vrf_zones { + # Map of interfaces and connections tracking zones + map ct_iface_map { + typeof iifname : ct zone + } + # Assign unique zones for each VRF + # Chain for inbound traffic + chain vrf_zones_ct_in { + type filter hook prerouting priority raw; policy accept; + counter ct zone set iifname map @ct_iface_map + } + # Chain for locally-generated traffic + chain vrf_zones_ct_out { + type filter hook output priority raw; policy accept; + counter ct zone set oifname map @ct_iface_map + } +} |
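Review bot: the map `ct_iface_map` is declared without any elements and nothing in this hunk populates it, yet the comment `# Assign unique zones for each VRF` sits directly above the inbound chain as if the assignment happened here; with an empty map neither `ct zone set` rule ever matches and every VRF stays in the default zone, which is exactly the shared-state problem the commit message describes. Either render the elements from the configured VRFs in this template, for example `elements = { "<vrf-name>" : <table-number> }` inside the map block (the 100-65535 table-number restriction in the commit message implies the table number is the zone id), or move that comment to the place where the map is populated at runtime and say so in the template. Minor: the map comment reads `connections tracking zones`; `connection tracking zones` matches the wording of the commit message.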