diff options
| author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2023-08-25 13:54:47 +0200 | 
|---|---|---|
| committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2023-08-25 16:51:49 +0200 | 
| commit | b6f742716da5f89c7f3f3501220e0f3ae1df45d8 (patch) | |
| tree | adf25225d76d2a65c6c5ba34e1a39ff40b511013 /python | |
| parent | d62f8ed1e3608d82e3e4fb7566817839023aa39c (diff) | |
| download | vyos-1x-b6f742716da5f89c7f3f3501220e0f3ae1df45d8.tar.gz vyos-1x-b6f742716da5f89c7f3f3501220e0f3ae1df45d8.zip | |
interface: T3509: Add per-interface IPv6 source validation
Diffstat (limited to 'python')
| -rw-r--r-- | python/vyos/ifconfig/interface.py | 29 | 
1 files changed, 29 insertions, 0 deletions
| diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py index ddac387e7..41ce352ad 100644 --- a/python/vyos/ifconfig/interface.py +++ b/python/vyos/ifconfig/interface.py @@ -777,6 +777,30 @@ class Interface(Control):              return None          return self.set_interface('rp_filter', value) +    def _cleanup_ipv6_source_validation_rules(self, ifname): +        commands = [] +        results = self._cmd(f'nft -a list chain ip6 raw vyos_rpfilter').split("\n") +        for line in results: +            if f'iifname "{ifname}"' in line: +                handle_search = re.search('handle (\d+)', line) +                if handle_search: +                    self._cmd(f'nft delete rule ip6 raw vyos_rpfilter handle {handle_search[1]}') + +    def set_ipv6_source_validation(self, mode): +        """ +        Set IPv6 reverse path validation + +        Example: +        >>> from vyos.ifconfig import Interface +        >>> Interface('eth0').set_ipv6_source_validation('strict') +        """ +        self._cleanup_ipv6_source_validation_rules(self.ifname) +        nft_prefix = f'nft add rule ip6 raw vyos_rpfilter iifname "{self.ifname}"' +        if mode == 'strict': +            self._cmd(f"{nft_prefix} fib saddr . iif oif 0 counter drop") +        elif mode == 'loose': +            self._cmd(f"{nft_prefix} fib saddr oif 0 counter drop") +      def set_ipv6_accept_ra(self, accept_ra):          """          Accept Router Advertisements; autoconfigure using them. @@ -1568,6 +1592,11 @@ class Interface(Control):          value = tmp if (tmp != None) else '0'          self.set_ipv4_source_validation(value) +        # IPv6 source-validation +        tmp = dict_search('ipv6.source_validation', config) +        value = tmp if (tmp != None) else '0' +        self.set_ipv6_source_validation(value) +          # MTU - Maximum Transfer Unit has a default value. It must ALWAYS be set          # before mangling any IPv6 option. If MTU is less then 1280 IPv6 will be          # automatically disabled by the kernel. Also MTU must be increased before | 
