authorNicolas Fort <nicolasfort1988@gmail.com>2024-10-29 19:05:52 +0000
committerChristian Breunig <christian@breunig.cc>2025-01-06 12:05:22 +0100
commitdf176d9b9b4cc67ae509ae2ff17a02f2520cc881 (patch)
treeddc5d1f8ba92d87dc43bfd37e30c4e7e5f040833 /src
parent9c091f0f601d1a24e386ad0d883c6dd2f2c51b63 (diff)
T6841: firewall: improve config parsing for ZBF when using VRFs and interfaces attached to VRFs
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/firewall.py28
-rw-r--r--[-rwxr-xr-x]src/migration-scripts/firewall/16-to-170
-rwxr-xr-xsrc/migration-scripts/firewall/17-to-1836
3 files changed, 60 insertions, 4 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 10d389d73..c09f934aa 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -34,6 +34,8 @@ from vyos.utils.dict import dict_search_recursive
from vyos.utils.process import call
from vyos.utils.process import cmd
from vyos.utils.process import rc_cmd
+from vyos.utils.network import get_vrf_members
+from vyos.utils.network import get_interface_vrf
from vyos import ConfigError
from vyos import airbag
from pathlib import Path
@@ -441,6 +443,7 @@ def verify(firewall):
local_zone = False
zone_interfaces = []
+ zone_vrf = []
if 'zone' in firewall:
for zone, zone_conf in firewall['zone'].items():
@@ -457,12 +460,23 @@ def verify(firewall):
local_zone = True
if 'interface' in zone_conf:
- found_duplicates = [intf for intf in zone_conf['interface'] if intf in zone_interfaces]
+ if 'name'in zone_conf['interface']:
- if found_duplicates:
- raise ConfigError(f'Interfaces cannot be assigned to multiple zones')
+ for iface in zone_conf['interface']['name']:
- zone_interfaces += zone_conf['interface']
+ if iface in zone_interfaces:
+ raise ConfigError(f'Interfaces cannot be assigned to multiple zones')
+
+ iface_vrf = get_interface_vrf(iface)
+ if iface_vrf != 'default':
+ Warning(f"Interface {iface} assigned to zone {zone} is in VRF {iface_vrf}. This might not work as expected.")
+ zone_interfaces += iface
+
+ if 'vrf' in zone_conf['interface']:
+ for vrf in zone_conf['interface']['vrf']:
+ if vrf in zone_vrf:
+ raise ConfigError(f'VRF cannot be assigned to multiple zones')
+ zone_vrf += vrf
if 'intra_zone_filtering' in zone_conf:
intra_zone = zone_conf['intra_zone_filtering']
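Review bot: `zone_interfaces += iface` at the end of the new name loop extends the list with the individual characters of the interface name rather than with the name itself, so the `if iface in zone_interfaces` check above it can never match a full name and the cross-zone duplicate rejection that the removed `found_duplicates` code provided is effectively lost; `zone_vrf += vrf` has the same problem for the VRF check. Both should be `zone_interfaces.append(iface)` and `zone_vrf.append(vrf)`. The per-interface VRF lookup only emits a warning, so an interface bound to a non-default VRF is still accepted into a name-based zone; if that is intentional, a short comment on why this is a warning rather than a ConfigError would help the next reader, and `'name'in` wants a space. The `Warning(...)` helper is not imported in any visible hunk, so presumably it is already in scope earlier in the file. verify() begins outside the hunk.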
@@ -504,6 +518,12 @@ def generate(firewall):
if 'zone' in firewall:
for local_zone, local_zone_conf in firewall['zone'].items():
if 'local_zone' not in local_zone_conf:
+ # Get physical interfaces assigned to the zone if vrf is used:
+ if 'vrf' in local_zone_conf['interface']:
+ local_zone_conf['vrf_interfaces'] = {}
+ for vrf_name in local_zone_conf['interface']['vrf']:
+ local_zone_conf['vrf_interfaces'][vrf_name] = ','.join(get_vrf_members(vrf_name))
+ #local_zone_conf['interface']['vrf'][vrf_name] = ''.join(get_vrf_members(vrf_name))
continue
local_zone_conf['from_local'] = {}
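Review bot: `local_zone_conf['interface']` is indexed directly in the new vrf branch; unless verify() guarantees that every non-local zone carries an `interface` node, a zone without one raises KeyError inside generate(), so `if 'vrf' in local_zone_conf.get('interface', {}):` is the safer form. The expansion via `get_vrf_members(vrf_name)` is a snapshot of VRF membership at commit time, so interfaces attached to the VRF afterwards presumably fall outside the generated zone rules until the firewall configuration is committed again — worth stating in the existing comment, e.g. `# Snapshot of VRF members at commit time; interfaces joining the VRF later are not covered until the next commit`. The commented-out alternative assignment below it should be removed rather than left in the file. generate() starts outside the hunk.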
diff --git a/src/migration-scripts/firewall/16-to-17 b/src/migration-scripts/firewall/16-to-17
index ad0706f04..ad0706f04 100755..100644
--- a/src/migration-scripts/firewall/16-to-17
+++ b/src/migration-scripts/firewall/16-to-17
diff --git a/src/migration-scripts/firewall/17-to-18 b/src/migration-scripts/firewall/17-to-18
new file mode 100755
index 000000000..af16ba8ec
--- /dev/null
+++ b/src/migration-scripts/firewall/17-to-18
@@ -0,0 +1,36 @@
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+# From
+ # set firewall zone <zone> interface <iface>
+# To
+ # set firewall zone <zone> interface name <iface>
+ # or
+ # set firewall zone <zone> interface vrf <vrf>
+
+
+from vyos.configtree import ConfigTree
+
+base = ['firewall', 'zone']
+
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(base):
+ # Nothing to do
+ return
+
+ for zone in config.list_nodes(base):
+ if config.exists(base + [zone, 'interface']):
+ for iface in config.return_values(base + [zone, 'interface']):
+ config.set(base + [zone, 'interface', 'name'], value=iface, replace=False) \ No newline at end of file
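Review bot: migrate() copies each value of `interface` under `interface name` but never removes the original bare values, so after the loop the old `interface <iface>` leaf values remain in the tree alongside the new `name` child; if the new schema no longer accepts values directly on `interface`, the migrated configuration still carries data it cannot load. Remove each old value as it is moved, e.g. `config.delete_value(base + [zone, 'interface'], iface)` right after the `config.set(...)` call (`return_values` hands back a materialized list, so deleting inside the loop is safe), or delete the whole `interface` node before re-adding the names. The From/To header comment is helpful; the file should also end with a newline.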