diff options
| -rw-r--r-- | data/templates/firewall/nftables.tmpl | 4 | ||||
| -rw-r--r-- | data/templates/zone_policy/nftables.tmpl | 12 | ||||
| -rw-r--r-- | python/vyos/template.py | 3 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_firewall.py | 6 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_zone_policy.py | 4 | ||||
| -rwxr-xr-x | src/conf_mode/firewall-interface.py | 11 | ||||
| -rwxr-xr-x | src/conf_mode/firewall.py | 7 | ||||
| -rwxr-xr-x | src/op_mode/firewall.py | 3 | 
8 files changed, 29 insertions, 21 deletions
| diff --git a/data/templates/firewall/nftables.tmpl b/data/templates/firewall/nftables.tmpl index 33c821e84..468a5a32f 100644 --- a/data/templates/firewall/nftables.tmpl +++ b/data/templates/firewall/nftables.tmpl @@ -32,7 +32,7 @@ table ip filter {  {% endif %}  {% if name is defined %}  {%   for name_text, conf in name.items() %} -    chain {{ name_text }} { +    chain NAME_{{ name_text }} {  {%     if conf.rule is defined %}  {%       for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %}          {{ rule_conf | nft_rule(name_text, rule_id) }} @@ -82,7 +82,7 @@ table ip6 filter {  {% endif %}  {% if ipv6_name is defined %}  {%   for name_text, conf in ipv6_name.items() %} -    chain {{ name_text }} { +    chain NAME6_{{ name_text }} {  {%     if conf.rule is defined %}  {%       for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %}          {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }} diff --git a/data/templates/zone_policy/nftables.tmpl b/data/templates/zone_policy/nftables.tmpl index e59208a0d..093da6bd8 100644 --- a/data/templates/zone_policy/nftables.tmpl +++ b/data/templates/zone_policy/nftables.tmpl @@ -13,7 +13,7 @@ table ip filter {      chain VZONE_{{ zone_name }}_IN {          iifname lo counter return  {%       for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %} -        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.name }} +        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }}          iifname { {{ zone[from_zone].interface | join(",") }} } counter return  {%       endfor %}          counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} @@ -21,7 +21,7 @@ table ip filter {      chain VZONE_{{ zone_name }}_OUT {          oifname lo counter return  {%         for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.name is defined %} -        oifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.name }} +        oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }}          oifname { {{ zone[from_zone].interface | join(",") }} } counter return  {%         endfor %}          counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} @@ -34,7 +34,7 @@ table ip filter {  {%       endif %}  {%       for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %}  {%         if zone[from_zone].local_zone is not defined %} -        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.name }} +        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }}          iifname { {{ zone[from_zone].interface | join(",") }} } counter return  {%         endif %}  {%       endfor %} @@ -50,7 +50,7 @@ table ip6 filter {      chain VZONE6_{{ zone_name }}_IN {          iifname lo counter return  {%       for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %} -        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.ipv6_name }} +        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }}          iifname { {{ zone[from_zone].interface | join(",") }} } counter return  {%       endfor %}          counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} @@ -58,7 +58,7 @@ table ip6 filter {      chain VZONE6_{{ zone_name }}_OUT {          oifname lo counter return  {%         for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.ipv6_name is defined %} -        oifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.ipv6_name }} +        oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }}          oifname { {{ zone[from_zone].interface | join(",") }} } counter return  {%         endfor %}          counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }} @@ -71,7 +71,7 @@ table ip6 filter {  {%       endif %}  {%       for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %}  {%         if zone[from_zone].local_zone is not defined %} -        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.ipv6_name }} +        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }}          iifname { {{ zone[from_zone].interface | join(",") }} } counter return  {%         endif %}  {%       endfor %} diff --git a/python/vyos/template.py b/python/vyos/template.py index 633b28ade..3675aef5d 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py @@ -548,6 +548,7 @@ def nft_intra_zone_action(zone_conf, ipv6=False):      if 'intra_zone_filtering' in zone_conf:          intra_zone = zone_conf['intra_zone_filtering']          fw_name = 'ipv6_name' if ipv6 else 'name' +        name_prefix = 'NAME6_' if ipv6 else 'NAME_'          if 'action' in intra_zone:              if intra_zone['action'] == 'accept': @@ -555,5 +556,5 @@ def nft_intra_zone_action(zone_conf, ipv6=False):              return intra_zone['action']          elif dict_search_args(intra_zone, 'firewall', fw_name):              name = dict_search_args(intra_zone, 'firewall', fw_name) -            return f'jump {name}' +            return f'jump {name_prefix}{name}'      return 'return' diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index 6b74e6c92..ecc0c29a0 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -63,7 +63,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):          self.cli_commit()          nftables_search = [ -            ['iifname "eth0"', 'jump smoketest'], +            ['iifname "eth0"', 'jump NAME_smoketest'],              ['ip saddr { 172.16.99.0/24 }', 'ip daddr 172.16.10.10', 'th dport { 53, 123 }', 'return'],              ['ether saddr { 00:01:02:03:04:05 }', 'return']          ] @@ -94,7 +94,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):          self.cli_commit()          nftables_search = [ -            ['iifname "eth0"', 'jump smoketest'], +            ['iifname "eth0"', 'jump NAME_smoketest'],              ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'return'],              ['tcp flags & (syn | ack) == syn', 'tcp dport { 8888 }', 'reject'],              ['smoketest default-action', 'drop'] @@ -124,7 +124,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):          self.cli_commit()          nftables_search = [ -            ['iifname "eth0"', 'jump v6-smoketest'], +            ['iifname "eth0"', 'jump NAME6_v6-smoketest'],              ['saddr 2002::1', 'daddr 2002::1:1', 'return'],              ['meta l4proto { tcp, udp }', 'th dport { 8888 }', 'reject'],              ['smoketest default-action', 'drop'] diff --git a/smoketest/scripts/cli/test_zone_policy.py b/smoketest/scripts/cli/test_zone_policy.py index c0af6164b..00dfe0182 100755 --- a/smoketest/scripts/cli/test_zone_policy.py +++ b/smoketest/scripts/cli/test_zone_policy.py @@ -44,8 +44,8 @@ class TestZonePolicy(VyOSUnitTestSHIM.TestCase):              ['oifname { "eth0" }', 'jump VZONE_smoketest-eth0'],              ['jump VZONE_smoketest-local_IN'],              ['jump VZONE_smoketest-local_OUT'], -            ['iifname { "eth0" }', 'jump smoketest'], -            ['oifname { "eth0" }', 'jump smoketest'] +            ['iifname { "eth0" }', 'jump NAME_smoketest'], +            ['oifname { "eth0" }', 'jump NAME_smoketest']          ]          nftables_output = cmd('sudo nft list table ip filter') diff --git a/src/conf_mode/firewall-interface.py b/src/conf_mode/firewall-interface.py index a7442ecbd..9a5d278e9 100755 --- a/src/conf_mode/firewall-interface.py +++ b/src/conf_mode/firewall-interface.py @@ -31,6 +31,9 @@ from vyos import ConfigError  from vyos import airbag  airbag.enable() +NAME_PREFIX = 'NAME_' +NAME6_PREFIX = 'NAME6_' +  NFT_CHAINS = {      'in': 'VYOS_FW_FORWARD',      'out': 'VYOS_FW_FORWARD', @@ -127,7 +130,7 @@ def apply(if_firewall):          name = dict_search_args(if_firewall, direction, 'name')          if name: -            rule_exists = cleanup_rule('ip filter', chain, if_prefix, ifname, name) +            rule_exists = cleanup_rule('ip filter', chain, if_prefix, ifname, f'{NAME_PREFIX}{name}')              if not rule_exists:                  rule_action = 'insert' @@ -138,13 +141,13 @@ def apply(if_firewall):                      rule_action = 'add'                      rule_prefix = f'position {handle}' -                run(f'nft {rule_action} rule ip filter {chain} {rule_prefix} {if_prefix}ifname {ifname} counter jump {name}') +                run(f'nft {rule_action} rule ip filter {chain} {rule_prefix} {if_prefix}ifname {ifname} counter jump {NAME_PREFIX}{name}')          else:              cleanup_rule('ip filter', chain, if_prefix, ifname)          ipv6_name = dict_search_args(if_firewall, direction, 'ipv6_name')          if ipv6_name: -            rule_exists = cleanup_rule('ip6 filter', ipv6_chain, if_prefix, ifname, ipv6_name) +            rule_exists = cleanup_rule('ip6 filter', ipv6_chain, if_prefix, ifname, f'{NAME6_PREFIX}{ipv6_name}')              if not rule_exists:                  rule_action = 'insert' @@ -155,7 +158,7 @@ def apply(if_firewall):                      rule_action = 'add'                      rule_prefix = f'position {handle}' -                run(f'nft {rule_action} rule ip6 filter {ipv6_chain} {rule_prefix} {if_prefix}ifname {ifname} counter jump {ipv6_name}') +                run(f'nft {rule_action} rule ip6 filter {ipv6_chain} {rule_prefix} {if_prefix}ifname {ifname} counter jump {NAME6_PREFIX}{ipv6_name}')          else:              cleanup_rule('ip6 filter', ipv6_chain, if_prefix, ifname) diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 358b938e3..5b6c57d04 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -54,6 +54,9 @@ sysfs_config = {      'twa_hazards_protection': {'sysfs': '/proc/sys/net/ipv4/tcp_rfc1337'}  } +NAME_PREFIX = 'NAME_' +NAME6_PREFIX = 'NAME6_' +  preserve_chains = [      'INPUT',      'FORWARD', @@ -281,9 +284,9 @@ def cleanup_commands(firewall):                      else:                          commands.append(f'flush chain {table} {chain}')                  elif chain not in preserve_chains and not chain.startswith("VZONE"): -                    if table == 'ip filter' and dict_search_args(firewall, 'name', chain): +                    if table == 'ip filter' and dict_search_args(firewall, 'name', chain.replace(NAME_PREFIX, "", 1)):                          commands.append(f'flush chain {table} {chain}') -                    elif table == 'ip6 filter' and dict_search_args(firewall, 'ipv6_name', chain): +                    elif table == 'ip6 filter' and dict_search_args(firewall, 'ipv6_name', chain.replace(NAME6_PREFIX, "", 1)):                          commands.append(f'flush chain {table} {chain}')                      else:                          commands += cleanup_rule(table, chain) diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py index b6bb5b802..3146fc357 100755 --- a/src/op_mode/firewall.py +++ b/src/op_mode/firewall.py @@ -88,7 +88,8 @@ def get_config_firewall(conf, name=None, ipv6=False, interfaces=True):  def get_nftables_details(name, ipv6=False):      suffix = '6' if ipv6 else '' -    command = f'sudo nft list chain ip{suffix} filter {name}' +    name_prefix = 'NAME6_' if ipv6 else 'NAME_' +    command = f'sudo nft list chain ip{suffix} filter {name_prefix}{name}'      try:          results = cmd(command)      except: | 
