summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--data/templates/firewall/nftables-zone.j213
-rw-r--r--data/templates/firewall/nftables.j24
-rw-r--r--data/templates/grub/grub_common.j24
-rw-r--r--data/templates/grub/grub_vyos_version.j211
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py34
-rwxr-xr-xsrc/op_mode/image_installer.py1
-rw-r--r--src/system/grub_update.py3
7 files changed, 43 insertions, 27 deletions
diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
index 5e55099ca..e78725079 100644
--- a/data/templates/firewall/nftables-zone.j2
+++ b/data/templates/firewall/nftables-zone.j2
@@ -1,13 +1,6 @@
-
-{% macro zone_chains(zone, family, state_policy=False) %}
-{% if family == 'ipv6' %}
-{% set fw_name = 'ipv6_name' %}
-{% set suffix = '6' %}
-{% else %}
-{% set fw_name = 'name' %}
-{% set suffix = '' %}
-{% endif %}
-
+{% macro zone_chains(zone, ipv6=False, state_policy=False) %}
+{% set fw_name = 'ipv6_name' if ipv6 else 'name' %}
+{% set suffix = '6' if ipv6 else '' %}
chain VYOS_ZONE_FORWARD {
type filter hook forward priority 1; policy accept;
{% if state_policy %}
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index e0ad0e00a..833df3a67 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -163,7 +163,7 @@ table ip vyos_filter {
{{ group_tmpl.groups(group, False, True) }}
{% if zone is vyos_defined %}
-{{ zone_tmpl.zone_chains(zone, 'ipv4', global_options.state_policy is vyos_defined) }}
+{{ zone_tmpl.zone_chains(zone, False, global_options.state_policy is vyos_defined) }}
{% endif %}
{% if global_options.state_policy is vyos_defined %}
chain VYOS_STATE_POLICY {
@@ -298,7 +298,7 @@ table ip6 vyos_filter {
{% endif %}
{{ group_tmpl.groups(group, True, True) }}
{% if zone is vyos_defined %}
-{{ zone_tmpl.zone_chains(zone, 'ipv6', global_options.state_policy is vyos_defined) }}
+{{ zone_tmpl.zone_chains(zone, True, global_options.state_policy is vyos_defined) }}
{% endif %}
{% if global_options.state_policy is vyos_defined %}
chain VYOS_STATE_POLICY6 {
diff --git a/data/templates/grub/grub_common.j2 b/data/templates/grub/grub_common.j2
index 278ffbf2c..29c2ab879 100644
--- a/data/templates/grub/grub_common.j2
+++ b/data/templates/grub/grub_common.j2
@@ -8,9 +8,9 @@ fi
function setup_serial {
# initialize the first serial port by default
if [ "${console_type}" == "ttyS" ]; then
- serial --unit=${console_num}
+ serial --unit=${console_num} --speed=${console_speed}
else
- serial --unit=0
+ serial --unit=0 --speed=${console_speed}
fi
terminal_output --append serial console
terminal_input --append serial console
diff --git a/data/templates/grub/grub_vyos_version.j2 b/data/templates/grub/grub_vyos_version.j2
index 97fbe8473..62688e68b 100644
--- a/data/templates/grub/grub_vyos_version.j2
+++ b/data/templates/grub/grub_vyos_version.j2
@@ -6,16 +6,21 @@
{% endif %}
menuentry "{{ version_name }}" --id {{ version_uuid }} {
set boot_opts="{{ boot_opts_rendered }}"
+ if [ "${console_type}" == "ttyS" ]; then
+ set console_opts="console=${console_type}${console_num},${console_speed}"
+ else
+ set console_opts="console=${console_type}${console_num}"
+ fi
# load rootfs to RAM
if [ "${boot_toram}" == "yes" ]; then
set boot_opts="${boot_opts} toram"
fi
if [ "${bootmode}" == "pw_reset" ]; then
- set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/libexec/vyos/system/standalone_root_pw_reset"
+ set boot_opts="${boot_opts} ${console_opts} init=/usr/libexec/vyos/system/standalone_root_pw_reset"
elif [ "${bootmode}" == "recovery" ]; then
- set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/bin/busybox init"
+ set boot_opts="${boot_opts} ${console_opts} init=/usr/bin/busybox init"
else
- set boot_opts="${boot_opts} console=${console_type}${console_num}"
+ set boot_opts="${boot_opts} ${console_opts}"
fi
linux "/boot/{{ version_name }}/vmlinuz" ${boot_opts}
initrd "/boot/{{ version_name }}/initrd.img"
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 2be616da1..72fbdb37d 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -671,8 +671,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
### Zone
def test_zone_basic(self):
self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'name', 'smoketestv6', 'default-action', 'drop'])
self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'interface', 'eth0'])
self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'from', 'smoketest-local', 'firewall', 'name', 'smoketest'])
+ self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'intra-zone-filtering', 'firewall', 'ipv6-name', 'smoketestv6'])
self.cli_set(['firewall', 'zone', 'smoketest-local', 'local-zone'])
self.cli_set(['firewall', 'zone', 'smoketest-local', 'from', 'smoketest-eth0', 'firewall', 'name', 'smoketest'])
self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'action', 'accept'])
@@ -704,16 +706,30 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['ct state related', 'accept']
]
- nftables_output = cmd('sudo nft list table ip vyos_filter')
-
- for search in nftables_search:
- matched = False
- for line in nftables_output.split("\n"):
- if all(item in line for item in search):
- matched = True
- break
- self.assertTrue(matched)
+ nftables_search_v6 = [
+ ['chain VYOS_ZONE_FORWARD'],
+ ['type filter hook forward priority filter + 1'],
+ ['chain VYOS_ZONE_OUTPUT'],
+ ['type filter hook output priority filter + 1'],
+ ['chain VYOS_ZONE_LOCAL'],
+ ['type filter hook input priority filter + 1'],
+ ['chain VZONE_smoketest-eth0'],
+ ['chain VZONE_smoketest-local_IN'],
+ ['chain VZONE_smoketest-local_OUT'],
+ ['oifname "eth0"', 'jump VZONE_smoketest-eth0'],
+ ['jump VZONE_smoketest-local_IN'],
+ ['jump VZONE_smoketest-local_OUT'],
+ ['iifname "eth0"', 'jump NAME6_smoketestv6'],
+ ['jump VYOS_STATE_POLICY6'],
+ ['chain VYOS_STATE_POLICY6'],
+ ['ct state established', 'log prefix "[STATE-POLICY-EST-A]"', 'accept'],
+ ['ct state invalid', 'drop'],
+ ['ct state related', 'accept']
+ ]
+ nftables_output = cmd('sudo nft list table ip vyos_filter')
+ self.verify_nftables(nftables_search, 'ip vyos_filter')
+ self.verify_nftables(nftables_search_v6, 'ip6 vyos_filter')
def test_flow_offload(self):
self.cli_set(['firewall', 'flowtable', 'smoketest', 'interface', 'eth0'])
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index 791d76718..fad6face7 100755
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -93,6 +93,7 @@ DEFAULT_BOOT_VARS: dict[str, str] = {
'timeout': '5',
'console_type': 'tty',
'console_num': '0',
+ 'console_speed': '115200',
'bootmode': 'normal'
}
diff --git a/src/system/grub_update.py b/src/system/grub_update.py
index 3c851f0e0..4d5e0b6ae 100644
--- a/src/system/grub_update.py
+++ b/src/system/grub_update.py
@@ -68,7 +68,8 @@ if __name__ == '__main__':
'default': grub.gen_version_uuid(default_entry['version']),
'bootmode': default_entry['bootmode'],
'console_type': default_entry['console_type'],
- 'console_num': default_entry['console_num']
+ 'console_num': default_entry['console_num'],
+ 'console_speed': '115200'
}
vars.update(default_settings)