path: root/data/templates/firewall
Age | Commit message | Author
2025-06-27 | vrf: T7544: Ensure correct quoting for VRF ifnames in nftables | Andrew Topp
* For VRF create/delete:
  * Simple dquoting, as before, was parsed away by the shell
  * Just escaping the double quotes could cause issues with the shell mangling VRF names (however unlikely)
  * Wrapping original quotes in shell-escaped single quotes is a quick & easy way to guard against both improper shell parsing and string names being taken as nft keywords.
* Firewall configuration:
  * Firewall "interface name" rules support VRF ifnames and used them unquoted, fixed for nft_rule template tags (parse_rule)
  * Went through and quoted all iif/oifname usage by zones and interface groups. VRF ifnames weren't available for all cases, but there is no harm in completeness.
  * For this, also created a simple quoted_join template filter to replace any use of |join(',')
* PBR calls nft but doesn't mind the "vni" name - table IDs used instead

I may have missed some niche nft use-cases that would be exposed to this problem.
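The quoting problem this commit fixes, as an added Python example that is not vyos-1x code: a quoted_join-style filter for rule templates, and the shell-escaped form for nft CLI calls, with shlex.split standing in for the shell to show which token nft actually receives. The table and map names in the nft command are hypothetical.

```python
import shlex

def quoted_join(names, sep=','):
    """Like Jinja's join(sep), but every item is double-quoted so nft reads it
    as a string literal rather than a keyword (e.g. the VRF ifname "vni")."""
    return sep.join(f'"{name}"' for name in names)

def iifname_match(names):
    """Assumed rule fragment: an nft iifname anonymous set built with quoted_join."""
    return f'iifname {{ {quoted_join(names)} }}'

def shell_safe_nft_name(name):
    """Double quotes for nft's lexer, then single quotes so the shell passes the
    double quotes through untouched: vni -> '"vni"'."""
    return shlex.quote(f'"{name}"')

def naive_vrf_zone_cmd(vrf_name, zone_id):
    """Pre-fix form: plain double quotes, which the shell strips before nft
    ever sees them (table and map names are hypothetical)."""
    return f'nft add element inet vrf_zones ct_iface_map {{ "{vrf_name}" : {zone_id} }}'

def vrf_zone_cmd(vrf_name, zone_id):
    """Fixed form: the nft-quoted name survives shell parsing intact."""
    return (f'nft add element inet vrf_zones ct_iface_map '
            f'{{ {shell_safe_nft_name(vrf_name)} : {zone_id} }}')

def argv_seen_by_nft(cmd):
    """Simulate POSIX shell word splitting of cmd: the argv nft would get."""
    return shlex.split(cmd)

if __name__ == '__main__':
    for build in (naive_vrf_zone_cmd, vrf_zone_cmd):
        cmd = build('vni', 250)
        # argv[7] is the map key: 'vni' (a keyword to nft) vs '"vni"' (a string)
        print(cmd, '->', argv_seen_by_nft(cmd)[7])
    print(iifname_match(['eth0', 'vni']))
```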
2025-06-17 | firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept | Nataliia Solomko
2025-06-05 | T7523: firewall: Accepting invalid traffic for pppoe discovery and wol | opswill
2025-06-01 | T7512: firewall: Modify accepting invalid traffic for VLAN aware bridge | Indrajit Raychaudhuri
Allow accepting invalid packets for ethernet types `8021q` and `8021ad` in addition to ARP and UDP types so that stateful bridge firewall works for VLAN-aware bridges in addition to regular bridges.
2025-05-07 | T7386: firewall: allow mix of IPv4 and IPv6 addresses/prefixes/ranges in remote groups | Mark Hayes
2025-04-25 | Merge pull request #4457 from l0crian1/t7358-add-offload-to-global-state | Viacheslav Hletenko
firewall: T7358: add offload option to global state policy
2025-04-18 | firewall: T7358: add offload option to global state policy | l0crian1
- fixed CI smoketest failures (again)
2025-04-18 | firewall: T7358: add offload option to global state policy | l0crian1
- Fixed CI smoketest failures
2025-04-16 | firewall: T7358: add offload option to global state policy | l0crian1
Since the jump to the global state chain is inserted before all rules, it wasn't possible to use offload with the global state policies. This commit adds a new chain for offloaded traffic in the forward chain and jumps to that chain.
2025-03-28 | geoip: T5636: Add geoip for policy route/route6 | sskaje
2025-03-21 | firewall: T5493: Implement remote-group | Alex W
2025-02-20 | firewall: T7148: Bridge state-policy uses drop in place of reject | sarthurdev
2025-01-06 | T6841: firewall: Fixed issues in ZBF when using VRFs | aapostoliuk
Improve config parsing for ZBF when using VRFs and interfaces attached to VRFs
2025-01-06 | T6841: firewall: improve config parsing for ZBF when using VRFs and interfaces attached to VRFs | Nicolas Fort
2024-12-13 | T6918: Accept invalid PPPoE Session in stateful bridge firewall. | opswill
2024-09-30 | Merge pull request #4024 from nicolas-fort/T6687 | Daniil Baturin
T6687: add fqdn support to nat rules.
2024-09-16 | T6687: add fqdn support to nat rules. | Nicolas Fort
2024-09-02 | T6679: add destination groups | Nicolas Vollmar
2024-08-28 | T6647: firewall. Introduce patch for accepting ARP and DHCP replies on stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ethernet-type matcher in bridge firewall. | Nicolas Fort
2024-08-14 | T6636: firewall: fix firewall template in order to write logs for default-action in order to match same structure as in rules. This way op-mode command for showing firewall log prints logs for default-actions too | Nicolas Fort
2024-08-02 | T4072: change same helpers in xml definitions; add notrack action for prerouting chain; re introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest | Nicolas Fort
2024-08-01 | T4072: firewall: extend firewall bridge smoketest | Nicolas Fort
2024-08-01 | T6570: firewall: add global-option to configure sysctl parameter for enabling/disabling sending traffic from bridge layer to ipvX layer | Nicolas Fort
2024-08-01 | T4072: firewall: extend firewall bridge capabilities, in order to include new chains, priorities, and firewall groups | Nicolas Fort
2024-06-25 | T3900: extend latest fix for firewall raw implementation to ipv6. | Nicolas Fort
2024-06-20 | T3900: firewall: fix for initial implementation - remove jump to state policy on OUTPUT_raw | Nicolas Fort
2024-06-06 | Merge pull request #3578 from nicolas-fort/raw-hook | Daniil Baturin
T3900: Add support for raw tables in firewall
2024-06-04 | T3900: T6394: extend functionalities in firewall; move netfilter sysctl timeout parameters defined in conntrack to firewall global-option section. | Nicolas Fort
2024-05-15 | T3900: add support for raw table in firewall. | Nicolas Fort
2024-05-14 | T3420: Remove service upnp | Viacheslav Hletenko
Remove `service upnp` as it never worked as expected, nft rules are not integrated and custom patches do not seem like a suitable solution for now.

Security: UPnP has been historically associated with security risks due to its automatic and potentially unauthenticated nature. UPnP devices might be vulnerable to unauthorized access or exploitation.
2024-04-09 | T5169: Add PoC for generating CGNAT rules rfc6888 | Viacheslav Hletenko
Add PoC for generating CGNAT rules https://datatracker.ietf.org/doc/html/rfc6888
Not all requirements are implemented, but some of them.

Implemented:

REQ-2
```
A CGN MUST have a default "IP address pooling" behavior of "Paired"
CGN must use the same external IP address mapping for all sessions associated with the same internal IP address, be they TCP, UDP, ICMP, something else, or a mix of different protocols.
```
REQ-3
```
The CGN function SHOULD NOT have any limitations on the size or the contiguity of the external address pool
```
REQ-4
```
A CGN MUST support limiting the number of external ports (or, equivalently, "identifiers" for ICMP) that are assigned per subscriber
```
CLI:
```
set nat cgnat pool external ext1 external-port-range '1024-65535'
set nat cgnat pool external ext1 per-user-limit port '1000'
set nat cgnat pool external ext1 range 192.0.2.222/32
set nat cgnat pool internal int1 range '100.64.0.0/28'
set nat cgnat rule 10 source pool 'int1'
set nat cgnat rule 10 translation pool 'ext1'
```
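A toy model of the REQ-2 ("paired" pooling) and REQ-4 (per-subscriber port limit) semantics listed above, as an added Python example; it is not the PoC's own code (which generates nftables rules) and only simulates the mapping behaviour with the CLI values from the commit.

```python
import ipaddress
from collections import defaultdict

class PairedCgn:
    """Toy allocator for the REQ-2/REQ-4 behaviour above (constructed example)."""

    def __init__(self, external_prefix, port_range, per_user_limit):
        # REQ-3: the external pool may be any size; a /32 is a single address.
        self.ext_addrs = [str(a) for a in ipaddress.ip_network(external_prefix)]
        self.lo, self.hi = port_range
        self.limit = per_user_limit
        self.pairing = {}                               # internal IP -> external IP
        self.next_port = defaultdict(lambda: self.lo)   # next free port per external IP
        self.ports_used = defaultdict(int)              # ports held per internal IP
        self.sessions = {}                              # (int_ip, proto, port) -> (ext_ip, port)

    def map_session(self, int_ip, proto, int_port):
        key = (int_ip, proto, int_port)
        if key in self.sessions:
            return self.sessions[key]
        if self.ports_used[int_ip] >= self.limit:
            return None                                 # REQ-4: subscriber quota exhausted
        # REQ-2 "paired": the first session picks the external IP, all later
        # sessions of that internal IP (any protocol) reuse it.
        if int_ip not in self.pairing:
            idx = int(ipaddress.ip_address(int_ip)) % len(self.ext_addrs)
            self.pairing[int_ip] = self.ext_addrs[idx]
        ext_ip = self.pairing[int_ip]
        port = self.next_port[ext_ip]
        if port > self.hi:
            return None                                 # external port range exhausted
        self.next_port[ext_ip] = port + 1
        self.ports_used[int_ip] += 1
        self.sessions[key] = (ext_ip, port)
        return self.sessions[key]

def run_scenario():
    """Walk-through with the CLI values above; returns the observed mappings."""
    cgn = PairedCgn('192.0.2.222/32', (1024, 65535), 1000)
    tcp = cgn.map_session('100.64.0.1', 'tcp', 40000)
    udp = cgn.map_session('100.64.0.1', 'udp', 53)       # same external IP (REQ-2)
    for p in range(998):                                 # fill the subscriber's quota
        cgn.map_session('100.64.0.1', 'tcp', 1 + p)
    over = cgn.map_session('100.64.0.1', 'tcp', 50000)   # None: REQ-4 limit hit
    other = cgn.map_session('100.64.0.2', 'tcp', 40000)  # neighbour still served
    return tcp, udp, over, other

if __name__ == '__main__':
    print(run_scenario())
```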
2024-02-01upnp: T5989: add ipv4-prefix as a valid option for UPnP ACLsChris Buechler
2024-02-01Merge pull request #2756 from nicolas-fort/T4839Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration
2024-01-25T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet.
2024-01-22vrf: T5973: move initial conntrack firewall table to startupChristian Breunig
There is no need to add and remove this table during runtime - it can lurk in the standard firewall init code.
2024-01-12T5922: firewall: fix intra-zone filtering parsing rules; update firewall ↵Nicolas Fort
smoketest
2023-12-26firewall: T5834: Add support for default log for route policyIndrajit Raychaudhuri
One can now do `set policy route foo default-log` which will add log to the policy route chain.
2023-11-24T5775: firewall: re-add state-policy to firewall. These commands are now ↵Nicolas Fort
included in <set firewall global-options state-policy> node.
2023-11-22T5637: firewall: extend rule for default-action to firewall bridge, in order ↵Nicolas Fort
to be able to catch logs using separte rule for default-action
2023-10-19Merge pull request #2362 from nicolas-fort/T5541Christian Breunig
T5541: firewall zone: re add firewall zone-base firewall
2023-10-13T5541: firewall zone: re add firewall zone-base firewallNicolas Fort
2023-10-06T5637: add new rule at the end of base chains for default-actions. This ↵Nicolas Fort
enables log capabilities for default-action in base chains. And of course, add option for enabling log for default-action
2023-09-19bridge: T4072: Prevent error when removing firewall bridge configsarthurdev
A commit that removes `firewall bridge` will delete the table and not re-create it. Therefore any further firewall commit will fail trying to delete the non-existent bridge table. This commit ensures the table is always present (even if empty) to ensure successful commit.
2023-09-19firewall: T4502: Update to flowtable CLIsarthurdev
`set firewall flowtable <name> interface <ifname>` `set firewall flowtable <name> offload [software|hardware]` `set firewall [ipv4|ipv6] forward filter rule N action offload` `set firewall [ipv4|ipv6] forward filter rule N offload-target <name>`
2023-09-16conntrack: T5571: Refactor conntrack to be independent conf script from ↵sarthurdev
firewall, nat, nat66
2023-09-15T4502: Fix syntax error introduced by #2062Yuxiang Zhu
When rebasing https://github.com/vyos/vyos-1x/pull/2062, some additional lines are mistakenly included. https://github.com/vyos/vyos-1x/commit/45cfd569119b66abd2f0dfb954042b57921881bd has removed the extra `}`, but the `{{ group_tmpl.groups(group, True) }}` line needs to be removed as well.
2023-09-15firewall: T4502: fix syntax error unexpected '}'Christian Breunig
2023-09-14Merge pull request #2062 from vfreex/simple-fastpath-supportViacheslav Hletenko
T4502: firewall: Add software flow offload using flowtable
2023-09-11T3655: Fix NAT problem with VRFYuxiang Zhu
Linux netfilter patch https://patchwork.ozlabs.org/project/netfilter-devel/patch/d0f84a97f9c86bec4d537536a26d0150873e640d.1439559328.git.daniel@iogearbox.net/ adds direction support for conntrack zones, which makes it possible to do NAT with conflicting IP address/port tuples from multiple, isolated tenants on a host. According to the description of the kernel patch: > ... overlapping tuples can be made unique with the zone identifier in original direction, where the NAT engine will then allocate a unique tuple in the commonly shared default zone for the reply direction. I did some basic tests in my lab and it worked fine to forward packets from eth0 to pppoe0. - eth0 192.168.1.1/24 in VRF red - pppoe0 dynamic public IP from ISP VRF default - set vrf name red protocols static route 0.0.0.0/0 interface pppoe0 vrf 'default' - set protocols static route 192.168.1.0/24 interface eth0 vrf 'red' `conntrack -L` shows something like: ``` tcp 6 113 ESTABLISHED src=192.168.1.2 dst=1.1.1.1 sport=58946 dport=80 zone-orig=250 packets=6 bytes=391 src=1.1.1.1 dst=<my-public-ip> sport=80 dport=58946 packets=4 bytes=602 [ASSURED] mark=0 helper=tns use=1 ``` It would be much appreciated if someone could test this with more complex VRF setup.
2023-09-09T4502: firewall: Add software flow offload using flowtableYuxiang Zhu
The following commands will enable nftables flowtable offload on interfaces eth0 eth1: ``` set firewall global-options flow-offload software interface <name> set firewall global-options flow-offload hardware interface <name> ``` Generated nftables rules: ``` table inet vyos_offload { flowtable VYOS_FLOWTABLE_software { hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 }; counter } chain VYOS_OFFLOAD_software { type filter hook forward priority filter - 1; policy accept; ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software } } ``` Use this option to count packets and bytes for each offloaded flow: ``` set system conntrack flow-accounting ``` To verify a connection is offloaded, run ``` cat /proc/net/nf_conntrack|grep OFFLOAD ``` This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590 A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath