From be3d2f9f6623396f2e9c6543f67d81161c7ad94b Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 5 Sep 2023 16:09:45 +0200
Subject: firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on
interfaces
---
data/templates/firewall/nftables.j2 | 4 +--
.../include/firewall/global-options.xml.i | 32 +++++++++++++++++++---
smoketest/scripts/cli/test_firewall.py | 8 ++++--
3 files changed, 36 insertions(+), 8 deletions(-)
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index d7660c37b..a82a5537b 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -29,9 +29,9 @@ table ip6 raw {
}
chain vyos_global_rpfilter {
-{% if global_options.source_validation is vyos_defined('loose') %}
+{% if global_options.ipv6_source_validation is vyos_defined('loose') %}
fib saddr oif 0 counter drop
-{% elif global_options.source_validation is vyos_defined('strict') %}
+{% elif global_options.ipv6_source_validation is vyos_defined('strict') %}
fib saddr . iif oif 0 counter drop
{% endif %}
return
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
index a63874cb0..e655cd6ac 100644
--- a/interface-definitions/include/firewall/global-options.xml.i
+++ b/interface-definitions/include/firewall/global-options.xml.i
@@ -145,21 +145,21 @@
- Policy for source validation by reversed path, as specified in RFC3704
+ Policy for IPv4 source validation by reversed path, as specified in RFC3704
strict loose disable
strict
- Enable Strict Reverse Path Forwarding as defined in RFC3704
+ Enable IPv4 Strict Reverse Path Forwarding as defined in RFC3704
loose
- Enable Loose Reverse Path Forwarding as defined in RFC3704
+ Enable IPv4 Loose Reverse Path Forwarding as defined in RFC3704
disable
- No source validation
+ No IPv4 source validation
(strict|loose|disable)
@@ -227,6 +227,30 @@
disable
+
+
+ Policy for IPv6 source validation by reversed path, as specified in RFC3704
+
+ strict loose disable
+
+
+ strict
+ Enable IPv6 Strict Reverse Path Forwarding as defined in RFC3704
+
+
+ loose
+ Enable IPv6 Loose Reverse Path Forwarding as defined in RFC3704
+
+
+ disable
+ No IPv6 source validation
+
+
+ (strict|loose|disable)
+
+
+ disable
+
Policy for handling IPv6 packets with routing extension header
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index ee6ccb710..6f9093f4d 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -529,23 +529,27 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
def test_source_validation(self):
# Strict
self.cli_set(['firewall', 'global-options', 'source-validation', 'strict'])
+ self.cli_set(['firewall', 'global-options', 'ipv6-source-validation', 'strict'])
self.cli_commit()
nftables_strict_search = [
['fib saddr . iif oif 0', 'drop']
]
- self.verify_nftables(nftables_strict_search, 'inet vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_strict_search, 'ip raw', 'vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_strict_search, 'ip6 raw', 'vyos_global_rpfilter')
# Loose
self.cli_set(['firewall', 'global-options', 'source-validation', 'loose'])
+ self.cli_set(['firewall', 'global-options', 'ipv6-source-validation', 'loose'])
self.cli_commit()
nftables_loose_search = [
['fib saddr oif 0', 'drop']
]
- self.verify_nftables(nftables_loose_search, 'inet vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_loose_search, 'ip raw', 'vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_loose_search, 'ip6 raw', 'vyos_global_rpfilter')
def test_sysfs(self):
for name, conf in sysfs_config.items():
--
cgit v1.2.3