From d62f8ed1e3608d82e3e4fb7566817839023aa39c Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Thu, 29 Sep 2022 13:59:10 +0200
Subject: firewall: T3509: Add support for IPv6 return path filtering

---
 data/templates/firewall/nftables.j2    | 14 ++++++++++++++
 smoketest/scripts/cli/test_firewall.py | 21 +++++++++++++++++++++
 src/conf_mode/firewall.py              |  1 -
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 10cbc68cb..d889a505d 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -2,6 +2,20 @@
 
 {% import 'firewall/nftables-defines.j2' as group_tmpl %}
 
+{% if first_install is not vyos_defined %}
+delete table inet vyos_rpfilter
+{% endif %}
+table inet vyos_rpfilter {
+    chain PREROUTING {
+        type filter hook prerouting priority -300; policy accept;
+{% if global_options.source_validation is vyos_defined('loose') %}
+        fib saddr oif 0 counter drop
+{% elif global_options.source_validation is vyos_defined('strict') %}
+        fib saddr . iif oif 0 counter drop
+{% endif %}
+    }
+}
+
 {% if first_install is not vyos_defined %}
 delete table ip vyos_filter
 {% endif %}
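Review bot: The table created here is `inet vyos_rpfilter`, but the smoketest hunk in this commit verifies `inet vyos_global_rpfilter`, so one of the two names must change or test_source_validation cannot pass. The `delete table inet vyos_rpfilter` emitted whenever first_install is unset will make the ruleset load fail on a system upgraded from a release that never created this table, unless the caller already guarantees the table exists before clearing first_install — worth confirming. Because the family is `inet`, both IPv4 and IPv6 are now filtered by these rules while the kernel rp_filter sysctl is no longer written by firewall.py, so a previously applied kernel value presumably persists until reboot. A short template comment would help the next reader: `{# Return-path filter: the fib lookup yields oif 0 when the source has no route at all (loose) or no route via the ingress interface (strict) #}`.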
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index b2076c077..c6514210b 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -511,6 +511,27 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 
         self.verify_nftables(nftables_search, 'ip vyos_filter')
 
+    def test_source_validation(self):
+        # Strict
+        self.cli_set(['firewall', 'global-options', 'source-validation', 'strict'])
+        self.cli_commit()
+
+        nftables_strict_search = [
+            ['fib saddr . iif oif 0', 'drop']
+        ]
+
+        self.verify_nftables(nftables_strict_search, 'inet vyos_global_rpfilter')
+
+        # Loose
+        self.cli_set(['firewall', 'global-options', 'source-validation', 'loose'])
+        self.cli_commit()
+
+        nftables_loose_search = [
+            ['fib saddr oif 0', 'drop']
+        ]
+
+        self.verify_nftables(nftables_loose_search, 'inet vyos_global_rpfilter')
+
     def test_sysfs(self):
         for name, conf in sysfs_config.items():
             paths = glob(conf['sysfs'])
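Review bot: test_source_validation only checks that strict and loose each install their drop rule; it never commits `source-validation` `disable` (the value the removed sysfs entry accepted) and confirms the drop rule is gone, so a chain that kept a stale `fib saddr` rule after a mode change would still pass. After the loose check, set the option to `disable`, commit, and assert that no `fib saddr` drop remains in the chain, which needs a negative counterpart to verify_nftables if the harness has none. The method also lacks a docstring; `"""Strict and loose source-validation each render one fib-based drop in the rpfilter chain; disable renders none."""` would state the contract. The enclosing TestFirewall class starts before and continues after this hunk.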
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 8ad3f27fc..62116358e 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -54,7 +54,6 @@ sysfs_config = {
     'log_martians': {'sysfs': '/proc/sys/net/ipv4/conf/all/log_martians'},
     'receive_redirects': {'sysfs': '/proc/sys/net/ipv4/conf/*/accept_redirects'},
     'send_redirects': {'sysfs': '/proc/sys/net/ipv4/conf/*/send_redirects'},
-    'source_validation': {'sysfs': '/proc/sys/net/ipv4/conf/*/rp_filter', 'disable': '0', 'strict': '1', 'loose': '2'},
     'syn_cookies': {'sysfs': '/proc/sys/net/ipv4/tcp_syncookies'},
     'twa_hazards_protection': {'sysfs': '/proc/sys/net/ipv4/tcp_rfc1337'}
 }
-- 
cgit v1.2.3