From 37cfa8cdb1c6a1d395109aabd3ee29e83db151da Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Sat, 27 Aug 2022 15:35:52 +0000 Subject: Firewall: T4651: Add options to match packet size on firewall rules. --- python/vyos/firewall.py | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'python') diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 663c4394a..a4fd64830 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -265,6 +265,32 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if 'type' in rule_conf[icmp]: output.append(icmp + ' type ' + rule_conf[icmp]['type']) + + if 'ip_length' in rule_conf: + #proto = rule_conf['protocol'] + length = rule_conf['ip_length'].split(',') + + lengths = [] + negated_lengths = [] + + for p in length: + if p[0] == '!': + negated_lengths.append(p[1:]) + else: + lengths.append(p) + + #if proto == 'tcp_udp': + # proto = 'th' + + if lengths: + lengths_str = ','.join(lengths) + output.append(f'ip{def_suffix} length {{{lengths_str}}}') + + if negated_lengths: + negated_lengths_str = ','.join(negated_lengths) + output.append(f'ip{def_suffix} length != {{{negated_lengths_str}}}') + + if 'ipsec' in rule_conf: if 'match_ipsec' in rule_conf['ipsec']: output.append('meta ipsec == 1') -- cgit v1.2.3 From 312ee15058fbb26feb6a93520417f0d5343ad15b Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Thu, 1 Sep 2022 19:08:37 +0000 Subject: Firewall: T4651: Change proposed cli from ip-length to packet-length --- interface-definitions/firewall.xml.in | 42 ++-------------------- .../include/firewall/packet-length.xml.i | 18 ++++++++++ python/vyos/firewall.py | 7 ++-- smoketest/scripts/cli/test_firewall.py | 12 +++---- src/validators/ip-length | 29 --------------- src/validators/packet-length | 29 +++++++++++++++ 6 files changed, 57 insertions(+), 80 deletions(-) create mode 100644 interface-definitions/include/firewall/packet-length.xml.i delete mode 100755 src/validators/ip-length create mode 100755 src/validators/packet-length (limited to 'python') diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index f838f1b88..ed84acbb7 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -383,26 +383,7 @@ #include - - - Payload size in bytes, including any extension header - - u32:1-65535 - Numbered packet length - - - <start-end> - Packet length range (e.g. 1001-1005) - - - - \n\n Multiple values can be specified as a comma-separated list.\n For example: '64, 512,1001-1005' - - - - - - + #include Hop Limit @@ -591,26 +572,7 @@ #include - - - Packet size in bytes, including header and data - - u32:1-65535 - Numbered packet length - - - <start-end> - Packet length range (e.g. 1001-1005) - - - - \n\n Multiple values can be specified as a comma-separated list.\n For example: '64, 512,1001-1005' - - - - - - + #include ICMP type and code information diff --git a/interface-definitions/include/firewall/packet-length.xml.i b/interface-definitions/include/firewall/packet-length.xml.i new file mode 100644 index 000000000..866a76bbb --- /dev/null +++ b/interface-definitions/include/firewall/packet-length.xml.i @@ -0,0 +1,18 @@ + + + + Payload size in bytes, including header and data + + u32:1-65535 + Packet length value. Multiple values can be specified as a comma-separated list. Inverted match is also supported + + + <start-end> + Packet length range. Inverted match is also supported (e.g. 1001-1005 or !1001-1005) + + + + + + + diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index a4fd64830..ea28aa91d 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -266,9 +266,9 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): output.append(icmp + ' type ' + rule_conf[icmp]['type']) - if 'ip_length' in rule_conf: + if 'packet_length' in rule_conf: #proto = rule_conf['protocol'] - length = rule_conf['ip_length'].split(',') + length = rule_conf['packet_length'].split(',') lengths = [] negated_lengths = [] @@ -279,9 +279,6 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): else: lengths.append(p) - #if proto == 'tcp_udp': - # proto = 'th' - if lengths: lengths_str = ','.join(lengths) output.append(f'ip{def_suffix} length {{{lengths_str}}}') diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index 5ca00eafa..8b6c221e3 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -210,11 +210,11 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'name', 'smoketest', 'rule', '5', 'tcp', 'mss', mss_range]) self.cli_set(['firewall', 'name', 'smoketest', 'rule', '6', 'action', 'accept']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '6', 'ip-length', '64,512,1024']) + self.cli_set(['firewall', 'name', 'smoketest', 'rule', '6', 'packet-length', '64,512,1024']) self.cli_set(['firewall', 'name', 'smoketest', 'rule', '7', 'action', 'accept']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '7', 'ip-length', '0-30000']) + self.cli_set(['firewall', 'name', 'smoketest', 'rule', '7', 'packet-length', '0-30000']) self.cli_set(['firewall', 'name', 'smoketest', 'rule', '8', 'action', 'accept']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '8', 'ip-length', '!60000-65535']) + self.cli_set(['firewall', 'name', 'smoketest', 'rule', '8', 'packet-length', '!60000-65535']) self.cli_set(['interfaces', 'ethernet', 'eth0', 'firewall', 'in', 'name', 'smoketest']) @@ -250,11 +250,11 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '2', 'destination', 'port', '8888']) self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '3', 'action', 'accept']) - self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '3', 'ip-length', '64,512,1024']) + self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '3', 'packet-length', '64,512,1024']) self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '4', 'action', 'accept']) - self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '4', 'ip-length', '0-30000']) + self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '4', 'packet-length', '0-30000']) self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '5', 'action', 'accept']) - self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '5', 'ip-length', '!60000-65535']) + self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '5', 'packet-length', '!60000-65535']) self.cli_set(['interfaces', 'ethernet', 'eth0', 'firewall', 'in', 'ipv6-name', 'v6-smoketest']) diff --git a/src/validators/ip-length b/src/validators/ip-length deleted file mode 100755 index d96093849..000000000 --- a/src/validators/ip-length +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/python3 - -from sys import argv -from sys import exit -import re - -if __name__ == '__main__': - if len(argv)>1: - lengths = argv[1].split(",") - - for length in lengths: - if length and length[0] == '!': - length = length[1:] - if re.match('^[0-9]{1,5}-[0-9]{1,5}$', length): - length_1, length_2 = length.split('-') - if int(length_1) not in range(0, 65536) or int(length_2) not in range(0, 65536): - print(f'Error: {length} is not a valid length range') - exit(1) - if int(length_1) > int(length_2): - print(f'Error: {length} is not a valid length range') - exit(1) - elif length.isnumeric(): - if int(length) not in range(0, 65536): - print(f'Error: {length} is not a valid length value') - exit(1) - else: - exit(2) - - exit(0) \ No newline at end of file diff --git a/src/validators/packet-length b/src/validators/packet-length new file mode 100755 index 000000000..d96093849 --- /dev/null +++ b/src/validators/packet-length @@ -0,0 +1,29 @@ +#!/usr/bin/python3 + +from sys import argv +from sys import exit +import re + +if __name__ == '__main__': + if len(argv)>1: + lengths = argv[1].split(",") + + for length in lengths: + if length and length[0] == '!': + length = length[1:] + if re.match('^[0-9]{1,5}-[0-9]{1,5}$', length): + length_1, length_2 = length.split('-') + if int(length_1) not in range(0, 65536) or int(length_2) not in range(0, 65536): + print(f'Error: {length} is not a valid length range') + exit(1) + if int(length_1) > int(length_2): + print(f'Error: {length} is not a valid length range') + exit(1) + elif length.isnumeric(): + if int(length) not in range(0, 65536): + print(f'Error: {length} is not a valid length value') + exit(1) + else: + exit(2) + + exit(0) \ No newline at end of file -- cgit v1.2.3 From d9eb48a0ced1eb60bd00fe2f18559b3c780ee98a Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 3 Sep 2022 20:37:10 +0200 Subject: firewall: T4651: re-implement packet-length CLI option to use --- .../include/firewall/packet-length.xml.i | 28 ++++++++-- python/vyos/firewall.py | 25 +++------ smoketest/scripts/cli/test_firewall.py | 59 +++++++++++++++++++++- src/validators/packet-length | 29 ----------- 4 files changed, 88 insertions(+), 53 deletions(-) delete mode 100755 src/validators/packet-length (limited to 'python') diff --git a/interface-definitions/include/firewall/packet-length.xml.i b/interface-definitions/include/firewall/packet-length.xml.i index 866a76bbb..043f56d16 100644 --- a/interface-definitions/include/firewall/packet-length.xml.i +++ b/interface-definitions/include/firewall/packet-length.xml.i @@ -1,18 +1,38 @@ - Payload size in bytes, including header and data + Payload size in bytes, including header and data to match u32:1-65535 - Packet length value. Multiple values can be specified as a comma-separated list. Inverted match is also supported + Packet length to match <start-end> - Packet length range. Inverted match is also supported (e.g. 1001-1005 or !1001-1005) + Packet length range to match - + + + + + + + + Payload size in bytes, including header and data not to match + + u32:1-65535 + Packet length not to match + + + <start-end> + Packet length range not to match + + + + + + diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index ea28aa91d..0bc5378db 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -150,7 +150,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if suffix[0] == '!': suffix = f'!= {suffix[1:]}' output.append(f'{ip_name} {prefix}addr {suffix}') - + if dict_search_args(side_conf, 'geoip', 'country_code'): operator = '' if dict_search_args(side_conf, 'geoip', 'inverse_match') != None: @@ -267,25 +267,12 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if 'packet_length' in rule_conf: - #proto = rule_conf['protocol'] - length = rule_conf['packet_length'].split(',') - - lengths = [] - negated_lengths = [] - - for p in length: - if p[0] == '!': - negated_lengths.append(p[1:]) - else: - lengths.append(p) - - if lengths: - lengths_str = ','.join(lengths) - output.append(f'ip{def_suffix} length {{{lengths_str}}}') + lengths_str = ','.join(rule_conf['packet_length']) + output.append(f'ip{def_suffix} length {{{lengths_str}}}') - if negated_lengths: - negated_lengths_str = ','.join(negated_lengths) - output.append(f'ip{def_suffix} length != {{{negated_lengths_str}}}') + if 'packet_length_exclude' in rule_conf: + negated_lengths_str = ','.join(rule_conf['packet_length_exclude']) + output.append(f'ip{def_suffix} length != {{{negated_lengths_str}}}') if 'ipsec' in rule_conf: diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index c5756a027..1517180de 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -48,7 +48,6 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): cls.cli_delete(cls, ['firewall']) cls.cli_set(cls, ['interfaces', 'ethernet', 'eth0', 'address', eth0_addr]) - cls.debug=True @classmethod def tearDownClass(cls): @@ -233,6 +232,35 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.verify_nftables(nftables_search, 'ip filter') + def test_ipv4_packet_length(self): + name = 'smoketest-plen' + interface = 'eth0' + + self.cli_set(['firewall', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'name', name, 'enable-default-log']) + + self.cli_set(['firewall', 'name', name, 'rule', '6', 'action', 'accept']) + self.cli_set(['firewall', 'name', name, 'rule', '6', 'packet-length', '64']) + self.cli_set(['firewall', 'name', name, 'rule', '6', 'packet-length', '512']) + self.cli_set(['firewall', 'name', name, 'rule', '6', 'packet-length', '1024']) + + self.cli_set(['firewall', 'name', name, 'rule', '7', 'action', 'accept']) + self.cli_set(['firewall', 'name', name, 'rule', '7', 'packet-length', '1-30000']) + self.cli_set(['firewall', 'name', name, 'rule', '7', 'packet-length-exclude', '60000-65535']) + + self.cli_set(['interfaces', 'ethernet', interface, 'firewall', 'in', 'name', name]) + + self.cli_commit() + + nftables_search = [ + [f'iifname "{interface}"', f'jump NAME_{name}'], + ['ip length { 64, 512, 1024 }', 'return'], + ['ip length { 1-30000 }', 'ip length != { 60000-65535 }', 'return'], + [f'log prefix "[{name}-default-D]" drop'] + ] + + self.verify_nftables(nftables_search, 'ip filter') + def test_ipv6_basic_rules(self): name = 'v6-smoketest' interface = 'eth0' @@ -263,6 +291,35 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.verify_nftables(nftables_search, 'ip6 filter') + def test_ipv6_packet_length(self): + name = 'v6-smoketest-plen' + interface = 'eth0' + + self.cli_set(['firewall', 'ipv6-name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv6-name', name, 'enable-default-log']) + + self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'action', 'accept']) + self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'packet-length', '65']) + self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'packet-length', '513']) + self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'packet-length', '1025']) + + self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'action', 'accept']) + self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'packet-length', '1-1999']) + self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'packet-length-exclude', '60000-65535']) + + self.cli_set(['interfaces', 'ethernet', interface, 'firewall', 'in', 'ipv6-name', name]) + + self.cli_commit() + + nftables_search = [ + [f'iifname "{interface}"', f'jump NAME6_{name}'], + ['ip6 length { 65, 513, 1025 }', 'return'], + ['ip6 length { 1-1999 }', 'ip6 length != { 60000-65535 }', 'return'], + [f'log prefix "[{name}-default-D]"', 'drop'] + ] + + self.verify_nftables(nftables_search, 'ip6 filter') + def test_state_policy(self): self.cli_set(['firewall', 'state-policy', 'established', 'action', 'accept']) self.cli_set(['firewall', 'state-policy', 'related', 'action', 'accept']) diff --git a/src/validators/packet-length b/src/validators/packet-length deleted file mode 100755 index d96093849..000000000 --- a/src/validators/packet-length +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/python3 - -from sys import argv -from sys import exit -import re - -if __name__ == '__main__': - if len(argv)>1: - lengths = argv[1].split(",") - - for length in lengths: - if length and length[0] == '!': - length = length[1:] - if re.match('^[0-9]{1,5}-[0-9]{1,5}$', length): - length_1, length_2 = length.split('-') - if int(length_1) not in range(0, 65536) or int(length_2) not in range(0, 65536): - print(f'Error: {length} is not a valid length range') - exit(1) - if int(length_1) > int(length_2): - print(f'Error: {length} is not a valid length range') - exit(1) - elif length.isnumeric(): - if int(length) not in range(0, 65536): - print(f'Error: {length} is not a valid length value') - exit(1) - else: - exit(2) - - exit(0) \ No newline at end of file -- cgit v1.2.3