From 2ee8d0eef88acab60b42d0424c034414de47bddd Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 5 Sep 2023 14:51:16 +0200
Subject: interface: T5550: Interface source-validation priority over global
value
- Migrate IPv4 source-validation to nftables
- Interface source-validation value takes priority, fallback to global value
---
smoketest/scripts/cli/base_interfaces_test.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py
index 820024dc9..51ccbc9e6 100644
--- a/smoketest/scripts/cli/base_interfaces_test.py
+++ b/smoketest/scripts/cli/base_interfaces_test.py
@@ -834,8 +834,12 @@ class BasicInterfaceTest:
self.assertEqual('1', tmp)
if cli_defined(self._base_path + ['ip'], 'source-validation'):
- tmp = read_file(f'{proc_base}/rp_filter')
- self.assertEqual('2', tmp)
+ base_options = f'iifname "{interface}"'
+ out = cmd('sudo nft list chain ip raw vyos_rpfilter')
+ for line in out.splitlines():
+ if line.startswith(base_options):
+ self.assertIn('fib saddr oif 0', line)
+ self.assertIn('drop', line)
def test_interface_ipv6_options(self):
if not self._test_ipv6:
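Review bot: The loop on the `for line in out.splitlines()` line passes vacuously when no rule in `vyos_rpfilter` starts with `iifname "<interface>"`; the removed `rp_filter` read always asserted on a value, whereas now a missing per-interface rule, or a chain that failed to render, goes undetected. Collect the matches first and require at least one: `rules = [l for l in out.splitlines() if l.startswith(base_options)]`, `self.assertTrue(rules, f'no rpfilter rule for {interface}')`, then iterate `rules` with the two `assertIn` checks. The expectation `fib saddr oif 0` corresponds to the loose mode the old value `2` checked, so the assertion itself is consistent. The enclosing test method starts outside the hunk.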
--
From e8070a2e36e9101d52d7db4025f7ff37a00625e8 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 5 Sep 2023 16:09:45 +0200
Subject: firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on
interfaces
---
data/templates/firewall/nftables.j2 | 4 +--
.../include/firewall/global-options.xml.i | 32 +++++++++++++++++++---
smoketest/scripts/cli/test_firewall.py | 8 ++++--
3 files changed, 36 insertions(+), 8 deletions(-)
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index d7660c37b..a82a5537b 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -29,9 +29,9 @@ table ip6 raw {
}
chain vyos_global_rpfilter {
-{% if global_options.source_validation is vyos_defined('loose') %}
+{% if global_options.ipv6_source_validation is vyos_defined('loose') %}
fib saddr oif 0 counter drop
-{% elif global_options.source_validation is vyos_defined('strict') %}
+{% elif global_options.ipv6_source_validation is vyos_defined('strict') %}
fib saddr . iif oif 0 counter drop
{% endif %}
return
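Review bot: With the `ip6 raw` chain now keyed on `global_options.ipv6_source_validation`, an existing configuration that set only `source-validation strict` silently loses IPv6 reverse-path filtering on upgrade, because the new `ipv6-source-validation` node defaults to `disable` (see the global-options.xml.i hunk below) and no migration script is part of this diff. Unless a migrator elsewhere copies the old value, a migration that seeds `ipv6-source-validation` from the previous `source-validation` value, or at least a note of the behavior change in the commit message, would be appropriate. The `ip raw` chain that still reads `source_validation` is outside this hunk.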
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
index a63874cb0..e655cd6ac 100644
--- a/interface-definitions/include/firewall/global-options.xml.i
+++ b/interface-definitions/include/firewall/global-options.xml.i
@@ -145,21 +145,21 @@
- Policy for source validation by reversed path, as specified in RFC3704
+ Policy for IPv4 source validation by reversed path, as specified in RFC3704
strict loose disable
strict
- Enable Strict Reverse Path Forwarding as defined in RFC3704
+ Enable IPv4 Strict Reverse Path Forwarding as defined in RFC3704
loose
- Enable Loose Reverse Path Forwarding as defined in RFC3704
+ Enable IPv4 Loose Reverse Path Forwarding as defined in RFC3704
disable
- No source validation
+ No IPv4 source validation
(strict|loose|disable)
@@ -227,6 +227,30 @@
disable
+
+
+ Policy for IPv6 source validation by reversed path, as specified in RFC3704
+
+ strict loose disable
+
+
+ strict
+ Enable IPv6 Strict Reverse Path Forwarding as defined in RFC3704
+
+
+ loose
+ Enable IPv6 Loose Reverse Path Forwarding as defined in RFC3704
+
+
+ disable
+ No IPv6 source validation
+
+
+ (strict|loose|disable)
+
+
+ disable
+
Policy for handling IPv6 packets with routing extension header
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index ee6ccb710..6f9093f4d 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -529,23 +529,27 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
def test_source_validation(self):
# Strict
self.cli_set(['firewall', 'global-options', 'source-validation', 'strict'])
+ self.cli_set(['firewall', 'global-options', 'ipv6-source-validation', 'strict'])
self.cli_commit()
nftables_strict_search = [
['fib saddr . iif oif 0', 'drop']
]
- self.verify_nftables(nftables_strict_search, 'inet vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_strict_search, 'ip raw', 'vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_strict_search, 'ip6 raw', 'vyos_global_rpfilter')
# Loose
self.cli_set(['firewall', 'global-options', 'source-validation', 'loose'])
+ self.cli_set(['firewall', 'global-options', 'ipv6-source-validation', 'loose'])
self.cli_commit()
nftables_loose_search = [
['fib saddr oif 0', 'drop']
]
- self.verify_nftables(nftables_loose_search, 'inet vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_loose_search, 'ip raw', 'vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_loose_search, 'ip6 raw', 'vyos_global_rpfilter')
def test_sysfs(self):
for name, conf in sysfs_config.items():
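Review bot: Setting both `source-validation` and `ipv6-source-validation` to the same value in each step means the test cannot distinguish the two chains; a template that rendered the IPv4 option into the `ip6 raw` chain, or the reverse, would still satisfy both `verify_nftables_chain` calls. Use different values per family in at least one step, e.g. in the strict block set `['firewall', 'global-options', 'ipv6-source-validation', 'loose']` and check `self.verify_nftables_chain(nftables_loose_search, 'ip6 raw', 'vyos_global_rpfilter')` while `ip raw` is still checked against `nftables_strict_search`. The `disable` case, where no drop rule should be present in either chain, is also not covered. `verify_nftables_chain` is not defined in this diff; presumably it lives in the test base class.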
--