From 2ee8d0eef88acab60b42d0424c034414de47bddd Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 5 Sep 2023 14:51:16 +0200
Subject: interface: T5550: Interface source-validation priority over global value
- Migrate IPv4 source-validation to nftables
- Interface source-validation value takes priority, fallback to global value
---
smoketest/scripts/cli/base_interfaces_test.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'smoketest')
diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py
index 820024dc9..51ccbc9e6 100644
--- a/smoketest/scripts/cli/base_interfaces_test.py
+++ b/smoketest/scripts/cli/base_interfaces_test.py
@@ -834,8 +834,12 @@ class BasicInterfaceTest:
self.assertEqual('1', tmp)
if cli_defined(self._base_path + ['ip'], 'source-validation'):
- tmp = read_file(f'{proc_base}/rp_filter')
- self.assertEqual('2', tmp)
+ base_options = f'iifname "{interface}"'
+ out = cmd('sudo nft list chain ip raw vyos_rpfilter')
+ for line in out.splitlines():
+ if line.startswith(base_options):
+ self.assertIn('fib saddr oif 0', line)
+ self.assertIn('drop', line)
def test_interface_ipv6_options(self):
if not self._test_ipv6:
--
cgit v1.2.3
From e8070a2e36e9101d52d7db4025f7ff37a00625e8 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 5 Sep 2023 16:09:45 +0200
Subject: firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on interfaces
---
data/templates/firewall/nftables.j2 | 4 +--
.../include/firewall/global-options.xml.i | 32 +++++++++++++++++++---
smoketest/scripts/cli/test_firewall.py | 8 ++++-
3 files changed, 36 insertions(+), 8 deletions(-)
(limited to 'smoketest')
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index d7660c37b..a82a5537b 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
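Review bot: The loop added under the `cli_defined` branch asserts only on lines that start with `base_options`, so if `nft list chain ip raw vyos_rpfilter` returns no rule for the interface the test passes without checking anything — a regression that stops emitting the per-interface rpfilter rule (silently disabling source validation) would go unnoticed. Collect the matches and require at least one, e.g. `matches = [l for l in out.splitlines() if l.startswith(base_options)]` followed by `self.assertTrue(matches, f'no rpfilter rule for {interface}')`, then run the two `assertIn` checks over `matches`. The asserted `fib saddr oif 0` pattern corresponds to loose mode, so the value the test sets earlier (outside this hunk) is presumably `loose`; strict (`fib saddr . iif oif 0`) is not exercised here. The enclosing test method starts before this hunk.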
@@ -29,9 +29,9 @@ table ip6 raw { } chain vyos_global_rpfilter { -{% if global_options.source_validation is vyos_defined('loose') %} +{% if global_options.ipv6_source_validation is vyos_defined('loose') %} fib saddr oif 0 counter drop -{% elif global_options.source_validation is vyos_defined('strict') %} +{% elif global_options.ipv6_source_validation is vyos_defined('strict') %} fib saddr . iif oif 0 counter drop {% endif %} return diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i index a63874cb0..e655cd6ac 100644 --- a/interface-definitions/include/firewall/global-options.xml.i +++ b/interface-definitions/include/firewall/global-options.xml.i @@ -145,21 +145,21 @@ - Policy for source validation by reversed path, as specified in RFC3704 + Policy for IPv4 source validation by reversed path, as specified in RFC3704 strict loose disable strict - Enable Strict Reverse Path Forwarding as defined in RFC3704 + Enable IPv4 Strict Reverse Path Forwarding as defined in RFC3704 loose - Enable Loose Reverse Path Forwarding as defined in RFC3704 + Enable IPv4 Loose Reverse Path Forwarding as defined in RFC3704 disable - No source validation + No IPv4 source validation (strict|loose|disable) @@ -227,6 +227,30 @@ disable + + + Policy for IPv6 source validation by reversed path, as specified in RFC3704 + + strict loose disable + + + strict + Enable IPv6 Strict Reverse Path Forwarding as defined in RFC3704 + + + loose + Enable IPv6 Loose Reverse Path Forwarding as defined in RFC3704 + + + disable + No IPv6 source validation + + + (strict|loose|disable) + + + disable + Policy for handling IPv6 packets with routing extension header diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index ee6ccb710..6f9093f4d 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py 
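Review bot: The `ip6 raw` `vyos_global_rpfilter` chain now keys on `ipv6_source_validation`, and the new `ipv6-source-validation` node in global-options.xml.i defaults to `disable`, so an existing configuration with `source-validation strict` or `loose` loses its IPv6 reverse-path filtering on upgrade unless something copies the old value across — the diffstat lists only the template, the XML and the smoketest, so no migration script is part of this commit (it may be handled in a separate change; worth confirming). If it is not, add a migrator that sets `firewall global-options ipv6-source-validation` to the current `source-validation` value, or make the IPv6 node fall back to the IPv4 setting instead of `disable`, so that the split does not silently weaken anti-spoofing for IPv6. The chain's closing brace and the rest of `table ip6 raw` are outside the hunk.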
@@ -529,23 +529,27 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
def test_source_validation(self):
# Strict
self.cli_set(['firewall', 'global-options', 'source-validation', 'strict'])
+ self.cli_set(['firewall', 'global-options', 'ipv6-source-validation', 'strict'])
self.cli_commit()
nftables_strict_search = [ ['fib saddr . iif oif 0', 'drop'] ]
- self.verify_nftables(nftables_strict_search, 'inet vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_strict_search, 'ip raw', 'vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_strict_search, 'ip6 raw', 'vyos_global_rpfilter')
# Loose
self.cli_set(['firewall', 'global-options', 'source-validation', 'loose'])
+ self.cli_set(['firewall', 'global-options', 'ipv6-source-validation', 'loose'])
self.cli_commit()
nftables_loose_search = [ ['fib saddr oif 0', 'drop'] ]
- self.verify_nftables(nftables_loose_search, 'inet vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_loose_search, 'ip raw', 'vyos_global_rpfilter')
+ self.verify_nftables_chain(nftables_loose_search, 'ip6 raw', 'vyos_global_rpfilter')
def test_sysfs(self):
for name, conf in sysfs_config.items():
--
cgit v1.2.3
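Review bot: Both the strict and the loose step set `source-validation` and `ipv6-source-validation` to the same value, so `test_source_validation` cannot distinguish the new split from the old behaviour — a template that still rendered the ip6 chain from the IPv4 key would pass both steps. Add a mixed step that configures the two families differently and checks the `ip6 raw` chain carries no rpfilter rule, and ideally a `disable` step asserting neither chain renders a `fib` rule. `verify_nftables_chain` is a new helper name in this file and is not visible in the diff, so its existence (and whether it supports negative matching) should be confirmed; the fence below assumes `cmd` is importable here as it is in base_interfaces_test.py.
```python
        # … unchanged: strict and loose steps above …
        # Mixed: the IPv4 setting must not leak into the ip6 table
        self.cli_set(['firewall', 'global-options', 'source-validation', 'strict'])
        self.cli_set(['firewall', 'global-options', 'ipv6-source-validation', 'disable'])
        self.cli_commit()
        self.verify_nftables_chain(nftables_strict_search, 'ip raw', 'vyos_global_rpfilter')
        out = cmd('sudo nft list chain ip6 raw vyos_global_rpfilter')
        self.assertNotIn('fib saddr', out)
```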