Merge pull request vyos#4236 from opswill/current

T6918: Accept invalid PPPoE Session in stateful bridge firewall.
nvollmar · Dec 18, 2024 · 6074370 · 6074370
2 parents e0c6262 + 833d586
commit 6074370
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 2 deletions.
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
@@ -382,6 +382,7 @@ table bridge vyos_filter {
 {%                 if 'invalid_connections' in global_options.apply_to_bridged_traffic %}
         ct state invalid udp sport 67 udp dport 68 counter accept
         ct state invalid ether type arp counter accept
+        ct state invalid ether type 0x8864 counter accept
 {%                 endif %}
 {%             endif %}
 {%             if global_options.state_policy is vyos_defined %}
@@ -445,4 +446,4 @@ table bridge vyos_filter {
         return
     }
 {% endif %}
-}
+}
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
@@ -51,7 +51,7 @@
       <children>
         <leafNode name="invalid-connections">
           <properties>
-            <help>Accept ARP and DHCP despite they are marked as invalid connection</help>
+            <help>Accept ARP, DHCP and PPPoE despite they are marked as invalid connection</help>
             <valueless/>
           </properties>
         </leafNode>

diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
@@ -765,6 +765,7 @@ def test_bridge_firewall(self):
             ['type filter hook output priority filter; policy accept;'],
             ['ct state invalid', 'udp sport 67', 'udp dport 68', 'accept'],
             ['ct state invalid', 'ether type arp', 'accept'],
+            ['ct state invalid', 'ether type 0x8864', 'accept'],
             ['chain VYOS_PREROUTING_filter'],
             ['type filter hook prerouting priority filter; policy accept;'],
             ['ip6 daddr @A6_AGV6', 'notrack'],