Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

T5160: Firewall refactor #2016

Merged
merged 13 commits into from
Aug 11, 2023
Merged

T5160: Firewall refactor #2016

merged 13 commits into from
Aug 11, 2023

Conversation

nicolas-fort
Copy link
Contributor

@nicolas-fort nicolas-fort commented May 23, 2023
edited
Loading

Change Summary

Firewall refactor

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Component(s) name

firewall

Proposed changes

How to test

Some config migration were done.
Example on how new cli looks:

vyos@zone-mig:~$ conf
[edit]
vyos@zone-mig# set firewall
Possible completions:
 > global-options       Global Options
 > group                Firewall group
 > ipv4                   IPv4 firewall
 > ipv6                 IPv6 firewall


[edit]
vyos@zone-mig# set firewall ipv4
Possible completions:
 > forward              IPv4 forward firewall
 > input                IPv4 input firewall
+> name                 IPv4 custom firewall
 > output               IPv4 output firewall


[edit]
vyos@zone-mig# set firewall ipv4 input
Possible completions:
 > filter               IPv4 firewall input filter  


[edit]
vyos@zone-mig# set firewall ipv4 input filter rule 10 
Possible completions:
   action               Rule action
+  connection-mark      Connection mark
 > connection-status    Connection status
   description          Description

Some config example:

vyos@zone-mig:~$ show config comm | grep input
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 1 action 'accept'
set firewall ipv4 input filter rule 1 state established 'enable'
set firewall ipv4 input filter rule 2 action 'drop'
set firewall ipv4 input filter rule 2 state invalid 'enable'
set firewall ipv4 input filter rule 3 action 'accept'
set firewall ipv4 input filter rule 3 state related 'enable'
set firewall ipv4 input filter rule 101 action 'jump'
set firewall ipv4 input filter rule 101 inbound-interface interface-group 'IG_LAN'
set firewall ipv4 input filter rule 101 jump-target 'LAN-LOCAL'
set firewall ipv4 input filter rule 106 action 'jump'
set firewall ipv4 input filter rule 106 inbound-interface interface-group 'IG_OPENVPN'
set firewall ipv4 input filter rule 106 jump-target 'LOCAL-OPENVPN'
set firewall ipv4 input filter rule 111 action 'jump'
set firewall ipv4 input filter rule 111 inbound-interface interface-group 'IG_RRI'
set firewall ipv4 input filter rule 111 jump-target 'RRI-LOCAL'
set firewall ipv4 input filter rule 116 action 'jump'
set firewall ipv4 input filter rule 116 inbound-interface interface-group 'IG_WAN'
set firewall ipv4 input filter rule 116 jump-target 'WAN-LOCAL'
set firewall ipv4 input filter rule 121 action 'jump'
set firewall ipv4 input filter rule 121 inbound-interface interface-group 'IG_WG'
set firewall ipv4 input filter rule 121 jump-target 'LOCAL-WG'
set firewall ipv4 input filter rule 126 action 'reject'

## And nft ruleset for such config
vyos@zone-mig:~$ sudo nft list chain ip vyos_filter VYOS_INPUT_filter
table ip vyos_filter {
        chain VYOS_INPUT_filter {
                type filter hook input priority filter; policy accept;
                ct state established counter packets 0 bytes 0 accept comment "INP-filter-1"
                ct state invalid counter packets 0 bytes 0 drop comment "INP-filter-2"
                ct state related counter packets 30 bytes 2640 accept comment "INP-filter-3"
                iifname @I_IG_LAN counter packets 12632 bytes 2505599 jump NAME_LAN-LOCAL comment "INP-filter-101"
                iifname @I_IG_OPENVPN counter packets 0 bytes 0 jump NAME_LOCAL-OPENVPN comment "INP-filter-106"
                iifname @I_IG_RRI counter packets 0 bytes 0 jump NAME_RRI-LOCAL comment "INP-filter-111"
                iifname @I_IG_WAN counter packets 0 bytes 0 jump NAME_WAN-LOCAL comment "INP-filter-116"
                iifname @I_IG_WG counter packets 0 bytes 0 jump NAME_LOCAL-WG comment "INP-filter-121"
                counter packets 0 bytes 0 reject comment "INP-filter-126"
        }
}

Smoketest

root@zone-mig:/usr/libexec/vyos/tests/smoke/cli# ./test_firewall.py 
test_geoip (__main__.TestFirewall.test_geoip) ... Updating GeoIP. Please wait...
ok
test_groups (__main__.TestFirewall.test_groups) ... ok
test_ipv4_advanced (__main__.TestFirewall.test_ipv4_advanced) ... ok
test_ipv4_basic_rules (__main__.TestFirewall.test_ipv4_basic_rules) ... ok
test_ipv4_mask (__main__.TestFirewall.test_ipv4_mask) ... ok
test_ipv4_state_and_status_rules (__main__.TestFirewall.test_ipv4_state_and_status_rules) ... ok
test_ipv6_advanced (__main__.TestFirewall.test_ipv6_advanced) ... ok
test_ipv6_basic_rules (__main__.TestFirewall.test_ipv6_basic_rules) ... ok
test_ipv6_mask (__main__.TestFirewall.test_ipv6_mask) ... ok
test_nested_groups (__main__.TestFirewall.test_nested_groups) ... ok
test_sysfs (__main__.TestFirewall.test_sysfs) ... ok

----------------------------------------------------------------------
Ran 11 tests in 29.837s

OK
root@zone-mig:/usr/libexec/vyos/tests/smoke/cli#

Also smoketest for other features, such as policy_route and nat and were tested

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

I will start working on docs soon

@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro, sever-sever and c-po and removed request for a team May 23, 2023 23:59
@c-po
Copy link
Member

c-po commented May 24, 2023

Should we use ipv4 over ip?

sarthurdev
sarthurdev reviewed May 24, 2023
View reviewed changes
Copy link
Member

@sarthurdev sarthurdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks really good. I'll build an iso and test it out!

python/vyos/firewall.py Outdated Show resolved Hide resolved
src/conf_mode/firewall.py Outdated Show resolved Hide resolved
data/templates/firewall/nftables.j2 Outdated Show resolved Hide resolved
data/templates/firewall/nftables.j2 Outdated Show resolved Hide resolved
@nicolas-fort
Copy link
Contributor Author

Should we use ipv4 over ip?

I prefer just using 'ip'. But if 'ipv4' is sounds better, I can change it

@nicolas-fort
Copy link
Contributor Author

Should we use ipv4 over ip?

Moved from ip to ipv4 as requeted!

@github-actions
Copy link

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions
Copy link

Conflicts have been resolved. A maintainer will review the pull request shortly.

@nicolas-fort nicolas-fort marked this pull request as ready for review June 13, 2023 12:34
@vyosbot vyosbot requested a review from a team June 13, 2023 12:34
@nicolas-fort nicolas-fort mentioned this pull request Jun 27, 2023
Merged
sever-sever
sever-sever requested changes Jul 1, 2023
View reviewed changes
interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
Comment on lines +132 to +143
<list>enable disable</list>
</completionHelp>
<valueHelp>
<format>enable</format>
<description>Enable log</description>
</valueHelp>
<valueHelp>
<format>disable</format>
<description>Disable log</description>
</valueHelp>
<constraint>
<regex>(enable|disable)</regex>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not use only log without enable/disable?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. First of all, raw is not in used. Just configured in some parts to see how it would be to add nodes in firewall.
  2. Main idea es refactor, is just to move from one structure to a new one. Fixing or changing this type of configuration will lead to a bigger change, more complex migration, and more failure points. So from my point of view, this is out of scope of this PR. Once we get new cli, I can start fixing or adding things as requested.

interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i Outdated Show resolved Hide resolved
interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
<help>Protocol to match (protocol name, number, or "all")</help>
<completionHelp>
<script>${vyos_completion_dir}/list_protocols.sh</script>
<list>all tcp_udp</list>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about replacing tcp_udp to tcp-udp?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Main idea es refactor, is just to move from one structure to a new one. Fixing or changing this type of configuration will lead to a bigger change, more complex migration, and more failure points. So from my point of view, this is out of scope of this PR. Once we get new cli, I can start fixing or adding things as requested.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tcp_udp looks ugly
We should change it anyway before or after this migration

interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i Show resolved Hide resolved
interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
</leafNode>
<leafNode name="weekdays">
<properties>
<help>Comma separated weekdays to match rule on</help>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we replace comma-separated weekdays with <multi/>?

interface-definitions/include/firewall/common-rule-ipv6.xml.i Outdated Show resolved Hide resolved
interface-definitions/include/firewall/default-action-base-chains.xml.i Show resolved Hide resolved
interface-definitions/include/firewall/global-options.xml.i
<properties>
<help>Policy for handling of all IPv4 ICMP echo requests</help>
<completionHelp>
<list>enable disable</list>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use it without enable/disable as all-ping defined explicitly
The same for the following nodes

interface-definitions/include/firewall/ipv4-hook-forward.xml.i Outdated Show resolved Hide resolved
interface-definitions/include/firewall/ipv6-custom-name.xml.i Outdated Show resolved Hide resolved
@sever-sever sever-sever mentioned this pull request Jul 1, 2023
Closed
12 tasks
@sever-sever
Copy link
Member

I wonder if should we accept by default other interfaces
For example, I set the default action reject for eth1 I don't expect drop for all other interfaces, maybe I'm wrong
For example I have 192.0.2.1 on eth1

vyos@r14# run show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.122.14/24                 u/u  WAN
eth1             192.0.2.1/30                      u/u  
eth2             -                                 u/u

My firewall rule

set firewall ipv4 output filter rule 10 action 'reject'
set firewall ipv4 output filter rule 10 outbound-interface interface-name 'eth1'

So I expect reject messages, but I can't ping anything including localhost

vyos@r14# run ping 192.0.2.2 count 1
PING 192.0.2.2 (192.0.2.2) 56(84) bytes of data.

--- 192.0.2.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[edit]
vyos@r14# 
[edit]
vyos@r14# run ping 192.0.2.1 count 1
PING 192.0.2.1 (192.0.2.1) 56(84) bytes of data.

--- 192.0.2.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[edit]
vyos@r14# 
[edit]
vyos@r14# run ping 127.0.0.1 count 1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[edit]
vyos@r14#

nft:

table ip vyos_filter {
	chain VYOS_OUTPUT_filter {
		type filter hook output priority filter; policy drop;
		oifname "eth1" counter packets 719 bytes 60396 reject comment "OUT-filter-10"
	}

@sever-sever
Copy link
Member

If I delete firewall I expect empty dictionary

vyos@r14# delete firewall 
[edit]
vyos@r14# commit
[ firewall ]
{'geoip_updated': False,
 'global_options': {'all_ping': 'enable',
                    'broadcast_ping': 'disable',
                    'config_trap': 'disable',
                    'ip_src_route': 'disable',
                    'ipv6_receive_redirects': 'disable',
                    'ipv6_src_route': 'disable',
                    'log_martians': 'enable',
                    'receive_redirects': 'disable',
                    'resolver_interval': '300',
                    'send_redirects': 'enable',
                    'source_validation': 'disable',
                    'syn_cookies': 'enable',
                    'twa_hazards_protection': 'disable'},
 'group_resync': False,
 'ip6_fqdn': {},
 'ip_fqdn': {},
 'ipv4': {},
 'ipv6': {}}

@nicolas-fort nicolas-fort mentioned this pull request Jul 3, 2023
Merged
12 tasks
@github-actions
Copy link

github-actions bot commented Jul 4, 2023

Conflicts have been resolved. A maintainer will review the pull request shortly.

@tumd
Copy link

tumd commented Jul 18, 2023
edited
Loading

Excuse my ignorance, but is the template-file firewall/nftables-zone.j2 used at all after this change? Else it probably should be removed?

@github-actions
Copy link

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions
Copy link

Conflicts have been resolved. A maintainer will review the pull request shortly.

sarthurdev
sarthurdev requested changes Jul 27, 2023
View reviewed changes
Copy link
Member

@sarthurdev sarthurdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would like to see the config-trap node migrated away and code/references removed, as it's a legacy component that belongs as some kind of global option for all nodes, not unique to firewall.

Otherwise, I think this is ready for broad testing in current.

sever-sever
sever-sever reviewed Aug 2, 2023
View reviewed changes
src/migration-scripts/firewall/10-to-11 Outdated
from vyos.configtree import ConfigTree
from vyos.ifconfig import Section

if (len(argv) < 1):
Copy link
Member

@sever-sever sever-sever Aug 2, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be len 2 if len(argv) < 2 T5427

@github-actions
Copy link

github-actions bot commented Aug 9, 2023

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@nicolas-fort nicolas-fort mentioned this pull request Aug 10, 2023
Merged
12 tasks
@nicolas-fort
T5160: firewall refactor: new cli structure. Update only all xml
1c2209c
@nicolas-fort
T5160: firewall refactor: new cli structure. Update jinja templates, …
a824492 
…python scripts and src firewall
@nicolas-fort
T5160: firewall refactor: new cli structure. Add migration script and…
ac5b9a4 
… update smoketest
@nicolas-fort
T5160: firewall refactor: re-add missing code in template.py which wa…
dbf7501 
…s accidentaly removed. Update smokestest: remove zone test and fix test_sysfs test
@nicolas-fort
T5160: firewall refactor. Update op-mode commands to new syntax.
342db93
@nicolas-fort
T5160: firewall refactor: change firewall ip to firewall ipv4
68d14fe
@nicolas-fort
T5160: T5250: while refactoring, fix reference column for op-mode com…
d898739 
…mand show_firewall_group.
@nicolas-fort
T5160: firewal refactor: fix tabulation for geo-ip parsing code. Typo…
68694d0 
… fix in firewall smoketest
@nicolas-fort
T5160: firewall refactor: fix firewall template for correct rule pars…
dbb0691 
…ing that contains fqnd and/or geo-ip in base chains. Fix mig script
@nicolas-fort
T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <…
0300bf4 
…set firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
@nicolas-fort
T5160: firewall refactor: change default value for <default-action> f…
a07a46d 
…rom <drop> to <accept> if default-action is not specified in base chains
@nicolas-fort
T5160: firewall refactor: fix regexep for connection-status. Create n…
f57ad85 
…ew file with common matcher for ipv4 and ipv6, and use include on all chains for all this comman matchers
@nicolas-fort
T5460: remove config-trap from firewall
4e07fa2
@github-actions
Copy link

Conflicts have been resolved. A maintainer will review the pull request shortly.

@c-po
Copy link
Member

c-po commented Aug 11, 2023

Merged as discussed in last maintainers meeting

@c-po c-po merged commit 482f7e3 into vyos:current Aug 11, 2023
5 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sever-sever sever-sever sever-sever requested changes

@sarthurdev sarthurdev sarthurdev approved these changes

@dmbaturin dmbaturin Awaiting requested review from dmbaturin dmbaturin is a code owner automatically assigned from vyos/reviewers

@zdc zdc Awaiting requested review from zdc zdc is a code owner automatically assigned from vyos/reviewers

@jestabro jestabro Awaiting requested review from jestabro jestabro is a code owner automatically assigned from vyos/reviewers

@c-po c-po Awaiting requested review from c-po c-po is a code owner automatically assigned from vyos/reviewers

Assignees

@nicolas-fort nicolas-fort

Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@nicolas-fort @c-po @sever-sever @tumd @sarthurdev