
T4072: add firewall bridge filtering. #2222

Merged
merged 1 commit into from
Sep 8, 2023

Conversation

nicolas-fort
Contributor

Change Summary

Add firewall bridge.
First implementation only applies for forward chain and few matchers. Should be extended in the future.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Component(s) name

firewall

Proposed changes

How to test

Configuration example and firewall table:

# Bridge Configuration
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth1 native-vlan '11'
set interfaces bridge br0 member interface eth2 native-vlan '22'
set interfaces bridge br0 member interface eth3 allowed-vlan '11-60'
set interfaces bridge br0 member interface eth3 native-vlan '1'
set interfaces bridge br0 member interface eth4 allowed-vlan '11-60'
set interfaces bridge br0 member interface eth4 native-vlan '1'

# Firewall configuration
vyos@ssh-serv:~$ show config comm | grep firewall
set firewall bridge forward filter rule 10 action 'continue'
set firewall bridge forward filter rule 10 inbound-interface interface-name 'eth2'
set firewall bridge forward filter rule 10 vlan id '22'
set firewall bridge forward filter rule 20 action 'drop'
set firewall bridge forward filter rule 20 inbound-interface interface-group 'TRUNK-RIGHT'
set firewall bridge forward filter rule 20 vlan id '60'
set firewall bridge forward filter rule 30 action 'jump'
set firewall bridge forward filter rule 30 jump-target 'TEST'
set firewall bridge forward filter rule 30 outbound-interface interface-name 'eth1'
set firewall bridge name TEST default-action 'accept'
set firewall bridge name TEST rule 10 action 'continue'
set firewall bridge name TEST rule 10 log 'enable'
set firewall bridge name TEST rule 10 vlan priority '0'
set firewall group interface-group TRUNK-RIGHT interface 'eth4'
vyos@ssh-serv:~$ 

# Ruleset:
vyos@ssh-serv:~$ sudo nft list table bridge vyos_filter
table bridge vyos_filter {
        set I_TRUNK-RIGHT {
                type ifname
                flags interval
                auto-merge
                elements = { "eth4" }
        }

        chain VYOS_FORWARD_filter {
                type filter hook forward priority filter; policy accept;
                iifname "eth2" vlan id 22 counter packets 13 bytes 756 continue comment "bri-FWD-filter-10"
                iifname @I_TRUNK-RIGHT vlan id 60 counter packets 12 bytes 504 drop comment "bri-FWD-filter-20"
                oifname "eth1" counter packets 15 bytes 924 jump NAME_TEST comment "bri-FWD-filter-30"
        }

        chain NAME_TEST {
                log prefix "[bri-NAM-TEST-10-C]" vlan pcp 0 counter packets 0 bytes 0 continue comment "bri-NAM-TEST-10"
                counter packets 15 bytes 924 accept comment "TEST default-action accept"
        }
}
vyos@ssh-serv:~$ 

Smoketests that have passed the tests:

  • test_firewall.py
  • test_nat.py
  • test_nat66.py
  • test_policy_route.py
  • test_system_conntrack

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

…es for forward chain and few matchers. Should be extended in the future.
@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro, sever-sever and c-po and removed request for a team September 7, 2023 20:47
@@ -1,7 +1,7 @@
{% macro groups(group, is_ipv6) %}
{% macro groups(group, is_ipv6, is_l3) %}
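Review bot: the new `is_l3` parameter in the `groups` macro signature has no default, so every existing `groups(...)` call site has to be updated to pass it; defaulting it with `is_l3=True` would keep the IPv4/IPv6 templates unchanged and require only the bridge template to pass `False`.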
Member

@sarthurdev sarthurdev Sep 7, 2023


This could be defaulted to True with is_l3=True so it only needs setting to False on the bridge template.

@c-po c-po merged commit a12559a into vyos:current Sep 8, 2023
7 of 8 checks passed
@fett0
Contributor

fett0 commented Oct 25, 2023

@c-po @sever-sever Could we back-port this feature to 1.4? We have some customers interested in it.

@c-po
Member

c-po commented Oct 25, 2023

@c-po @sever-sever Could we back-port this feature to 1.4? We have some customers interested in it.

It's on our list of things to backport
