T4072: add firewall bridge filtering. #2222

Merged
merged 1 commit into from
Sep 8, 2023
Merged
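--- a/data/templates/firewall/nftables-bridge.j2
+++ b/data/templates/firewall/nftables-bridge.j2
@@ -0,0 +1,35 @@
+{% macro bridge(bridge) %}
+{% set ns = namespace(sets=[]) %}
+{% if bridge.forward is vyos_defined %}
+{% for prior, conf in bridge.forward.items() %}
+{% set def_action = conf.default_action %}
+chain VYOS_FORWARD_{{ prior }} {
+type filter hook forward priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+{{ rule_conf | nft_rule('FWD', prior, rule_id, 'bri') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
+}
+{% endfor %}
+{% endif %}
+
+{% if bridge.name is vyos_defined %}
+{% for name_text, conf in bridge.name.items() %}
+chain NAME_{{ name_text }} {
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+{{ rule_conf | nft_rule('NAM', name_text, rule_id, 'bri') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{{ conf | nft_default_rule(name_text) }}
+}
+{% endfor %}
+{% endif %}
+{% endmacro %}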
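Review bot: `ns.sets` is built up on both `{% set ns.sets = ns.sets + [...] %}` lines but nothing in the macro emits it, and because the `namespace` is created inside the macro the caller in nftables.j2 cannot read it either, so no `recent` set is ever declared in `table bridge vyos_filter`; if `nft_rule(..., 'bri')` references such a set for rules with `recent`, the generated ruleset fails to load. Either render the set definitions at the end of the macro from `ns.sets` or drop the bookkeeping so the dead state does not suggest it is handled. The base chains also take `policy {{ def_action }}` verbatim, and nft base chains only accept `accept` or `drop` as a policy; this is only safe if `default-action-base-chains.xml.i` restricts the value to those two, which I cannot see from this page.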
14 changes: 7 additions & 7 deletions data/templates/firewall/nftables-defines.j2
@@ -1,7 +1,7 @@
{% macro groups(group, is_ipv6) %}
{% macro groups(group, is_ipv6, is_l3) %}
{% if group is vyos_defined %}
@sarthurdev sarthurdev Sep 7, 2023
This could be defaulted to True with is_l3=True so it only needs setting to False on the bridge template.

{% set ip_type = 'ipv6_addr' if is_ipv6 else 'ipv4_addr' %}
{% if group.address_group is vyos_defined and not is_ipv6 %}
{% if group.address_group is vyos_defined and not is_ipv6 and is_l3 %}
{% for group_name, group_conf in group.address_group.items() %}
{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
set A_{{ group_name }} {
Expand All @@ -14,7 +14,7 @@
}
{% endfor %}
{% endif %}
{% if group.ipv6_address_group is vyos_defined and is_ipv6 %}
{% if group.ipv6_address_group is vyos_defined and is_ipv6 and is_l3 %}
{% for group_name, group_conf in group.ipv6_address_group.items() %}
{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
set A6_{{ group_name }} {
Expand All @@ -27,7 +27,7 @@
}
{% endfor %}
{% endif %}
{% if group.domain_group is vyos_defined %}
{% if group.domain_group is vyos_defined and is_l3 %}
{% for name, name_config in group.domain_group.items() %}
set D_{{ name }} {
type {{ ip_type }}
Expand All @@ -46,7 +46,7 @@
}
{% endfor %}
{% endif %}
{% if group.network_group is vyos_defined and not is_ipv6 %}
{% if group.network_group is vyos_defined and not is_ipv6 and is_l3 %}
{% for group_name, group_conf in group.network_group.items() %}
{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
set N_{{ group_name }} {
Expand All @@ -59,7 +59,7 @@
}
{% endfor %}
{% endif %}
{% if group.ipv6_network_group is vyos_defined and is_ipv6 %}
{% if group.ipv6_network_group is vyos_defined and is_ipv6 and is_l3 %}
{% for group_name, group_conf in group.ipv6_network_group.items() %}
{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
set N6_{{ group_name }} {
Expand All @@ -72,7 +72,7 @@
}
{% endfor %}
{% endif %}
{% if group.port_group is vyos_defined %}
{% if group.port_group is vyos_defined and is_l3 %}
{% for group_name, group_conf in group.port_group.items() %}
{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
set P_{{ group_name }} {
2 changes: 1 addition & 1 deletion data/templates/firewall/nftables-nat.j2
Expand Up @@ -62,6 +62,6 @@ table ip vyos_nat {
return
}

{{ group_tmpl.groups(firewall_group, False) }}
{{ group_tmpl.groups(firewall_group, False, True) }}
}
{% endif %}
4 changes: 2 additions & 2 deletions data/templates/firewall/nftables-policy.j2
Expand Up @@ -32,7 +32,7 @@ table ip vyos_mangle {
{% endfor %}
{% endif %}

{{ group_tmpl.groups(firewall_group, False) }}
{{ group_tmpl.groups(firewall_group, False, True) }}
}

table ip6 vyos_mangle {
Expand Down Expand Up @@ -61,5 +61,5 @@ table ip6 vyos_mangle {
{% endfor %}
{% endif %}

{{ group_tmpl.groups(firewall_group, True) }}
{{ group_tmpl.groups(firewall_group, True, True) }}
}
18 changes: 15 additions & 3 deletions data/templates/firewall/nftables.j2
@@ -1,6 +1,7 @@
#!/usr/sbin/nft -f

{% import 'firewall/nftables-defines.j2' as group_tmpl %}
{% import 'firewall/nftables-bridge.j2' as bridge_tmpl %}

flush chain raw FW_CONNTRACK
flush chain ip6 raw FW_CONNTRACK
Expand Down Expand Up @@ -147,7 +148,7 @@ table ip vyos_filter {
{% endfor %}
{% endif %}
{% endif %}
{{ group_tmpl.groups(group, False) }}
{{ group_tmpl.groups(group, False, True) }}
}

{% if first_install is not vyos_defined %}
Expand Down Expand Up @@ -250,5 +251,16 @@ table ip6 vyos_filter {
{% endfor %}
{% endif %}
{% endif %}
{{ group_tmpl.groups(group, True) }}
}
{{ group_tmpl.groups(group, True, True) }}
}

## Bridge Firewall
{% if first_install is not vyos_defined %}
delete table bridge vyos_filter
{% endif %}
{% if bridge is vyos_defined %}
table bridge vyos_filter {
{{ bridge_tmpl.bridge(bridge) }}
{{ group_tmpl.groups(group, False, False) }}
}
{% endif %}
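Review bot: `delete table bridge vyos_filter` under `{% if first_install is not vyos_defined %}` assumes the table already exists, but on the first commit after upgrading from a build that never created it there is nothing to delete, `nft -f` reports an error for that statement and the whole ruleset reload aborts, including the ip/ip6 tables rendered earlier in this file. The same applies if an operator removed the table by hand. The idempotent form is to declare it before deleting it: `add table bridge vyos_filter` followed by `delete table bridge vyos_filter`. I cannot see from this hunk how the existing ip/ip6 tables handle the same case, so it is worth aligning with whatever they do.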
9 changes: 9 additions & 0 deletions interface-definitions/firewall.xml.in
Expand Up @@ -284,6 +284,15 @@
</tagNode>
</children>
</node>
<node name="bridge">
<properties>
<help>Bridge firewall</help>
</properties>
<children>
#include <include/firewall/bridge-hook-forward.xml.i>
#include <include/firewall/bridge-custom-name.xml.i>
</children>
</node>
<node name="ipv4">
<properties>
<help>IPv4 firewall</help>
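--- a/interface-definitions/include/firewall/action-l2.xml.i
+++ b/interface-definitions/include/firewall/action-l2.xml.i
@@ -0,0 +1,37 @@
+<!-- include start from firewall/action.xml.i -->
+<leafNode name="action">
+<properties>
+<help>Rule action</help>
+<completionHelp>
+<list>accept continue jump return drop queue</list>
+</completionHelp>
+<valueHelp>
+<format>accept</format>
+<description>Accept matching entries</description>
+</valueHelp>
+<valueHelp>
+<format>continue</format>
+<description>Continue parsing next rule</description>
+</valueHelp>
+<valueHelp>
+<format>jump</format>
+<description>Jump to another chain</description>
+</valueHelp>
+<valueHelp>
+<format>return</format>
+<description>Return from the current chain and continue at the next rule of the last chain</description>
+</valueHelp>
+<valueHelp>
+<format>drop</format>
+<description>Drop matching entries</description>
+</valueHelp>
+<valueHelp>
+<format>queue</format>
+<description>Enqueue packet to userspace</description>
+</valueHelp>
+<constraint>
+<regex>(accept|continue|jump|return|drop|queue)</regex>
+</constraint>
+</properties>
+</leafNode>
+<!-- include end -->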
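Review bot: The start marker on the first line of this new file still names the file it was copied from, `<!-- include start from firewall/action.xml.i -->`, while the file is action-l2.xml.i; anything that pairs start/end markers with the include path, and anyone reading the expanded XML, is pointed at the wrong file. Change it to `<!-- include start from firewall/action-l2.xml.i -->`. The rest of the file is a deliberate subset of action.xml.i without `reject`, which is correct for the bridge family.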
8 changes: 6 additions & 2 deletions interface-definitions/include/firewall/action.xml.i
Expand Up @@ -3,12 +3,16 @@
<properties>
<help>Rule action</help>
<completionHelp>
<list>accept jump reject return drop queue</list>
<list>accept continue jump reject return drop queue</list>
</completionHelp>
<valueHelp>
<format>accept</format>
<description>Accept matching entries</description>
</valueHelp>
<valueHelp>
<format>continue</format>
<description>Continue parsing next rule</description>
</valueHelp>
<valueHelp>
<format>jump</format>
<description>Jump to another chain</description>
Expand All @@ -30,7 +34,7 @@
<description>Enqueue packet to userspace</description>
</valueHelp>
<constraint>
<regex>(accept|jump|reject|return|drop|queue)</regex>
<regex>(accept|continue|jump|reject|return|drop|queue)</regex>
</constraint>
</properties>
</leafNode>
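Review bot: `continue` is added to the completion list and the regex, so it now validates at commit time for the existing IPv4/IPv6 rules, but nothing on this page shows the rendering side (the `nft_rule` filter that turns `action` into an nft verdict) being taught the new value. If that filter only knows the previous verdicts, a rule with `action continue` passes validation and then produces an invalid or empty verdict when the ruleset is loaded. Worth a smoketest for an L3 rule with `action continue` alongside the bridge tests.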
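--- a/interface-definitions/include/firewall/bridge-custom-name.xml.i
+++ b/interface-definitions/include/firewall/bridge-custom-name.xml.i
@@ -0,0 +1,39 @@
+<!-- include start from firewall/bridge-custom-name.xml.i -->
+<tagNode name="name">
+<properties>
+<help>Bridge custom firewall</help>
+<constraint>
+<regex>[a-zA-Z0-9][\w\-\.]*</regex>
+</constraint>
+</properties>
+<children>
+#include <include/firewall/default-action.xml.i>
+#include <include/firewall/enable-default-log.xml.i>
+#include <include/generic-description.xml.i>
+<leafNode name="default-jump-target">
+<properties>
+<help>Set jump target. Action jump must be defined in default-action to use this setting</help>
+<completionHelp>
+<path>firewall bridge name</path>
+</completionHelp>
+</properties>
+</leafNode>
+<tagNode name="rule">
+<properties>
+<help>Bridge Firewall forward filter rule number</help>
+<valueHelp>
+<format>u32:1-999999</format>
+<description>Number for this firewall rule</description>
+</valueHelp>
+<constraint>
+<validator name="numeric" argument="--range 1-999999"/>
+</constraint>
+<constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+</properties>
+<children>
+#include <include/firewall/common-rule-bridge.xml.i>
+</children>
+</tagNode>
+</children>
+</tagNode>
+<!-- include end -->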
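Review bot: The help on the `rule` tagNode reads `Bridge Firewall forward filter rule number`, copied from bridge-hook-forward.xml.i, which is misleading inside a custom-named chain; suggest `<help>Bridge Firewall custom chain rule number</help>`. Separately, `default-jump-target` here and `jump-target` in common-rule-bridge.xml.i carry a completion path but no constraint, while the chain names they refer to are restricted to `[a-zA-Z0-9][\w\-\.]*` on the `name` tagNode; the value is interpolated into the rendered nft chain name, so unless verify() in the handler (outside this diff) checks that the target chain exists, adding the same regex constraint keeps the accepted shape identical at both ends and rejects malformed input at commit time instead of at ruleset load.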
@@ -0,0 +1,34 @@
<!-- include start from firewall/bridge-hook-forward.xml.i -->
<node name="forward">
<properties>
<help>Bridge forward firewall</help>
</properties>
<children>
<node name="filter">
<properties>
<help>Bridge firewall forward filter</help>
</properties>
<children>
#include <include/firewall/default-action-base-chains.xml.i>
#include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Bridge Firewall forward filter rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number for this firewall rule</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999999"/>
</constraint>
<constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
</properties>
<children>
#include <include/firewall/common-rule-bridge.xml.i>
</children>
</tagNode>
</children>
</node>
</children>
</node>
<!-- include end -->
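--- a/interface-definitions/include/firewall/common-rule-bridge.xml.i
+++ b/interface-definitions/include/firewall/common-rule-bridge.xml.i
@@ -0,0 +1,57 @@
+<!-- include start from firewall/common-rule-bridge.xml.i -->
+#include <include/firewall/action-l2.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+<node name="destination">
+<properties>
+<help>Destination parameters</help>
+</properties>
+<children>
+#include <include/firewall/mac-address.xml.i>
+</children>
+</node>
+<leafNode name="disable">
+<properties>
+<help>Option to disable firewall rule</help>
+<valueless/>
+</properties>
+</leafNode>
+<leafNode name="jump-target">
+<properties>
+<help>Set jump target. Action jump must be defined to use this setting</help>
+<completionHelp>
+<path>firewall bridge name</path>
+</completionHelp>
+</properties>
+</leafNode>
+<leafNode name="log">
+<properties>
+<help>Option to log packets matching rule</help>
+<completionHelp>
+<list>enable disable</list>
+</completionHelp>
+<valueHelp>
+<format>enable</format>
+<description>Enable log</description>
+</valueHelp>
+<valueHelp>
+<format>disable</format>
+<description>Disable log</description>
+</valueHelp>
+<constraint>
+<regex>(enable|disable)</regex>
+</constraint>
+</properties>
+</leafNode>
+#include <include/firewall/rule-log-options.xml.i>
+<node name="source">
+<properties>
+<help>Source parameters</help>
+</properties>
+</children>
+</node>
+#include <include/firewall/inbound-interface.xml.i>
+#include <include/firewall/outbound-interface.xml.i>
+#include <include/firewall/match-vlan.xml.i>
+<!-- include end -->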
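Review bot: The bridge rule has no description leaf, although the chain level in bridge-custom-name.xml.i and bridge-hook-forward.xml.i pulls in `generic-description.xml.i`; if the L3 common rule include (outside this diff) offers `#include <include/generic-description.xml.i>` per rule, the bridge rule should too, since operators rely on rule descriptions when auditing `show firewall` output. The `log` leaf with its own enable/disable regex plus `rule-log-options.xml.i` mirrors the existing families, so that part looks consistent.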