⚓ T2199 Rewrite firewall in new XML/Python style

Status	Subtype	Assigned	Task
Needs testing		sdev	T2199 Rewrite firewall in new XML/Python style
Resolved	BUG	c-po	T3456 firewall: rules that should be deleted seem to be still in use
Resolved	BUG	sdev	T1292 Issues while deleting all rules from a firewall
Resolved	FEATURE REQUEST	sdev	T3286 Switch the firewall from iptables to nftables
Open	FEATURE REQUEST	None	T1097 Make firewall groups work everywhere that's appropropriate
Open	BUG	None	T2503 IPv6 Firewall configuration error: Cannot delete rule set "GUEST-WAN-6" (still in use)
Resolved	FEATURE REQUEST	sdev	T3495 Modernising port/protocol definitions
Open	BUG	None	T3513 Attempting to remove firewall rule results in error
Resolved	BUG	zsdc	T1643 Deleting all firewall zones failed and locked out box
Resolved	FEATURE REQUEST	Viacheslav	T3568 Add XML for firewall conf-mode
Resolved	BUG	SrividyaA	T3569 Firewall wrong completion help values
Open	FEATURE REQUEST	None	T3580 Refactoring firewall ipv6 rule icmpv6
Resolved	FEATURE REQUEST	sdev	T3560 Ability to create groups of MAC addresses
Open	BUG	None	T3390 Expansion of a range in an address-group doesn't include the new addresses after commit
Needs testing	BUG	Dmitry	T2045 Can't commit due to with the same name, but different firewall groups types
Resolved		Viacheslav	T2194 "show firewall" garbled output
Open	BUG	None	T2251 VRF communication breaks when utilizing zone-based firewalling
Resolved	FEATURE REQUEST	sdev	T478 Firewall address group (multi and nesting)
Confirmed	BUG	None	T3933 The firewall does not filter incoming traffic on the interface with vrf.
Resolved	BUG	sdev	T4155 PBR: `set table main` fails in `firewall.py` with newer rolling releases
Resolved	BUG	sdev	T4159 Empty firewall group (address, network & port) generates invalid nftables config, commit fails
Resolved	BUG	bjw-s	T4174 Validation fails when entering port range with upper port 65535
Resolved	FEATURE REQUEST	sdev	T3762 Support network and address groups for policy ipv6-route

Viacheslav changed the status of subtask T3568: Add XML for firewall conf-mode from Open to Needs testing.May 25 2021, 8:20 PM

Viacheslav added a subtask: T3560: Ability to create groups of MAC addresses.May 26 2021, 3:45 PM

Viacheslav added a subtask: T3390: Expansion of a range in an address-group doesn't include the new addresses after commit.May 26 2021, 6:22 PM

Viacheslav added a subtask: T2045: Can't commit due to with the same name, but different firewall groups types.May 27 2021, 11:05 AM

Viacheslav added a subtask: T2194: "show firewall" garbled output.Aug 2 2021, 3:49 PM

Viacheslav closed subtask T1643: Deleting all firewall zones failed and locked out box as Resolved.Aug 17 2021, 4:00 PM

c-po added a subtask: T2251: VRF communication breaks when utilizing zone-based firewalling.Aug 27 2021, 5:16 PM

c-po closed subtask T3568: Add XML for firewall conf-mode as Resolved.

erkin set Issue type to Internal change (not visible to end users).Aug 30 2021, 7:48 AM

erkin removed a subscriber: Active contributors.

Viacheslav added a subtask: T478: Firewall address group (multi and nesting).Sep 13 2021, 1:14 PM

eronlloyd added a subscriber: eronlloyd.Sep 24 2021, 12:58 PM

nktech1135 added a subscriber: nktech1135.Sep 28 2021, 3:03 PM

sdev added a subscriber: sdev.Oct 19 2021, 9:42 PM

Draft PR: https://github.com/vyos/vyos-1x/pull/1033

Would appreciate any help testing this before marking the PR ready for merge.

Viacheslav added a subtask: T3933: The firewall does not filter incoming traffic on the interface with vrf..Nov 1 2021, 5:16 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:25 AM

kyle833 added a subscriber: kyle833.Dec 25 2021, 5:23 AM

johannrichard added a subtask: T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases .Jan 9 2022, 7:59 PM

johannrichard added a subtask: T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails.Jan 10 2022, 2:12 AM

sdev changed the status of subtask T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases from Open to Needs testing.Jan 10 2022, 6:40 PM

sdev changed the status of subtask T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails from Open to Needs testing.Jan 11 2022, 2:48 PM

Viacheslav closed subtask T4174: Validation fails when entering port range with upper port 65535 as Resolved.Jan 12 2022, 11:29 AM

sdev changed the task status from Open to Needs testing.Jan 12 2022, 5:11 PM

sdev claimed this task.

@sdev: in your original commit for this task, recent rules are somehow semi-discarded (the time/counter condition will not be written out; however, the action will be written out) because of an apparent problem with nftables in this area.

My question here is how to deal with this: would it be possible (and desirable) to flag rules with recent conditions and discard them *entirely* (while issuing a warning) until a fix for this part of the code exists?

Presently, it's not clear to a user that recent won't work and will most likely even break a “typical” setup, for example by blocking all traffic matching the remaining conditions. In my opinion, asking to change all rule sets with recent conditions is impractical for something that ought to work anyway.

Background:

In python/vyos/firewall.py on L160-L186 one finds the following code & comment (abridged):

if 'recent' in rule_conf:
    count = rule_conf['recent']['count']
    time = rule_conf['recent']['time']
    # output.append(f'meter {fw_name}_{rule_id} {{ ip saddr and 255.255.255.255 limit rate over {count}/{time} burst {count} packets }}')
    # Waiting on input from nftables developers due to
    # bug with above line and atomic chain flushing.

# [...]

if 'set' in rule_conf:
    output.append(parse_policy_set(rule_conf['set'], def_suffix))

if 'action' in rule_conf:
    output.append(nft_action(rule_conf['action']))
else:
    output.append('return')

output.append(f'comment "{fw_name}-{rule_id}"')

This currently leads to a situation where a rule set like the following will lead to a complete drop of *any* packet that matches the remaining conditions (e.g. port/state in the example) because the recent counter / meter will be missing in the rule set.

set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'

Obviously, this breaks many existing rule sets with recent on one hand. But on the other, it's not a bug in VyOS (technically speaking) but a limitation of nftables for which you are waiting on input from the nftables project to solve / work-around it.

Viacheslav added a subtask: T3762: Support network and address groups for policy ipv6-route.Jan 14 2022, 8:18 PM

sdev changed the status of subtask T1292: Issues while deleting all rules from a firewall from Open to Needs testing.Jan 18 2022, 1:45 PM

sdev closed subtask T3286: Switch the firewall from iptables to nftables as Resolved.

sdev closed subtask T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases as Resolved.Jan 18 2022, 1:50 PM

sdev closed subtask T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails as Resolved.

sdev changed the status of subtask T3560: Ability to create groups of MAC addresses from Open to Needs testing.Jan 18 2022, 5:35 PM

sdev closed subtask T3560: Ability to create groups of MAC addresses as Resolved.Jan 27 2022, 11:55 AM

sdev closed subtask T3495: Modernising port/protocol definitions as Resolved.Jan 27 2022, 3:25 PM

sdev closed subtask T3762: Support network and address groups for policy ipv6-route as Resolved.Jan 27 2022, 3:28 PM

sdev moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.

@johannrichard Hey sorry I didn't see your comment, I suggest we move the discussion to the dedicated task: https://phabricator.vyos.net/T4209

But you're right, we do need to figure this out asap.

n.fort closed subtask T1292: Issues while deleting all rules from a firewall as Resolved.Feb 15 2022, 6:51 PM

Viacheslav changed the status of subtask T2194: "show firewall" garbled output from Open to Needs testing.May 19 2022, 2:28 AM

Viacheslav closed subtask T2194: "show firewall" garbled output as Resolved.May 25 2022, 1:08 PM

sdev changed the status of subtask T478: Firewall address group (multi and nesting) from Open to Needs testing.Jun 10 2022, 7:23 PM

sdev closed subtask T478: Firewall address group (multi and nesting) as Resolved.Jul 5 2022, 11:41 PM

Rewrite firewall in new XML/Python style
Needs testing, WishlistPublic
Actions

Details

Related Objects
Search...

Event Timeline

	jjakob
	Apr 2 2020, 11:48 AM

Rewrite firewall in new XML/Python styleNeeds testing, WishlistPublicActions

Details

Related ObjectsSearch...

Event Timeline

Rewrite firewall in new XML/Python style
Needs testing, WishlistPublic
Actions

Related Objects
Search...