⚓ T2199 Rewrite firewall in new XML/Python style

Status	Subtype	Assigned	Task
Needs testing		sdev	T2199 Rewrite firewall in new XML/Python style
Resolved	BUG	c-po	T3456 firewall: rules that should be deleted seem to be still in use
Needs testing	BUG	sdev	T1292 Issues while deleting all rules from a firewall
Resolved	FEATURE REQUEST	sdev	T3286 Switch the firewall from iptables to nftables
Open	FEATURE REQUEST	None	T1097 Make firewall groups work everywhere that's appropropriate
Open	BUG	None	T2503 IPv6 Firewall configuration error: Cannot delete rule set "GUEST-WAN-6" (still in use)
Open	FEATURE REQUEST	None	T3495 Modernising port/protocol definitions
Open	BUG	None	T3513 Attempting to remove firewall rule results in error
Resolved	BUG	zsdc	T1643 Deleting all firewall zones failed and locked out box
Resolved	FEATURE REQUEST	Viacheslav	T3568 Add XML for firewall conf-mode
Resolved	BUG	SrividyaA	T3569 Firewall wrong completion help values
Open	FEATURE REQUEST	None	T3580 Refactoring firewall ipv6 rule icmpv6
Needs testing	FEATURE REQUEST	sdev	T3560 Ability to create groups of MAC addresses
Open	BUG	None	T3390 Expansion of a range in an address-group doesn't include the new addresses after commit
Needs testing	BUG	Dmitry	T2045 Can't commit due to with the same name, but different firewall groups types
Open		None	T2194 "show firewall" garbled output
Open	BUG	None	T2251 VRF communication breaks when utilizing zone-based firewalling
Open	FEATURE REQUEST	None	T478 Firewall address group (multi and nesting)
Confirmed	BUG	None	T3933 The firewall does not filter incoming traffic on the interface with vrf.
Resolved	BUG	sdev	T4155 PBR: `set table main` fails in `firewall.py` with newer rolling releases
Resolved	BUG	sdev	T4159 Empty firewall group (address, network & port) generates invalid nftables config, commit fails
Resolved	BUG	bjw-s	T4174 Validation fails when entering port range with upper port 65535
Open	FEATURE REQUEST	None	T3762 Support network and address groups for policy ipv6-route

Viacheslav changed the status of subtask T3568: Add XML for firewall conf-mode from Open to Needs testing.May 25 2021, 8:20 PM

Viacheslav added a subtask: T3560: Ability to create groups of MAC addresses.May 26 2021, 3:45 PM

Viacheslav added a subtask: T3390: Expansion of a range in an address-group doesn't include the new addresses after commit.May 26 2021, 6:22 PM

Viacheslav added a subtask: T2045: Can't commit due to with the same name, but different firewall groups types.May 27 2021, 11:05 AM

Viacheslav added a subtask: T2194: "show firewall" garbled output.Aug 2 2021, 3:49 PM

Viacheslav closed subtask T1643: Deleting all firewall zones failed and locked out box as Resolved.Aug 17 2021, 4:00 PM

c-po added a subtask: T2251: VRF communication breaks when utilizing zone-based firewalling.Aug 27 2021, 5:16 PM

c-po closed subtask T3568: Add XML for firewall conf-mode as Resolved.

erkin set Issue type to Internal change (not visible to end users).Aug 30 2021, 7:48 AM

erkin removed a subscriber: Active contributors.

Viacheslav added a subtask: T478: Firewall address group (multi and nesting).Sep 13 2021, 1:14 PM

eronlloyd added a subscriber: eronlloyd.Sep 24 2021, 12:58 PM

nktech1135 added a subscriber: nktech1135.Sep 28 2021, 3:03 PM

sdev added a subscriber: sdev.Oct 19 2021, 9:42 PM

Draft PR: https://github.com/vyos/vyos-1x/pull/1033

Would appreciate any help testing this before marking the PR ready for merge.

Viacheslav added a subtask: T3933: The firewall does not filter incoming traffic on the interface with vrf..Nov 1 2021, 5:16 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:25 AM

kyle833 added a subscriber: kyle833.Sat, Dec 25, 5:23 AM

johannrichard added a subtask: T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases .Sun, Jan 9, 7:59 PM

johannrichard added a subtask: T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails.Mon, Jan 10, 2:12 AM

sdev changed the status of subtask T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases from Open to Needs testing.Mon, Jan 10, 6:40 PM

sdev changed the status of subtask T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails from Open to Needs testing.Tue, Jan 11, 2:48 PM

Viacheslav closed subtask T4174: Validation fails when entering port range with upper port 65535 as Resolved.Wed, Jan 12, 11:29 AM

sdev changed the task status from Open to Needs testing.Wed, Jan 12, 5:11 PM

sdev claimed this task.

@sdev: in your original commit for this task, recent rules are somehow semi-discarded (the time/counter condition will not be written out; however, the action will be written out) because of an apparent problem with nftables in this area.

My question here is how to deal with this: would it be possible (and desirable) to flag rules with recent conditions and discard them *entirely* (while issuing a warning) until a fix for this part of the code exists?

Presently, it's not clear to a user that recent won't work and will most likely even break a “typical” setup, for example by blocking all traffic matching the remaining conditions. In my opinion, asking to change all rule sets with recent conditions is impractical for something that ought to work anyway.

Background:

In python/vyos/firewall.py on L160-L186 one finds the following code & comment (abridged):

if 'recent' in rule_conf:
    count = rule_conf['recent']['count']
    time = rule_conf['recent']['time']
    # output.append(f'meter {fw_name}_{rule_id} {{ ip saddr and 255.255.255.255 limit rate over {count}/{time} burst {count} packets }}')
    # Waiting on input from nftables developers due to
    # bug with above line and atomic chain flushing.

# [...]

if 'set' in rule_conf:
    output.append(parse_policy_set(rule_conf['set'], def_suffix))

if 'action' in rule_conf:
    output.append(nft_action(rule_conf['action']))
else:
    output.append('return')

output.append(f'comment "{fw_name}-{rule_id}"')

This currently leads to a situation where a rule set like the following will lead to a complete drop of *any* packet that matches the remaining conditions (e.g. port/state in the example) because the recent counter / meter will be missing in the rule set.

set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'

Obviously, this breaks many existing rule sets with recent on one hand. But on the other, it's not a bug in VyOS (technically speaking) but a limitation of nftables for which you are waiting on input from the nftables project to solve / work-around it.

Viacheslav added a subtask: T3762: Support network and address groups for policy ipv6-route.Fri, Jan 14, 8:18 PM

sdev changed the status of subtask T1292: Issues while deleting all rules from a firewall from Open to Needs testing.Tue, Jan 18, 1:45 PM

sdev closed subtask T3286: Switch the firewall from iptables to nftables as Resolved.

sdev closed subtask T4155: PBR: `set table main` fails in `firewall.py` with newer rolling releases as Resolved.Tue, Jan 18, 1:50 PM

sdev closed subtask T4159: Empty firewall group (address, network & port) generates invalid nftables config, commit fails as Resolved.

sdev changed the status of subtask T3560: Ability to create groups of MAC addresses from Open to Needs testing.Tue, Jan 18, 5:35 PM