Add IPv6 firewall network groups
Closed, Resolved, Public

Details

Difficulty level
Easy (less than an hour)
Version
1.2
afics created this task. Mar 31 2016, 5:27 PM
syncer triaged this task as Wishlist priority.

Firewall groups use ipset; it would be cool to use these groups in the nat rules too, and so on (wlb test rules target address etc).
It is necessary to make global address groups based on ipset.

How about making firewall groups IPvAgnostic and have VyOS figure out which the correct IPvN is (depending on where you use it) in a somewhat systematic way. In FW it would be both in parallel, etc. The user would still be able to setup groups per IPvN as-is currently.

case:
voip and mail server behind vyos
log parser on both servers create black list on shared resource
vyos (in all branches of company) have firewall rule with this black list
profit

rps added a comment. Sep 15 2016, 10:24 AM

After VRRPv3 (with some intelligent way to handle radvd) this is the major blocker for using VyOS as a production IPv6 firewall in my environment.

beamerblvd added a subscriber: beamerblvd. Edited Oct 11 2017, 7:37 PM

I'd like to get some clarity on this, if possible. Will VyOS's firewall features just not work at all with IPv6? Or will it work, but you have to use something other than groups? Importantly: Is it still possible for me to secure my network if I enable IPv6?

Note: This appears to be a sufficient migration of this Bugzilla issue.

IPv6 firewall works fine on VyOS 1.1.X and 1.2.X, it is just that you can't use the GROUPS on IPv6 like you can on IPv4.

+1 for adding the groups to IPv6 to give more feature parity with IPv4.

syncer assigned this task to dmbaturin. Nov 4 2017, 10:57 AM
syncer raised the priority of this task from Wishlist to Normal.
syncer set Version to 1.2.
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2.x (VyOS 1.2.0-rc1) board.
syncer changed the edit policy from "Public (No Login Required)" to "Custom Policy". Nov 4 2017, 11:13 AM

Just checked with @dmbaturin and it seems ipset loads v6 just fine.
So we will be implementing that soon.

rps added a comment. Mar 2 2018, 10:29 PM

Just a quick bump as I'm reviewing 1.2 nightly builds for IPv6 support.

It looks like the easiest option would be to add ipv6-network-group and ipv6-address-group alongside network, address, and port under group in the configuration structure. The alternative would be to create ipv6-group alongside group but then port groups which apply to both IPv4 and IPv6 are not in a consistent place.

The hash:net and hash:ip types will support IPv6 without issue.

While ipset will allow groups to have mixed membership (both IPv4 and IPv6) and we could, in theory, just expand the valid input for existing network and address groups, I think it is more logical to encourage that dedicated groups for each address family are used.

One thing we will need to watch out for will be group name collisions. One option would be to add a specific prefix or suffix to group names as defined in ipset, but that would also require updating all group references; so the easier solution seems to be a configuration check to make sure a group name is unique across all group types.

Also note that /opt/vyatta/sbin/ipset-check-member does not appear to support IPv6, so for input validation we will need to consider using either something like /opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param or updating ipset-check-member to support IPv6.

@dmbaturin Which direction would we like to go?
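
Added example, not part of the thread and not VyOS code: a sketch of the configuration check discussed in the comment above, rejecting group names reused across group types and members that do not match the group's address family, then building the `ipset` commands for dedicated `inet` and `inet6` sets. The dictionary layout and function names are assumptions made for illustration; the addresses are constructed documentation prefixes.

```python
import ipaddress

# group type -> (ipset type, ipset family, IP version); ipv6-* names as proposed
# in the comment above. port-group takes part in the name check only.
GROUP_TYPES = {
    "address-group": ("hash:ip", "inet", 4),
    "network-group": ("hash:net", "inet", 4),
    "ipv6-address-group": ("hash:ip", "inet6", 6),
    "ipv6-network-group": ("hash:net", "inet6", 6),
    "port-group": None,
}

def validate_groups(config):
    """Return a list of error strings; an empty list means the groups are acceptable."""
    errors, seen = [], {}
    for gtype, groups in config.items():
        for name, members in groups.items():
            # ipset set names share one namespace, so a name may be used by one type only
            if name in seen:
                errors.append(f"{name}: already defined as {seen[name]}")
            else:
                seen[name] = gtype
            if GROUP_TYPES[gtype] is None:
                continue
            set_type, _, version = GROUP_TYPES[gtype]
            for m in members:
                try:
                    parse = ipaddress.ip_address if set_type == "hash:ip" else ipaddress.ip_network
                    parsed = parse(m)
                except ValueError:
                    errors.append(f"{name}: invalid member {m}")
                    continue
                if parsed.version != version:
                    errors.append(f"{name}: {m} is IPv{parsed.version}, group is IPv{version}")
    return errors

def ipset_commands(config):
    """Build ipset create/add commands for address and network groups."""
    cmds = []
    for gtype, groups in config.items():
        if GROUP_TYPES[gtype] is None:
            continue
        set_type, family, _ = GROUP_TYPES[gtype]
        for name, members in groups.items():
            cmds.append(f"ipset create {name} {set_type} family {family}")
            cmds.extend(f"ipset add {name} {m}" for m in members)
    return cmds
```

Rejecting a mismatched member at commit time keeps an IPv4 rule from silently matching an empty or wrong-family set.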

bbabich added a subscriber: bbabich. Mar 5 2018, 1:22 PM

I've created a change that adds support for IPv6 address and network groups to VyOS. Please review it at https://github.com/vyos/vyatta-cfg-firewall/pull/7 and provide your feedback.
@dmbaturin merged this to current branch 1.2.0-rc1

rps added a comment. Mar 12 2018, 2:01 PM

Thank you very very much. I will pull down the next nightly and test.

In T35#12629, @rps wrote:

Thank you very very much. I will pull down the next nightly and test.

+1 we have been looking forward to this one. Many thanks!

I've changed the code in order to have IPv6 address and network groups under the global group configuration tree.
Please take a look at the pull request I've created, https://github.com/vyos/vyatta-cfg-firewall/pull/8, and please merge it to the current branch.

I discovered an issue with port-group whose root cause is the change implemented for IPv6 address and network groups.

The error when you try to create a port-group is "Use of uninitialized value $set_family in string eq at /opt/vyatta/sbin/vyatta-ipset.pl line 270."

I solved this issue and I issued a pull request for it: https://github.com/vyos/vyatta-cfg-firewall/pull/9.

Please review it and merge the change if all looks good for you.

I have created a new pull request in order to solve an issue I noticed during tests for IPv6 firewall groups.
How to replicate the issue:

  • configure an address-group/network group for ipv6
  • configure an address-group/network group for ipv4
  • configure an ipv4 firewall rule
  • commit and save the config
  • reload the vyos

After reload the IPv6 address-groups/network-groups are deleted.

This happens because of a check configured on the templating of the firewall rule that prunes the deleted sets.
I've created a change that solves this issue and you can find the pull request here: https://github.com/vyos/vyatta-cfg-firewall/pull/10
Please review it and approve/merge the change to the current branch.

syncer closed this task as Resolved. Sun, Jun 10, 4:36 AM
syncer moved this task from Backlog to Finished on the VyOS 1.2.x (VyOS 1.2.0-rc1) board.