
Integrate Firewall logic and implementation found on MikroTik RouterOS v6/v7
Status: Open, Wishlist, Public. Type: Feature Request

Description

The current firewall implementation on VyOS does not allow rules to be natively injected into the "raw" table of iptables or its nftables equivalent.

If we manually inject the rules via the post-boot script, functionality such as SSH/BGP etc. randomly breaks and randomly works, while the iptables counters remain at a clear "0".

MikroTik has a simplified logic that is both flexible and adaptable:

  1. They have an interface list logic: we can create "LAN" containing local interfaces and "WAN" containing public interfaces, or any other combination (dynamic interfaces such as PPPoE clients can also be added to an interface list dynamically).
  2. They allow native use of input/forward/output in the filter table and also native use of prerouting/output in the raw table.
  3. We can then combine the above features to create comprehensive firewall rules that cover essentially all the bases.

Example:
https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall

We can always allow MikroTik-style iptables logic in the VyOS CLI while still converting it to nftables using scripts under the hood.
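As an added illustration (not part of the task or of VyOS or MikroTik code), the following nftables ruleset reproduces the three building blocks listed above without any iptables-to-nftables translation layer: interface lists become named sets of type ifname that can be changed at runtime, the raw table becomes chains hooked at priority raw (-300, evaluated before connection tracking), and the filter chains reference the lists. The table name, the interface names eth0/eth1/pppoe0 and the sample policy (SSH only from the LAN list, BGP only from listed peers) are assumptions chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the VyOS task: MikroTik-style interface lists and
# raw/filter chains expressed natively in nftables. Interface names, the
# table name and the BGP peer address are assumptions.

flush ruleset

table inet fw_example {
    # 1. Interface lists as runtime-editable sets of interface names.
    #    A PPPoE client coming up can be added without reloading the ruleset:
    #      nft add element inet fw_example WAN '{ "pppoe0" }'
    set WAN {
        type ifname
        elements = { "eth0", "pppoe0" }
    }
    set LAN {
        type ifname
        elements = { "eth1" }
    }
    # Address list for the only hosts allowed to open BGP sessions (assumed peer).
    set BGP_PEERS {
        type ipv4_addr
        elements = { 198.51.100.1 }
    }

    # 2a. Raw-table equivalent: priority raw runs before conntrack, so packets
    #     dropped here never create a connection-tracking entry and packets
    #     marked notrack are exempted from state tracking entirely.
    chain raw_prerouting {
        type filter hook prerouting priority raw; policy accept;
        # Private source addresses arriving on any WAN-list member are spoofed.
        iifname @WAN ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter drop
        # Link-local multicast from the LAN list never needs NAT or state.
        iifname @LAN ip daddr 224.0.0.0/4 counter notrack
    }
    chain raw_output {
        type filter hook output priority raw; policy accept;
    }

    # 2b. Filter-table equivalents of input/forward/output.
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related counter accept
        ct state invalid counter drop
        # 3. Combine the lists with ordinary filter rules.
        iifname @LAN tcp dport 22 counter accept
        iifname @WAN ip saddr @BGP_PEERS tcp dport 179 counter accept
        iifname @WAN icmp type echo-request limit rate 5/second counter accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related counter accept
        ct state invalid counter drop
        iifname @LAN oifname @WAN counter accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Load it with `nft -f` and inspect hits with `nft list ruleset`; every rule carries a `counter` so it can be checked the same way the task checks iptables counters. A chain only sees traffic when it carries a `type ... hook ... priority ...` declaration: a chain created without one is a regular chain that is traversed only via jump or goto, and its counters never move, which is one thing to verify first when rules added after boot show zero hits.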

Details

Difficulty level: Hard (possibly days)
Version: -
Why the issue appeared? Will be filled on close
Is it a breaking change? Behavior change
Issue type: Improvement (missing useful functionality)

Event Timeline

Viacheslav triaged this task as Wishlist priority. Mon, Oct 11, 9:23 AM
Viacheslav changed Difficulty level from Unknown (require assessment) to Hard (possibly days).