
Feature Request: Firewall on bridge interfaces
Open, Requires assessment | Public | FEATURE REQUEST

Description

Currently, VyOS in bridge mode cannot filter traffic on interfaces in bridge mode.

The basic idea is to use "table bridge filter" instead of "table ip filter". Maybe there are other ways.

Such functionality would be extremely useful in some scenarios.
Also, this support is desirable for VLAN subinterfaces.

Traffic is not filtered at the moment:
set interfaces ethernet eth0 vif 705
set interfaces ethernet eth1 vif 706
set interfaces bridge br1 member interface eth0.705
set interfaces bridge br1 member interface eth1.706

set firewall name access_in rule 10 action 'drop'
set firewall name access_in rule 10 protocol 'ip'
set firewall name access_in rule 10 source address 0.0.0.0/0
set firewall name access_in rule 10 destination address 0.0.0.0/0

set interfaces ethernet eth1 vif 706 firewall in name 'access_in'
set interfaces ethernet eth0 vif 705 firewall in name 'access_in'

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3.0-epa3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

Viacheslav changed the subtype of this task from "Task" to "Feature Request".Dec 21 2021, 8:15 PM

The scenario proposed by @NikolayP gives the following content in table ip filter:

table ip filter {
	chain VYOS_FW_FORWARD {
		type filter hook forward priority filter; policy accept;
		iifname "eth0.705" counter packets 0 bytes 0 jump access_in
		iifname "eth1.706" counter packets 0 bytes 0 jump access_in
		jump VYOS_POST_FW
	}

	chain VYOS_FW_LOCAL {
		type filter hook input priority filter; policy accept;
		jump VYOS_POST_FW
	}

	chain VYOS_FW_OUTPUT {
		type filter hook output priority filter; policy accept;
		jump VYOS_POST_FW
	}

	chain VYOS_POST_FW {
		return
	}

	chain VYOS_FRAG_MARK {
		type filter hook prerouting priority -450; policy accept;
		ip frag-off & 16383 != 0 meta mark set 0x000ffff1 return
	}

	chain access_in {
		meta l4proto ip ip daddr 0.0.0.0/0 ip saddr 0.0.0.0/0 counter packets 0 bytes 0 drop comment "access_in-10"
		return
	}
}

As mentioned, filtering does not happen, because it should be done in the "bridge filter" table, not in the "ip filter" table, since interfaces eth0.705 and eth1.706 are members of br1.

nft commands to get the expected results:

sudo nft add table bridge filter
sudo nft add chain bridge filter FORWARD '{type filter hook forward priority filter; }'
sudo nft add rule bridge filter FORWARD iif { eth0.705, eth1.706 }  ip daddr 0.0.0.0/0 ip saddr 0.0.0.0/0 counter drop

Finally, tables "ip filter" and "bridge filter" show correct filtering in the bridge table, while the counter in "ip filter" remains at zero.

[email protected]# sudo nft list table ip filter
table ip filter {
	chain VYOS_FW_FORWARD {
		type filter hook forward priority filter; policy accept;
		iifname "eth0.705" counter packets 0 bytes 0 jump access_in
		iifname "eth1.706" counter packets 0 bytes 0 jump access_in
		jump VYOS_POST_FW
	}

	chain VYOS_FW_LOCAL {
		type filter hook input priority filter; policy accept;
		jump VYOS_POST_FW
	}

	chain VYOS_FW_OUTPUT {
		type filter hook output priority filter; policy accept;
		jump VYOS_POST_FW
	}

	chain VYOS_POST_FW {
		return
	}

	chain VYOS_FRAG_MARK {
		type filter hook prerouting priority -450; policy accept;
		ip frag-off & 16383 != 0 meta mark set 0x000ffff1 return
	}

	chain access_in {
		meta l4proto ip ip daddr 0.0.0.0/0 ip saddr 0.0.0.0/0 counter packets 0 bytes 0 drop comment "access_in-10"
		return
	}
}
[edit]
[email protected]# sudo nft list table bridge filter
table bridge filter {
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		iif { "eth0.705", "eth1.706" } ip daddr 0.0.0.0/0 ip saddr 0.0.0.0/0 counter packets 10 bytes 840 drop
	}
}

It would be good to start discussing how the VyOS CLI should include bridge filtering. It could be something like:

set firewall ip|bridge name ....

This implies changing the current CLI, but it would then be easy to include filters for more families, like:

set firewall ip|ipv6|inet|bridge|netdev name ....
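As an added illustration of the proposal above (example code, not VyOS's own implementation and not part of this task), a small Python generator that takes the report's `set` commands with a family token inserted after `set firewall` and emits an nft ruleset for the `bridge` family, so that the `access_in` chain is reached from the bridge forward hook instead of the ip one. The command grammar, the `VYOS_FW_FORWARD` chain name in the bridge table, and the translation of `protocol 'ip'` to `ether type ip` are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the report's commands with the proposed family token
# ("bridge") inserted; the interface bindings are the report's own.
SAMPLE_CONFIG = """
set firewall bridge name access_in rule 10 action 'drop'
set firewall bridge name access_in rule 10 protocol 'ip'
set firewall bridge name access_in rule 10 source address 0.0.0.0/0
set firewall bridge name access_in rule 10 destination address 0.0.0.0/0
set interfaces ethernet eth1 vif 706 firewall in name 'access_in'
set interfaces ethernet eth0 vif 705 firewall in name 'access_in'
"""

RULE_RE = re.compile(r"set firewall (\w+) name (\S+) rule (\d+) (.+)")
BIND_RE = re.compile(r"set interfaces ethernet (\S+) vif (\d+) firewall in name '?([^']+)'?")

def parse(config):
    """Return ({family: {chain: {rule_no: fields}}}, [(iface, chain), ...])."""
    rulesets = defaultdict(lambda: defaultdict(dict))
    bindings = []
    for line in config.strip().splitlines():
        if m := RULE_RE.match(line):
            family, name, num, rest = m.groups()
            tokens = rest.replace("'", "").split()
            key = "_".join(tokens[:-1])  # "source address X" -> source_address
            rulesets[family][name].setdefault(int(num), {})[key] = tokens[-1]
        elif m := BIND_RE.match(line):
            eth, vif, name = m.groups()
            bindings.append((f"{eth}.{vif}", name))
    return rulesets, bindings

def render(rulesets, bindings, family="bridge"):
    """Emit an nft ruleset for one family (chain layout mirrors the ip table; assumed)."""
    out = [f"table {family} filter {{",
           "\tchain VYOS_FW_FORWARD {",
           "\t\ttype filter hook forward priority filter; policy accept;"]
    out += [f'\t\tiifname "{iface}" counter jump {name}' for iface, name in bindings]
    out.append("\t}")
    for name, rules in rulesets[family].items():
        out.append(f"\tchain {name} {{")
        for num, r in sorted(rules.items()):
            match = []
            if r.get("protocol") == "ip":
                match.append("ether type ip")  # bridge family: match by ethertype, not l4proto
            for side in ("source", "destination"):
                if f"{side}_address" in r:
                    match.append(f"ip {side[0]}addr {r[side + '_address']}")
            out.append(f'\t\t{" ".join(match)} counter {r["action"]} comment "{name}-{num}"')
        out += ["\t\treturn", "\t}"]
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(*parse(SAMPLE_CONFIG)))  # feed the output to `nft -f` as root
```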