
Firewall increase maximum number of rules
Status: Needs testing, Requires assessment | Public | FEATURE REQUEST

Description

Tested in VyOS 1.4-rolling-202112160318 and VyOS 1.3.0
There is currently a limit of 9999 rules.
Given the common practice of creating rules in increments of 10 (or even 100), that gives us 1000 (or only 100) rules. We have over 1300 rules in our existing Firewall. When trying to migrate to VyOS, we ran into this limitation.

If this restriction can be changed, it would be very useful for some installations.
For example, 999999 would be great.

Details

Difficulty level
Unknown (require assessment)
Version
1.3.0, 1.4-rolling-202112160318
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Event Timeline

Viacheslav changed the task status from Open to Needs testing. Tue, Dec 28, 4:14 PM
Viacheslav assigned this task to NikolayP.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.

Tested in VyOS 1.3-rolling-202201030317 & 1.4-rolling-202201070726

For simple rules everything works:

set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 1 action 'accept'
set firewall name OUTSIDE-LOCAL rule 1 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 1 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 200000 action 'accept'
set firewall name OUTSIDE-LOCAL rule 200000 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 200000 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 200000 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 999999 action 'accept'
set firewall name OUTSIDE-LOCAL rule 999999 protocol 'udp'

Check the real generated firewall iptables/nftables config.
As 10000 is the last default rule, your rules can end up being applied after the default action with seq 10000.

vyos@vyos# run show config comm | grep fire
set firewall name FOO default-action 'accept'
set firewall name FOO rule 10 action 'accept'
set firewall name FOO rule 10 source address '198.51.100.0/24'
set firewall name FOO rule 999997 action 'drop'
set firewall name FOO rule 999997 source address '203.0.113.0/24'
[edit]

vyos@vyos# sudo nft list table ip filter
table ip filter {
	chain VYOS_FW_FORWARD {
		type filter hook forward priority filter; policy accept;
		jump VYOS_POST_FW
	}

	chain VYOS_FW_LOCAL {
		type filter hook input priority filter; policy accept;
		jump VYOS_POST_FW
	}

	chain VYOS_FW_OUTPUT {
		type filter hook output priority filter; policy accept;
		jump VYOS_POST_FW
	}

	chain VYOS_POST_FW {
		return
	}

	chain VYOS_FRAG_MARK {
		type filter hook prerouting priority -450; policy accept;
		ip frag-off & 16383 != 0 meta mark set 0x000ffff1 return
	}

	chain FOO {
		ip saddr 198.51.100.0/24 counter packets 0 bytes 0 return comment "FOO-10"
		ip saddr 203.0.113.0/24 counter packets 0 bytes 0 drop comment "FOO-999997"
		counter packets 0 bytes 0 return comment "FOO default-action accept"
	}
}
[edit]
vyos@vyos# run show ver

Version:          VyOS 1.4-rolling-202201060842
Release train:    sagitta

This requires checking on 1.3, as it was changed there and uses the old Perl backend (links above).

In 1.3 (VyOS 1.3-rolling-202201030317) the rules are handled correctly (except for the numbers in the description).

First commit:

set firewall name FOO default-action 'accept'
set firewall name FOO rule 10 action 'accept'
set firewall name FOO rule 10 source address '10.2.0.0/24'
set firewall name FOO rule 900000 action 'drop'
set firewall name FOO rule 900000 source address '10.0.0.0/24'
commit
Chain FOO (0 references)
target     prot opt source               destination
RETURN     all  --  10.1.0.0/24          anywhere             /* FOO-10 */
DROP       all  --  10.2.0.0/24          anywhere             /* FOO-900000 */
RETURN     all  --  anywhere             anywhere             /* FOO-10000 default-action accept */

Second commit:

set firewall name FOO rule 999999 action 'drop'
set firewall name FOO rule 999999 source address '10.0.0.0/24'
Chain FOO (1 references)
target     prot opt source               destination
RETURN     all  --  10.1.0.0/24          anywhere             /* FOO-10 */
DROP       all  --  10.2.0.0/24          anywhere             /* FOO-900000 */
DROP       all  --  10.0.0.0/24          anywhere             /* FOO-999999 */
RETURN     all  --  anywhere             anywhere             /* FOO-10000 default-action accept */
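A checker for the two points raised in the comments above: that a rule numbered above the backend's last default slot (10000) could be emitted after the default action and so never match, and that the 1.3 backend labels the default action with the number 10000 while ordering the rules correctly. This is an added example, not VyOS code. It parses the rule comments of a rendered chain in either the nft listing format or the iptables -L format shown on this page and reports ordering and range problems. The sample listings are constructed from the ones above plus one deliberately mis-ordered chain; the 999999 upper bound is the one requested in this task.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: chain "FOO" as rendered by the 1.4 nftables backend,
# same shape as the listing in this task (rule 10, rule 999997, default action).
NFT_CHAIN_OK = """\
chain FOO {
    ip saddr 198.51.100.0/24 counter packets 0 bytes 0 return comment "FOO-10"
    ip saddr 203.0.113.0/24 counter packets 0 bytes 0 drop comment "FOO-999997"
    counter packets 0 bytes 0 return comment "FOO default-action accept"
}
"""

# Constructed sample reproducing the concern above: a backend that treats 10000
# as the last slot emits the default action before rule 999997, which then
# can never match.
NFT_CHAIN_BAD = """\
chain FOO {
    ip saddr 198.51.100.0/24 counter packets 0 bytes 0 return comment "FOO-10"
    counter packets 0 bytes 0 return comment "FOO-10000 default-action accept"
    ip saddr 203.0.113.0/24 counter packets 0 bytes 0 drop comment "FOO-999997"
}
"""

# Constructed sample in iptables -L format (1.3 backend); the default action
# carries the number 10000 in its comment but is still last.
IPT_CHAIN_OK = """\
Chain FOO (0 references)
target     prot opt source               destination
RETURN     all  --  10.1.0.0/24          anywhere             /* FOO-10 */
DROP       all  --  10.2.0.0/24          anywhere             /* FOO-900000 */
RETURN     all  --  anywhere             anywhere             /* FOO-10000 default-action accept */
"""

MAX_RULE = 999999  # upper bound requested in this task

# Matches both 'comment "FOO-10"' (nft) and '/* FOO-10 */' (iptables -L).
COMMENT_RE = re.compile(r'(?:comment\s+"|/\*\s*)(?P<body>[^"*]+?)\s*(?:"|\*/)')
# Splits "FOO-10000 default-action accept" into name, number and the rest.
RULE_RE = re.compile(r'^(?P<name>\S+?)-(?P<num>\d+)(?P<rest>.*)$')


def parse_chain(listing: str) -> List[Tuple[Optional[int], bool]]:
    """Return (rule number or None, is_default_action) for every commented
    rule in the listing, in the order the packet filter evaluates them."""
    entries = []
    for m in COMMENT_RE.finditer(listing):
        body = m.group('body').strip()
        is_default = 'default-action' in body
        rm = RULE_RE.match(body)
        num = int(rm.group('num')) if rm else None
        entries.append((num, is_default))
    return entries


def check_chain(listing: str, max_rule: int = MAX_RULE) -> List[str]:
    """Report rules that are out of range, out of ascending order, or placed
    after the default action (and therefore unreachable)."""
    findings: List[str] = []
    entries = parse_chain(listing)
    if not entries:
        return ['no commented rules found']
    seen_default = False
    last = 0
    for num, is_default in entries:
        if is_default:
            if seen_default:
                findings.append('more than one default-action rule')
            seen_default = True
            continue
        if num is None:
            findings.append('rule without a number in its comment')
            continue
        if seen_default:
            findings.append(f'rule {num} is placed after the default action and can never match')
        if not 1 <= num <= max_rule:
            findings.append(f'rule {num} is outside 1..{max_rule}')
        if num <= last:
            findings.append(f'rule {num} is not in ascending order (previous {last})')
        last = num
    if not seen_default:
        findings.append('default-action rule missing')
    return findings


if __name__ == '__main__':
    for label, sample in (('nft ok', NFT_CHAIN_OK), ('nft bad', NFT_CHAIN_BAD), ('ipt ok', IPT_CHAIN_OK)):
        print(label, check_chain(sample) or 'OK')
```

To run it against a live box, feed it the text of `sudo nft list chain ip filter FOO` or `sudo iptables -L FOO` instead of the constructed samples; an empty result means every numbered rule sits before the default action and within the configured range.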

I think we will have a problem with such a large number of rules. Now, if there are 1500 VyOS rules, it takes 30 minutes to load. If there are 999999 rules, it will take a very long time to load.

That is a different task; this one only extends the range you can use for rule numbers.
For example, if you want 3 rules: rule 100, rule 1000, rule 10000, etc.
Accepting time is another task. BTW, the firewall was rewritten in 1.4; I hope the commit time has decreased.