
Firewall change default table names
Open, Requires assessment | Public | FEATURE REQUEST

Description

We have default table names like

table ip    filter
table ip6   filter
table ip    nat
table ip6   nat
table inet  mangle
table ip    raw
table ip6   raw
table ip    mangle
table ip6   mangle

I propose to change names to vyos_xxx:

table ip    vyos_filter
table ip6   vyos_filter
table ip    vyos_nat
table ip6   vyos_nat
table inet  vyos_mangle
table ip    vyos_raw
table ip6   vyos_raw
table ip    vyos_mangle
table ip6   vyos_mangle

It can prevent overlap with some customer rules or some custom apps which can affect the firewall configuration.

Just one example: tailscale by default can add its own firewall rules to filter and nat.

[email protected]# sudo nft list table filter
table ip filter {
	chain VYOS_FW_FORWARD {
		type filter hook forward priority filter; policy accept;
		jump VYOS_POST_FW
	}

	chain VYOS_FW_LOCAL {
		type filter hook input priority filter; policy accept;
		jump VYOS_POST_FW
	}
...

	chain ts-input {
		iifname "lo" ip saddr 100.116.x.88 counter packets 0 bytes 0 accept
		iifname != "tailscale0" ip saddr 100.115.x.0/23 counter packets 0 bytes 0 return
		iifname != "tailscale0" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
	}

	chain ts-forward {
		iifname "tailscale0" counter packets 0 bytes 0 meta mark set 0x40000 
		mark 0x40000 counter packets 0 bytes 0 accept
		oifname "tailscale0" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
		oifname "tailscale0" counter packets 0 bytes 0 accept
	}
}
[edit]
[email protected]#
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		counter packets 195 bytes 19483 jump VYOS_PRE_DNAT_HOOK
	}

...

	chain ts-postrouting {
		mark 0x40000 counter packets 0 bytes 0 masquerade

It will cause a commit error:

[email protected]# compare 
+firewall {
+    name FOO {
+        default-action drop
+        rule 10 {
+            action accept
+        }
+    }
+}
[edit]
[email protected]# commit
[ firewall ]
Failed to apply firewall

[[firewall]] failed
Commit failed
[edit]
[email protected]#

Renaming tables to vyos_xxx can prevent such issues in the future.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Internal change (not visible to end users)

Event Timeline

While I'm for changing to prefixed tables, I think the issue of tailscale and custom apps should fall under the accepted risk of running custom scripts outside of the config.

For components managed by the CLI that use the firewall table, the firewall conf script has a preserve_chains list for chains to preserve/ignore.
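The collision the description shows (tailscale's ts-* chains living inside the same `table ip filter` that VyOS rewrites on commit) and the preserve_chains mechanism mentioned in the comment can both be checked for from `nft list ruleset` output. The following is an added example for this task, not VyOS code: it parses the ruleset text into tables and chains, flags chains in VyOS-managed tables that VyOS does not own, and shows that the same check reports nothing once VyOS only writes to vyos_-prefixed tables. The sample ruleset is constructed, modelled on the output quoted above; the VYOS_ chain prefix and the PRESERVE_CHAINS set are assumptions standing in for the real preserve_chains list.

```python
"""Find third-party chains inside firewall tables that VyOS manages.

Added example (not VyOS code). SAMPLE_RULESET is constructed from the nft
output quoted in the task; VYOS_MANAGED_TABLES mirrors the table list in the
description, and PRESERVE_CHAINS is an assumed stand-in for the firewall
conf script's preserve_chains list.
"""
import re
from collections import defaultdict

# Constructed sample: VyOS and tailscale chains share `table ip filter` and
# `table ip nat`, while a prefixed `table ip vyos_filter` holds only VyOS chains.
SAMPLE_RULESET = """\
table ip filter {
	chain VYOS_FW_FORWARD {
		type filter hook forward priority filter; policy accept;
		jump VYOS_POST_FW
	}
	chain VYOS_FW_LOCAL {
		type filter hook input priority filter; policy accept;
		jump VYOS_POST_FW
	}
	chain VYOS_POST_FW {
		return
	}
	chain ts-input {
		iifname != "tailscale0" ip saddr 100.64.0.0/10 counter drop
	}
	chain ts-forward {
		oifname "tailscale0" counter accept
	}
}
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		counter jump VYOS_PRE_DNAT_HOOK
	}
	chain VYOS_PRE_DNAT_HOOK {
		return
	}
	chain ts-postrouting {
		mark 0x40000 counter masquerade
	}
}
table ip vyos_filter {
	chain VYOS_FW_FORWARD {
		type filter hook forward priority filter; policy accept;
	}
}
"""

# The tables VyOS writes to today, as listed in the task description.
VYOS_MANAGED_TABLES = {
    ('ip', 'filter'), ('ip6', 'filter'), ('ip', 'nat'), ('ip6', 'nat'),
    ('inet', 'mangle'), ('ip', 'raw'), ('ip6', 'raw'),
    ('ip', 'mangle'), ('ip6', 'mangle'),
}
# Assumed: chains VyOS owns without the VYOS_ prefix (stand-in for preserve_chains).
PRESERVE_CHAINS = {'PREROUTING', 'POSTROUTING'}

TABLE_RE = re.compile(r'^table\s+(\S+)\s+(\S+)\s*\{')
CHAIN_RE = re.compile(r'^chain\s+(\S+)\s*\{')


def parse_ruleset(text):
    """Return {(family, table): [chain, ...]} from `nft list ruleset` text.

    Tracks brace depth so only chains directly inside a table are collected;
    anonymous sets such as `{ 10.0.0.1, 10.0.0.2 }` on rule lines balance out.
    """
    tables = defaultdict(list)
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            m = TABLE_RE.match(line)
            if m:
                current = (m.group(1), m.group(2))
                tables[current]  # register the table even if it has no chains
        elif depth == 1 and current is not None:
            m = CHAIN_RE.match(line)
            if m:
                tables[current].append(m.group(1))
        depth += line.count('{') - line.count('}')
        if depth == 0:
            current = None
    return dict(tables)


def is_vyos_owned(chain, preserve=PRESERVE_CHAINS):
    """A chain counts as VyOS-owned if it carries the VYOS_ prefix or is preserved."""
    return chain.startswith('VYOS_') or chain in preserve


def foreign_chains(tables, managed=VYOS_MANAGED_TABLES, preserve=PRESERVE_CHAINS):
    """Chains in VyOS-managed tables that VyOS does not own.

    These are the chains a flush-and-reload of the table would collide with;
    with vyos_-prefixed tables the set `managed` shrinks to tables nobody
    else writes to and the result is empty.
    """
    result = {}
    for key, chains in tables.items():
        if key not in managed:
            continue
        foreign = [c for c in chains if not is_vyos_owned(c, preserve)]
        if foreign:
            result[key] = foreign
    return result


if __name__ == '__main__':
    parsed = parse_ruleset(SAMPLE_RULESET)
    for (family, table), chains in foreign_chains(parsed).items():
        print(f'table {family} {table}: foreign chains {chains}')
    # Same check once VyOS only manages prefixed tables: nothing to report.
    prefixed = {(f, 'vyos_' + t) for f, t in VYOS_MANAGED_TABLES}
    print('after rename:', foreign_chains(parsed, managed=prefixed))
```

Run against the real system with `sudo nft list ruleset | python3 this_script.py` after swapping SAMPLE_RULESET for `sys.stdin.read()`; any chain it reports in a managed table is one the conf script would have to either preserve or lose on the next commit.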