
Firewall address group (multi and nesting)
Closed, Resolved | Public | Feature request

Description

As requested here

https://phabricator.vyos.net/Q29#A166

Resubmitting as a feature request.

I understand that the Ubiquiti fork does multiple address groups in a single firewall setting, and would like to be able to use that in VyOS.

Related request: can you make address groups composable from other defined address groups rather than strictly IP-based definitions? Like F = A+B and D = A+C.

Details

Difficulty level
Hard (possibly days)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)

Event Timeline

syncer triaged this task as Wishlist priority. Dec 21 2017, 9:14 PM

Groups need a big overhaul, but it's probably out of the 1.2.0 scope.

dmbaturin changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
dmbaturin set Is it a breaking change? to Config syntax change (migratable).

With nftables, this should in principle be possible with nested variables, and the firewall groups are based on these now.

From the man page:

SYMBOLIC VARIABLES

define variable = expr
$variable

Symbolic variables can be defined using the define statement. Variable references are expressions and can be used to initialize other variables. The scope of a definition is the current block and all blocks contained within.

Using symbolic variables.

define int_if1 = eth0
define int_if2 = eth1
define int_ifs = { $int_if1, $int_if2 }

filter input iif $int_ifs accept

Not sure if and how nftables handles potentially recursive definitions and how that would be reflected in the CLI.
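The two open questions in the comment above, how nested group definitions map onto nft defines and what happens with a recursive definition, can be worked through with a small generator. The script below is an added example, not VyOS code and not from the nft man page: it takes address groups that may reference other groups (the "@name" member convention, the group names and the addresses are all constructed for this illustration), flattens them for auditing, rejects reference cycles and unknown groups before anything is handed to nft, and emits the groups as nested define statements in dependency order, in the style of the man page excerpt. The emitted ruleset can be syntax-checked with nft -c -f <file> without loading it.

```python
"""Compose address groups from other groups, detect cycles, emit nft defines.

Added example; not part of the VyOS task or of the nft man page.  The '@name'
convention for referencing another group, the group names and the addresses
are constructed for illustration.
"""
from typing import Dict, List, Optional

# Constructed sample: A, B, C hold addresses; F = A+B and D = A+C reference
# other groups with a leading '@'.
GROUPS: Dict[str, List[str]] = {
    "A": ["192.0.2.10", "192.0.2.11"],
    "B": ["198.51.100.0/24"],
    "C": ["203.0.113.5"],
    "F": ["@A", "@B"],
    "D": ["@A", "@C"],
}

# Constructed sample of the failure mode the comment asks about: X and Y
# reference each other, so neither can ever be fully resolved.
CYCLIC: Dict[str, List[str]] = {
    "X": ["@Y", "192.0.2.1"],
    "Y": ["@X"],
}


def resolve(name: str, groups: Dict[str, List[str]],
            _path: Optional[List[str]] = None) -> List[str]:
    """Return the flattened, de-duplicated member list of a group.

    Raises ValueError on an unknown group or on a reference cycle, so the
    problem is reported with the full reference chain instead of surfacing
    as a parse error when the ruleset is loaded.
    """
    seen_path = _path or []
    path = seen_path + [name]
    if name not in groups:
        raise ValueError(f"unknown group {name!r} via {' -> '.join(path)}")
    if name in seen_path:
        raise ValueError(f"group reference cycle: {' -> '.join(path)}")
    members: List[str] = []
    for entry in groups[name]:
        if entry.startswith("@"):
            members.extend(resolve(entry[1:], groups, path))
        else:
            members.append(entry)
    # keep first-seen order, drop duplicates (A's members reach F and D once each)
    return list(dict.fromkeys(members))


def has_cycle(name: str, groups: Dict[str, List[str]]) -> bool:
    """True if resolving the group runs into a reference cycle."""
    try:
        resolve(name, groups)
    except ValueError as exc:
        return "cycle" in str(exc)
    return False


def dependency_order(groups: Dict[str, List[str]]) -> List[str]:
    """Group names ordered so each group is defined before any group that references it.

    nft requires a variable to be defined before it is referenced, so the
    emitted defines must follow this order.
    """
    for name in groups:
        resolve(name, groups)  # validates every group: unknown refs and cycles
    order: List[str] = []

    def visit(name: str) -> None:
        if name in order:
            return
        for entry in groups[name]:
            if entry.startswith("@"):
                visit(entry[1:])
        order.append(name)

    for name in groups:
        visit(name)
    return order


def render_nft(groups: Dict[str, List[str]], rule_group: str) -> str:
    """Emit nested define statements plus one chain that uses rule_group."""
    lines: List[str] = []
    for name in dependency_order(groups):
        items = ", ".join("$" + e[1:] if e.startswith("@") else e for e in groups[name])
        lines.append(f"define {name} = {{ {items} }}")
    lines += [
        "",
        "table inet filter {",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        f"        ip saddr ${rule_group} accept",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_nft(GROUPS, "F"))
    print("# flattened F:", resolve("F", GROUPS))
```

Running the script prints the defines for A, B and C first, then F = { $A, $B } and D = { $A, $C }, followed by the chain; feeding that output to nft -c -f checks the syntax only. The same resolver is where a CLI implementation would reject a group that includes itself, directly or through another group, at commit time rather than leaving it to the nft parser.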

sarthurdev changed the task status from Open to Needs testing. Jun 10 2022, 7:23 PM
sarthurdev claimed this task.
sarthurdev moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.
sarthurdev added a subscriber: sarthurdev.
sarthurdev moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.