Firewall: Support combined ipv4&6 rules using netfilter family inet
Open, WishlistPublicFEATURE REQUEST
Actions

Assigned To

None

Authored By

	twan
	Aug 8 2023, 6:35 PM

Description

It would be very useful to be able to combine ipv4 & ipv6 rules into one ruleset. Nftables has support for this using the inet-family.

Support for this would considerably simplify firewall rules in a dual-stack environment.
This/similar functionality has also been requested in the forums a few times: 1 2

I don't think any automated configuration migrations would be necessary. Instead (like nftables) all variants should be supported (ipv4/ipv6/inet).
However, perhaps it may be possible to simplify manual migration from a ipv4/ipv6 based rules set to a common inet based ruleset. Maybe of some sort of rename or copy of ipv4/ipv6 based rulesets to inet based rules may be possible. Not sure how one would handle rule number collisions though.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Feature (new functionality)

Event Timeline

twan created this task.Aug 8 2023, 6:35 PM

pasik added a subscriber: pasik.Aug 8 2023, 8:01 PM

dmbaturin triaged this task as Wishlist priority.Jan 11 2024, 11:55 AM

dmbaturin added a project: VyOS 1.5 Circinus.

kevinrausch added a subscriber: kevinrausch.Jan 16 2024, 3:14 PM

hsw0 added a subscriber: hsw0.Feb 17 2024, 12:34 PM

dmbaturin removed a project: VyOS 1.4 Sagitta.Fri, Apr 12, 2:27 PM

Firewall: Support combined ipv4&6 rules using netfilter family inetOpen, WishlistPublicFEATURE REQUESTActions

Description

Details

Event Timeline

Firewall: Support combined ipv4&6 rules using netfilter family inet
Open, WishlistPublicFEATURE REQUEST
Actions