
Source validation on interface does not work properly
Closed, Resolved | Public | BUG

Description

If source validation on interfaces is 'loose' or 'disable' but the firewall global option is 'strict', it works as 'strict' on these interfaces.
Network:

source_validation.jpg (555×589 px, 32 KB)

Trying to ping R2 int Gi0/0 from VyOS with the source of eth0.
If source validation is not configured then ping passes.

If

set firewall global-options source-validation 'loose'
set interfaces ethernet eth0 ip source-validation 'strict'
set interfaces ethernet eth1 ip source-validation 'strict'

it works as expected. Traffic does not pass.

If

set firewall global-options source-validation 'strict'
set interfaces ethernet eth0 ip source-validation 'loose'
set interfaces ethernet eth1 ip source-validation 'loose'

It does not work. Traffic does not pass.
The same issue with IPv6.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202309040919
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)
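
To check whether a configuration hits the combination reported above, the following added example (not part of the ticket and not VyOS code) scans "set" commands for interfaces whose IPv4 source-validation mode is looser than the global option. The function name, the strictness ordering disable < loose < strict, and the limitation to top-level interfaces are assumptions of this sketch.

```python
import re

# Strictness order used for the comparison (assumption: disable < loose < strict).
RANK = {"disable": 0, "loose": 1, "strict": 2}

# Only the IPv4 command forms shown in the ticket are matched; top-level interfaces only.
GLOBAL_RE = re.compile(r"^set firewall global-options source-validation '?(\w+)'?$")
IFACE_RE = re.compile(r"^set interfaces (\S+) (\S+) ip source-validation '?(\w+)'?$")


def find_overridden_interfaces(config_commands):
    """Return (global_mode, [(ifname, iface_mode), ...]) for interfaces whose
    own source-validation mode is looser than the global option."""
    global_mode = None
    per_iface = {}
    for raw in config_commands.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            global_mode = m.group(1)
            continue
        m = IFACE_RE.match(line)
        if m:
            per_iface[m.group(2)] = m.group(3)
    if global_mode not in RANK:
        return global_mode, []
    hits = [(name, mode) for name, mode in sorted(per_iface.items())
            if mode in RANK and RANK[mode] < RANK[global_mode]]
    return global_mode, hits


# Constructed samples in "set" command form, mirroring the two cases in the report.
FAILING = """
set firewall global-options source-validation 'strict'
set interfaces ethernet eth0 ip source-validation 'loose'
set interfaces ethernet eth1 ip source-validation 'loose'
"""
WORKING = """
set firewall global-options source-validation 'loose'
set interfaces ethernet eth0 ip source-validation 'strict'
set interfaces ethernet eth1 ip source-validation 'strict'
"""

if __name__ == "__main__":
    for label, cfg in (("failing case", FAILING), ("working case", WORKING)):
        mode, hits = find_overridden_interfaces(cfg)
        for name, iface_mode in hits:
            print(f"{label}: {name} is '{iface_mode}' but global is '{mode}'")
        if not hits:
            print(f"{label}: no interface is looser than global '{mode}'")
```

On the build named in the ticket, every interface this reports is one where the report says the global 'strict' setting is applied instead of the interface setting.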

Event Timeline

sarthurdev changed the task status from Open to In progress. Sep 5 2023, 2:06 PM
sarthurdev moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.

@a.apostoliuk Can you confirm this is working as expected?

Can we mark this one as resolved for 1.5? Seems it wasn't back-ported yet to Sagitta @sdev

Viacheslav moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.