Merge pull request #3578 from nicolas-fort/raw-hook

T3900: Add support for raw tables in firewall

Author: dmbaturin

data/templates/conntrack/sysctl.conf.j2

@@ -3,25 +3,7 @@
 
 net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }}
 net.netfilter.nf_conntrack_max = {{ table_size }}
-
 net.ipv4.tcp_max_syn_backlog = {{ tcp.half_open_connections }}
-
 net.netfilter.nf_conntrack_tcp_loose = {{ '1' if tcp.loose is vyos_defined('enable') else '0' }}
 net.netfilter.nf_conntrack_tcp_max_retrans = {{ tcp.max_retrans }}
-
-net.netfilter.nf_conntrack_icmp_timeout = {{ timeout.icmp }}
-net.netfilter.nf_conntrack_generic_timeout = {{ timeout.other }}
-
-net.netfilter.nf_conntrack_tcp_timeout_close_wait = {{ timeout.tcp.close_wait }}
-net.netfilter.nf_conntrack_tcp_timeout_close = {{ timeout.tcp.close }}
-net.netfilter.nf_conntrack_tcp_timeout_established = {{ timeout.tcp.established }}
-net.netfilter.nf_conntrack_tcp_timeout_fin_wait = {{ timeout.tcp.fin_wait }}
-net.netfilter.nf_conntrack_tcp_timeout_last_ack = {{ timeout.tcp.last_ack }}
-net.netfilter.nf_conntrack_tcp_timeout_syn_recv = {{ timeout.tcp.syn_recv }}
-net.netfilter.nf_conntrack_tcp_timeout_syn_sent = {{ timeout.tcp.syn_sent }}
-net.netfilter.nf_conntrack_tcp_timeout_time_wait = {{ timeout.tcp.time_wait }}
-
-net.netfilter.nf_conntrack_udp_timeout = {{ timeout.udp.other }}
-net.netfilter.nf_conntrack_udp_timeout_stream = {{ timeout.udp.stream }}
-
-net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }}
+net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }}

data/templates/firewall/nftables.j2

@@ -57,7 +57,7 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
-        {{ conf | nft_default_rule('FWD-filter', 'ipv4') }}
+        {{ conf | nft_default_rule('FWD-' + prior, 'ipv4') }}
     }
 {%         endfor %}
 {%     endif %}
@@ -77,7 +77,7 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
-        {{ conf | nft_default_rule('INP-filter', 'ipv4') }}
+        {{ conf | nft_default_rule('INP-' + prior, 'ipv4') }}
     }
 {%         endfor %}
 {%     endif %}
@@ -97,14 +97,11 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
-        {{ conf | nft_default_rule('OUT-filter', 'ipv4') }}
+        {{ conf | nft_default_rule('OUT-' + prior, 'ipv4') }}
     }
 {%         endfor %}
 {%     endif %}
-    chain VYOS_FRAG_MARK {
-        type filter hook prerouting priority -450; policy accept;
-        ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return
-    }
+
 {%     if ipv4.prerouting is vyos_defined %}
 {%         for prior, conf in ipv4.prerouting.items() %}
     chain VYOS_PREROUTING_{{ prior }} {
@@ -117,11 +114,16 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
-        {{ conf | nft_default_rule('PRE-filter', 'ipv4') }}
+        {{ conf | nft_default_rule('PRE-' + prior, 'ipv4') }}
     }
 {%         endfor %}
 {%     endif %}
 
+    chain VYOS_FRAG_MARK {
+        type filter hook prerouting priority -450; policy accept;
+        ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return
+    }
+
 {%     if ipv4.name is vyos_defined %}
 {%         for name_text, conf in ipv4.name.items() %}
     chain NAME_{{ name_text }} {
@@ -202,13 +204,13 @@ table ip6 vyos_filter {
 {%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
-        {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }}
+        {{ rule_conf | nft_rule('FWD', prior, rule_id, 'ip6') }}
 {%                     if rule_conf.recent is vyos_defined %}
 {%                         set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %}
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
-        {{ conf | nft_default_rule('FWD-filter', 'ipv6') }}
+        {{ conf | nft_default_rule('FWD-' + prior, 'ipv6') }}
     }
 {%         endfor %}
 {%     endif %}
@@ -222,13 +224,13 @@ table ip6 vyos_filter {
 {%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
-        {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }}
+        {{ rule_conf | nft_rule('INP', prior, rule_id, 'ip6') }}
 {%                     if rule_conf.recent is vyos_defined %}
 {%                         set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %}
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
-        {{ conf | nft_default_rule('INP-filter', 'ipv6') }}
+        {{ conf | nft_default_rule('INP-' + prior, 'ipv6') }}
     }
 {%         endfor %}
 {%     endif %}
@@ -242,17 +244,33 @@ table ip6 vyos_filter {
 {%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
-        {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }}
+        {{ rule_conf | nft_rule('OUT', prior, rule_id, 'ip6') }}
 {%                     if rule_conf.recent is vyos_defined %}
 {%                         set ns.sets = ns.sets + ['OUT_ ' + prior + '_' + rule_id] %}
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
-        {{ conf | nft_default_rule('OUT-filter', 'ipv6') }}
+        {{ conf | nft_default_rule('OUT-' + prior, 'ipv6') }}
     }
 {%         endfor %}
 {%     endif %}
 
+{%     if ipv6.prerouting is vyos_defined %}
+{%         for prior, conf in ipv6.prerouting.items() %}
+    chain VYOS_IPV6_PREROUTING_{{ prior }} {
+        type filter hook prerouting priority {{ prior }}; policy accept;
+{%             if conf.rule is vyos_defined %}
+{%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+        {{ rule_conf | nft_rule('PRE', prior, rule_id, 'ip6') }}
+{%                     if rule_conf.recent is vyos_defined %}
+{%                         set ns.sets = ns.sets + ['PRE_' + prior + '_' + rule_id] %}
+{%                     endif %}
+{%                 endfor %}
+{%             endif %}
+        {{ conf | nft_default_rule('PRE-' + prior, 'ipv6') }}
+    }
+{%         endfor %}
+{%     endif %}
     chain VYOS_FRAG6_MARK {
         type filter hook prerouting priority -450; policy accept;
         exthdr frag exists meta mark set 0xffff1 return

data/templates/firewall/sysctl-firewall.conf.j2

@@ -0,0 +1,28 @@
+# Autogenerated by firewall.py
+
+# gloabl options
+net.ipv4.icmp_echo_ignore_all = {{ 0 if global_options.all_ping == 'enable' else 1 }}
+net.ipv4.icmp_echo_ignore_broadcasts = {{ 0 if global_options.broadcast_ping == 'enable' else 1 }}
+net.ipv4.conf.all.bc_forwarding = {{ 1 if global_options.directed_broadcast == 'enable' else 0 }}
+net.ipv4.conf.*.accept_source_route = {{ 1 if global_options.ip_src_route == 'enable' else 0 }}
+net.ipv6.conf.*.accept_redirects = {{ 1 if global_options.ipv6_receive_redirects == 'enable' else 0 }}
+net.ipv6.conf.*.accept_source_route = {{ 0 if global_options.ipv6_src_route == 'enable' else -1 }}
+net.ipv4.conf.all.log_martians = {{ 1 if global_options.log_martians == 'enable' else 0 }}
+net.ipv4.conf.*.accept_redirects = {{ 1 if global_options.receive_redirects == 'enable' else 0 }}
+net.ipv4.conf.*.send_redirects = {{ 1 if global_options.send_redirects == 'enable' else 0 }}
+net.ipv4.tcp_syncookies = {{ 1 if global_options.syn_cookies == 'enable' else 0 }}
+net.ipv4.tcp_rfc1337 = {{ 1 if global_options.twa_hazards_protection == 'enable' else 0 }}
+
+## Timeout values:
+net.netfilter.nf_conntrack_icmp_timeout = {{ global_options.timeout.icmp }}
+net.netfilter.nf_conntrack_generic_timeout = {{ global_options.timeout.other }}
+net.netfilter.nf_conntrack_tcp_timeout_close_wait = {{ global_options.timeout.tcp.close_wait }}
+net.netfilter.nf_conntrack_tcp_timeout_close = {{ global_options.timeout.tcp.close }}
+net.netfilter.nf_conntrack_tcp_timeout_established = {{ global_options.timeout.tcp.established }}
+net.netfilter.nf_conntrack_tcp_timeout_fin_wait = {{ global_options.timeout.tcp.fin_wait }}
+net.netfilter.nf_conntrack_tcp_timeout_last_ack = {{ global_options.timeout.tcp.last_ack }}
+net.netfilter.nf_conntrack_tcp_timeout_syn_recv = {{ global_options.timeout.tcp.syn_recv }}
+net.netfilter.nf_conntrack_tcp_timeout_syn_sent = {{ global_options.timeout.tcp.syn_sent }}
+net.netfilter.nf_conntrack_tcp_timeout_time_wait = {{ global_options.timeout.tcp.time_wait }}
+net.netfilter.nf_conntrack_udp_timeout = {{ global_options.timeout.udp.other }}
+net.netfilter.nf_conntrack_udp_timeout_stream = {{ global_options.timeout.udp.stream }}

interface-definitions/firewall.xml.in

@@ -378,6 +378,7 @@
           #include <include/firewall/ipv4-hook-forward.xml.i>
           #include <include/firewall/ipv4-hook-input.xml.i>
           #include <include/firewall/ipv4-hook-output.xml.i>
+          #include <include/firewall/ipv4-hook-prerouting.xml.i>
           #include <include/firewall/ipv4-custom-name.xml.i>
         </children>
       </node>
@@ -389,6 +390,7 @@
           #include <include/firewall/ipv6-hook-forward.xml.i>
           #include <include/firewall/ipv6-hook-input.xml.i>
           #include <include/firewall/ipv6-hook-output.xml.i>
+          #include <include/firewall/ipv6-hook-prerouting.xml.i>
           #include <include/firewall/ipv6-custom-name.xml.i>
         </children>
       </node>

interface-definitions/include/firewall/action-and-notrack.xml.i

@@ -3,12 +3,16 @@
   <properties>
     <help>Rule action</help>
     <completionHelp>
-      <list>accept jump notrack reject return drop queue</list>
+      <list>accept continue jump notrack reject return drop queue</list>
     </completionHelp>
     <valueHelp>
       <format>accept</format>
       <description>Accept matching entries</description>
     </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
     <valueHelp>
       <format>jump</format>
       <description>Jump to another chain</description>
@@ -31,10 +35,10 @@
     </valueHelp>
     <valueHelp>
       <format>notrack</format>
-      <description>Igone connection tracking</description>
+      <description>Ignore connection tracking</description>
     </valueHelp>
     <constraint>
-      <regex>(accept|jump|notrack|reject|return|drop|queue)</regex>
+      <regex>(accept|continue|jump|notrack|reject|return|drop|queue)</regex>
     </constraint>
   </properties>
 </leafNode>

interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i

@@ -0,0 +1,25 @@
+<!-- include start from firewall/add-addr-to-group-ipv4.xml.i -->
+<node name="add-address-to-group">
+  <properties>
+    <help>Add ip address to dynamic address-group</help>
+  </properties>
+  <children>
+    <node name="source-address">
+      <properties>
+        <help>Add source ip addresses to dynamic address-group</help>
+      </properties>
+      <children>
+        #include <include/firewall/add-dynamic-address-groups.xml.i>
+      </children>
+    </node>
+    <node name="destination-address">
+      <properties>
+        <help>Add destination ip addresses to dynamic address-group</help>
+      </properties>
+      <children>
+        #include <include/firewall/add-dynamic-address-groups.xml.i>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->

interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i

@@ -0,0 +1,25 @@
+<!-- include start from firewall/add-addr-to-group-ipv6.xml.i -->
+<node name="add-address-to-group">
+  <properties>
+    <help>Add ipv6 address to dynamic ipv6-address-group</help>
+  </properties>
+  <children>
+    <node name="source-address">
+      <properties>
+        <help>Add source ipv6 addresses to dynamic ipv6-address-group</help>
+      </properties>
+      <children>
+        #include <include/firewall/add-dynamic-ipv6-address-groups.xml.i>
+      </children>
+    </node>
+    <node name="destination-address">
+      <properties>
+        <help>Add destination ipv6 addresses to dynamic ipv6-address-group</help>
+      </properties>
+      <children>
+        #include <include/firewall/add-dynamic-ipv6-address-groups.xml.i>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->