T3900: Add support for raw tables in firewall

[nicolas-fort]

Change Summary

Add support for raw tables in firewall
Migrate general conntrack timeouts to firewall global-options

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

• https://vyos.dev/T3900
• https://vyos.dev/T6394

Related PR(s)

Component(s) name

firewall, conntrack

Proposed changes

How to test

Sample config:

vyos@clear-legacy# run show config comm | grep firewall
set firewall global-options timeout icmp '45'
set firewall global-options timeout tcp established '125'
set firewall ipv4 prerouting raw rule 10 action 'notrack'
set firewall ipv4 prerouting raw rule 10 destination address '198.51.100.0/24'
set firewall ipv4 prerouting raw rule 20 action 'drop'
set firewall ipv4 prerouting raw rule 20 destination port '22'
set firewall ipv4 prerouting raw rule 20 protocol 'tcp'
set firewall ipv6 output raw rule 10 action 'accept'
set firewall ipv6 output raw rule 10 protocol 'udp'
set firewall ipv6 output raw rule 20 action 'notrack'
set firewall ipv6 output raw rule 20 outbound-interface name 'eth2'
[edit]
vyos@clear-legacy# 

Netfilter chains:

vyos@clear-legacy# sudo nft -S list chain ip vyos_filter VYOS_PREROUTING_raw
table ip vyos_filter {
        chain VYOS_PREROUTING_raw {
                type filter hook prerouting priority raw; policy accept;
                ip daddr 198.51.100.0/24 counter packets 0 bytes 0 notrack comment "ipv4-PRE-raw-10"
                tcp dport "ssh" counter packets 0 bytes 0 drop comment "ipv4-PRE-raw-20"
                counter packets 27 bytes 2508 accept comment "PRE-raw default-action accept"
        }
}
vyos@clear-legacy# sudo nft -S list chain ip6 vyos_filter VYOS_IPV6_OUTPUT_raw
table ip6 vyos_filter {
        chain VYOS_IPV6_OUTPUT_raw {
                type filter hook output priority raw; policy accept;
                meta l4proto udp counter packets 0 bytes 0 accept comment "ipv6-OUT-raw-10"
                oifname "eth2" counter packets 0 bytes 0 notrack comment "ipv6-OUT-raw-20"
                counter packets 0 bytes 0 accept comment "OUT-raw default-action accept"
        }
}
[edit]
vyos@clear-legacy# 

sysctl parameters:

vyos@clear-legacy# sudo sysctl -a | grep tcp_timeout_established
net.netfilter.nf_conntrack_tcp_timeout_established = 125
[edit]
vyos@clear-legacy# sudo sysctl -a | grep icmp_timeout
net.netfilter.nf_conntrack_icmp_timeout = 45
[edit]
vyos@clear-legacy# 

Smoketest result

test_firewall --> OK
test_system_conntrack.py --> OK

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[sarthurdev]

The firewall smoketest should be extended for the migrated timeout options.

Should we also consider migrating the ignore conntrack rules to instead use these new raw nodes?

[nicolas-fort]

The firewall smoketest should be extended for the migrated timeout options.

I was sure I added such tests in firewall smoketests, but seems I haven't.
I'll add it soon.

[nicolas-fort]

Should we also consider migrating the ignore conntrack rules to instead use these new raw nodes?

At least in this very first stage of adding this new feature, they can co-exist with legacy system conntrack ignore rules. However I've added a warning message that is preferable to define such rules in new firewall section.
New documentation should also advice to use such ignore rules in new section, and maybe extend warning message that system contnrack ignore rules will be deprecated later.