Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

T6841: firewall: improve config parsing for ZBF when using VRFs and interfaces attached to VRFs #4180

Merged
merged 4 commits into from
Jan 6, 2025
Merged

T6841: firewall: improve config parsing for ZBF when using VRFs and interfaces attached to VRFs #4180

merged 4 commits into from
Jan 6, 2025
+261 −73

Conversation

nicolas-fort
Copy link
Contributor

Change Summary

Improve config parsing for ZBF when using VRFs and interfaces attached to VRFs

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

firewall

Proposed changes

For zone based firewall, everything is related to matching inbound and outbound interface. The problem is that in Linux, if an interface is attached to a non-default VRF, then:

  • For matching inbound-interface, we need to specify <vrf_name> in firewall ruleset
  • For matching outbound-interface, we need to specify <physical_interface> in firewall ruleset.

Before this PR, what was written under set firewall zone <zone> interface <iface> was exactly written for inbound|outbound interface in nftables.
Now we have provide more options so we can specify interface name and interfave vrf while defining interfaces in a zone.

  • If using interface name <iface> --> it still writes exactly that interfaces for inbound|outbound interface in nftables
  • If using interface vrf <vrf_name> --> in nftables it writes:
    • <vrf_name> for matching inbound interface
    • <all_vrf_members> for matching outbound interface.

How to test

Smoketest result

root@zbf-vrfaware:/usr/libexec/vyos/tests/smoke/cli# ./test_firewall.py 
test_bridge_firewall (__main__.TestFirewall.test_bridge_firewall) ... ok
test_cyclic_jump_validation (__main__.TestFirewall.test_cyclic_jump_validation) ... ok
test_flow_offload (__main__.TestFirewall.test_flow_offload) ... ok
test_geoip (__main__.TestFirewall.test_geoip) ... ok
test_gre_match (__main__.TestFirewall.test_gre_match) ... ok
test_groups (__main__.TestFirewall.test_groups) ... ok
test_ipsec_metadata_match (__main__.TestFirewall.test_ipsec_metadata_match) ... ok
test_ipv4_advanced (__main__.TestFirewall.test_ipv4_advanced) ... ok
test_ipv4_basic_rules (__main__.TestFirewall.test_ipv4_basic_rules) ... ok
test_ipv4_dynamic_groups (__main__.TestFirewall.test_ipv4_dynamic_groups) ... ok
test_ipv4_global_state (__main__.TestFirewall.test_ipv4_global_state) ... ok
test_ipv4_mask (__main__.TestFirewall.test_ipv4_mask) ... ok
test_ipv4_state_and_status_rules (__main__.TestFirewall.test_ipv4_state_and_status_rules) ... ok
test_ipv4_synproxy (__main__.TestFirewall.test_ipv4_synproxy) ... ok
test_ipv6_advanced (__main__.TestFirewall.test_ipv6_advanced) ... ok
test_ipv6_basic_rules (__main__.TestFirewall.test_ipv6_basic_rules) ... ok
test_ipv6_dynamic_groups (__main__.TestFirewall.test_ipv6_dynamic_groups) ... ok
test_ipv6_mask (__main__.TestFirewall.test_ipv6_mask) ... ok
test_nested_groups (__main__.TestFirewall.test_nested_groups) ... ok
test_source_validation (__main__.TestFirewall.test_source_validation) ... ok
test_sysfs (__main__.TestFirewall.test_sysfs) ... ok
test_timeout_sysctl (__main__.TestFirewall.test_timeout_sysctl) ... ok
test_zone_basic (__main__.TestFirewall.test_zone_basic) ... ok
test_zone_flow_offload (__main__.TestFirewall.test_zone_flow_offload) ... ok
test_zone_with_vrf (__main__.TestFirewall.test_zone_with_vrf) ... ok

----------------------------------------------------------------------
Ran 25 tests in 136.776s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@nicolas-fort nicolas-fort requested a review from a team as a code owner October 29, 2024 19:18
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 29, 2024
edited
Loading

👍
No issues in PR Title / Commit Title

@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 29, 2024
edited
Loading

✅ No issues found in unused-imports check.. Please refer the workflow run

@nicolas-fort
Copy link
Contributor Author

Should I also change these files?
https://github.com/search?q=repo%3Avyos%2Fvyos-1x+path%3A%2F%5Esmoketest%5C%2Fconfig-tests%5C%2F%2F+%22set+firewall+zone%22&type=code

dmbaturin
dmbaturin requested changes Nov 7, 2024
View reviewed changes
Copy link
Member

@dmbaturin dmbaturin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest a different syntax that I think is more intuitive (or less counter-intuitive ;) and there are some missing cases in the migration script logic.

interface-definitions/firewall.xml.in Outdated Show resolved Hide resolved
interface-definitions/firewall.xml.in Outdated Show resolved Hide resolved
smoketest/scripts/cli/test_firewall.py Outdated Show resolved Hide resolved
smoketest/scripts/cli/test_firewall.py Outdated Show resolved Hide resolved
smoketest/scripts/cli/test_firewall.py Outdated Show resolved Hide resolved
src/conf_mode/firewall.py Outdated Show resolved Hide resolved
src/migration-scripts/firewall/17-to-18 Outdated Show resolved Hide resolved
src/migration-scripts/firewall/17-to-18 Outdated Show resolved Hide resolved
src/migration-scripts/firewall/17-to-18 Outdated Show resolved Hide resolved
src/migration-scripts/firewall/17-to-18 Show resolved Hide resolved
@nicolas-fort nicolas-fort marked this pull request as draft November 19, 2024 12:32
@nicolas-fort nicolas-fort marked this pull request as ready for review December 18, 2024 11:16
@nicolas-fort nicolas-fort requested a review from c-po as a code owner December 18, 2024 11:16
c-po
c-po requested changes Dec 19, 2024
View reviewed changes
interface-definitions/firewall.xml.in Outdated Show resolved Hide resolved
@c-po c-po requested review from dmbaturin and c-po December 23, 2024 12:08
nicolas-fort and others added 4 commits January 6, 2025 12:05
@nicolas-fort @c-po
T6841: firewall: improve config parsing for ZBF when using VRFs and i…
df176d9 
…nterfaces attached to VRFs
@aapostoliuk @c-po
T6841: firewall: Fixed issues in ZBF when using VRFs
4a194b3 
Improve config parsing for ZBF when using VRFs and interfaces attached to VRFs
@c-po
T6841: firewall: re-use existing generic-interface-multi.xml.i XML bu…
3b04cc2 
…ilding block
@c-po
T6841: firewall: migrate existing VRF in zone based firewall
dda428f 
VRF support was introduced in VyOS 1.4.0. If a VRF is added as an interface in
the zone based firewall, it will be migrated to the new syntax.

OLD:
  set firewall zone FOO interface RED
  set firewall zone FOO interface eth0

NEW:
  set firewall zone FOO member vrf RED
  set firewall zone FOO member interface eth0
@c-po c-po merged commit 5ae3f05 into vyos:current Jan 6, 2025
9 of 10 checks passed
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 6, 2025

CI integration ❌ failed!

Details

CI logs

  • CLI Smoketests (no interfaces) ❌ failed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests ❌ failed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

@c-po c-po mentioned this pull request Jan 8, 2025
Merged
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@c-po c-po c-po approved these changes

@dmbaturin dmbaturin dmbaturin approved these changes

@sarthurdev sarthurdev Awaiting requested review from sarthurdev sarthurdev was automatically assigned from vyos/reviewers

@zdc zdc Awaiting requested review from zdc zdc was automatically assigned from vyos/reviewers

@jestabro jestabro Awaiting requested review from jestabro jestabro was automatically assigned from vyos/reviewers

@sever-sever sever-sever Awaiting requested review from sever-sever sever-sever was automatically assigned from vyos/reviewers

@fett0 fett0 Awaiting requested review from fett0 fett0 was automatically assigned from vyos/reviewers

Assignees

@nicolas-fort nicolas-fort

Labels
current
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@nicolas-fort @dmbaturin @c-po @aapostoliuk