Description
Current configuration doesn't allow setting up a firewall on L3 VIF subinterfaces on a bridge. This should change.
Details
- Difficulty level: Unknown (require assessment)
- Version: -
- Why the issue appeared?: Will be filled on close
- Is it a breaking change?: Perfectly compatible
- Issue type: Feature (new functionality)
Event Timeline
Before that, should we consider completely migrating the vyos firewall implementation?
I met the same issue. Currently bridge vifs are missing firewall options.
It seems to me that it is very easy to add those firewall options to the old firewall implementation so we don't have to wait for the new implementation. Just a few lines: https://github.com/vyos/vyatta-cfg-firewall/pull/25 https://github.com/vyos/vyatta-cfg-firewall/pull/26. Let me know if they are good to merge.
Filtering tested on version 1.4-rolling-202201060842
VyOS configuration:
# Bridge and vlans configuration
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth0 allowed-vlan '55'
set interfaces bridge br0 member interface eth0 allowed-vlan '66'
set interfaces bridge br0 member interface eth1 allowed-vlan '55'
set interfaces bridge br0 member interface eth1 allowed-vlan '66'
set interfaces bridge br0 vif 55 address '192.168.55.1/24'
set interfaces bridge br0 vif 66 address '192.168.66.1/24'
# Firewall configuration
set firewall name BRI-VIF55 default-action 'accept'
set firewall name BRI-VIF55 rule 10 action 'drop'
set firewall name BRI-VIF55 rule 10 source address '192.168.55.0/24'
set firewall name BRI-VIF55 rule 10 destination address '192.168.66.0/24'
set interfaces bridge br0 vif 55 firewall in name 'BRI-VIF55'
Tests:
- Host from vlan 55 can't communicate to host located on vlan 66: correct behavior, counters increased correctly on nftables rules.
- Host from vlan 55 can reach internet (default action accept) and counters increased correctly
- Host located on vlan 55 under eth0 can communicate correctly with a host located on the same vlan under eth1 (simple bridge test).
[email protected]# sudo nft list table ip filter
table ip filter {
	chain VYOS_FW_FORWARD {
		type filter hook forward priority filter; policy accept;
		iifname "br0.55" counter packets 28 bytes 2352 jump BRI-VIF55
		jump VYOS_POST_FW
	}
	chain VYOS_FW_LOCAL {
		type filter hook input priority filter; policy accept;
		jump VYOS_POST_FW
	}
	chain VYOS_FW_OUTPUT {
		type filter hook output priority filter; policy accept;
		jump VYOS_POST_FW
	}
	chain VYOS_POST_FW {
		return
	}
	chain VYOS_FRAG_MARK {
		type filter hook prerouting priority -450; policy accept;
		ip frag-off & 16383 != 0 meta mark set 0x000ffff1 return
	}
	chain FOO {
		log counter packets 0 bytes 0 return comment "FOO-10"
		return
	}
	chain BRI-VIF55 {
		ip daddr 192.168.66.0/24 ip saddr 192.168.55.0/24 counter packets 18 bytes 1512 drop comment "BRI-VIF55-10"
		counter packets 5 bytes 420 return comment "BRI-VIF55 default-action accept"
	}
}
The previous example was expanded in order to test filtering between the native bridge interface and a vlan interface on the bridge.
Filtering rules:
- Filter traffic from vlan br0.55 to br0.66
- Filter traffic from vlan1 to br0.55
- Allow all
Configuration:
set interfaces bridge br0 address '192.168.1.1/24'
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth0 allowed-vlan '55'
set interfaces bridge br0 member interface eth0 allowed-vlan '66'
set interfaces bridge br0 member interface eth0 native-vlan '1'
set interfaces bridge br0 member interface eth1 allowed-vlan '55'
set interfaces bridge br0 member interface eth1 allowed-vlan '66'
set interfaces bridge br0 member interface eth1 native-vlan '1'
set interfaces bridge br0 vif 55 address '192.168.55.1/24'
set interfaces bridge br0 vif 66 address '192.168.66.1/24'
set firewall state-policy established action 'accept'
set firewall state-policy invalid action 'drop'
set firewall state-policy related action 'accept'
set firewall name BRI-1 default-action 'accept'
set firewall name BRI-1 rule 10 action 'drop'
set firewall name BRI-1 rule 10 destination address '192.168.55.0/24'
set firewall name BRI-1 rule 10 source address '192.168.1.0/24'
set firewall name BRI-VIF55 default-action 'accept'
set firewall name BRI-VIF55 rule 10 action 'drop'
set firewall name BRI-VIF55 rule 10 destination address '192.168.66.0/24'
set firewall name BRI-VIF55 rule 10 source address '192.168.55.0/24'
set interfaces bridge br0 firewall in name 'BRI-1'
set interfaces bridge br0 vif 55 firewall in name 'BRI-VIF55'
Content of table ip filter:
table ip filter {
	chain VYOS_FW_FORWARD {
		type filter hook forward priority filter; policy accept;
		jump VYOS_STATE_POLICY
		iifname "br0" counter packets 8 bytes 672 jump BRI-1
		iifname "br0.55" counter packets 22 bytes 1848 jump BRI-VIF55
		jump VYOS_POST_FW
	}
	chain VYOS_FW_LOCAL {
		type filter hook input priority filter; policy accept;
		jump VYOS_STATE_POLICY
		jump VYOS_POST_FW
	}
	chain VYOS_FW_OUTPUT {
		type filter hook output priority filter; policy accept;
		jump VYOS_STATE_POLICY
		jump VYOS_POST_FW
	}
	chain VYOS_POST_FW {
		return
	}
	chain VYOS_FRAG_MARK {
		type filter hook prerouting priority -450; policy accept;
		ip frag-off & 16383 != 0 meta mark set 0x000ffff1 return
	}
	chain BRI-VIF55 {
		ip daddr 192.168.66.0/24 ip saddr 192.168.55.0/24 counter packets 5 bytes 420 drop comment "BRI-VIF55-10"
		counter packets 0 bytes 0 return comment "BRI-VIF55 default-action accept"
	}
	chain VYOS_STATE_POLICY {
		ct state established counter packets 5 bytes 420 accept
		ct state invalid counter packets 0 bytes 0 drop
		ct state related counter packets 0 bytes 0 accept
		return
	}
	chain BRI-1 {
		ip daddr 192.168.55.0/24 ip saddr 192.168.1.0/24 counter packets 3 bytes 252 drop comment "BRI-1-10"
		counter packets 5 bytes 420 return comment "BRI-1 default-action accept"
	}
}
Traffic was filtered as expected.
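Both test reports above verify the binding by eye: each `set interfaces bridge br0 [vif N] firewall in name X` line must show up as an `iifname "br0[.N]" ... jump X` rule in `VYOS_FW_FORWARD`, and the drop rule's counter must move. The script below automates that cross-check. It is an added example, not part of the issue or of VyOS's own code: it parses the `set` commands and the `nft list table ip filter` output posted in the second test (embedded here as constructed sample strings), maps every `firewall in` binding to its kernel interface name (bridge vifs become `br0.55`), confirms the matching jump rule and chain exist, flags jumps the configuration never asked for, and reads back per-rule counters so a test run can assert the drop actually fired. The regexes assume the rule layout shown in the posted output.

```python
"""Cross-check VyOS 'firewall in' bindings against the rendered nftables ruleset.

Added example for the issue above; not VyOS code. Sample inputs are copied
from the second test posted in the issue.
"""
import re

# Constructed sample: the binding-relevant lines of the second posted config.
VYOS_CONFIG = """
set interfaces bridge br0 address '192.168.1.1/24'
set interfaces bridge br0 vif 55 address '192.168.55.1/24'
set firewall name BRI-1 default-action 'accept'
set firewall name BRI-VIF55 default-action 'accept'
set interfaces bridge br0 firewall in name 'BRI-1'
set interfaces bridge br0 vif 55 firewall in name 'BRI-VIF55'
"""

# Constructed sample: the posted `nft list table ip filter` output (abridged).
NFT_OUTPUT = """
table ip filter {
    chain VYOS_FW_FORWARD {
        type filter hook forward priority filter; policy accept;
        jump VYOS_STATE_POLICY
        iifname "br0" counter packets 8 bytes 672 jump BRI-1
        iifname "br0.55" counter packets 22 bytes 1848 jump BRI-VIF55
        jump VYOS_POST_FW
    }
    chain VYOS_POST_FW {
        return
    }
    chain BRI-VIF55 {
        ip daddr 192.168.66.0/24 ip saddr 192.168.55.0/24 counter packets 5 bytes 420 drop comment "BRI-VIF55-10"
        counter packets 0 bytes 0 return comment "BRI-VIF55 default-action accept"
    }
    chain VYOS_STATE_POLICY {
        ct state established counter packets 5 bytes 420 accept
        ct state invalid counter packets 0 bytes 0 drop
        ct state related counter packets 0 bytes 0 accept
        return
    }
    chain BRI-1 {
        ip daddr 192.168.55.0/24 ip saddr 192.168.1.0/24 counter packets 3 bytes 252 drop comment "BRI-1-10"
        counter packets 5 bytes 420 return comment "BRI-1 default-action accept"
    }
}
"""

BINDING_RE = re.compile(
    r"^set interfaces (?P<type>\S+) (?P<name>\S+)(?: vif (?P<vif>\d+))?"
    r" firewall in name '(?P<chain>[^']+)'$"
)
JUMP_RE = re.compile(r'^iifname "([^"]+)" (?:.*?\s)?jump (\S+)$')
COUNTER_RE = re.compile(r"counter packets (\d+) bytes (\d+)")
VERDICT_RE = re.compile(r"\b(accept|drop|return|jump \S+)(?= comment|$)")


def interface_bindings(config):
    """Map kernel interface name -> chain for every 'firewall in name' line.

    A bridge vif binding 'bridge br0 vif 55' is rendered by VyOS as br0.55.
    """
    bindings = {}
    for line in config.strip().splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            ifname = m.group("name")
            if m.group("vif"):
                ifname = f"{ifname}.{m.group('vif')}"
            bindings[ifname] = m.group("chain")
    return bindings


def parse_nft_chains(nft_text):
    """Parse `nft list table` output into {chain_name: [rule lines]}."""
    chains, current = {}, None
    for raw in nft_text.splitlines():
        line = raw.strip()
        m = re.match(r"^chain (\S+) \{$", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line == "}":
            current = None
        elif current is not None and line and not line.startswith("type "):
            chains[current].append(line)
    return chains


def forward_jumps(chains):
    """{ifname: chain} for every iifname-keyed jump in VYOS_FW_FORWARD."""
    jumps = {}
    for rule in chains.get("VYOS_FW_FORWARD", []):
        m = JUMP_RE.match(rule)
        if m:
            jumps[m.group(1)] = m.group(2)
    return jumps


def check_bindings(config, nft_text):
    """Return a list of problems; an empty list means every binding is rendered."""
    bindings = interface_bindings(config)
    chains = parse_nft_chains(nft_text)
    jumps = forward_jumps(chains)
    problems = []
    for ifname, chain in bindings.items():
        if chain not in chains:
            problems.append(f"chain {chain} for {ifname} missing from ruleset")
        elif jumps.get(ifname) != chain:
            problems.append(f"no 'iifname \"{ifname}\" ... jump {chain}' rule in VYOS_FW_FORWARD")
    for ifname, chain in jumps.items():
        if ifname not in bindings:
            problems.append(f"unexpected jump to {chain} for {ifname} (not in config)")
    return problems


def chain_counters(chains, chain):
    """[(verdict, packets)] for each counted rule of a chain, in rule order."""
    out = []
    for rule in chains.get(chain, []):
        c, v = COUNTER_RE.search(rule), VERDICT_RE.search(rule)
        if c and v:
            out.append((v.group(1), int(c.group(1))))
    return out


if __name__ == "__main__":
    issues = check_bindings(VYOS_CONFIG, NFT_OUTPUT)
    print("bindings OK" if not issues else "\n".join(issues))
    for name in ("BRI-1", "BRI-VIF55"):
        print(name, chain_counters(parse_nft_chains(NFT_OUTPUT), name))
```

On a live box the same check runs with `VYOS_CONFIG` replaced by the output of `show configuration commands` and `NFT_OUTPUT` by `sudo nft list table ip filter`; a non-empty problem list means a configured binding never reached the kernel, which is exactly the gap this issue reports for bridge vifs.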