
Add support for raw tables to firewall
Closed, Resolved | Public | FEATURE REQUEST

Description

The current firewall implementation on VyOS does not allow rules to be natively injected into the "raw table" of iptables or its nftables equivalent.

If we manually inject the rules via the post-boot script, functionality such as SSH, BGP, etc. randomly breaks and randomly works, while the iptables counters remain at a clear "0".

MikroTik has a simplified logic that is both flexible and adaptable:

  1. They have an interface-list logic: we can create "LAN" containing local interfaces and "WAN" containing public interfaces, or any other combination (dynamic interfaces like PPPoE clients can also be added to an interface list dynamically).
  2. They allow native use of input/forward/output in the filter table and also native use of prerouting/output in the raw table.
  3. We can then combine the above features to create comprehensive firewall rules that cover essentially all the bases.

Example:
https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall

We can always allow MikroTik-like iptables logic in the VyOS CLI, while still converting it to nftables using scripts under the hood.

Details

Version
-
Is it a breaking change?
Behavior change

Event Timeline

Unknown Object (User) created this task. Oct 11 2021, 8:36 AM
Viacheslav triaged this task as Wishlist priority. Oct 11 2021, 9:23 AM
Viacheslav edited a custom field.
Unknown Object (User) updated the task description. Oct 11 2021, 9:25 AM
Unknown Object (User) added a subscriber: Viacheslav. Sep 2 2022, 6:30 PM

Have there been any updates on this? @Viacheslav, it would be great to have this functionality on VyOS.

@daryll-swer For your use case, you can use your own tables/chains (not the standard names like RAW/MANGLE, INPUT/OUTPUT, etc.); those won't be cleared by the VyOS firewall CLI:

nft add table MYRAW
nft -- add chain ip MYRAW my_chain '{ type filter hook prerouting priority raw; policy accept; }'
nft add rule ip MYRAW my_chain ip saddr 192.0.2.5 counter drop

Even if you delete the firewall via the CLI, this table will still exist.
Just do not use reserved table names; create your own.

vyos@r14# sudo nft -s list table ip MYRAW
table ip MYRAW {
	chain my_chain {
		type filter hook prerouting priority raw; policy accept;
		ip saddr 192.0.2.5 counter drop
	}
}

Regarding interface groups, it will be possible later, after the firewall re-design.
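As an added illustration of the approach in the comment above (not code from the task or from VyOS), the script below keeps a namespaced nftables table in the raw-priority prerouting hook and emulates MikroTik-style interface lists with nft named sets. The table name, interface names and addresses are constructed placeholders; the script only renders and loads its own table, so re-running it does not duplicate rules or touch tables managed by the VyOS firewall CLI.

```shell
#!/bin/sh
# Added example (not from the VyOS task): a namespaced nftables table in the
# raw-priority prerouting hook, with named sets standing in for MikroTik
# interface lists. All names and addresses below are constructed placeholders.
TABLE="MYRAW"                               # not a VyOS-reserved table name
WAN_IFACES='"eth0", "pppoe0"'               # the "WAN" interface list
LAN_IFACES='"eth1", "eth2"'                 # the "LAN" interface list
BLOCKED_SRC='192.0.2.5, 198.51.100.0/24'    # sources dropped before conntrack

# Render the complete ruleset for our own table. Declaring and then flushing
# only this table keeps re-runs from duplicating rules and leaves the tables
# managed by the VyOS firewall CLI alone.
render_raw_table() {
    cat <<EOF
table ip ${TABLE}
flush table ip ${TABLE}
table ip ${TABLE} {
    set wan_ifaces {
        type ifname
        elements = { ${WAN_IFACES} }
    }
    set lan_ifaces {
        type ifname
        elements = { ${LAN_IFACES} }
    }
    set blocked_src {
        type ipv4_addr
        flags interval
        elements = { ${BLOCKED_SRC} }
    }
    chain my_prerouting {
        type filter hook prerouting priority raw; policy accept;
        # stateless drops: matching packets never reach conntrack
        iifname @wan_ifaces ip saddr @blocked_src counter drop
        iifname @wan_ifaces ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter drop
        iifname @lan_ifaces ip saddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter drop
    }
}
EOF
}

# Syntax-check the rendered ruleset without loading it (requires nft).
check_raw_table() { render_raw_table | nft -c -f -; }

# Load the ruleset, e.g. from the post-config boot script (requires nft, root).
apply_raw_table() { render_raw_table | nft -f -; }

case "${1:-}" in
    render) render_raw_table ;;
    check)  check_raw_table ;;
    apply)  apply_raw_table ;;
esac
```

Run with `render` to inspect the generated ruleset, `check` to validate it with `nft -c`, and `apply` to load it.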

Unknown Object (User) added a comment. Sep 3 2022, 11:09 AM

Regarding interface groups, it will be possible later, after the firewall re-design.

Since you're re-designing the firewall anyway, why not include this proposed logic of mine though? It will benefit other people too for pure stateless filtering.

dmbaturin renamed this task from "Integrate Firewall logic and implementation found on MikroTik RouterOS v6/v7" to "Add support for raw tables to firewall". Feb 15 2024, 12:51 PM
dmbaturin added a project: VyOS 1.5 Circinus.
n.fort changed the task status from Open to In progress. May 14 2024, 12:31 PM
n.fort claimed this task.