Page MenuHomeVyOS Platform
Create Task
Maniphest T4072

Feature Request: Firewall on bridge interfaces
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Currently, VyOS in bridge mode cannot filter traffic on interfaces in bridge mode

image.png (130×793 px, 25 KB)

The basic idea is to use "table bridge filter" instead of "table ip filter". Maybe there are other ways.

Such functionality would be extremely useful in some scenarios.
Also, this support is desirable for VLAN subinterfaces

Traffic is not filtered at the moment:
set interfaces ethernet eth0 vif 705
set interfaces ethernet eth1 vif 706
set interfaces bridge br1 member interface eth0.705
set interfaces bridge br1 member interface eth1.706

set firewall name access_in rule 10 action 'drop'
set firewall name access_in rule 10 protocol 'ip'
set firewall name access_in rule 10 source address 0.0.0.0/0
set firewall name access_in rule 10 destination address 0.0.0.0/0

set interfaces ethernet eth1 vif 706 firewall in name 'access_in '
set interfaces ethernet eth0 vif 705 firewall in name 'access_in '

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202311160309
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Related Objects

Event Timeline

Unknown Object (User) created this task.Dec 14 2021, 6:56 AM
Unknown Object (User) created this object in space S1 VyOS Public.
pasik added a subscriber: pasik.Dec 14 2021, 9:24 AM
Viacheslav changed the subtype of this task from "Task" to "Feature Request".Dec 21 2021, 8:15 PM
Viacheslav added a subscriber: Viacheslav.Jan 9 2022, 7:40 AM

Does it work with vlan bridges T3115?

n.fort added a subscriber: n.fort.Jan 9 2022, 6:18 PM

Scenario proposed by @NikolayP gives next content in table ip filter:

table ip filter {
	chain VYOS_FW_FORWARD {
		type filter hook forward priority filter; policy accept;
		iifname "eth0.705" counter packets 0 bytes 0 jump access_in
		iifname "eth1.706" counter packets 0 bytes 0 jump access_in
		jump VYOS_POST_FW
	}

	chain VYOS_FW_LOCAL {
		type filter hook input priority filter; policy accept;
		jump VYOS_POST_FW
	}

	chain VYOS_FW_OUTPUT {
		type filter hook output priority filter; policy accept;
		jump VYOS_POST_FW
	}

	chain VYOS_POST_FW {
		return
	}

	chain VYOS_FRAG_MARK {
		type filter hook prerouting priority -450; policy accept;
		ip frag-off & 16383 != 0 meta mark set 0x000ffff1 return
	}

	chain access_in {
		meta l4proto ip ip daddr 0.0.0.0/0 ip saddr 0.0.0.0/0 counter packets 0 bytes 0 drop comment "access_in-10"
		return
	}
}

As mentioned, filtering do not happens, because it should be done in "bridge filter" table, and not in "ip filter" table, since interfaces eth0.705 and eth0.706 are member of bri1.

nft commands to get expected results:

sudo nft add table bridge filter
sudo nft add chain bridge filter FORWARD '{type filter hook forward priority filter; }'
sudo nft add rule bridge filter FORWARD iif { eth0.705, eth1.706 }  ip daddr 0.0.0.0/0 ip saddr 0.0.0.0/0 counter drop

Finally tables "ip filter" and "bridge filter" shows correct filtering on bridge table, while counter on "ip filter" remains in cero.

vyos@vyos# sudo nft list table ip filter
table ip filter {
	chain VYOS_FW_FORWARD {
		type filter hook forward priority filter; policy accept;
		iifname "eth0.705" counter packets 0 bytes 0 jump access_in
		iifname "eth1.706" counter packets 0 bytes 0 jump access_in
		jump VYOS_POST_FW
	}

	chain VYOS_FW_LOCAL {
		type filter hook input priority filter; policy accept;
		jump VYOS_POST_FW
	}

	chain VYOS_FW_OUTPUT {
		type filter hook output priority filter; policy accept;
		jump VYOS_POST_FW
	}

	chain VYOS_POST_FW {
		return
	}

	chain VYOS_FRAG_MARK {
		type filter hook prerouting priority -450; policy accept;
		ip frag-off & 16383 != 0 meta mark set 0x000ffff1 return
	}

	chain access_in {
		meta l4proto ip ip daddr 0.0.0.0/0 ip saddr 0.0.0.0/0 counter packets 0 bytes 0 drop comment "access_in-10"
		return
	}
}
[edit]
vyos@vyos# sudo nft list table bridge filter
table bridge filter {
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		iif { "eth0.705", "eth1.706" } ip daddr 0.0.0.0/0 ip saddr 0.0.0.0/0 counter packets 10 bytes 840 drop
	}
}

It would be good to start discussing how vyos cli should include bridge filtering. Could be something like:

set firewall ip|bridge name ....

This implies changing actual cli, but it would be easy to include more families filters, like:

set firewall ip|ipv6|inet|bridge|netdev name ....
Viacheslav added a comment.Jan 18 2022, 8:51 PM

Some details in T4193

Unknown Object (User) updated the task description. (Show Details)Jan 24 2022, 5:29 AM
eronlloyd added a subscriber: eronlloyd.Feb 20 2022, 11:43 AM

+1

syncer edited projects, added VyOS 1.3 Equuleus (1.3.2); removed VyOS 1.3 Equuleus, VyOS 1.4 Sagitta.Aug 14 2022, 1:05 PM
dmbaturin edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.2).Aug 14 2022, 6:31 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:46 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:29 PM
n.fort claimed this task.Sep 5 2023, 9:40 AM
n.fort added a project: VyOS 1.4 Sagitta.
n.fort added a comment.Sep 7 2023, 8:47 PM

PR: https://github.com/vyos/vyos-1x/pull/2222

n.fort changed the task status from Open to In progress.Sep 8 2023, 10:01 AM
n.fort changed the task status from In progress to Needs testing.Sep 12 2023, 10:17 AM

op-mode: https://github.com/vyos/vyos-1x/pull/2242

n.fort removed a project: VyOS 1.3 Equuleus (1.3.5).Sep 12 2023, 12:16 PM
n.fort changed the task status from Needs testing to In progress.Nov 16 2023, 1:20 PM
n.fort triaged this task as High priority.
n.fort changed Version from VyOS 1.3.0-epa3 to 1.4-rolling-202311160309.
n.fort changed the task status from In progress to Needs testing.Nov 21 2023, 5:46 PM
n.fort closed this task as Resolved.Jan 4 2024, 10:59 AM