Page MenuHomeVyOS Platform
Create Task
Maniphest T4605

Firewall change default table names
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

We have default table names like

table ip    filter
table ip6   filter
table ip    nat
table ip6   nat
table inet  mangle
table ip    raw
table ip6   raw
table ip    mangle
table ip6   mangle

I propose to change names to vyos_xxx:

table ip    vyos_filter
table ip6   vyos_filter
table ip    vyos_nat
table ip6   vyos_nat
table inet  vyos_mangle
table ip    vyos_raw
table ip6   vyos_raw
table ip    vyos_mangle
table ip6   vyos_mangle

It can prevent overlap with some customer rules or some custom apps which can affect the firewall configuration

Just one example, tailscale by default can add its own firewall rules to filter and nat

[email protected]# sudo nft list table filter
table ip filter {
	chain VYOS_FW_FORWARD {
		type filter hook forward priority filter; policy accept;
		jump VYOS_POST_FW
	}

	chain VYOS_FW_LOCAL {
		type filter hook input priority filter; policy accept;
		jump VYOS_POST_FW
	}
...

	chain ts-input {
		iifname "lo" ip saddr 100.116.x.88 counter packets 0 bytes 0 accept
		iifname != "tailscale0" ip saddr 100.115.x.0/23 counter packets 0 bytes 0 return
		iifname != "tailscale0" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
	}

	chain ts-forward {
		iifname "tailscale0" counter packets 0 bytes 0 meta mark set 0x40000 
		mark 0x40000 counter packets 0 bytes 0 accept
		oifname "tailscale0" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
		oifname "tailscale0" counter packets 0 bytes 0 accept
	}
}
[edit]
[email protected]#
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		counter packets 195 bytes 19483 jump VYOS_PRE_DNAT_HOOK
	}

...

	chain ts-postrouting {
		mark 0x40000 counter packets 0 bytes 0 masquerade

It will cause a commit error:

[email protected]# compare 
+firewall {
+    name FOO {
+        default-action drop
+        rule 10 {
+            action accept
+        }
+    }
+}
[edit]
[email protected]# commit
[ firewall ]
Failed to apply firewall

[[firewall]] failed
Commit failed
[edit]
[email protected]#

Rename tables to vyos_xxx can prevent such issues in the future.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Internal change (not visible to end users)

Related Objects

Event Timeline

Viacheslav created this task.Aug 11 2022, 9:45 AM
Viacheslav updated the task description. (Show Details)Aug 11 2022, 9:48 AM
Viacheslav added a subscriber: sdev.Aug 11 2022, 10:06 AM
pasik added a subscriber: pasik.Aug 11 2022, 1:54 PM
fernando added a subscriber: fernando.Aug 12 2022, 6:47 PM
n.fort added a subscriber: n.fort.Aug 12 2022, 7:24 PM
sdev added a comment.Aug 17 2022, 8:02 PM

While I'm for changing to prefixed tables, I think the issue of tailscale and custom apps should fall under the accepted risk of running custom scripts outside of the config.

For components managed by the CLI that use the firewall table, the firewall conf script has a preserve_chains list for chains to preserve/ignore.

sdev added a comment.Sep 12 2022, 7:15 PM

PR for filter tables: https://github.com/vyos/vyos-1x/pull/1534

sdev added a comment.Sep 21 2022, 4:12 PM

PR for NAT included with refactor: https://github.com/vyos/vyos-1x/pull/1552

Viacheslav mentioned this in T4713: [email protected]:~$ show nat destination rules | doesn't work.Sep 27 2022, 9:36 AM
Viacheslav mentioned this in T4708: 'show nat destination rules' throwing an error.Sep 27 2022, 12:04 PM
sdev added a comment.Nov 11 2022, 4:49 PM

PR for policy route refactor updates to vyos_mangle: https://github.com/vyos/vyos-1x/pull/1654

Viacheslav closed this task as Resolved.Wed, May 24, 9:18 AM
Viacheslav assigned this task to sdev.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.