
Make the chain policy configurable
Closed, Resolved · Public · FEATURE REQUEST

Description

VyOS always creates the input and forward nft chains with policy accept. This prevents the defense-in-depth approach of blocking everything except allowed ports, because interfaces that are not configured in set firewall interfaces permit all traffic.

I've started the work here: https://github.com/glueckself/vyos-1x/commit/197ea70f28fa284ac12155f5347432ee3c8ba75b

My initial approach was to make it a non-breaking change, setting policy accept when no default-policy is configured. Because the nft_action filter replaces the accept action with return, in the case of policy drop this causes the packet to be dropped, even if there are rules that would accept it (because they only return, until the packet is at the end of the chain where it's dropped). However, removing the "return" makes this a breaking change, as with policy accept+return, packets could be accepted in the in ruleset but dropped in the out ruleset (because both in and out rulesets are merged in the VYOS_FW_FORWARD chain). From what I understand, nft stops processing on the accept, which would prevent out rules from being processed.

One idea to solve this would be to use the postrouting chain for out-rules - but this would also be a behaviour change, as it would now affect packets coming from the router itself.

The code is in a very early state. Also, this is my first time working on VyOS and first time working with nft. I do have networking experience and a bit of experience with Python. Please let me know if there are any issues with my approach, and how I should proceed with the nft_action filter.

Details

Version
-
Is it a breaking change?
Behavior change

Event Timeline

Viacheslav changed the task status from Open to Needs testing. Jan 20 2024, 12:31 PM
Viacheslav assigned this task to n.fort.
Viacheslav triaged this task as Wishlist priority.
Viacheslav added subscribers: n.fort, Viacheslav.

@n.fort needs your comments

Behavior change for this issue was fixed some months ago in migration scripts, in order to retain action "return" when upgrading from older versions to new syntax.

Making the base chain policy configurable is not as flexible as it sounds, since policy can only be set to accept or drop. So all options shared in the link provided in the task description will not work.

Same behavior as legacy code can be achieved in new syntax.

Legacy code uses:

  • Base chains
  • Jump actions to custom chains if in/out/local interfaces are matched.
  • Return actions
  • Default accept at the very end.

All those capabilities are available in VyOS 1.4 and 1.5.

I think we can close this one.
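The structure both the description and the comment above refer to (base chain with policy accept, jumps into per-interface chains, return verdicts, explicit accept at the very end), written out as an added hand-made nft ruleset for illustration. It is not VyOS's generated ruleset, not the code from the linked commit, and not VyOS configuration syntax; the interface names, ports and the chain names other than VYOS_FW_FORWARD are assumed. The comments walk through why a base chain policy of drop would break the return convention, and how the unconfigured-interface gap looks in plain nft.

```nft
# Added illustration only; chain/interface names and ports are hypothetical.
table ip filter {
    # "in" ruleset for eth0. Matching rules RETURN instead of ACCEPT so that
    # the caller can still run the "out" ruleset for the same packet.
    chain FW_IN_eth0 {
        tcp dport 22 counter return     # allowed: hand back to the caller
        counter drop                    # this ruleset's own default: drop
    }

    # "out" ruleset for eth1, same convention.
    chain FW_OUT_eth1 {
        tcp dport 443 counter return
        counter drop
    }

    # Both in and out rulesets are evaluated from one chain. A packet must
    # RETURN from FW_IN_eth0 before FW_OUT_eth1 is consulted; an ACCEPT in
    # FW_IN_eth0 would end evaluation and skip the out rules entirely.
    chain VYOS_FW_FORWARD {
        iifname "eth0" jump FW_IN_eth0
        oifname "eth1" jump FW_OUT_eth1
        # Explicit final verdict. Traffic that reaches this rule has either
        # been returned by every matching ruleset, or matched no jump at all
        # (e.g. an interface with no ruleset), which is the gap the task
        # description points at. Tightening it by hand in nft would mean a
        # catch-all such as:  iifname != { "eth0" } counter drop
        # placed before this accept; VyOS itself does not emit that rule.
        counter accept
    }

    # Base chain. The policy is accept; the real verdicts are the explicit
    # rules above. If this policy were drop AND the final accept removed (the
    # first approach in the description), a packet that FW_IN_eth0 returned
    # would fall off the end of this chain and be dropped by the policy even
    # though a rule intended to allow it.
    chain forward {
        type filter hook forward priority filter; policy accept;
        jump VYOS_FW_FORWARD
    }
}
```

Load with `nft -f <file>` on a test system; `nft list ruleset` with the counters shows which verdict each test packet actually reached.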