
Add ability to resequence rule numbers for firewall
Closed, Resolved · Public · FEATURE REQUEST

Description

Today the sequence starts at 1 and use 1 as spacing.

This becomes somewhat tricky to insert new rules in a filter.

Suggestion to alter default to start at 10 and use 10 as spacing example:

Before:

set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 1 action 'drop'
set firewall ipv4 forward filter rule 1 state invalid 'enable'
set firewall ipv4 forward filter rule 2 action 'accept'
set firewall ipv4 forward filter rule 2 state established 'enable'
set firewall ipv4 forward filter rule 3 action 'accept'
set firewall ipv4 forward filter rule 3 state related 'enable'

After:

set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 10 action 'drop'
set firewall ipv4 forward filter rule 10 state invalid 'enable'
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 state established 'enable'
set firewall ipv4 forward filter rule 30 action 'accept'
set firewall ipv4 forward filter rule 30 state related 'enable'

This could be achieved by adding this command (where "10 10" would be default):

set firewall ipv4 forward filter resequence 10 10
  • start_num Sequence number assigned to the first rule. Default is 10.
  • inc_num Numeric interval between consecutive rules. Default is 10.

Where if I use:

set firewall ipv4 forward filter resequence 100 20

the result would become:

set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 100 action 'drop'
set firewall ipv4 forward filter rule 100 state invalid 'enable'
set firewall ipv4 forward filter rule 120 action 'accept'
set firewall ipv4 forward filter rule 120 state established 'enable'
set firewall ipv4 forward filter rule 140 action 'accept'
set firewall ipv4 forward filter rule 140 state related 'enable'

This would match "how others do it" such as Arista.

Ref:

https://www.arista.com/en/um-eos/eos-acls-and-route-maps#xx1151287

Details

Version: -
Is it a breaking change? Unspecified (possibly destroys the router)

Event Timeline

I don't get this thing.
You can use any number that you want.
Could you explain what exactly is wrong and why you can't use your own declared numbers?

The following is for example made up by migration:

set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 1 action 'drop'
set firewall ipv4 forward filter rule 1 state invalid 'enable'
set firewall ipv4 forward filter rule 2 action 'accept'
set firewall ipv4 forward filter rule 2 state established 'enable'
set firewall ipv4 forward filter rule 3 action 'accept'
set firewall ipv4 forward filter rule 3 state related 'enable'

How am I able to squeeze in a new rule between rule 2 and 3 when I am in config mode?

If the numbering by default is, let's say, 10 as step size (inc_num), that is the first rule is "rule 10", the 2nd rule is "rule 20", the 3rd rule is "rule 30" and so on, then I can add my own rules in between "rule 10" and "rule 20" by calling that "rule 17".

A renumbering would go through all rule numbers and space them according to inc_num (default 10 if not specified).

For example:

set firewall ipv4 forward filter resequence 10 10

Would make this:

set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 10 action 'drop'
set firewall ipv4 forward filter rule 10 state invalid 'enable'
set firewall ipv4 forward filter rule 17 action 'drop'
set firewall ipv4 forward filter rule 17 <something>
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 state established 'enable'
set firewall ipv4 forward filter rule 30 action 'accept'
set firewall ipv4 forward filter rule 30 state related 'enable'

to become this:

set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 10 action 'drop'
set firewall ipv4 forward filter rule 10 state invalid 'enable'
set firewall ipv4 forward filter rule 20 action 'drop'
set firewall ipv4 forward filter rule 20 <something>
set firewall ipv4 forward filter rule 30 action 'accept'
set firewall ipv4 forward filter rule 30 state established 'enable'
set firewall ipv4 forward filter rule 40 action 'accept'
set firewall ipv4 forward filter rule 40 state related 'enable'
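Added example, not VyOS code and not the op-mode script from the PR: a small Python resequencer over `set` lines that does what the task description and the "rule 17" walkthrough above ask for. Rules are renumbered per chain in their existing numeric order with `start + i * step`; every other line (default-action, groups, global-options) passes through untouched. The rule-number upper bound and the sample lines are assumptions/constructed.

```python
import re
from collections import defaultdict

# Matches any "set firewall ... rule <N> ..." line. Everything before " rule N"
# is the chain prefix (e.g. "set firewall ipv4 forward filter",
# "set firewall ipv4 name MYCHAIN"); everything after it is kept verbatim.
RULE_RE = re.compile(r"^(?P<prefix>set firewall .+?) rule (?P<num>\d+)(?P<rest>(?: .*)?)$")
MAX_RULE = 999999  # assumed upper bound of the VyOS rule-number range


def resequence(lines, start=10, step=10):
    """Renumber the rules of every chain start, start+step, ... in their existing
    numeric order. Non-rule lines (default-action, groups, global-options) pass
    through unchanged, so the output can replace the original block 1:1."""
    if start < 1 or step < 1:
        raise ValueError("start and step must be positive")
    # Pass 1: collect the distinct old rule numbers per chain (a rule spans several lines).
    chains = defaultdict(set)
    for line in lines:
        m = RULE_RE.match(line)
        if m:
            chains[m.group("prefix")].add(int(m.group("num")))
    mapping = {}
    for prefix, nums in chains.items():
        for i, old in enumerate(sorted(nums)):
            new = start + i * step
            if new > MAX_RULE:
                raise ValueError(f"{prefix}: rule {old} would become {new} > {MAX_RULE}")
            mapping[(prefix, old)] = new
    # Pass 2: rewrite rule lines with their new number, copy everything else.
    out = []
    for line in lines:
        m = RULE_RE.match(line)
        if m:
            new = mapping[(m.group("prefix"), int(m.group("num")))]
            line = f"{m.group('prefix')} rule {new}{m.group('rest')}"
        out.append(line)
    return out


# Constructed sample: a chain with an ad-hoc rule 17 squeezed in, plus group and
# global-options lines that must survive untouched.
SAMPLE = [
    "set firewall global-options all-ping 'enable'",
    "set firewall group address-group TRUSTED address '192.0.2.0/24'",
    "set firewall ipv4 forward filter default-action 'accept'",
    "set firewall ipv4 forward filter rule 10 action 'drop'",
    "set firewall ipv4 forward filter rule 10 state invalid 'enable'",
    "set firewall ipv4 forward filter rule 17 action 'drop'",
    "set firewall ipv4 forward filter rule 17 description 'Block rule 17 test'",
    "set firewall ipv4 forward filter rule 20 action 'accept'",
    "set firewall ipv4 forward filter rule 20 state established 'enable'",
    "set firewall ipv4 forward filter rule 30 action 'accept'",
    "set firewall ipv4 forward filter rule 30 state related 'enable'",
]

if __name__ == "__main__":
    print("\n".join(resequence(SAMPLE, 10, 10)))
```

Feeding it `show configuration commands | match firewall` output and `resequence(lines, 100, 20)` yields the 100/120/140 numbering from the description; the exception guards against running past the top of the range on long chains.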

If it is only per migration, you can change it in migration or rewrite the rules once.

I guess seq is configured there: https://github.com/vyos/vyos-1x/blob/bf7e94a6606c9245721194b7d5c18c24a9f8baef/src/migration-scripts/firewall/10-to-11#L78

As we don't have "auto sequence" and must declare them explicitly.

Yes, but if you have more than a few rules it's shitty to have to do this manually.

Having a config-mode setting that does this for you would be preferred.

Again, look at how others do this: https://www.arista.com/en/um-eos/eos-acls-and-route-maps#xx1151287

resequence (ACLs)
The resequence command assigns sequence numbers to rules in the configuration mode ACL. Command parameters specify the number of the first rule and the numeric interval between consecutive rules.

Maximum rule sequence number is 4294967295.

Command Mode

  • ACL Configuration
  • IPv6-ACL Configuration
  • Std-ACL Configuration
  • Std-IPv6-ACL Configuration
  • MAC-ACL Configuration

Command Syntax

resequence [start_num [inc_num]]

Parameters

  • start_num Sequence number assigned to the first rule. Default is 10.
  • inc_num Numeric interval between consecutive rules. Default is 10.

Example

The resequence command re-numbers the list, starting the first command at number 100 and incrementing subsequent lines by 20.

switch(config-acl-test1)# show
IP Access List test1
  10 permit ip 10.10.10.0/24 any
  20 permit ip any host 10.20.10.1
  30 deny ip host 10.10.10.1 host 10.20.10.1
  40 permit ip any any
  50 remark end of list
switch(config-acl-test1)# resequence 100 20
switch(config-acl-test1)# show
IP Access List test1
  100 permit ip 10.10.10.0/24 any
  120 permit ip any host 10.20.10.1
  140 deny ip host 10.10.10.1 host 10.20.10.1
  160 permit ip any any
  180 remark end of list

@Apachez, I got your point. The thing is, we don't have cisco-like CLI and can modify any seq rule.
It possibly could be from op-mode (not sure) because otherwise, you get resequence per each commit. That is definitely wrong.

The refactored firewall frontend uses rule numbers as described in: https://docs.vyos.io/en/latest/configuration/firewall/general.html#firewall-rules

When you already have something like:

set firewall ipv4 forward filter rule 1 action accept
set firewall ipv4 forward filter rule 2 action accept
set firewall ipv4 forward filter rule 3 action accept
...
set firewall ipv4 forward filter rule 997 action accept
set firewall ipv4 forward filter rule 998 action accept
set firewall ipv4 forward filter rule 999 action accept

It will be somewhat tricky today to insert a new rule between two rule numbers in an easy way.

Also, after that rule has been inserted, to make the full rule list use proper spacing of the rule number between each rule.

If there at least could exist some kind of operator (when you are in config-mode) to issue a resequence of a specific chain it would be helpful.

set firewall [ipv4 | ipv6] [input | output | forward | +name] filter resequence <start_num> <inc_num>

start_num if not specified is default 10.

inc_num if not specified is default 10.

Op-mode command reduce
PR https://github.com/vyos/vyos-1x/pull/2302

vyos@r4:~$ show conf com | match firew
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 1 action 'accept'
set firewall ipv4 input filter rule 1 description 'Allow loopback'
set firewall ipv4 input filter rule 1 inbound-interface interface-name 'lo'
set firewall ipv4 input filter rule 1 source address '127.0.0.0/8'
set firewall ipv4 input filter rule 2 action 'accept'
set firewall ipv4 input filter rule 2 description 'Allow established/related'
set firewall ipv4 input filter rule 2 state established 'enable'
set firewall ipv4 input filter rule 2 state related 'enable'
set firewall ipv4 input filter rule 60 action 'accept'
set firewall ipv4 input filter rule 60 description 'Allow SSH from trusted networks'
set firewall ipv4 input filter rule 60 destination port '22'
set firewall ipv4 input filter rule 60 protocol 'tcp'
set firewall ipv4 input filter rule 10000 action 'drop'
set firewall ipv4 input filter rule 10000 description 'Drop everything else'
vyos@r4:~$ 
vyos@r4:~$ produce firewall rule-resequence start 10 step 10

set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 description 'Allow loopback'
set firewall ipv4 input filter rule 10 inbound-interface interface-name 'lo'
set firewall ipv4 input filter rule 10 source address '127.0.0.0/8'
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 description 'Allow established/related'
set firewall ipv4 input filter rule 20 state established 'enable'
set firewall ipv4 input filter rule 20 state related 'enable'
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 description 'Allow SSH from trusted networks'
set firewall ipv4 input filter rule 30 destination port '22'
set firewall ipv4 input filter rule 30 protocol 'tcp'
set firewall ipv4 input filter rule 40 action 'drop'
set firewall ipv4 input filter rule 40 description 'Drop everything else'

vyos@r4:~$

1.5-rolling-202309250022

Is there a reason why some global options and some address groups (not all) are included in the output? Seems unintentional to me.

$  generate firewall rule-resequence
set firewall global-options all-ping 'enable'
set firewall group address-group IOT_Clockwise
set firewall group address-group PIA-UK description 'Hosts to route via PIA-UK'
set firewall group address-group PIA-US description 'Hosts to route via PIA-US'
set firewall group address-group WAN_No_4G_Access description 'Hosts that have no access to the 4G WAN failover connection'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 100 action 'drop'
set firewall ipv4 forward filter rule 100 description 'Drop invalid'
set firewall ipv4 forward filter rule 100 state invalid 'enable'
set firewall ipv4 forward filter rule 110 action 'accept'
set firewall ipv4 forward filter rule 110 description 'Allow established and related'
set firewall ipv4 forward filter rule 110 state established 'enable'
set firewall ipv4 forward filter rule 110 state related 'enable'
....more...

The parser could be better. https://github.com/vyos/vyos-1x/blob/734392fdff1276110d81c2315e6a4a29a1316f7d/src/op_mode/generate_firewall_rule-resequence.py#L50-L73

I have not contributed code to this project before so let me know if I've missed conventions...

https://github.com/JeffWDH/vyos-1x/commit/28b3e323cf74cf631ebe7d7debe28dd683865001

Simply strips 'global-options' and 'group' from the dict so it doesn't get processed.

syncer triaged this task as Normal priority.

The syntax seems to have changed from "produce" to "generate" during this task?

vyos@vyos:~$ produce firewall rule-resequence start 10 step 10

  Invalid command: [produce]

vyos@vyos:~$ generate firewall rule-resequence start 10 step 10

set firewall ipv4 forward filter default-action 'drop'
...

But what's the proper method to get this "generated" config to stick into the VyOS config?

The "generate" command doesn't seem to exist in config mode.

It's an op-mode command, so it does not change the configuration. The user may get something different from what he expected, so at least on this very first attempt of re-generating and re-ordering firewall rules, it's done as an op-mode command with no impact on the running configuration.

How to use it?

  • Use the command
  • Copy the output
  • Delete current firewall
  • Paste command output
  • Commit

I assume this will end up in config mode as well before this task can be set to resolved?

Simply because this is a few more steps:

  • Use the command
  • Copy the output
  • Delete current firewall
  • Paste command output
  • Commit

than this:

  • Use the command
  • Commit

For now, it affects only firewall rules, but not the full firewall section, as it could include firewall group and other firewall options.

I'm closing this task, as a solution was included. I'm not in favor of introducing a similar command in configuration mode.

Also NAT rules are in need of a resequence feature in config-mode:

https://vyos.dev/T6313

I don't think this task has been resolved since there is no change in the config-mode as requested.

Having 5 manual steps to do this as of today is not what I would call "resolved"...

I think the original request was "Add ability to resequence rule numbers for firewall", and we added this tool.
Auto-applying configuration based on this tool is the wrong way. We haven't had such hacks before and probably won't implement them in the nearest future.
All configuration changes have to be only per user commit; there should not be any auto-commits/auto-applied configs. We have an API for these tricks.
The CLI is completely different from the cisco/arista logic.

If you still want it in configuration, it is probably better to open a new task with a detailed description of what you want and how you see it.
If you have ideas for implementation, please add a PR (at least a PoC).

Task T6313 completely describes the "op-mode," in my opinion.

The thing is that adding this as op-mode only doesn't really solve anything.

Since I can already today export the config, resequence the rules elsewhere and then manually copy them back to replace current rules.

The point is to be able to do this when in config-mode so no copypaste monsters will be involved.

The original post in https://vyos.dev/T5497 already in detail describes the needed feature in config-mode.

Such as when in config-mode and running:

set firewall ipv4 forward filter resequence 100 20

The sequence numbers (rule numbers) would be changed, so when one does commit and save there is no need to copy things back and forth as the current PR (only affecting op-mode) needs to.

Feel free to reopen it and update the task description, but I'm not expecting it to be implemented.

Apachez changed the task status from Resolved to Unknown Status. May 10 2024, 4:54 PM

I'll put it into "known issue" since IMHO a complete "resolved" would be when this feature exists in config-mode as well.

Perhaps a group task could be created for both T5497 and T6313 which are virtually the same thing but in different sections of the config?

Just so I don't get the vocabulary wrong here...

By config-mode I mean when you enter "configure" and add/remove config lines by set/unset commands. Which then are finished with "commit" and "save".

And by op-mode I mean when you are outside of configure and are operating the router with show-commands and other.

Or did I get this wrong?

n.fort subscribed.
Viacheslav lowered the priority of this task from Normal to Wishlist. May 14 2024, 10:57 AM
dmbaturin changed the task status from Unknown Status to Resolved. Jul 2 2024, 7:05 PM
dmbaturin claimed this task.