
Firewall mark - Add capabilities for matching firewall mark
Closed, Resolved | Public | FEATURE REQUEST

Description

It is not possible to use firewall marks as matching criteria, neither in firewall nor in policy route.
Firewall matchers:

vyos@vyos-suri# set firewall ipv4 name FOO rule 10 
Possible completions:
   action               Rule action
+  connection-mark      Connection mark
 > connection-status    Connection status
   description          Description
 > destination          Destination parameters
   disable              Option to disable firewall rule
+  dscp                 DSCP value
+  dscp-exclude         DSCP value not to match
 > fragment             IP fragment match
 > icmp                 ICMP type and code information
 > inbound-interface    Match inbound-interface
 > ipsec                Inbound IPsec packets
   jump-target          Set jump target. Action jump must be defined to use this setting
 > limit                Rate limit using a token bucket filter
   log                  Option to log packets matching rule
 > log-options          Log options
 > outbound-interface   Match outbound-interface
+  packet-length        Payload size in bytes, including header and data to match
+  packet-length-exclude
                        Payload size in bytes, including header and data not to match
   packet-type          Packet type
   protocol             Protocol to match (protocol name, number, or "all")
   queue                Queue target to use. Action queue must be defined to use this
                        setting
+  queue-options        Options used for queue target. Action queue must be defined to
                        use this setting
 > recent               Parameters for matching recently seen sources
 > source               Source parameters
 > state                Session state
 > tcp                  TCP flags to match
 > time                 Time to match rule
 > ttl                  Time to live limit

Policy route matchers:

vyos@vyos-suri# set policy route FOO rule 10 
Possible completions:
   action               Rule action
+  connection-mark      Connection mark
   description          Description
 > destination          Destination parameters
   disable              Option to disable firewall rule
+  dscp                 DSCP value
+  dscp-exclude         DSCP value not to match
 > fragment             IP fragment match
 > icmp                 ICMP type and code information
 > ipsec                Inbound IPsec packets
 > limit                Rate limit using a token bucket filter
   log                  Option to log packets matching rule
+  packet-length        Payload size in bytes, including header and data to match
+  packet-length-exclude
                        Payload size in bytes, including header and data not to match
   packet-type          Packet type
   protocol             Protocol to match (protocol name, number, or "all") (default:
                        all)
 > recent               Parameters for matching recently seen sources
 > set                  Packet modifications
 > source               Source parameters
 > state                Session state
 > tcp                  TCP flags to match
 > time                 Time to match rule
 > ttl                  Time to live limit

It would be useful in some cases to be able to use firewall marks as a matching option in firewall and policy route rules.

Details

Difficulty level
Unknown (require assessment)
Version
1.5-rolling-202309260022
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

n.fort changed the task status from Open to Confirmed.Sep 26 2023, 12:11 PM
n.fort claimed this task.
n.fort created this task.
n.fort changed Version from - to 1.5-rolling-202309260022.

We have fwmark for policy local-route,
but it is only for matching the mark and making a routing decision.

vyos@vyos-lns# set policy local-route rule 100 
Possible completions:
+  destination          Destination address or prefix
   fwmark               Match fwmark value
   inbound-interface    Inbound Interface
 > set                  Packet modifications
+  source               Source address or prefix

To set marking you can use

vyos@vyos-lns# set policy route FOO rule 10 set 
Possible completions:
   connection-mark      Connection marking
   dscp                 Packet Differentiated Services Codepoint (DSCP)
   mark                 Packet marking
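As an added illustration of what the comment above describes (this is example configuration, not taken from the task or from VyOS documentation), the following commands mark traffic from one subnet with `policy route ... set mark` and then use `policy local-route ... fwmark` to steer only those marked packets into a separate routing table. The interface `eth1`, the subnet `192.0.2.0/24`, mark value `10`, table `10` and next-hop `198.51.100.1` are placeholder values chosen for the example.

```vyos
# Added example (not from the task): set a mark with policy route,
# then match that mark with policy local-route for the routing decision.
# eth1, 192.0.2.0/24, mark 10, table 10 and 198.51.100.1 are placeholders.

# 1. Mark packets coming from the LAN subnet.
#    policy route can SET a mark here, but it cannot MATCH on one.
set policy route MARK-LAN rule 10 description 'Mark traffic from 192.0.2.0/24'
set policy route MARK-LAN rule 10 source address '192.0.2.0/24'
set policy route MARK-LAN rule 10 set mark '10'
set policy route MARK-LAN interface 'eth1'

# 2. Match the mark; today this is the only place fwmark can be matched,
#    and the only thing it can do with the match is pick a routing table.
set policy local-route rule 100 fwmark '10'
set policy local-route rule 100 set table '10'

# 3. Alternate routing table that the marked traffic is sent through.
set protocols static table 10 route 0.0.0.0/0 next-hop '198.51.100.1'

commit
save
```

This covers the routing path only: no `firewall` or `policy route` rule can reference mark `10` to accept, drop or log the marked packets, which is exactly the gap this task asks to close.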
n.fort renamed this task from Firewall marl - Add capabilities for matching firewall mark to Firewall mark - Add capabilities for matching firewall mark.Sep 27 2023, 5:48 PM
n.fort changed the task status from Confirmed to In progress.
n.fort changed the task status from In progress to Needs testing.Oct 3 2023, 7:02 PM