Page MenuHomeVyOS Platform
Create Task
Maniphest T5616

Firewall mark - Add capabilities for matching firewall mark
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

It's is not possible to use firewall marks as matching criteria, neither in firewall and in policy route.
Firewall matchers:

vyos@vyos-suri# set firewall ipv4 name FOO rule 10 
Possible completions:
   action               Rule action
+  connection-mark      Connection mark
 > connection-status    Connection status
   description          Description
 > destination          Destination parameters
   disable              Option to disable firewall rule
+  dscp                 DSCP value
+  dscp-exclude         DSCP value not to match
 > fragment             IP fragment match
 > icmp                 ICMP type and code information
 > inbound-interface    Match inbound-interface
 > ipsec                Inbound IPsec packets
   jump-target          Set jump target. Action jump must be defined to use this setting
 > limit                Rate limit using a token bucket filter
   log                  Option to log packets matching rule
 > log-options          Log options
 > outbound-interface   Match outbound-interface
+  packet-length        Payload size in bytes, including header and data to match
+  packet-length-exclude
                        Payload size in bytes, including header and data not to match
   packet-type          Packet type
   protocol             Protocol to match (protocol name, number, or "all")
   queue                Queue target to use. Action queue must be defined to use this
                        setting
+  queue-options        Options used for queue target. Action queue must be defined to
                        use this setting
 > recent               Parameters for matching recently seen sources
 > source               Source parameters
 > state                Session state
 > tcp                  TCP flags to match
 > time                 Time to match rule
 > ttl                  Time to live limit

Policy route matchers:

vyos@vyos-suri# set policy route FOO rule 10 
Possible completions:
   action               Rule action
+  connection-mark      Connection mark
   description          Description
 > destination          Destination parameters
   disable              Option to disable firewall rule
+  dscp                 DSCP value
+  dscp-exclude         DSCP value not to match
 > fragment             IP fragment match
 > icmp                 ICMP type and code information
 > ipsec                Inbound IPsec packets
 > limit                Rate limit using a token bucket filter
   log                  Option to log packets matching rule
+  packet-length        Payload size in bytes, including header and data to match
+  packet-length-exclude
                        Payload size in bytes, including header and data not to match
   packet-type          Packet type
   protocol             Protocol to match (protocol name, number, or "all") (default:
                        all)
 > recent               Parameters for matching recently seen sources
 > set                  Packet modifications
 > source               Source parameters
 > state                Session state
 > tcp                  TCP flags to match
 > time                 Time to match rule
 > ttl                  Time to live limit

It would be useful in some cases to be able to use firewall marks as option in firewall/policy

Details

Version
1.5-rolling-202309260022
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Related Objects
Search...

Event Timeline

n.fort created this task.Sep 26 2023, 12:11 PM
n.fort changed the task status from Open to Confirmed.
n.fort claimed this task.
n.fort changed Version from - to 1.5-rolling-202309260022.
Viacheslav subscribed.Sep 26 2023, 12:47 PM

We have fwmark for policy local-route
But it is only for match mark and routing decision

vyos@vyos-lns# set policy local-route rule 100 
Possible completions:
+  destination          Destination address or prefix
   fwmark               Match fwmark value
   inbound-interface    Inbound Interface
 > set                  Packet modifications
+  source               Source address or prefix

To set marking you can use

vyos@vyos-lns# set policy route FOO rule 10 set 
Possible completions:
   connection-mark      Connection marking
   dscp                 Packet Differentiated Services Codepoint (DSCP)
   mark                 Packet marking
pasik subscribed.Sep 26 2023, 2:01 PM
n.fort added a comment.Sep 27 2023, 5:48 PM

PR: https://github.com/vyos/vyos-1x/pull/2314

n.fort renamed this task from Firewall marl - Add capabilities for matching firewall mark to Firewall mark - Add capabilities for matching firewall mark.Sep 27 2023, 5:48 PM
n.fort changed the task status from Confirmed to In progress.
Restricted Repository Identity mentioned this in rVYOSONEX989ff045aa73: Merge pull request #2314 from nicolas-fort/T5616.Sep 30 2023, 3:56 AM
n.fort mentioned this in rVYOSONEX2ae3de0848de: T5616: firewall: add option to be able to match firewall marks in firewall….Sep 30 2023, 3:56 AM
n.fort changed the task status from In progress to Needs testing.Oct 3 2023, 7:02 PM
dmbaturin closed subtask T5617: Add an option to exclude single values to the numeric validator as Resolved.Oct 21 2023, 1:32 PM
n.fort added a comment.Nov 13 2023, 6:59 PM

PR for Sagitta: https://github.com/vyos/vyos-1x/pull/2478

n.fort mentioned this in rVYOSONEX9e053268355f: T5729: T5590: T5616: backport to sagita fwall marks, fix on firewall logs….Nov 15 2023, 11:48 AM
n.fort closed this task as Resolved.Nov 22 2023, 7:16 PM