Page MenuHomeVyOS Platform

VyOS 1.3 to 1.4 LTS Firewall ruleset migration script breaks configuration
Closed, ResolvedPublicBUG

Description

Hello,

It is well known that all pre-1.4 versions of VyOS since the Vyatta times actually used 'return' action in place of 'accept' in the firewall rules on the iptables level. See T5096 for example.

That approach allowed the packets forwarded from one interface to the other to be filtered with both 'in' firewall ruleset of the former and 'out' ruleset of the latter.

Recent VyOS 1.4 LTS versions introduced nftables instead of iptables to handle firewall. Current migration script converts, say

... interface ethernet eth0 firewall in name WAN-IN
... interface ethernet eth1 firewall out name LAN-OUT

into

firewall ipv4 
 forward {
     filter {
         default-action accept
         rule 5 {
             action jump
             inbound-interface {
                 name eth0
             }
             jump-target WAN-IN
         }
         ...
         rule 40 {
             action jump
             jump-target LAN-OUT
             outbound-interface {
                 name eth1
             }
         }
         ...

while rules WAN-IN and LAN-OUT remain basically intact and contain 'accept' and 'drop' actions that translate further into nft 'accept' and 'drop' respectively.

According to my understanding and quick tests this indeed breaks the whole idea of in and out filtering of packets of previous VyOS versions because in the example above the rule 40 will never match any packets forwarded from eth0 to eth1 (they will be either accepted or dropped with rule 5). To allow for these packets to be processed with rule 40 all 'accept' actions within chain WAN-IN should actually be 'return' as it was in previous VyOS versions (on iptables level). So current migration script breaks the configuration.

I feel that this change is really deep as it may lead to unexpected consequences. For example, if you had WAN-OUT filtering of outgoing traffic it may dangerously stop working because forwarded traffic from LAN to WAN may first match LAN-IN ruleset with 'default-action accept' and then never be processed with WAN-OUT.

Details

Version
1.4 LTS
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

This comment was removed by dutty.

Changes that seems to be needed only in migration script https://github.com/vyos/vyos-1x/blob/current/src/migration-scripts/firewall/10-to-11:

  • Use accept action for base-chains (it's done, no change needed here).
  • Migrate action=accept to action=return on every rule.
  • fix order and ensure all "in" rules are applied first.

As said before, this changed should be done only in migrator script. Action=accept in vyos command shall remain as accept in nftables

@n.fort
Looks like 1) and 2) is correct, as well as 'Action=accept in vyos command shall remain as accept in nftables'.
However, the 3) is not obvious to me. As long as all rules with Action=Accept in both IN and OUT chains will migrate to Action=return, looks like there should be no difference in order, other than probably for performance reason.

I suggest changing order just as a cosmetic fix: feels more reasonable/readable to parse first "incoming", and then "outgoing"

Yes, I agree with that, readability will be better if everything is in order.

As a side comment, the new firewall system allows more granular control and sometimes may simplify configuration. It follows better the lower level logic of nftables.

However, it is not as simple and straightforward as the previous system, and requires more expertise from the system administrators. VyOS team should pay attention to document well the firewall configuration, and use relevant examples. Otherwise people will tend to create wrong configs.

Specifically, I believe the manual use of Action=Return instead of Action=Accept in IN and OUT chains (if OUT ruleset is present or will be added later even for only interface in the system) must be specifically described, explained and illustrated.

However, current Docs use Action=Accept only in all configuration examples, for instance in the Quick Start section. This will not work as expected if OUT ruleset will be configured as well, as the latter will not fire for packets that match IN ruleset first with Action=accept. Even experienced VyOS users with the background of VyOS 1.1, 1.2, 1.3 may not figure out quickly why they should start using Action=return in those places where they used to configure Action=accept.

On the other hand I would expect someone aka the admin who will configure an enterprise firewall such as VyOS could be called to have at least SOME basic knowledge and also some interest to read the documentation on how to configure the firewall.

Worst kind of admins are those who doesnt know anything, dont want to learn anything but still want to use "cool" features.

On the other hand I would expect someone aka the admin who will configure an enterprise firewall such as VyOS could be called to have at least SOME basic knowledge and also some interest to read the documentation on how to configure the firewall.

The appearance of this bug in the migration script shows that even VyOS developers couldn't properly handle the breaking change. For years, action=accept in CLI was translated routinely into action=return under the hood automatically. Now it must be done manually by admins. So, the explanation how to configure IN and OUT chains properly from now on must be included in the Docs.

sarthurdev changed the task status from Open to In progress.Jan 10 2024, 4:55 PM
sarthurdev added a project: VyOS 1.5 Circinus.
sarthurdev changed the task status from In progress to Needs testing.Jan 10 2024, 7:17 PM
sarthurdev moved this task from Open to In Progress on the VyOS 1.5 Circinus board.