Page MenuHomeVyOS Platform
Create Task
Maniphest T6951

Add a configuration command for ethertypes that bridge firewalls should always accept
Closed, ResolvedPublic
Actions

Description

We have a command called set firewall global-options apply-to-bridged-traffic invalid-connections that forces the firewall to accept connections from a hardcoded list of ethertypes (ARP and DHCP at the moment) even if they are (mis-)classified as invalid (see T6647).

My concern is that the list of special cases is growing and we have no guarantee that PPPoE is the last in the list. There's also a chance that people want, say, only DHCP, only ARP, or only PPPoE, depending on what they use.

I wonder if the command should be reworked into something like accept-invalid-connections ethertype <ethertype>. That will require a migration script.

We may want to provide human-readable aliases for common ethertypes there.

Details

Version
-
Is it a breaking change?
Config syntax change (migratable)
Issue type
Feature (new functionality)

Related Objects

Event Timeline

dmbaturin created this task.Dec 16 2024, 11:18 AM
dmbaturin updated the task description. (Show Details)Dec 16 2024, 11:20 AM
pasik subscribed.Dec 16 2024, 12:28 PM
dmbaturin added projects: VyOS 1.5 Circinus, VyOS 1.4 Sagitta (1.4.3), Restricted Project.Feb 6 2025, 12:48 AM
andrin mentioned this in T7150: Traffic marked invalid on bridge member interfaces.Feb 9 2025, 4:53 PM
natali-rs1985 changed the task status from Open to In progress.May 19 2025, 1:58 PM
natali-rs1985 claimed this task.
natali-rs1985 added a comment.Jun 13 2025, 9:40 AM

https://github.com/vyos/vyos-1x/pull/4558

natali-rs1985 mentioned this in rVYOSONEX8dbc3c5e67cc: firewall: T6951: Add a configuration command for ethertypes that bridge….Jun 19 2025, 2:45 PM
Restricted Repository Identity mentioned this in rVYOSONEX79dec52ed4c3: Merge pull request #4558 from natali-rs1985/T6951.Jun 19 2025, 2:45 PM
natali-rs1985 removed a project: VyOS 1.4 Sagitta (1.4.3).Jun 25 2025, 12:36 PM
natali-rs1985 moved this task from Need Triage to Completed on the VyOS Rolling board.
natali-rs1985 moved this task from Open to Finished on the VyOS 1.5 Circinus board.
natali-rs1985 closed this task as Resolved.Jun 25 2025, 12:38 PM
dmbaturin edited projects, added VyOS 1.5 Circinus (1.5-stream-2025-Q2); removed VyOS 1.5 Circinus.Jul 9 2025, 1:12 PM