
Add an explicit option to allow traffic before the system is successfully configured
Open, Normal, Public, Feature Request

Description

Summary

Add an option that, if present, allows the system to pass traffic while the boot config is still loading or has failed to load.

For example,

set system option allow-traffic-before-fully-booted

If that option is absent, disable IPv4 and IPv6 forwarding and add provisional nftables rules to block all traffic before starting to load the config, and only remove those restrictions when the config is successfully loaded.

Use case

At the moment, the config system makes a strict assumption that if it cannot successfully load the whole config, it should load everything it can. Usually that is fine because it gives end users a partially functional system (e.g., it can't give out DHCP leases but at least it can route traffic from systems that already have addresses) and gives the admin a chance to log in over SSH and fix the rest.

But there are cases when that assumption is wrong. For example, if the system's primary role is firewall, and it manages to load interfaces and routes but fails to apply firewall rules, it will be passing all traffic without filtering — thus failing to fulfill its intended role.

Making the system become completely inaccessible over the network on any config failure would be a radical departure from the behavior that has been there for over a decade. Some people may be relying on that behavior for the case of non-fatal failures and may not have out-of-band management ready.

But an option that is inserted into old configs by a migration script to preserve the old behavior can be a suitable first step.

Details

Version
-
Is it a breaking change?
Config syntax change (migratable)
Issue type
Feature (new functionality)

Event Timeline

Dunno how this is done for IPv6, but for IPv4 we've got these kernel parameters to play with:

/proc/sys/net/ipv4/ip_forward
https://sysctl-explorer.net/net/ipv4/ip_forward/

/proc/sys/net/ipv4/conf/interface/forwarding
https://sysctl-explorer.net/net/ipv4/forwarding/

And as I see it there should be two options.

1:

One regarding boot, this should be a no-brainer - the default should be to NOT forward traffic between interfaces until the config has been successfully applied by vyos_configd. So this use case doesn't really need a config option.

There are no valid reasons why a failed boot should leave the system wide open and route traffic between incorrectly configured interfaces.

That is, not until everything has gone well with vyos_configd should it flip these kernel parameters to 1. And perhaps remove some nftables defaults that block all traffic except towards MGMT (if such would be used as well).

2:

The other is regarding reconfig; it is debatable what the default should be, but it can be dealt with by a config option so the admin can select the behaviour. Something like this:

set system option allow-traffic-during-reconfig

That is, if routing (and perhaps other processing as well, except MGMT) should be blocked during a reconfig. That is, unless the new config towards nftables and frr is applied atomically.

I would prefer if allow-traffic-during-reconfig would default to disable. That is the admin must explicitly allow for the device to forward traffic even in an incomplete state.

dmbaturin triaged this task as Normal priority. Feb 17 2025, 2:52 PM
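The fail-closed boot sequence sketched in the task description and in the comment above (forwarding sysctls off, a provisional nftables ruleset that admits only management traffic, and both removed only after the config loader succeeds), as an added example that is not VyOS code and not part of the task. It assumes a placeholder loader command in `CONFIG_LOADER`, a management interface name in `MGMT_IF`, and detects the proposed `allow-traffic-before-fully-booted` option by a plain `grep` of the boot config file, which is a simplification; `SYSCTL` and `NFT` can be overridden to run it as a dry run without root.

```shell
#!/bin/sh
# Added example of a fail-closed boot wrapper. Not VyOS code.
# Assumptions (all placeholders): CONFIG_LOADER is the command that loads the
# boot config and exits non-zero on failure; MGMT_IF is the management
# interface; BOOT_CONFIG is the config file to scan for the opt-in option.
# SYSCTL and NFT may be overridden (e.g. with "true") for a dry run.
set -u

BOOT_CONFIG="${BOOT_CONFIG:-/config/config.boot}"
MGMT_IF="${MGMT_IF:-eth0}"
CONFIG_LOADER="${CONFIG_LOADER:-config-loader-placeholder}"
SYSCTL="${SYSCTL:-sysctl}"
NFT="${NFT:-nft}"

# Real kernel keys that gate packet forwarding for IPv4 and IPv6.
FORWARDING_KEYS="net.ipv4.ip_forward net.ipv6.conf.all.forwarding"

# Provisional ruleset: drop forwarded traffic entirely and accept inbound
# traffic only on loopback, for established flows, for IPv6 neighbour
# discovery, and for SSH arriving on the management interface.
provisional_ruleset() {
    cat <<EOF
table inet boot_lockdown {
    chain input {
        type filter hook input priority -300; policy drop;
        iif "lo" accept
        ct state established,related accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        iifname "$MGMT_IF" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority -300; policy drop;
    }
}
EOF
}

# True if the boot config opts in to passing traffic before it is fully loaded.
# Matching the raw config text is a simplification for this example.
allow_before_booted() {
    [ -r "$BOOT_CONFIG" ] && grep -q 'allow-traffic-before-fully-booted' "$BOOT_CONFIG"
}

# Enter the locked-down state: forwarding off, provisional ruleset loaded.
lockdown() {
    for key in $FORWARDING_KEYS; do
        "$SYSCTL" -q -w "$key=0" || return 1
    done
    provisional_ruleset | "$NFT" -f -
}

# Leave the locked-down state: drop the provisional table, forwarding back on.
release() {
    "$NFT" delete table inet boot_lockdown || return 1
    for key in $FORWARDING_KEYS; do
        "$SYSCTL" -q -w "$key=1" || return 1
    done
}

# Returns 0 when the config loaded and restrictions were lifted, 1 otherwise.
# On loader failure without the opt-in, the lockdown is deliberately kept.
boot_sequence() {
    if allow_before_booted; then
        "$CONFIG_LOADER"
        return $?
    fi
    lockdown || return 1
    if "$CONFIG_LOADER"; then
        release
        return $?
    fi
    return 1
}

# Only act when explicitly asked, so sourcing or testing the file is side-effect free.
case "${1:-}" in
    apply) boot_sequence ;;
esac
```

Run as `sh boot-lockdown.sh apply` from the boot path; with `SYSCTL=true NFT=true CONFIG_LOADER=false` it exercises the failure branch without touching the kernel.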