
firewall: Traffic is processed multiple times when using zone-based firewall
Open, NormalPublicBUG

Description

Currently, the tables for the normal firewall and the zone-based firewall are independent hooks from each other. This means that when traffic is processed by the normal firewall hooks, accepted traffic is processed again by the zone-based hooks.

Current nftables config:
NOTE: hit counters for the state policy were taken after sending 1000 pings; there should be roughly 2000 hits, but packets are processed through that chain twice:

        chain VYOS_FORWARD_filter {
                type filter hook forward priority filter; policy accept;
                counter packets 2000 bytes 200000 jump VYOS_STATE_POLICY_FORWARD
                counter packets 1 bytes 100 accept comment "FWD-filter default-action accept"
        }

        chain VYOS_ZONE_FORWARD {
                type filter hook forward priority filter + 1; policy accept;
                counter packets 2000 bytes 200000 jump VYOS_STATE_POLICY_FORWARD
                ....normal zone based config
                counter packets 0 bytes 0 log prefix "[default-drop]" drop comment "zone default-action drop"
        }

        chain VYOS_STATE_POLICY_FORWARD {
                ct state established counter packets 3998 bytes 399800 accept
                ct state invalid counter packets 0 bytes 0 drop
                ct state related counter packets 0 bytes 0 accept
                return
        }
Proper solution:

The main VYOS_FORWARD_filter should call VYOS_ZONE_FORWARD as a named (regular) chain instead of a base chain, so traffic no longer has to enter both hooks. With this change, the state policy shows the expected number of hits after sending 1000 pings:

        chain VYOS_FORWARD_filter {
                type filter hook forward priority filter; policy accept;
                counter packets 2000 bytes 200000 jump VYOS_STATE_POLICY_FORWARD
                counter packets 1 bytes 100 jump VYOS_ZONE_FORWARD
                counter packets 0 bytes 0 accept comment "FWD-filter default-action accept"
        }

        chain VYOS_ZONE_FORWARD {
                ....normal zone based config; no state policy since that's in the base chain
                counter packets 0 bytes 0 log prefix "[default-drop]" drop comment "zone default-action drop"
        }

        chain VYOS_STATE_POLICY_FORWARD {
                ct state established counter packets 1999 bytes 199900 accept
                ct state invalid counter packets 0 bytes 0 drop
                ct state related counter packets 0 bytes 0 accept
                return
        }
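As an added example (not code from VyOS or from this report), a Python check that reads the JSON form of `nft -j list ruleset`, flags every hook that is entered by more than one base chain, and lists the regular chains those base chains jump to in common, which is exactly the layout that doubles the state-policy counters above. The sample ruleset is constructed to mirror the buggy layout; the table name vyos_filter is an assumption.

```python
"""Flag nftables hooks entered by more than one base chain."""
import json
from collections import defaultdict

# Constructed sample shaped like `nft -j list ruleset` output, reduced to the
# objects this check needs; the table name "vyos_filter" is an assumption.
BUGGY_RULESET = json.dumps({"nftables": [
    {"chain": {"family": "ip", "table": "vyos_filter", "name": "VYOS_FORWARD_filter", "handle": 2,
               "type": "filter", "hook": "forward", "prio": 0, "policy": "accept"}},
    {"chain": {"family": "ip", "table": "vyos_filter", "name": "VYOS_ZONE_FORWARD", "handle": 3,
               "type": "filter", "hook": "forward", "prio": 1, "policy": "accept"}},
    {"chain": {"family": "ip", "table": "vyos_filter", "name": "VYOS_STATE_POLICY_FORWARD",
               "handle": 4}},
    {"rule": {"family": "ip", "table": "vyos_filter", "chain": "VYOS_FORWARD_filter", "handle": 5,
              "expr": [{"counter": {"packets": 2000, "bytes": 200000}},
                       {"jump": {"target": "VYOS_STATE_POLICY_FORWARD"}}]}},
    {"rule": {"family": "ip", "table": "vyos_filter", "chain": "VYOS_ZONE_FORWARD", "handle": 6,
              "expr": [{"counter": {"packets": 2000, "bytes": 200000}},
                       {"jump": {"target": "VYOS_STATE_POLICY_FORWARD"}}]}},
]})


def audit_hooks(ruleset_json):
    """Return {(family, hook): {"base_chains": [...], "shared_targets": [...]}}
    for each hook entered by more than one base chain.  A regular chain jumped
    to from two base chains on one hook runs once per base chain."""
    objs = json.loads(ruleset_json)["nftables"]
    base = defaultdict(list)   # (family, hook) -> [(prio, table, chain)]
    jumps = defaultdict(set)   # (family, table, chain) -> {jump targets}
    for obj in objs:
        if "chain" in obj and "hook" in obj["chain"]:
            c = obj["chain"]
            base[(c["family"], c["hook"])].append((c["prio"], c["table"], c["name"]))
        elif "rule" in obj:
            r = obj["rule"]
            for expr in r.get("expr", []):
                if "jump" in expr:
                    jumps[(r["family"], r["table"], r["chain"])].add(expr["jump"]["target"])
    report = {}
    for (family, hook), chains in base.items():
        if len(chains) < 2:
            continue  # a single base chain: packets traverse this hook once
        hits = defaultdict(int)
        for _, table, name in sorted(chains):  # priority order = traversal order
            for target in jumps[(family, table, name)]:
                hits[target] += 1
        report[(family, hook)] = {
            "base_chains": [name for _, _, name in sorted(chains)],
            "shared_targets": sorted(t for t, n in hits.items() if n > 1)}
    return report
```

On a router, feed the output of `nft -j list ruleset` to `audit_hooks`; an empty report means every hook has exactly one base chain.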

Details

Version
1.4, 1.5
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)