diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2
index 1c9bda64f..699349e2b 100644
--- a/data/templates/firewall/nftables-policy.j2
+++ b/data/templates/firewall/nftables-policy.j2
@@ -1,65 +1,65 @@
#!/usr/sbin/nft -f
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
{% if first_install is not vyos_defined %}
delete table ip vyos_mangle
delete table ip6 vyos_mangle
{% endif %}
table ip vyos_mangle {
chain VYOS_PBR_PREROUTING {
type filter hook prerouting priority -150; policy accept;
{% if route is vyos_defined %}
{% for route_text, conf in route.items() if conf.interface is vyos_defined %}
iifname { {{ conf.interface | join(",") }} } counter jump VYOS_PBR_UD_{{ route_text }}
{% endfor %}
{% endif %}
}
chain VYOS_PBR_POSTROUTING {
type filter hook postrouting priority -150; policy accept;
}
{% if route is vyos_defined %}
{% for route_text, conf in route.items() %}
chain VYOS_PBR_UD_{{ route_text }} {
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule(route_text, rule_id, 'ip') }}
+ {{ rule_conf | nft_rule('route', route_text, rule_id, 'ip') }}
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{{ group_tmpl.groups(firewall_group, False) }}
}
table ip6 vyos_mangle {
chain VYOS_PBR6_PREROUTING {
type filter hook prerouting priority -150; policy accept;
{% if route6 is vyos_defined %}
{% for route_text, conf in route6.items() if conf.interface is vyos_defined %}
iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR6_UD_{{ route_text }}
{% endfor %}
{% endif %}
}
chain VYOS_PBR6_POSTROUTING {
type filter hook postrouting priority -150; policy accept;
}
{% if route6 is vyos_defined %}
{% for route_text, conf in route6.items() %}
chain VYOS_PBR6_UD_{{ route_text }} {
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule(route_text, rule_id, 'ip6') }}
+ {{ rule_conf | nft_rule('route6', route_text, rule_id, 'ip6') }}
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{{ group_tmpl.groups(firewall_group, True) }}
}
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 2c7115134..10cbc68cb 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -1,222 +1,225 @@
#!/usr/sbin/nft -f
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
-{% import 'firewall/nftables-zone.j2' as zone_tmpl %}
{% if first_install is not vyos_defined %}
delete table ip vyos_filter
{% endif %}
table ip vyos_filter {
- chain VYOS_FW_FORWARD {
- type filter hook forward priority 0; policy accept;
-{% if state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY
-{% endif %}
-{% if interface is vyos_defined %}
-{% for ifname, ifconf in interface.items() %}
-{% if ifconf.in is vyos_defined and ifconf.in.name is vyos_defined %}
- iifname {{ ifname }} counter jump NAME_{{ ifconf.in.name }}
-{% endif %}
-{% if ifconf.out is vyos_defined and ifconf.out.name is vyos_defined %}
- oifname {{ ifname }} counter jump NAME_{{ ifconf.out.name }}
-{% endif %}
-{% endfor %}
-{% endif %}
- jump VYOS_POST_FW
- }
- chain VYOS_FW_LOCAL {
- type filter hook input priority 0; policy accept;
-{% if state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY
-{% endif %}
-{% if interface is vyos_defined %}
-{% for ifname, ifconf in interface.items() %}
-{% if ifconf.local is vyos_defined and ifconf.local.name is vyos_defined %}
- iifname {{ ifname }} counter jump NAME_{{ ifconf.local.name }}
-{% endif %}
-{% endfor %}
-{% endif %}
- jump VYOS_POST_FW
+{% if ipv4 is vyos_defined %}
+{% set ns = namespace(sets=[]) %}
+{% if ipv4.forward is vyos_defined %}
+{% for prior, conf in ipv4.forward.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_FORWARD_{{ prior }} {
+ type filter hook forward priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('FWD', prior, rule_id) }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
- chain VYOS_FW_OUTPUT {
- type filter hook output priority 0; policy accept;
-{% if state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY
-{% endif %}
- jump VYOS_POST_FW
+{% endfor %}
+{% endif %}
+
+{% if ipv4.input is vyos_defined %}
+{% for prior, conf in ipv4.input.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_INPUT_{{ prior }} {
+ type filter hook input priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('INP',prior, rule_id) }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
- chain VYOS_POST_FW {
- return
+{% endfor %}
+{% endif %}
+
+{% if ipv4.output is vyos_defined %}
+{% for prior, conf in ipv4.output.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_OUTPUT_{{ prior }} {
+ type filter hook output priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('OUT', prior, rule_id) }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['OUT_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
+{% endfor %}
+{% endif %}
chain VYOS_FRAG_MARK {
type filter hook prerouting priority -450; policy accept;
ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return
}
-{% if name is vyos_defined %}
-{% set ns = namespace(sets=[]) %}
-{% for name_text, conf in name.items() %}
+{% if ipv4.prerouting is vyos_defined %}
+{% for prior, conf in ipv4.prerouting.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_PREROUTING_{{ prior }} {
+ type filter hook prerouting priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('PRE', prior, rule_id) }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['PRE_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
+ {{ conf | nft_default_rule(prior) }}
+ }
+{% endfor %}
+{% endif %}
+
+{% if ipv4.name is vyos_defined %}
+{% for name_text, conf in ipv4.name.items() %}
chain NAME_{{ name_text }} {
-{% if conf.rule is vyos_defined %}
-{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule(name_text, rule_id) }}
-{% if rule_conf.recent is vyos_defined %}
-{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
-{% endif %}
-{% endfor %}
-{% endif %}
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('NAM', name_text, rule_id) }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
{{ conf | nft_default_rule(name_text) }}
}
-{% endfor %}
-{% for set_name in ip_fqdn %}
- set FQDN_{{ set_name }} {
- type ipv4_addr
- flags interval
- }
-{% endfor %}
+{% endfor %}
+{% endif %}
+
{% for set_name in ns.sets %}
set RECENT_{{ set_name }} {
type ipv4_addr
size 65535
flags dynamic
}
{% endfor %}
+{% for set_name in ip_fqdn %}
+ set FQDN_{{ set_name }} {
+ type ipv4_addr
+ flags interval
+ }
+{% endfor %}
{% if geoip_updated.name is vyos_defined %}
{% for setname in geoip_updated.name %}
set {{ setname }} {
type ipv4_addr
flags interval
}
{% endfor %}
{% endif %}
{% endif %}
-
{{ group_tmpl.groups(group, False) }}
-
-{% if zone is vyos_defined %}
-{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, False) }}
-{% endif %}
-
-{% if state_policy is vyos_defined %}
- chain VYOS_STATE_POLICY {
-{% if state_policy.established is vyos_defined %}
- {{ state_policy.established | nft_state_policy('established') }}
-{% endif %}
-{% if state_policy.invalid is vyos_defined %}
- {{ state_policy.invalid | nft_state_policy('invalid') }}
-{% endif %}
-{% if state_policy.related is vyos_defined %}
- {{ state_policy.related | nft_state_policy('related') }}
-{% endif %}
- return
- }
-{% endif %}
}
{% if first_install is not vyos_defined %}
delete table ip6 vyos_filter
{% endif %}
table ip6 vyos_filter {
- chain VYOS_FW6_FORWARD {
- type filter hook forward priority 0; policy accept;
-{% if state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY6
-{% endif %}
-{% if interface is vyos_defined %}
-{% for ifname, ifconf in interface.items() %}
-{% if ifconf.in is vyos_defined and ifconf.in.ipv6_name is vyos_defined %}
- iifname {{ ifname }} counter jump NAME6_{{ ifconf.in.ipv6_name }}
-{% endif %}
-{% if ifconf.out is vyos_defined and ifconf.out.ipv6_name is vyos_defined %}
- oifname {{ ifname }} counter jump NAME6_{{ ifconf.out.ipv6_name }}
-{% endif %}
-{% endfor %}
-{% endif %}
- jump VYOS_POST_FW6
- }
- chain VYOS_FW6_LOCAL {
- type filter hook input priority 0; policy accept;
-{% if state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY6
-{% endif %}
-{% if interface is vyos_defined %}
-{% for ifname, ifconf in interface.items() %}
-{% if ifconf.local is vyos_defined and ifconf.local.ipv6_name is vyos_defined %}
- iifname {{ ifname }} counter jump NAME6_{{ ifconf.local.ipv6_name }}
-{% endif %}
-{% endfor %}
-{% endif %}
- jump VYOS_POST_FW6
+{% if ipv6 is vyos_defined %}
+{% set ns = namespace(sets=[]) %}
+{% if ipv6.forward is vyos_defined %}
+{% for prior, conf in ipv6.forward.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_IPV6_FORWARD_{{ prior }} {
+ type filter hook forward priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
- chain VYOS_FW6_OUTPUT {
- type filter hook output priority 0; policy accept;
-{% if state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY6
-{% endif %}
- jump VYOS_POST_FW6
+{% endfor %}
+{% endif %}
+
+{% if ipv6.input is vyos_defined %}
+{% for prior, conf in ipv6.input.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_IPV6_INPUT_{{ prior }} {
+ type filter hook input priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
- chain VYOS_POST_FW6 {
- return
+{% endfor %}
+{% endif %}
+
+{% if ipv6.output is vyos_defined %}
+{% for prior, conf in ipv6.output.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_IPV6_OUTPUT_{{ prior }} {
+ type filter hook output priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['OUT_ ' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
+{% endfor %}
+{% endif %}
+
chain VYOS_FRAG6_MARK {
type filter hook prerouting priority -450; policy accept;
exthdr frag exists meta mark set 0xffff1 return
}
-{% if ipv6_name is vyos_defined %}
-{% set ns = namespace(sets=[]) %}
-{% for name_text, conf in ipv6_name.items() %}
+
+{% if ipv6.name is vyos_defined %}
+{% for name_text, conf in ipv6.name.items() %}
chain NAME6_{{ name_text }} {
-{% if conf.rule is vyos_defined %}
-{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }}
-{% if rule_conf.recent is vyos_defined %}
-{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
-{% endif %}
-{% endfor %}
-{% endif %}
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('NAM', name_text, rule_id, 'ip6') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
{{ conf | nft_default_rule(name_text, ipv6=True) }}
}
-{% endfor %}
-{% for set_name in ip6_fqdn %}
- set FQDN_{{ set_name }} {
- type ipv6_addr
- flags interval
- }
-{% endfor %}
+{% endfor %}
+{% endif %}
+
{% for set_name in ns.sets %}
set RECENT6_{{ set_name }} {
type ipv6_addr
size 65535
flags dynamic
}
{% endfor %}
+{% for set_name in ip6_fqdn %}
+ set FQDN_{{ set_name }} {
+ type ipv6_addr
+ flags interval
+ }
+{% endfor %}
{% if geoip_updated.ipv6_name is vyos_defined %}
{% for setname in geoip_updated.ipv6_name %}
set {{ setname }} {
type ipv6_addr
flags interval
}
{% endfor %}
{% endif %}
{% endif %}
-
{{ group_tmpl.groups(group, True) }}
-
-{% if zone is vyos_defined %}
-{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, True) }}
-{% endif %}
-
-{% if state_policy is vyos_defined %}
- chain VYOS_STATE_POLICY6 {
-{% if state_policy.established is vyos_defined %}
- {{ state_policy.established | nft_state_policy('established') }}
-{% endif %}
-{% if state_policy.invalid is vyos_defined %}
- {{ state_policy.invalid | nft_state_policy('invalid') }}
-{% endif %}
-{% if state_policy.related is vyos_defined %}
- {{ state_policy.related | nft_state_policy('related') }}
-{% endif %}
- return
- }
-{% endif %}
-}
+}
\ No newline at end of file
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 1cdc7b819..127f4b7e7 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -1,987 +1,311 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="firewall" owner="${vyos_conf_scripts_dir}/firewall.py">
<properties>
<priority>199</priority>
<help>Firewall</help>
</properties>
<children>
- <leafNode name="all-ping">
- <properties>
- <help>Policy for handling of all IPv4 ICMP echo requests</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable processing of all IPv4 ICMP echo requests</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable processing of all IPv4 ICMP echo requests</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>enable</defaultValue>
- </leafNode>
- <leafNode name="broadcast-ping">
- <properties>
- <help>Policy for handling broadcast IPv4 ICMP echo and timestamp requests</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
- <leafNode name="config-trap">
- <properties>
- <help>SNMP trap generation on firewall configuration changes</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable sending SNMP trap on firewall configuration change</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable sending SNMP trap on firewall configuration change</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
+ #include <include/firewall/global-options.xml.i>
<node name="group">
<properties>
<help>Firewall group</help>
</properties>
<children>
<tagNode name="address-group">
<properties>
<help>Firewall address-group</help>
<constraint>
<regex>[a-zA-Z0-9][\w\-\.]*</regex>
</constraint>
</properties>
<children>
<leafNode name="address">
<properties>
<help>Address-group member</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 address to match</description>
</valueHelp>
<valueHelp>
<format>ipv4range</format>
<description>IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)</description>
</valueHelp>
<constraint>
<validator name="ipv4-address"/>
<validator name="ipv4-range"/>
</constraint>
<multi/>
</properties>
</leafNode>
<leafNode name="include">
<properties>
<help>Include another address-group</help>
<completionHelp>
<path>firewall group address-group</path>
</completionHelp>
<multi/>
</properties>
</leafNode>
#include <include/generic-description.xml.i>
</children>
</tagNode>
<tagNode name="domain-group">
<properties>
<help>Firewall domain-group</help>
<constraint>
<regex>[a-zA-Z_][a-zA-Z0-9][\w\-\.]*</regex>
</constraint>
<constraintErrorMessage>Name of domain-group can only contain alpha-numeric letters, hyphen, underscores and not start with numeric</constraintErrorMessage>
</properties>
<children>
<leafNode name="address">
<properties>
<help>Domain-group member</help>
<valueHelp>
<format>txt</format>
<description>Domain address to match</description>
</valueHelp>
<constraint>
<validator name="fqdn"/>
</constraint>
<multi/>
</properties>
</leafNode>
#include <include/generic-description.xml.i>
</children>
</tagNode>
<tagNode name="interface-group">
<properties>
<help>Firewall interface-group</help>
<constraint>
<regex>[a-zA-Z0-9][\w\-\.]*</regex>
</constraint>
</properties>
<children>
<leafNode name="interface">
<properties>
<help>Interface-group member</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
<multi/>
</properties>
</leafNode>
<leafNode name="include">
<properties>
<help>Include another interface-group</help>
<completionHelp>
<path>firewall group interface-group</path>
</completionHelp>
<multi/>
</properties>
</leafNode>
#include <include/generic-description.xml.i>
</children>
</tagNode>
<tagNode name="ipv6-address-group">
<properties>
<help>Firewall ipv6-address-group</help>
<constraint>
<regex>[a-zA-Z0-9][\w\-\.]*</regex>
</constraint>
</properties>
<children>
<leafNode name="address">
<properties>
<help>Address-group member</help>
<valueHelp>
<format>ipv6</format>
<description>IPv6 address to match</description>
</valueHelp>
<valueHelp>
<format>ipv6range</format>
<description>IPv6 range to match (e.g. 2002::1-2002::ff)</description>
</valueHelp>
<constraint>
<validator name="ipv6-address"/>
<validator name="ipv6-range"/>
</constraint>
<multi/>
</properties>
</leafNode>
<leafNode name="include">
<properties>
<help>Include another ipv6-address-group</help>
<completionHelp>
<path>firewall group ipv6-address-group</path>
</completionHelp>
<multi/>
</properties>
</leafNode>
#include <include/generic-description.xml.i>
</children>
</tagNode>
<tagNode name="ipv6-network-group">
<properties>
<help>Firewall ipv6-network-group</help>
<constraint>
<regex>[a-zA-Z0-9][\w\-\.]*</regex>
</constraint>
</properties>
<children>
#include <include/generic-description.xml.i>
<leafNode name="network">
<properties>
<help>Network-group member</help>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 address to match</description>
</valueHelp>
<constraint>
<validator name="ipv6-prefix"/>
</constraint>
<multi/>
</properties>
</leafNode>
<leafNode name="include">
<properties>
<help>Include another ipv6-network-group</help>
<completionHelp>
<path>firewall group ipv6-network-group</path>
</completionHelp>
<multi/>
</properties>
</leafNode>
</children>
</tagNode>
<tagNode name="mac-group">
<properties>
<help>Firewall mac-group</help>
<constraint>
<regex>[a-zA-Z0-9][\w\-\.]*</regex>
</constraint>
</properties>
<children>
#include <include/generic-description.xml.i>
<leafNode name="mac-address">
<properties>
<help>Mac-group member</help>
<valueHelp>
<format>macaddr</format>
<description>MAC address to match</description>
</valueHelp>
<constraint>
<validator name="mac-address"/>
</constraint>
<multi/>
</properties>
</leafNode>
<leafNode name="include">
<properties>
<help>Include another mac-group</help>
<completionHelp>
<path>firewall group mac-group</path>
</completionHelp>
<multi/>
</properties>
</leafNode>
</children>
</tagNode>
<tagNode name="network-group">
<properties>
<help>Firewall network-group</help>
<constraint>
<regex>[a-zA-Z0-9][\w\-\.]*</regex>
</constraint>
</properties>
<children>
#include <include/generic-description.xml.i>
<leafNode name="network">
<properties>
<help>Network-group member</help>
<valueHelp>
<format>ipv4net</format>
<description>IPv4 Subnet to match</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
</constraint>
<multi/>
</properties>
</leafNode>
<leafNode name="include">
<properties>
<help>Include another network-group</help>
<completionHelp>
<path>firewall group network-group</path>
</completionHelp>
<multi/>
</properties>
</leafNode>
</children>
</tagNode>
<tagNode name="port-group">
<properties>
<help>Firewall port-group</help>
<constraint>
<regex>[a-zA-Z0-9][\w\-\.]*</regex>
</constraint>
</properties>
<children>
#include <include/generic-description.xml.i>
<leafNode name="port">
<properties>
<help>Port-group member</help>
<valueHelp>
<format>txt</format>
<description>Named port (any name in /etc/services, e.g., http)</description>
</valueHelp>
<valueHelp>
<format>u32:1-65535</format>
<description>Numbered port</description>
</valueHelp>
<valueHelp>
<format>start-end</format>
<description>Numbered port range (e.g. 1001-1050)</description>
</valueHelp>
<multi/>
<constraint>
<validator name="port-range"/>
</constraint>
</properties>
</leafNode>
<leafNode name="include">
<properties>
<help>Include another port-group</help>
<completionHelp>
<path>firewall group port-group</path>
</completionHelp>
<multi/>
</properties>
</leafNode>
</children>
</tagNode>
</children>
</node>
- <tagNode name="interface">
+ <node name="ipv4">
<properties>
- <help>Interface name to apply firewall configuration</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces</script>
- </completionHelp>
- <constraint>
- #include <include/constraint/interface-name-with-wildcard.xml.i>
- </constraint>
+ <help>IPv4 firewall</help>
</properties>
<children>
- <node name="in">
- <properties>
- <help>Forwarded packets on inbound interface</help>
- </properties>
- <children>
- #include <include/firewall/name.xml.i>
- </children>
- </node>
- <node name="out">
- <properties>
- <help>Forwarded packets on outbound interface</help>
- </properties>
- <children>
- #include <include/firewall/name.xml.i>
- </children>
- </node>
- <node name="local">
- <properties>
- <help>Packets destined for this router</help>
- </properties>
- <children>
- #include <include/firewall/name.xml.i>
- </children>
- </node>
- </children>
- </tagNode>
- <leafNode name="ip-src-route">
- <properties>
- <help>Policy for handling IPv4 packets with source route option</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable processing of IPv4 packets with source route option</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable processing of IPv4 packets with source route option</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
- <tagNode name="ipv6-name">
- <properties>
- <help>IPv6 firewall rule-set name</help>
- <constraint>
- <regex>[a-zA-Z0-9][\w\-\.]*</regex>
- </constraint>
- </properties>
- <children>
- #include <include/firewall/default-action.xml.i>
- #include <include/firewall/enable-default-log.xml.i>
- #include <include/generic-description.xml.i>
- <leafNode name="default-jump-target">
- <properties>
- <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
- <completionHelp>
- <path>firewall ipv6-name</path>
- </completionHelp>
- </properties>
- </leafNode>
- <tagNode name="rule">
- <properties>
- <help>Firewall rule number (IPv6)</help>
- <valueHelp>
- <format>u32:1-999999</format>
- <description>Number for this Firewall rule</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-999999"/>
- </constraint>
- <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
- </properties>
- <children>
- #include <include/firewall/action.xml.i>
- #include <include/generic-description.xml.i>
- <node name="destination">
- <properties>
- <help>Destination parameters</help>
- </properties>
- <children>
- #include <include/firewall/address-ipv6.xml.i>
- #include <include/firewall/fqdn.xml.i>
- #include <include/firewall/geoip.xml.i>
- #include <include/firewall/source-destination-group-ipv6.xml.i>
- #include <include/firewall/port.xml.i>
- #include <include/firewall/address-mask-ipv6.xml.i>
- </children>
- </node>
- <node name="source">
- <properties>
- <help>Source parameters</help>
- </properties>
- <children>
- #include <include/firewall/address-ipv6.xml.i>
- #include <include/firewall/fqdn.xml.i>
- #include <include/firewall/geoip.xml.i>
- #include <include/firewall/source-destination-group-ipv6.xml.i>
- #include <include/firewall/port.xml.i>
- #include <include/firewall/address-mask-ipv6.xml.i>
- </children>
- </node>
- #include <include/firewall/common-rule.xml.i>
- #include <include/firewall/dscp.xml.i>
- #include <include/firewall/packet-options.xml.i>
- #include <include/firewall/hop-limit.xml.i>
- #include <include/firewall/connection-mark.xml.i>
- <node name="icmpv6">
- <properties>
- <help>ICMPv6 type and code information</help>
- </properties>
- <children>
- <leafNode name="code">
- <properties>
- <help>ICMPv6 code</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMPv6 code (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="type">
- <properties>
- <help>ICMPv6 type</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMPv6 type (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- #include <include/firewall/icmpv6-type-name.xml.i>
- </children>
- </node>
- <leafNode name="jump-target">
- <properties>
- <help>Set jump target. Action jump must be defined to use this setting</help>
- <completionHelp>
- <path>firewall ipv6-name</path>
- </completionHelp>
- </properties>
- </leafNode>
- #include <include/firewall/nft-queue.xml.i>
- </children>
- </tagNode>
- </children>
- </tagNode>
- <leafNode name="ipv6-receive-redirects">
- <properties>
- <help>Policy for handling received ICMPv6 redirect messages</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable processing of received ICMPv6 redirect messages</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable processing of received ICMPv6 redirect messages</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
- <leafNode name="ipv6-src-route">
- <properties>
- <help>Policy for handling IPv6 packets with routing extension header</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable processing of IPv6 packets with routing header type 2</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable processing of IPv6 packets with routing header</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
- <leafNode name="log-martians">
- <properties>
- <help>Policy for logging IPv4 packets with invalid addresses</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable logging of IPv4 packets with invalid addresses</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable logging of Ipv4 packets with invalid addresses</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>enable</defaultValue>
- </leafNode>
- <tagNode name="name">
- <properties>
- <help>IPv4 firewall rule-set name</help>
- <constraint>
- <regex>[a-zA-Z0-9][\w\-\.]*</regex>
- </constraint>
- </properties>
- <children>
- #include <include/firewall/default-action.xml.i>
- #include <include/firewall/enable-default-log.xml.i>
- #include <include/generic-description.xml.i>
- <leafNode name="default-jump-target">
- <properties>
- <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
- <completionHelp>
- <path>firewall name</path>
- </completionHelp>
- </properties>
- </leafNode>
- <tagNode name="rule">
- <properties>
- <help>Firewall rule number (IPv4)</help>
- <valueHelp>
- <format>u32:1-999999</format>
- <description>Number for this Firewall rule</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-999999"/>
- </constraint>
- <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
- </properties>
- <children>
- #include <include/firewall/action.xml.i>
- #include <include/generic-description.xml.i>
- <node name="destination">
- <properties>
- <help>Destination parameters</help>
- </properties>
- <children>
- #include <include/firewall/address.xml.i>
- #include <include/firewall/fqdn.xml.i>
- #include <include/firewall/geoip.xml.i>
- #include <include/firewall/source-destination-group.xml.i>
- #include <include/firewall/port.xml.i>
- #include <include/firewall/address-mask.xml.i>
- </children>
- </node>
- <node name="source">
- <properties>
- <help>Source parameters</help>
- </properties>
- <children>
- #include <include/firewall/address.xml.i>
- #include <include/firewall/fqdn.xml.i>
- #include <include/firewall/geoip.xml.i>
- #include <include/firewall/source-destination-group.xml.i>
- #include <include/firewall/port.xml.i>
- #include <include/firewall/address-mask.xml.i>
- </children>
- </node>
- #include <include/firewall/common-rule.xml.i>
- #include <include/firewall/dscp.xml.i>
- #include <include/firewall/packet-options.xml.i>
- #include <include/firewall/connection-mark.xml.i>
- <node name="icmp">
- <properties>
- <help>ICMP type and code information</help>
- </properties>
- <children>
- <leafNode name="code">
- <properties>
- <help>ICMP code</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMP code (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="type">
- <properties>
- <help>ICMP type</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMP type (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- #include <include/firewall/icmp-type-name.xml.i>
- </children>
- </node>
- <leafNode name="jump-target">
- <properties>
- <help>Set jump target. Action jump must be defined to use this setting</help>
- <completionHelp>
- <path>firewall name</path>
- </completionHelp>
- </properties>
- </leafNode>
- #include <include/firewall/ttl.xml.i>
- #include <include/firewall/nft-queue.xml.i>
- </children>
- </tagNode>
- </children>
- </tagNode>
- <leafNode name="receive-redirects">
- <properties>
- <help>Policy for handling received IPv4 ICMP redirect messages</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable processing of received IPv4 ICMP redirect messages</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable processing of received IPv4 ICMP redirect messages</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
- <leafNode name="resolver-cache">
- <properties>
- <help>Retains last successful value if domain resolution fails</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="resolver-interval">
- <properties>
- <help>Domain resolver update interval</help>
- <valueHelp>
- <format>u32:10-3600</format>
- <description>Interval (seconds)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 10-3600"/>
- </constraint>
- </properties>
- <defaultValue>300</defaultValue>
- </leafNode>
- <leafNode name="send-redirects">
- <properties>
- <help>Policy for sending IPv4 ICMP redirect messages</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable sending IPv4 ICMP redirect messages</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable sending IPv4 ICMP redirect messages</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>enable</defaultValue>
- </leafNode>
- <leafNode name="source-validation">
- <properties>
- <help>Policy for source validation by reversed path, as specified in RFC3704</help>
- <completionHelp>
- <list>strict loose disable</list>
- </completionHelp>
- <valueHelp>
- <format>strict</format>
- <description>Enable Strict Reverse Path Forwarding as defined in RFC3704</description>
- </valueHelp>
- <valueHelp>
- <format>loose</format>
- <description>Enable Loose Reverse Path Forwarding as defined in RFC3704</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>No source validation</description>
- </valueHelp>
- <constraint>
- <regex>(strict|loose|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
- <node name="state-policy">
- <properties>
- <help>Global firewall state-policy</help>
- </properties>
- <children>
- <node name="established">
- <properties>
- <help>Global firewall policy for packets part of an established connection</help>
- </properties>
- <children>
- #include <include/firewall/action-accept-drop-reject.xml.i>
- #include <include/firewall/log.xml.i>
- #include <include/firewall/rule-log-level.xml.i>
- </children>
- </node>
- <node name="invalid">
- <properties>
- <help>Global firewall policy for packets part of an invalid connection</help>
- </properties>
- <children>
- #include <include/firewall/action-accept-drop-reject.xml.i>
- #include <include/firewall/log.xml.i>
- #include <include/firewall/rule-log-level.xml.i>
- </children>
- </node>
- <node name="related">
- <properties>
- <help>Global firewall policy for packets part of a related connection</help>
- </properties>
- <children>
- #include <include/firewall/action-accept-drop-reject.xml.i>
- #include <include/firewall/log.xml.i>
- #include <include/firewall/rule-log-level.xml.i>
- </children>
- </node>
+ #include <include/firewall/ipv4-hook-forward.xml.i>
+ #include <include/firewall/ipv4-hook-input.xml.i>
+ #include <include/firewall/ipv4-hook-output.xml.i>
+ #include <include/firewall/ipv4-custom-name.xml.i>
</children>
</node>
- <leafNode name="syn-cookies">
- <properties>
- <help>Policy for using TCP SYN cookies with IPv4</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable use of TCP SYN cookies with IPv4</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable use of TCP SYN cookies with IPv4</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>enable</defaultValue>
- </leafNode>
- <leafNode name="twa-hazards-protection">
+ <node name="ipv6">
<properties>
- <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable RFC1337 TIME-WAIT hazards protection</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable RFC1337 TIME-WAIT hazards protection</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
- <tagNode name="zone">
- <properties>
- <help>Zone-policy</help>
- <valueHelp>
- <format>txt</format>
- <description>Zone name</description>
- </valueHelp>
- <constraint>
- <regex>[a-zA-Z0-9][\w\-\.]*</regex>
- </constraint>
+ <help>IPv6 firewall</help>
</properties>
<children>
- #include <include/generic-description.xml.i>
- #include <include/firewall/enable-default-log.xml.i>
- <leafNode name="default-action">
- <properties>
- <help>Default-action for traffic coming into this zone</help>
- <completionHelp>
- <list>drop reject</list>
- </completionHelp>
- <valueHelp>
- <format>drop</format>
- <description>Drop silently</description>
- </valueHelp>
- <valueHelp>
- <format>reject</format>
- <description>Drop and notify source</description>
- </valueHelp>
- <constraint>
- <regex>(drop|reject)</regex>
- </constraint>
- </properties>
- <defaultValue>drop</defaultValue>
- </leafNode>
- <tagNode name="from">
- <properties>
- <help>Zone from which to filter traffic</help>
- <completionHelp>
- <path>zone-policy zone</path>
- </completionHelp>
- </properties>
- <children>
- <node name="firewall">
- <properties>
- <help>Firewall options</help>
- </properties>
- <children>
- <leafNode name="ipv6-name">
- <properties>
- <help>IPv6 firewall ruleset</help>
- <completionHelp>
- <path>firewall ipv6-name</path>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="name">
- <properties>
- <help>IPv4 firewall ruleset</help>
- <completionHelp>
- <path>firewall name</path>
- </completionHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </tagNode>
- <leafNode name="interface">
- <properties>
- <help>Interface associated with zone</help>
- <valueHelp>
- <format>txt</format>
- <description>Interface associated with zone</description>
- </valueHelp>
- <valueHelp>
- <format>vrf</format>
- <description>VRF associated with zone</description>
- </valueHelp>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces</script>
- <path>vrf name</path>
- </completionHelp>
- <multi/>
- </properties>
- </leafNode>
- <node name="intra-zone-filtering">
- <properties>
- <help>Intra-zone filtering</help>
- </properties>
- <children>
- <leafNode name="action">
- <properties>
- <help>Action for intra-zone traffic</help>
- <completionHelp>
- <list>accept drop</list>
- </completionHelp>
- <valueHelp>
- <format>accept</format>
- <description>Accept traffic</description>
- </valueHelp>
- <valueHelp>
- <format>drop</format>
- <description>Drop silently</description>
- </valueHelp>
- <constraint>
- <regex>(accept|drop)</regex>
- </constraint>
- </properties>
- </leafNode>
- <node name="firewall">
- <properties>
- <help>Use the specified firewall chain</help>
- </properties>
- <children>
- <leafNode name="ipv6-name">
- <properties>
- <help>IPv6 firewall ruleset</help>
- <completionHelp>
- <path>firewall ipv6-name</path>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="name">
- <properties>
- <help>IPv4 firewall ruleset</help>
- <completionHelp>
- <path>firewall name</path>
- </completionHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </node>
- <leafNode name="local-zone">
- <properties>
- <help>Zone to be local-zone</help>
- <valueless/>
- </properties>
- </leafNode>
+ #include <include/firewall/ipv6-hook-forward.xml.i>
+ #include <include/firewall/ipv6-hook-input.xml.i>
+ #include <include/firewall/ipv6-hook-output.xml.i>
+ #include <include/firewall/ipv6-custom-name.xml.i>
</children>
- </tagNode>
+ </node>
</children>
</node>
</interfaceDefinition>
diff --git a/interface-definitions/include/firewall/action-and-notrack.xml.i b/interface-definitions/include/firewall/action-and-notrack.xml.i
new file mode 100644
index 000000000..5f81a1451
--- /dev/null
+++ b/interface-definitions/include/firewall/action-and-notrack.xml.i
@@ -0,0 +1,41 @@
+<!-- include start from firewall/action-and-notrack.xml.i -->
+<leafNode name="action">
+ <properties>
+ <help>Rule action</help>
+ <completionHelp>
+ <list>accept jump notrack reject return drop queue</list>
+ </completionHelp>
+ <valueHelp>
+ <format>accept</format>
+ <description>Accept matching entries</description>
+ </valueHelp>
+ <valueHelp>
+ <format>jump</format>
+ <description>Jump to another chain</description>
+ </valueHelp>
+ <valueHelp>
+ <format>reject</format>
+ <description>Reject matching entries</description>
+ </valueHelp>
+ <valueHelp>
+ <format>return</format>
+ <description>Return from the current chain and continue at the next rule of the last chain</description>
+ </valueHelp>
+ <valueHelp>
+ <format>drop</format>
+ <description>Drop matching entries</description>
+ </valueHelp>
+ <valueHelp>
+ <format>queue</format>
+ <description>Enqueue packet to userspace</description>
+ </valueHelp>
+ <valueHelp>
+ <format>notrack</format>
+ <description>Igone connection tracking</description>
+ </valueHelp>
+ <constraint>
+ <regex>(accept|jump|notrack|reject|return|drop|queue)</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
new file mode 100644
index 000000000..7a2eb86d4
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -0,0 +1,374 @@
+<!-- include start from firewall/common-rule-inet.xml.i -->
+#include <include/firewall/action.xml.i>
+#include <include/generic-description.xml.i>
+#include <include/firewall/dscp.xml.i>
+#include <include/firewall/packet-options.xml.i>
+#include <include/firewall/connection-mark.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+<leafNode name="disable">
+ <properties>
+ <help>Option to disable firewall rule</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<node name="fragment">
+ <properties>
+ <help>IP fragment match</help>
+ </properties>
+ <children>
+ <leafNode name="match-frag">
+ <properties>
+ <help>Second and further fragments of fragmented packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="match-non-frag">
+ <properties>
+ <help>Head fragments or unfragmented packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="ipsec">
+ <properties>
+ <help>Inbound IPsec packets</help>
+ </properties>
+ <children>
+ <leafNode name="match-ipsec">
+ <properties>
+ <help>Inbound IPsec packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="match-none">
+ <properties>
+ <help>Inbound non-IPsec packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="limit">
+ <properties>
+ <help>Rate limit using a token bucket filter</help>
+ </properties>
+ <children>
+ <leafNode name="burst">
+ <properties>
+ <help>Maximum number of packets to allow in excess of rate</help>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>Maximum number of packets to allow in excess of rate</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="rate">
+ <properties>
+ <help>Maximum average matching rate</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>integer/unit (Example: 5/minute)</description>
+ </valueHelp>
+ <constraint>
+ <regex>\d+/(second|minute|hour|day)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<leafNode name="log">
+ <properties>
+ <help>Option to log packets matching rule</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable log</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable log</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<leafNode name="log">
+ <properties>
+ <help>Option to log packets matching rule</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable log</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable log</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+</leafNode>
+#include <include/firewall/rule-log-options.xml.i>
+<node name="connection-status">
+ <properties>
+ <help>Connection status</help>
+ </properties>
+ <children>
+ <leafNode name="nat">
+ <properties>
+ <help>NAT connection status</help>
+ <completionHelp>
+ <list>destination source</list>
+ </completionHelp>
+ <valueHelp>
+ <format>destination</format>
+ <description>Match connections that are subject to destination NAT</description>
+ </valueHelp>
+ <valueHelp>
+ <format>source</format>
+ <description>Match connections that are subject to source NAT</description>
+ </valueHelp>
+ <constraint>
+ <regex>(destination|source)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<leafNode name="protocol">
+ <properties>
+ <help>Protocol to match (protocol name, number, or "all")</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_protocols.sh</script>
+ <list>all tcp_udp</list>
+ </completionHelp>
+ <valueHelp>
+ <format>all</format>
+ <description>All IP protocols</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tcp_udp</format>
+ <description>Both TCP and UDP</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>IP protocol number</description>
+ </valueHelp>
+ <valueHelp>
+ <format><protocol></format>
+ <description>IP protocol name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!<protocol></format>
+ <description>IP protocol name</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-protocol"/>
+ </constraint>
+ </properties>
+</leafNode>
+<node name="recent">
+ <properties>
+ <help>Parameters for matching recently seen sources</help>
+ </properties>
+ <children>
+ <leafNode name="count">
+ <properties>
+ <help>Source addresses seen more than N times</help>
+ <valueHelp>
+ <format>u32:1-255</format>
+ <description>Source addresses seen more than N times</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="time">
+ <properties>
+ <help>Source addresses seen in the last second/minute/hour</help>
+ <completionHelp>
+ <list>second minute hour</list>
+ </completionHelp>
+ <valueHelp>
+ <format>second</format>
+ <description>Source addresses seen COUNT times in the last second</description>
+ </valueHelp>
+ <valueHelp>
+ <format>minute</format>
+ <description>Source addresses seen COUNT times in the last minute</description>
+ </valueHelp>
+ <valueHelp>
+ <format>hour</format>
+ <description>Source addresses seen COUNT times in the last hour</description>
+ </valueHelp>
+ <constraint>
+ <regex>(second|minute|hour)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="state">
+ <properties>
+ <help>Session state</help>
+ </properties>
+ <children>
+ <leafNode name="established">
+ <properties>
+ <help>Established state</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="invalid">
+ <properties>
+ <help>Invalid state</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="new">
+ <properties>
+ <help>New state</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="related">
+ <properties>
+ <help>Related state</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+#include <include/firewall/tcp-flags.xml.i>
+<node name="time">
+ <properties>
+ <help>Time to match rule</help>
+ </properties>
+ <children>
+ <leafNode name="startdate">
+ <properties>
+ <help>Date to start matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter date using following notation - YYYY-MM-DD</description>
+ </valueHelp>
+ <constraint>
+ <regex>(\d{4}\-\d{2}\-\d{2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="starttime">
+ <properties>
+ <help>Time of day to start matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter time using using 24 hour notation - hh:mm:ss</description>
+ </valueHelp>
+ <constraint>
+ <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="stopdate">
+ <properties>
+ <help>Date to stop matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter date using following notation - YYYY-MM-DD</description>
+ </valueHelp>
+ <constraint>
+ <regex>(\d{4}\-\d{2}\-\d{2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="stoptime">
+ <properties>
+ <help>Time of day to stop matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter time using using 24 hour notation - hh:mm:ss</description>
+ </valueHelp>
+ <constraint>
+ <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="weekdays">
+ <properties>
+ <help>Comma separated weekdays to match rule on</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:0-6</format>
+ <description>Day number (0 = Sunday ... 6 = Saturday)</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
new file mode 100644
index 000000000..a1071a09a
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
@@ -0,0 +1,331 @@
+<!-- include start from firewall/common-rule-ipv4-raw.xml.i -->
+#include <include/firewall/action-and-notrack.xml.i>
+#include <include/generic-description.xml.i>
+#include <include/firewall/dscp.xml.i>
+#include <include/firewall/ttl.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+<node name="destination">
+ <properties>
+ <help>Destination parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address.xml.i>
+ #include <include/firewall/address-mask.xml.i>
+ #include <include/firewall/fqdn.xml.i>
+ #include <include/firewall/geoip.xml.i>
+ #include <include/firewall/mac-address.xml.i>
+ #include <include/firewall/port.xml.i>
+ #include <include/firewall/source-destination-group.xml.i>
+ </children>
+</node>
+<leafNode name="disable">
+ <properties>
+ <help>Option to disable firewall rule</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<node name="fragment">
+ <properties>
+ <help>IP fragment match</help>
+ </properties>
+ <children>
+ <leafNode name="match-frag">
+ <properties>
+ <help>Second and further fragments of fragmented packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="match-non-frag">
+ <properties>
+ <help>Head fragments or unfragmented packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="icmp">
+ <properties>
+ <help>ICMP type and code information</help>
+ </properties>
+ <children>
+ <leafNode name="code">
+ <properties>
+ <help>ICMP code</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMP code (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="type">
+ <properties>
+ <help>ICMP type</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMP type (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/firewall/icmp-type-name.xml.i>
+ </children>
+</node>
+<node name="ipsec">
+ <properties>
+ <help>Inbound IPsec packets</help>
+ </properties>
+ <children>
+ <leafNode name="match-ipsec">
+ <properties>
+ <help>Inbound IPsec packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="match-none">
+ <properties>
+ <help>Inbound non-IPsec packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="limit">
+ <properties>
+ <help>Rate limit using a token bucket filter</help>
+ </properties>
+ <children>
+ <leafNode name="burst">
+ <properties>
+ <help>Maximum number of packets to allow in excess of rate</help>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>Maximum number of packets to allow in excess of rate</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="rate">
+ <properties>
+ <help>Maximum average matching rate</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>integer/unit (Example: 5/minute)</description>
+ </valueHelp>
+ <constraint>
+ <regex>\d+/(second|minute|hour|day)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<leafNode name="log">
+ <properties>
+ <help>Option to log packets matching rule</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable log</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable log</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+</leafNode>
+#include <include/firewall/rule-log-options.xml.i>
+<node name="connection-status">
+ <properties>
+ <help>Connection status</help>
+ </properties>
+ <children>
+ <leafNode name="nat">
+ <properties>
+ <help>NAT connection status</help>
+ <completionHelp>
+ <list>destination source</list>
+ </completionHelp>
+ <valueHelp>
+ <format>destination</format>
+ <description>Match connections that are subject to destination NAT</description>
+ </valueHelp>
+ <valueHelp>
+ <format>source</format>
+ <description>Match connections that are subject to source NAT</description>
+ </valueHelp>
+ <constraint>
+ <regex>(destination|source)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<leafNode name="protocol">
+ <properties>
+ <help>Protocol to match (protocol name, number, or "all")</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_protocols.sh</script>
+ <list>all tcp_udp</list>
+ </completionHelp>
+ <valueHelp>
+ <format>all</format>
+ <description>All IP protocols</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tcp_udp</format>
+ <description>Both TCP and UDP</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>IP protocol number</description>
+ </valueHelp>
+ <valueHelp>
+ <format><protocol></format>
+ <description>IP protocol name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!<protocol></format>
+ <description>IP protocol name</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-protocol"/>
+ </constraint>
+ </properties>
+</leafNode>
+<node name="recent">
+ <properties>
+ <help>Parameters for matching recently seen sources</help>
+ </properties>
+ <children>
+ <leafNode name="count">
+ <properties>
+ <help>Source addresses seen more than N times</help>
+ <valueHelp>
+ <format>u32:1-255</format>
+ <description>Source addresses seen more than N times</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="time">
+ <properties>
+ <help>Source addresses seen in the last second/minute/hour</help>
+ <completionHelp>
+ <list>second minute hour</list>
+ </completionHelp>
+ <valueHelp>
+ <format>second</format>
+ <description>Source addresses seen COUNT times in the last second</description>
+ </valueHelp>
+ <valueHelp>
+ <format>minute</format>
+ <description>Source addresses seen COUNT times in the last minute</description>
+ </valueHelp>
+ <valueHelp>
+ <format>hour</format>
+ <description>Source addresses seen COUNT times in the last hour</description>
+ </valueHelp>
+ <constraint>
+ <regex>(second|minute|hour)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="source">
+ <properties>
+ <help>Source parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address.xml.i>
+ #include <include/firewall/address-mask.xml.i>
+ #include <include/firewall/fqdn.xml.i>
+ #include <include/firewall/geoip.xml.i>
+ #include <include/firewall/mac-address.xml.i>
+ #include <include/firewall/port.xml.i>
+ #include <include/firewall/source-destination-group.xml.i>
+ </children>
+</node>
+#include <include/firewall/tcp-flags.xml.i>
+<node name="time">
+ <properties>
+ <help>Time to match rule</help>
+ </properties>
+ <children>
+ <leafNode name="startdate">
+ <properties>
+ <help>Date to start matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter date using following notation - YYYY-MM-DD</description>
+ </valueHelp>
+ <constraint>
+ <regex>(\d{4}\-\d{2}\-\d{2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="starttime">
+ <properties>
+ <help>Time of day to start matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter time using using 24 hour notation - hh:mm:ss</description>
+ </valueHelp>
+ <constraint>
+ <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="stopdate">
+ <properties>
+ <help>Date to stop matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter date using following notation - YYYY-MM-DD</description>
+ </valueHelp>
+ <constraint>
+ <regex>(\d{4}\-\d{2}\-\d{2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="stoptime">
+ <properties>
+ <help>Time of day to stop matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter time using using 24 hour notation - hh:mm:ss</description>
+ </valueHelp>
+ <constraint>
+ <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="weekdays">
+ <properties>
+ <help>Comma separated weekdays to match rule on</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:0-6</format>
+ <description>Day number (0 = Sunday ... 6 = Saturday)</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule-ipv4.xml.i b/interface-definitions/include/firewall/common-rule-ipv4.xml.i
new file mode 100644
index 000000000..4ed179ae7
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-ipv4.xml.i
@@ -0,0 +1,72 @@
+<!-- include start from firewall/common-rule-ipv4.xml.i -->
+#include <include/firewall/common-rule-inet.xml.i>
+#include <include/firewall/ttl.xml.i>
+<node name="destination">
+ <properties>
+ <help>Destination parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address.xml.i>
+ #include <include/firewall/address-mask.xml.i>
+ #include <include/firewall/fqdn.xml.i>
+ #include <include/firewall/geoip.xml.i>
+ #include <include/firewall/mac-address.xml.i>
+ #include <include/firewall/port.xml.i>
+ #include <include/firewall/source-destination-group.xml.i>
+ </children>
+</node>
+<node name="icmp">
+ <properties>
+ <help>ICMP type and code information</help>
+ </properties>
+ <children>
+ <leafNode name="code">
+ <properties>
+ <help>ICMP code</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMP code (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="type">
+ <properties>
+ <help>ICMP type</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMP type (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/firewall/icmp-type-name.xml.i>
+ </children>
+</node>
+<leafNode name="jump-target">
+ <properties>
+ <help>Set jump target. Action jump must be defined to use this setting</help>
+ <completionHelp>
+ <path>firewall ipv4 name</path>
+ </completionHelp>
+ </properties>
+</leafNode>
+<node name="source">
+ <properties>
+ <help>Source parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address.xml.i>
+ #include <include/firewall/address-mask.xml.i>
+ #include <include/firewall/fqdn.xml.i>
+ #include <include/firewall/geoip.xml.i>
+ #include <include/firewall/mac-address.xml.i>
+ #include <include/firewall/port.xml.i>
+ #include <include/firewall/source-destination-group.xml.i>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-ipv6.xml.i b/interface-definitions/include/firewall/common-rule-ipv6.xml.i
new file mode 100644
index 000000000..6219557db
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-ipv6.xml.i
@@ -0,0 +1,72 @@
+<!-- include start from firewall/common-rule-ipv6.xml.i -->
+#include <include/firewall/common-rule-inet.xml.i>
+#include <include/firewall/hop-limit.xml.i>
+<node name="destination">
+ <properties>
+ <help>Destination parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address-ipv6.xml.i>
+ #include <include/firewall/address-mask-ipv6.xml.i>
+ #include <include/firewall/fqdn.xml.i>
+ #include <include/firewall/geoip.xml.i>
+ #include <include/firewall/mac-address.xml.i>
+ #include <include/firewall/port.xml.i>
+ #include <include/firewall/source-destination-group-ipv6.xml.i>
+ </children>
+</node>
+<node name="icmpv6">
+ <properties>
+ <help>ICMPv6 type and code information</help>
+ </properties>
+ <children>
+ <leafNode name="code">
+ <properties>
+ <help>ICMPv6 code</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMPv6 code (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="type">
+ <properties>
+ <help>ICMPv6 type</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMPv6 type (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/firewall/icmpv6-type-name.xml.i>
+ </children>
+</node>
+<leafNode name="jump-target">
+ <properties>
+ <help>Set jump target. Action jump must be defined to use this setting</help>
+ <completionHelp>
+ <path>firewall ipv6 name</path>
+ </completionHelp>
+ </properties>
+</leafNode>
+<node name="source">
+ <properties>
+ <help>Source parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address-ipv6.xml.i>
+ #include <include/firewall/address-mask-ipv6.xml.i>
+ #include <include/firewall/fqdn.xml.i>
+ #include <include/firewall/geoip.xml.i>
+ #include <include/firewall/mac-address.xml.i>
+ #include <include/firewall/port.xml.i>
+ #include <include/firewall/source-destination-group-ipv6.xml.i>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/default-action-base-chains.xml.i b/interface-definitions/include/firewall/default-action-base-chains.xml.i
new file mode 100644
index 000000000..aa62abf3d
--- /dev/null
+++ b/interface-definitions/include/firewall/default-action-base-chains.xml.i
@@ -0,0 +1,22 @@
+<!-- include start from firewall/default-action-base-chains.xml.i -->
+<leafNode name="default-action">
+ <properties>
+ <help>Default-action for rule-set</help>
+ <completionHelp>
+ <list>drop accept</list>
+ </completionHelp>
+ <valueHelp>
+ <format>drop</format>
+ <description>Drop if no prior rules are hit</description>
+ </valueHelp>
+ <valueHelp>
+ <format>accept</format>
+ <description>Accept if no prior rules are hit</description>
+ </valueHelp>
+ <constraint>
+ <regex>(drop|accept)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>accept</defaultValue>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
new file mode 100644
index 000000000..a63874cb0
--- /dev/null
+++ b/interface-definitions/include/firewall/global-options.xml.i
@@ -0,0 +1,252 @@
+<!-- include start from firewall/global-options.xml.i -->
+<node name="global-options">
+ <properties>
+ <help>Global Options</help>
+ </properties>
+ <children>
+ <leafNode name="all-ping">
+ <properties>
+ <help>Policy for handling of all IPv4 ICMP echo requests</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of all IPv4 ICMP echo requests</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of all IPv4 ICMP echo requests</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>enable</defaultValue>
+ </leafNode>
+ <leafNode name="broadcast-ping">
+ <properties>
+ <help>Policy for handling broadcast IPv4 ICMP echo and timestamp requests</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>disable</defaultValue>
+ </leafNode>
+ <leafNode name="ip-src-route">
+ <properties>
+ <help>Policy for handling IPv4 packets with source route option</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of IPv4 packets with source route option</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of IPv4 packets with source route option</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>disable</defaultValue>
+ </leafNode>
+ <leafNode name="log-martians">
+ <properties>
+ <help>Policy for logging IPv4 packets with invalid addresses</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable logging of IPv4 packets with invalid addresses</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable logging of Ipv4 packets with invalid addresses</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>enable</defaultValue>
+ </leafNode>
+ <leafNode name="receive-redirects">
+ <properties>
+ <help>Policy for handling received IPv4 ICMP redirect messages</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of received IPv4 ICMP redirect messages</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of received IPv4 ICMP redirect messages</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>disable</defaultValue>
+ </leafNode>
+ <leafNode name="resolver-cache">
+ <properties>
+ <help>Retains last successful value if domain resolution fails</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="resolver-interval">
+ <properties>
+ <help>Domain resolver update interval</help>
+ <valueHelp>
+ <format>u32:10-3600</format>
+ <description>Interval (seconds)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 10-3600"/>
+ </constraint>
+ </properties>
+ <defaultValue>300</defaultValue>
+ </leafNode>
+ <leafNode name="send-redirects">
+ <properties>
+ <help>Policy for sending IPv4 ICMP redirect messages</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable sending IPv4 ICMP redirect messages</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable sending IPv4 ICMP redirect messages</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>enable</defaultValue>
+ </leafNode>
+ <leafNode name="source-validation">
+ <properties>
+ <help>Policy for source validation by reversed path, as specified in RFC3704</help>
+ <completionHelp>
+ <list>strict loose disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>strict</format>
+ <description>Enable Strict Reverse Path Forwarding as defined in RFC3704</description>
+ </valueHelp>
+ <valueHelp>
+ <format>loose</format>
+ <description>Enable Loose Reverse Path Forwarding as defined in RFC3704</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>No source validation</description>
+ </valueHelp>
+ <constraint>
+ <regex>(strict|loose|disable)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>disable</defaultValue>
+ </leafNode>
+ <leafNode name="syn-cookies">
+ <properties>
+ <help>Policy for using TCP SYN cookies with IPv4</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable use of TCP SYN cookies with IPv4</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable use of TCP SYN cookies with IPv4</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>enable</defaultValue>
+ </leafNode>
+ <leafNode name="twa-hazards-protection">
+ <properties>
+ <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable RFC1337 TIME-WAIT hazards protection</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable RFC1337 TIME-WAIT hazards protection</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>disable</defaultValue>
+ </leafNode>
+ <leafNode name="ipv6-receive-redirects">
+ <properties>
+ <help>Policy for handling received ICMPv6 redirect messages</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of received ICMPv6 redirect messages</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of received ICMPv6 redirect messages</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>disable</defaultValue>
+ </leafNode>
+ <leafNode name="ipv6-src-route">
+ <properties>
+ <help>Policy for handling IPv6 packets with routing extension header</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of IPv6 packets with routing header type 2</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of IPv6 packets with routing header</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|disable)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>disable</defaultValue>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/inbound-interface.xml.i b/interface-definitions/include/firewall/inbound-interface.xml.i
new file mode 100644
index 000000000..13df71de3
--- /dev/null
+++ b/interface-definitions/include/firewall/inbound-interface.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from firewall/inbound-interface.xml.i -->
+<node name="inbound-interface">
+ <properties>
+ <help>Match inbound-interface</help>
+ </properties>
+ <children>
+ #include <include/firewall/match-interface.xml.i>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i
new file mode 100644
index 000000000..9d6ecfaf2
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i
@@ -0,0 +1,41 @@
+<!-- include start from firewall/ipv4-custom-name.xml.i -->
+<tagNode name="name">
+ <properties>
+ <help>IPv4 custom firewall</help>
+ <constraint>
+ <regex>[a-zA-Z0-9][\w\-\.]*</regex>
+ </constraint>
+ </properties>
+ <children>
+ #include <include/firewall/default-action.xml.i>
+ #include <include/firewall/enable-default-log.xml.i>
+ #include <include/generic-description.xml.i>
+ <leafNode name="default-jump-target">
+ <properties>
+ <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
+ <completionHelp>
+ <path>firewall ipv4 name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv4 Firewall custom rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv4.xml.i>
+ #include <include/firewall/inbound-interface.xml.i>
+ #include <include/firewall/outbound-interface.xml.i>
+ </children>
+ </tagNode>
+ </children>
+</tagNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
new file mode 100644
index 000000000..08ee96419
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
@@ -0,0 +1,36 @@
+<!-- include start from firewall/ipv4-hook-forward.xml.i -->
+<node name="forward">
+ <properties>
+ <help>IPv4 forward firewall</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>IPv4 firewall forward filter</help>
+ </properties>
+ <children>
+ #include <include/firewall/default-action-base-chains.xml.i>
+ #include <include/generic-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv4 Firewall forward filter rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv4.xml.i>
+ #include <include/firewall/inbound-interface.xml.i>
+ #include <include/firewall/outbound-interface.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i
new file mode 100644
index 000000000..32b0ec94f
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i
@@ -0,0 +1,35 @@
+<!-- include start from firewall/ipv4-hook-input.xml.i -->
+<node name="input">
+ <properties>
+ <help>IPv4 input firewall</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>IPv4 firewall input filter</help>
+ </properties>
+ <children>
+ #include <include/firewall/default-action-base-chains.xml.i>
+ #include <include/generic-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv4 Firewall input filter rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv4.xml.i>
+ #include <include/firewall/inbound-interface.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i
new file mode 100644
index 000000000..d50d1e93b
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i
@@ -0,0 +1,35 @@
+<!-- include start from firewall/ipv4-hook-output.xml.i -->
+<node name="output">
+ <properties>
+ <help>IPv4 output firewall</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>IPv4 firewall output filter</help>
+ </properties>
+ <children>
+ #include <include/firewall/default-action-base-chains.xml.i>
+ #include <include/generic-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv4 Firewall output filter rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv4.xml.i>
+ #include <include/firewall/outbound-interface.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i
new file mode 100644
index 000000000..c38918375
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i
@@ -0,0 +1,85 @@
+<!-- include start from firewall/ipv4-hook-prerouting.xml.i -->
+<node name="prerouting">
+ <properties>
+ <help>IPv4 prerouting firewall</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>IPv4 firewall prerouting filter</help>
+ </properties>
+ <children>
+ #include <include/firewall/default-action-base-chains.xml.i>
+ #include <include/generic-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv4 Firewall prerouting filter rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv4.xml.i>
+ #include <include/firewall/inbound-interface.xml.i>
+ <leafNode name="jump-target">
+ <properties>
+ <help>Set jump target. Action jump must be defined to use this setting</help>
+ <completionHelp>
+ <path>firewall ipv4 name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ <node name="raw">
+ <properties>
+ <help>IPv4 firewall prerouting raw</help>
+ </properties>
+ <children>
+ #include <include/firewall/default-action-base-chains.xml.i>
+ #include <include/generic-description.xml.i>
+ <leafNode name="default-jump-target">
+ <properties>
+ <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
+ <completionHelp>
+ <path>firewall ipv4 name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv4 Firewall prerouting raw rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv4-raw.xml.i>
+ #include <include/firewall/inbound-interface.xml.i>
+ <leafNode name="jump-target">
+ <properties>
+ <help>Set jump target. Action jump must be defined to use this setting</help>
+ <completionHelp>
+ <path>firewall ipv4 name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i
new file mode 100644
index 000000000..81610babf
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i
@@ -0,0 +1,41 @@
+<!-- include start from firewall/ipv6-custom-name.xml.i -->
+<tagNode name="name">
+ <properties>
+ <help>IPv6 custom firewall</help>
+ <constraint>
+ <regex>[a-zA-Z0-9][\w\-\.]*</regex>
+ </constraint>
+ </properties>
+ <children>
+ #include <include/firewall/default-action.xml.i>
+ #include <include/firewall/enable-default-log.xml.i>
+ #include <include/generic-description.xml.i>
+ <leafNode name="default-jump-target">
+ <properties>
+ <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
+ <completionHelp>
+ <path>firewall ipv6 name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv6 Firewall custom rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv6.xml.i>
+ #include <include/firewall/inbound-interface.xml.i>
+ #include <include/firewall/outbound-interface.xml.i>
+ </children>
+ </tagNode>
+ </children>
+</tagNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
new file mode 100644
index 000000000..20ab8dbe8
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
@@ -0,0 +1,36 @@
+<!-- include start from firewall/ipv6-hook-forward.xml.i -->
+<node name="forward">
+ <properties>
+ <help>IPv6 forward firewall</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>IPv6 firewall forward filter</help>
+ </properties>
+ <children>
+ #include <include/firewall/default-action-base-chains.xml.i>
+ #include <include/generic-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv6 Firewall forward filter rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv6.xml.i>
+ #include <include/firewall/inbound-interface.xml.i>
+ #include <include/firewall/outbound-interface.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i
new file mode 100644
index 000000000..e34958f28
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i
@@ -0,0 +1,35 @@
+<!-- include start from firewall/ipv6-hook-input.xml.i -->
+<node name="input">
+ <properties>
+ <help>IPv6 input firewall</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>IPv6 firewall input filter</help>
+ </properties>
+ <children>
+ #include <include/firewall/default-action-base-chains.xml.i>
+ #include <include/generic-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv6 Firewall input filter rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv6.xml.i>
+ #include <include/firewall/inbound-interface.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i
new file mode 100644
index 000000000..eb4ea7ac3
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i
@@ -0,0 +1,35 @@
+<!-- include start from firewall/ipv6-hook-output.xml.i -->
+<node name="output">
+ <properties>
+ <help>IPv6 output firewall</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>IPv6 firewall output filter</help>
+ </properties>
+ <children>
+ #include <include/firewall/default-action-base-chains.xml.i>
+ #include <include/generic-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv6 Firewall output filter rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv6.xml.i>
+ #include <include/firewall/outbound-interface.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/match-interface.xml.i b/interface-definitions/include/firewall/match-interface.xml.i
index 3e52422cf..a62bf8d89 100644
--- a/interface-definitions/include/firewall/match-interface.xml.i
+++ b/interface-definitions/include/firewall/match-interface.xml.i
@@ -1,18 +1,25 @@
<!-- include start from firewall/match-interface.xml.i -->
<leafNode name="interface-name">
<properties>
<help>Match interface</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Interface name, wildcard (*) supported</description>
+ </valueHelp>
+ <constraint>
+ #include <include/constraint/interface-name-with-wildcard.xml.i>
+ </constraint>
</properties>
</leafNode>
<leafNode name="interface-group">
<properties>
<help>Match interface-group</help>
<completionHelp>
<path>firewall group interface-group</path>
</completionHelp>
</properties>
</leafNode>
<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/outbound-interface.xml.i b/interface-definitions/include/firewall/outbound-interface.xml.i
new file mode 100644
index 000000000..8654dfd80
--- /dev/null
+++ b/interface-definitions/include/firewall/outbound-interface.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from firewall/outbound-interface.xml.i -->
+<node name="outbound-interface">
+ <properties>
+ <help>Match outbound-interface</help>
+ </properties>
+ <children>
+ #include <include/firewall/match-interface.xml.i>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i
index c32484542..dd21bfaca 100644
--- a/interface-definitions/include/version/firewall-version.xml.i
+++ b/interface-definitions/include/version/firewall-version.xml.i
@@ -1,3 +1,3 @@
<!-- include start from include/version/firewall-version.xml.i -->
-<syntaxVersion component='firewall' version='10'></syntaxVersion>
+<syntaxVersion component='firewall' version='11'></syntaxVersion>
<!-- include end -->
diff --git a/op-mode-definitions/firewall.xml.in b/op-mode-definitions/firewall.xml.in
index b5dee7c9e..164ce6b60 100644
--- a/op-mode-definitions/firewall.xml.in
+++ b/op-mode-definitions/firewall.xml.in
@@ -1,191 +1,351 @@
<?xml version="1.0"?>
<interfaceDefinition>
<!--
<node name="clear">
<children>
<node name="firewall">
<properties>
<help>Clear firewall statistics</help>
</properties>
<children>
<tagNode name="ipv6-name">
<properties>
<help>Clear firewall statistics for chain</help>
<completionHelp>
<path>firewall ipv6-name</path>
</completionHelp>
</properties>
<children>
<leafNode name="counters">
<properties>
<help>Clear counters for specified chain</help>
</properties>
<command>echo "TODO"</command>
</leafNode>
<tagNode name="rule">
<properties>
<help>Clear firewall statistics for a rule</help>
<completionHelp>
<path>firewall ipv6-name ${COMP_WORDS[4]} rule</path>
</completionHelp>
</properties>
<children>
<leafNode name="counters">
<properties>
<help>Clear counters for specified rule</help>
</properties>
<command>echo "TODO"</command>
</leafNode>
</children>
</tagNode>
</children>
</tagNode>
<tagNode name="name">
<properties>
<help>Clear firewall statistics for chain</help>
<completionHelp>
<path>firewall name</path>
</completionHelp>
</properties>
<children>
<leafNode name="counters">
<properties>
<help>Clear counters for specified chain</help>
</properties>
<command>echo "TODO"</command>
</leafNode>
<tagNode name="rule">
<properties>
<help>Clear firewall statistics for a rule</help>
<completionHelp>
<path>firewall name ${COMP_WORDS[4]} rule</path>
</completionHelp>
</properties>
<children>
<leafNode name="counters">
<properties>
<help>Clear counters for specified rule</help>
</properties>
<command>echo "TODO"</command>
</leafNode>
</children>
</tagNode>
</children>
</tagNode>
</children>
</node>
</children>
</node>
-->
<!--
<node name="reset">
<children>
<node name="firewall">
<properties>
<help>Reset a firewall group</help>
</properties>
<children>
<tagNode name="address-group">
<properties>
<help>Reset a firewall address group</help>
</properties>
</tagNode>
<tagNode name="network-group">
<properties>
<help>Reset a firewall network group</help>
</properties>
</tagNode>
<tagNode name="port-group">
<properties>
<help>Reset a firewall port group</help>
</properties>
</tagNode>
</children>
</node>
</children>
</node>
-->
<node name="show">
<children>
<node name="firewall">
<properties>
<help>Show firewall information</help>
</properties>
<children>
<tagNode name="group">
<properties>
<help>Show firewall group</help>
<completionHelp>
<path>firewall group address-group</path>
<path>firewall group network-group</path>
<path>firewall group port-group</path>
<path>firewall group ipv6-address-group</path>
<path>firewall group ipv6-network-group</path>
</completionHelp>
</properties>
<command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_group --name $4</command>
</tagNode>
<leafNode name="group">
<properties>
<help>Show firewall group</help>
</properties>
<command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_group</command>
</leafNode>
- <tagNode name="ipv6-name">
+ <node name="ipv6">
<properties>
- <help>Show IPv6 firewall chains</help>
- <completionHelp>
- <path>firewall ipv6-name</path>
- </completionHelp>
+ <help>Show IPv6 firewall</help>
</properties>
<children>
- <tagNode name="rule">
+ <node name="forward">
+ <properties>
+ <help>Show IPv6 forward firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show IPv6 forward filter firewall ruleset</help>
+ </properties>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of IPv6 forward filter firewall rules</help>
+ <completionHelp>
+ <path>firewall ipv6 forward filter rule</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 --ipv6</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --ipv6</command>
+ </node>
+ </children>
+ </node>
+ <node name="input">
+ <properties>
+ <help>Show IPv6 input firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show IPv6 forward input firewall ruleset</help>
+ </properties>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of IPv6 input filter firewall rules</help>
+ <completionHelp>
+ <path>firewall ipv6 input filter rule</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 --ipv6</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --ipv6</command>
+ </node>
+ </children>
+ </node>
+ <node name="output">
+ <properties>
+ <help>Show IPv6 output firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show IPv6 output filter firewall ruleset</help>
+ </properties>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of IPv6 output filter firewall rules</help>
+ <completionHelp>
+ <path>firewall ipv6 output filter rule</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 --ipv6</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --ipv6</command>
+ </node>
+ </children>
+ </node>
+ <tagNode name="ipv6-name">
<properties>
- <help>Show summary of IPv6 firewall rules</help>
+ <help>Show IPv6 custom firewall chains</help>
<completionHelp>
- <path>firewall ipv6-name ${COMP_WORDS[6]} rule</path>
+ <path>firewall ipv6 ipv6-name</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --name $4 --rule $6 --ipv6</command>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of IPv6 custom firewall ruleset</help>
+ <completionHelp>
+ <path>firewall ipv6 ipv6-name ${COMP_WORDS[6]} rule</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 --ipv6</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --ipv6</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --name $4 --ipv6</command>
- </tagNode>
- <tagNode name="name">
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command>
+ </node>
+ <node name="ipv4">
<properties>
- <help>Show IPv4 firewall chains</help>
- <completionHelp>
- <path>firewall name</path>
- </completionHelp>
+ <help>Show IPv4 firewall</help>
</properties>
<children>
- <tagNode name="rule">
+ <node name="forward">
+ <properties>
+ <help>Show IPv4 forward firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show IPv4 forward filter firewall ruleset</help>
+ </properties>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of IPv4 forward filter firewall rules</help>
+ <completionHelp>
+ <path>firewall ipv4 forward filter rule</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5</command>
+ </node>
+ </children>
+ </node>
+ <node name="input">
+ <properties>
+ <help>Show IPv4 input firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show IPv4 forward input firewall ruleset</help>
+ </properties>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of IPv4 input filter firewall rules</help>
+ <completionHelp>
+ <path>firewall ipv4 input filter rule</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5</command>
+ </node>
+ </children>
+ </node>
+ <node name="output">
+ <properties>
+ <help>Show IPv4 output firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show IPv4 output filter firewall ruleset</help>
+ </properties>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of IPv4 output filter firewall rules</help>
+ <completionHelp>
+ <path>firewall ipv4 output filter rule</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5</command>
+ </node>
+ </children>
+ </node>
+ <tagNode name="name">
<properties>
- <help>Show summary of IPv4 firewall rules</help>
+ <help>Show IPv4 custom firewall chains</help>
<completionHelp>
- <path>firewall name ${COMP_WORDS[6]} rule</path>
+ <path>firewall ipv4 name</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --name $4 --rule $6</command>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of IPv4 custom firewall ruleset</help>
+ <completionHelp>
+ <path>firewall ipv4 name ${COMP_WORDS[6]} rule</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5</command>
</tagNode>
</children>
- <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --name $4</command>
- </tagNode>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command>
+ </node>
<leafNode name="statistics">
<properties>
<help>Show statistics of firewall application</help>
</properties>
<command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_statistics</command>
</leafNode>
<leafNode name="summary">
<properties>
<help>Show summary of firewall application</help>
</properties>
<command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_summary</command>
</leafNode>
</children>
<command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_all</command>
</node>
</children>
</node>
</interfaceDefinition>
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 903cc8535..4aa509fe2 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -1,533 +1,559 @@
#!/usr/bin/env python3
#
# Copyright (C) 2021-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import csv
import gzip
import os
import re
from pathlib import Path
from socket import AF_INET
from socket import AF_INET6
from socket import getaddrinfo
from time import strftime
from vyos.remote import download
from vyos.template import is_ipv4
from vyos.template import render
from vyos.utils.dict import dict_search_args
from vyos.utils.dict import dict_search_recursive
from vyos.utils.process import call
from vyos.utils.process import cmd
from vyos.utils.process import run
# Domain Resolver
def fqdn_config_parse(firewall):
firewall['ip_fqdn'] = {}
firewall['ip6_fqdn'] = {}
for domain, path in dict_search_recursive(firewall, 'fqdn'):
- fw_name = path[1] # name/ipv6-name
- rule = path[3] # rule id
- suffix = path[4][0] # source/destination (1 char)
- set_name = f'{fw_name}_{rule}_{suffix}'
-
- if path[0] == 'name':
+ hook_name = path[1]
+ priority = path[2]
+
+ fw_name = path[2]
+ rule = path[4]
+ suffix = path[5][0]
+ set_name = f'{hook_name}_{priority}_{rule}_{suffix}'
+
+ if (path[0] == 'ipv4') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
firewall['ip_fqdn'][set_name] = domain
- elif path[0] == 'ipv6_name':
+ elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
+ if path[1] == 'name':
+ set_name = f'name6_{priority}_{rule}_{suffix}'
firewall['ip6_fqdn'][set_name] = domain
def fqdn_resolve(fqdn, ipv6=False):
try:
res = getaddrinfo(fqdn, None, AF_INET6 if ipv6 else AF_INET)
return set(item[4][0] for item in res)
except:
return None
# End Domain Resolver
def find_nftables_rule(table, chain, rule_matches=[]):
# Find rule in table/chain that matches all criteria and return the handle
results = cmd(f'sudo nft -a list chain {table} {chain}').split("\n")
for line in results:
if all(rule_match in line for rule_match in rule_matches):
handle_search = re.search('handle (\d+)', line)
if handle_search:
return handle_search[1]
return None
def remove_nftables_rule(table, chain, handle):
cmd(f'sudo nft delete rule {table} {chain} handle {handle}')
# Functions below used by template generation
def nft_action(vyos_action):
if vyos_action == 'accept':
return 'return'
return vyos_action
-def parse_rule(rule_conf, fw_name, rule_id, ip_name):
+def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
output = []
def_suffix = '6' if ip_name == 'ip6' else ''
if 'state' in rule_conf and rule_conf['state']:
states = ",".join([s for s, v in rule_conf['state'].items() if v == 'enable'])
if states:
output.append(f'ct state {{{states}}}')
if 'connection_status' in rule_conf and rule_conf['connection_status']:
status = rule_conf['connection_status']
if status['nat'] == 'destination':
nat_status = '{dnat}'
output.append(f'ct status {nat_status}')
if status['nat'] == 'source':
nat_status = '{snat}'
output.append(f'ct status {nat_status}')
if 'protocol' in rule_conf and rule_conf['protocol'] != 'all':
proto = rule_conf['protocol']
operator = ''
if proto[0] == '!':
operator = '!='
proto = proto[1:]
if proto == 'tcp_udp':
proto = '{tcp, udp}'
output.append(f'meta l4proto {operator} {proto}')
for side in ['destination', 'source']:
if side in rule_conf:
prefix = side[0]
side_conf = rule_conf[side]
address_mask = side_conf.get('address_mask', None)
if 'address' in side_conf:
suffix = side_conf['address']
operator = ''
exclude = suffix[0] == '!'
if exclude:
operator = '!= '
suffix = suffix[1:]
if address_mask:
operator = '!=' if exclude else '=='
operator = f'& {address_mask} {operator} '
output.append(f'{ip_name} {prefix}addr {operator}{suffix}')
if 'fqdn' in side_conf:
fqdn = side_conf['fqdn']
+ hook_name = ''
operator = ''
if fqdn[0] == '!':
operator = '!='
- output.append(f'{ip_name} {prefix}addr {operator} @FQDN_{fw_name}_{rule_id}_{prefix}')
+ if hook == 'FWD':
+ hook_name = 'forward'
+ if hook == 'INP':
+ hook_name = 'input'
+ if hook == 'OUT':
+ hook_name = 'output'
+ if hook == 'NAM':
+ hook_name = f'name{def_suffix}'
+ output.append(f'{ip_name} {prefix}addr {operator} @FQDN_{hook_name}_{fw_name}_{rule_id}_{prefix}')
if dict_search_args(side_conf, 'geoip', 'country_code'):
operator = ''
+ hook_name = ''
if dict_search_args(side_conf, 'geoip', 'inverse_match') != None:
operator = '!='
- output.append(f'{ip_name} {prefix}addr {operator} @GEOIP_CC_{fw_name}_{rule_id}')
+ if hook == 'FWD':
+ hook_name = 'forward'
+ if hook == 'INP':
+ hook_name = 'input'
+ if hook == 'OUT':
+ hook_name = 'output'
+ if hook == 'NAM':
+ hook_name = f'name'
+ output.append(f'{ip_name} {prefix}addr {operator} @GEOIP_CC{def_suffix}_{hook_name}_{fw_name}_{rule_id}')
if 'mac_address' in side_conf:
suffix = side_conf["mac_address"]
if suffix[0] == '!':
suffix = f'!= {suffix[1:]}'
output.append(f'ether {prefix}addr {suffix}')
if 'port' in side_conf:
proto = rule_conf['protocol']
port = side_conf['port'].split(',')
ports = []
negated_ports = []
for p in port:
if p[0] == '!':
negated_ports.append(p[1:])
else:
ports.append(p)
if proto == 'tcp_udp':
proto = 'th'
if ports:
ports_str = ','.join(ports)
output.append(f'{proto} {prefix}port {{{ports_str}}}')
if negated_ports:
negated_ports_str = ','.join(negated_ports)
output.append(f'{proto} {prefix}port != {{{negated_ports_str}}}')
if 'group' in side_conf:
group = side_conf['group']
if 'address_group' in group:
group_name = group['address_group']
operator = ''
exclude = group_name[0] == "!"
if exclude:
operator = '!='
group_name = group_name[1:]
if address_mask:
operator = '!=' if exclude else '=='
operator = f'& {address_mask} {operator}'
output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}')
# Generate firewall group domain-group
elif 'domain_group' in group:
group_name = group['domain_group']
operator = ''
if group_name[0] == '!':
operator = '!='
group_name = group_name[1:]
output.append(f'{ip_name} {prefix}addr {operator} @D_{group_name}')
elif 'network_group' in group:
group_name = group['network_group']
operator = ''
if group_name[0] == '!':
operator = '!='
group_name = group_name[1:]
output.append(f'{ip_name} {prefix}addr {operator} @N{def_suffix}_{group_name}')
if 'mac_group' in group:
group_name = group['mac_group']
operator = ''
if group_name[0] == '!':
operator = '!='
group_name = group_name[1:]
output.append(f'ether {prefix}addr {operator} @M_{group_name}')
if 'port_group' in group:
proto = rule_conf['protocol']
group_name = group['port_group']
if proto == 'tcp_udp':
proto = 'th'
operator = ''
if group_name[0] == '!':
operator = '!='
group_name = group_name[1:]
output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
if 'log' in rule_conf and rule_conf['log'] == 'enable':
action = rule_conf['action'] if 'action' in rule_conf else 'accept'
output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}]"')
if 'log_options' in rule_conf:
if 'level' in rule_conf['log_options']:
log_level = rule_conf['log_options']['level']
output.append(f'log level {log_level}')
if 'group' in rule_conf['log_options']:
log_group = rule_conf['log_options']['group']
output.append(f'log group {log_group}')
if 'queue_threshold' in rule_conf['log_options']:
queue_threshold = rule_conf['log_options']['queue_threshold']
output.append(f'queue-threshold {queue_threshold}')
if 'snapshot_length' in rule_conf['log_options']:
log_snaplen = rule_conf['log_options']['snapshot_length']
output.append(f'snaplen {log_snaplen}')
if 'hop_limit' in rule_conf:
operators = {'eq': '==', 'gt': '>', 'lt': '<'}
for op, operator in operators.items():
if op in rule_conf['hop_limit']:
value = rule_conf['hop_limit'][op]
output.append(f'ip6 hoplimit {operator} {value}')
if 'inbound_interface' in rule_conf:
if 'interface_name' in rule_conf['inbound_interface']:
iiface = rule_conf['inbound_interface']['interface_name']
output.append(f'iifname {{{iiface}}}')
else:
iiface = rule_conf['inbound_interface']['interface_group']
output.append(f'iifname @I_{iiface}')
if 'outbound_interface' in rule_conf:
if 'interface_name' in rule_conf['outbound_interface']:
oiface = rule_conf['outbound_interface']['interface_name']
output.append(f'oifname {{{oiface}}}')
else:
oiface = rule_conf['outbound_interface']['interface_group']
output.append(f'oifname @I_{oiface}')
if 'ttl' in rule_conf:
operators = {'eq': '==', 'gt': '>', 'lt': '<'}
for op, operator in operators.items():
if op in rule_conf['ttl']:
value = rule_conf['ttl'][op]
output.append(f'ip ttl {operator} {value}')
for icmp in ['icmp', 'icmpv6']:
if icmp in rule_conf:
if 'type_name' in rule_conf[icmp]:
output.append(icmp + ' type ' + rule_conf[icmp]['type_name'])
else:
if 'code' in rule_conf[icmp]:
output.append(icmp + ' code ' + rule_conf[icmp]['code'])
if 'type' in rule_conf[icmp]:
output.append(icmp + ' type ' + rule_conf[icmp]['type'])
if 'packet_length' in rule_conf:
lengths_str = ','.join(rule_conf['packet_length'])
output.append(f'ip{def_suffix} length {{{lengths_str}}}')
if 'packet_length_exclude' in rule_conf:
negated_lengths_str = ','.join(rule_conf['packet_length_exclude'])
output.append(f'ip{def_suffix} length != {{{negated_lengths_str}}}')
if 'packet_type' in rule_conf:
output.append(f'pkttype ' + rule_conf['packet_type'])
if 'dscp' in rule_conf:
dscp_str = ','.join(rule_conf['dscp'])
output.append(f'ip{def_suffix} dscp {{{dscp_str}}}')
if 'dscp_exclude' in rule_conf:
negated_dscp_str = ','.join(rule_conf['dscp_exclude'])
output.append(f'ip{def_suffix} dscp != {{{negated_dscp_str}}}')
if 'ipsec' in rule_conf:
if 'match_ipsec' in rule_conf['ipsec']:
output.append('meta ipsec == 1')
if 'match_none' in rule_conf['ipsec']:
output.append('meta ipsec == 0')
if 'fragment' in rule_conf:
# Checking for fragmentation after priority -400 is not possible,
# so we use a priority -450 hook to set a mark
if 'match_frag' in rule_conf['fragment']:
output.append('meta mark 0xffff1')
if 'match_non_frag' in rule_conf['fragment']:
output.append('meta mark != 0xffff1')
if 'limit' in rule_conf:
if 'rate' in rule_conf['limit']:
output.append(f'limit rate {rule_conf["limit"]["rate"]}')
if 'burst' in rule_conf['limit']:
output.append(f'burst {rule_conf["limit"]["burst"]} packets')
if 'recent' in rule_conf:
count = rule_conf['recent']['count']
time = rule_conf['recent']['time']
- output.append(f'add @RECENT{def_suffix}_{fw_name}_{rule_id} {{ {ip_name} saddr limit rate over {count}/{time} burst {count} packets }}')
+ output.append(f'add @RECENT{def_suffix}_{hook}_{fw_name}_{rule_id} {{ {ip_name} saddr limit rate over {count}/{time} burst {count} packets }}')
if 'time' in rule_conf:
output.append(parse_time(rule_conf['time']))
tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
if tcp_flags:
output.append(parse_tcp_flags(tcp_flags))
# TCP MSS
tcp_mss = dict_search_args(rule_conf, 'tcp', 'mss')
if tcp_mss:
output.append(f'tcp option maxseg size {tcp_mss}')
if 'connection_mark' in rule_conf:
conn_mark_str = ','.join(rule_conf['connection_mark'])
output.append(f'ct mark {{{conn_mark_str}}}')
output.append('counter')
if 'set' in rule_conf:
output.append(parse_policy_set(rule_conf['set'], def_suffix))
if 'action' in rule_conf:
- output.append(nft_action(rule_conf['action']))
+ # Change action=return to action=action
+ # #output.append(nft_action(rule_conf['action']))
+ output.append(f'{rule_conf["action"]}')
if 'jump' in rule_conf['action']:
target = rule_conf['jump_target']
output.append(f'NAME{def_suffix}_{target}')
if 'queue' in rule_conf['action']:
if 'queue' in rule_conf:
target = rule_conf['queue']
output.append(f'num {target}')
if 'queue_options' in rule_conf:
queue_opts = ','.join(rule_conf['queue_options'])
output.append(f'{queue_opts}')
else:
output.append('return')
- output.append(f'comment "{fw_name}-{rule_id}"')
+ output.append(f'comment "{hook}-{fw_name}-{rule_id}"')
return " ".join(output)
def parse_tcp_flags(flags):
include = [flag for flag in flags if flag != 'not']
exclude = list(flags['not']) if 'not' in flags else []
return f'tcp flags & ({"|".join(include + exclude)}) == {"|".join(include) if include else "0x0"}'
def parse_time(time):
out = []
if 'startdate' in time:
start = time['startdate']
if 'T' not in start and 'starttime' in time:
start += f' {time["starttime"]}'
out.append(f'time >= "{start}"')
if 'starttime' in time and 'startdate' not in time:
out.append(f'hour >= "{time["starttime"]}"')
if 'stopdate' in time:
stop = time['stopdate']
if 'T' not in stop and 'stoptime' in time:
stop += f' {time["stoptime"]}'
out.append(f'time < "{stop}"')
if 'stoptime' in time and 'stopdate' not in time:
out.append(f'hour < "{time["stoptime"]}"')
if 'weekdays' in time:
days = time['weekdays'].split(",")
out_days = [f'"{day}"' for day in days if day[0] != '!']
out.append(f'day {{{",".join(out_days)}}}')
return " ".join(out)
def parse_policy_set(set_conf, def_suffix):
out = []
if 'connection_mark' in set_conf:
conn_mark = set_conf['connection_mark']
out.append(f'ct mark set {conn_mark}')
if 'dscp' in set_conf:
dscp = set_conf['dscp']
out.append(f'ip{def_suffix} dscp set {dscp}')
if 'mark' in set_conf:
mark = set_conf['mark']
out.append(f'meta mark set {mark}')
if 'table' in set_conf:
table = set_conf['table']
if table == 'main':
table = '254'
mark = 0x7FFFFFFF - int(table)
out.append(f'meta mark set {mark}')
if 'tcp_mss' in set_conf:
mss = set_conf['tcp_mss']
out.append(f'tcp option maxseg size set {mss}')
return " ".join(out)
# GeoIP
nftables_geoip_conf = '/run/nftables-geoip.conf'
geoip_database = '/usr/share/vyos-geoip/dbip-country-lite.csv.gz'
geoip_lock_file = '/run/vyos-geoip.lock'
def geoip_load_data(codes=[]):
data = None
if not os.path.exists(geoip_database):
return []
try:
with gzip.open(geoip_database, mode='rt') as csv_fh:
reader = csv.reader(csv_fh)
out = []
for start, end, code in reader:
if code.lower() in codes:
out.append([start, end, code.lower()])
return out
except:
print('Error: Failed to open GeoIP database')
return []
def geoip_download_data():
url = 'https://download.db-ip.com/free/dbip-country-lite-{}.csv.gz'.format(strftime("%Y-%m"))
try:
dirname = os.path.dirname(geoip_database)
if not os.path.exists(dirname):
os.mkdir(dirname)
download(geoip_database, url)
print("Downloaded GeoIP database")
return True
except:
print("Error: Failed to download GeoIP database")
return False
class GeoIPLock(object):
def __init__(self, file):
self.file = file
def __enter__(self):
if os.path.exists(self.file):
return False
Path(self.file).touch()
return True
def __exit__(self, exc_type, exc_value, tb):
os.unlink(self.file)
def geoip_update(firewall, force=False):
with GeoIPLock(geoip_lock_file) as lock:
if not lock:
print("Script is already running")
return False
if not firewall:
print("Firewall is not configured")
return True
if not os.path.exists(geoip_database):
if not geoip_download_data():
return False
elif force:
geoip_download_data()
ipv4_codes = {}
ipv6_codes = {}
ipv4_sets = {}
ipv6_sets = {}
# Map country codes to set names
for codes, path in dict_search_recursive(firewall, 'country_code'):
- set_name = f'GEOIP_CC_{path[1]}_{path[3]}'
- if path[0] == 'name':
+ set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}'
+ if ( path[0] == 'ipv4'):
for code in codes:
ipv4_codes.setdefault(code, []).append(set_name)
- elif path[0] == 'ipv6_name':
+ elif ( path[0] == 'ipv6' ):
+ set_name = f'GEOIP_CC6_{path[1]}_{path[2]}_{path[4]}'
for code in codes:
ipv6_codes.setdefault(code, []).append(set_name)
if not ipv4_codes and not ipv6_codes:
if force:
print("GeoIP not in use by firewall")
return True
geoip_data = geoip_load_data([*ipv4_codes, *ipv6_codes])
# Iterate IP blocks to assign to sets
for start, end, code in geoip_data:
ipv4 = is_ipv4(start)
if code in ipv4_codes and ipv4:
ip_range = f'{start}-{end}' if start != end else start
for setname in ipv4_codes[code]:
ipv4_sets.setdefault(setname, []).append(ip_range)
if code in ipv6_codes and not ipv4:
ip_range = f'{start}-{end}' if start != end else start
for setname in ipv6_codes[code]:
ipv6_sets.setdefault(setname, []).append(ip_range)
render(nftables_geoip_conf, 'firewall/nftables-geoip-update.j2', {
'ipv4_sets': ipv4_sets,
'ipv6_sets': ipv6_sets
})
result = run(f'nft -f {nftables_geoip_conf}')
if result != 0:
print('Error: GeoIP failed to update firewall')
return False
return True
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 6469623fd..e167488c6 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -1,741 +1,742 @@
# Copyright 2019-2023 VyOS maintainers and contributors <maintainers@vyos.io>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see <http://www.gnu.org/licenses/>.
import functools
import os
from jinja2 import Environment
from jinja2 import FileSystemLoader
from jinja2 import ChainableUndefined
from vyos.defaults import directories
from vyos.utils.dict import dict_search_args
from vyos.utils.file import makedir
from vyos.utils.permission import chmod
from vyos.utils.permission import chown
# Holds template filters registered via register_filter()
_FILTERS = {}
_TESTS = {}
# reuse Environments with identical settings to improve performance
@functools.lru_cache(maxsize=2)
def _get_environment(location=None):
if location is None:
loc_loader=FileSystemLoader(directories["templates"])
else:
loc_loader=FileSystemLoader(location)
env = Environment(
# Don't check if template files were modified upon re-rendering
auto_reload=False,
# Cache up to this number of templates for quick re-rendering
cache_size=100,
loader=loc_loader,
trim_blocks=True,
undefined=ChainableUndefined,
extensions=['jinja2.ext.loopcontrols']
)
env.filters.update(_FILTERS)
env.tests.update(_TESTS)
return env
def register_filter(name, func=None):
"""Register a function to be available as filter in templates under given name.
It can also be used as a decorator, see below in this module for examples.
:raise RuntimeError:
when trying to register a filter after a template has been rendered already
:raise ValueError: when trying to register a name which was taken already
"""
if func is None:
return functools.partial(register_filter, name)
if _get_environment.cache_info().currsize:
raise RuntimeError(
"Filters can only be registered before rendering the first template"
)
if name in _FILTERS:
raise ValueError(f"A filter with name {name!r} was registered already")
_FILTERS[name] = func
return func
def register_test(name, func=None):
"""Register a function to be available as test in templates under given name.
It can also be used as a decorator, see below in this module for examples.
:raise RuntimeError:
when trying to register a test after a template has been rendered already
:raise ValueError: when trying to register a name which was taken already
"""
if func is None:
return functools.partial(register_test, name)
if _get_environment.cache_info().currsize:
raise RuntimeError(
"Tests can only be registered before rendering the first template"
)
if name in _TESTS:
raise ValueError(f"A test with name {name!r} was registered already")
_TESTS[name] = func
return func
def render_to_string(template, content, formater=None, location=None):
"""Render a template from the template directory, raise on any errors.
:param template: the path to the template relative to the template folder
:param content: the dictionary of variables to put into rendering context
:param formater:
if given, it has to be a callable the rendered string is passed through
The parsed template files are cached, so rendering the same file multiple times
does not cause as too much overhead.
If used everywhere, it could be changed to load the template from Python
environment variables from an importable Python module generated when the Debian
package is build (recovering the load time and overhead caused by having the
file out of the code).
"""
template = _get_environment(location).get_template(template)
rendered = template.render(content)
if formater is not None:
rendered = formater(rendered)
return rendered
def render(
destination,
template,
content,
formater=None,
permission=None,
user=None,
group=None,
location=None,
):
"""Render a template from the template directory to a file, raise on any errors.
:param destination: path to the file to save the rendered template in
:param permission: permission bitmask to set for the output file
:param user: user to own the output file
:param group: group to own the output file
All other parameters are as for :func:`render_to_string`.
"""
# Create the directory if it does not exist
folder = os.path.dirname(destination)
makedir(folder, user, group)
# As we are opening the file with 'w', we are performing the rendering before
# calling open() to not accidentally erase the file if rendering fails
rendered = render_to_string(template, content, formater, location)
# Write to file
with open(destination, "w") as file:
chmod(file.fileno(), permission)
chown(file.fileno(), user, group)
file.write(rendered)
##################################
# Custom template filters follow #
##################################
@register_filter('force_to_list')
def force_to_list(value):
""" Convert scalars to single-item lists and leave lists untouched """
if isinstance(value, list):
return value
else:
return [value]
@register_filter('seconds_to_human')
def seconds_to_human(seconds, separator=""):
""" Convert seconds to human-readable values like 1d6h15m23s """
from vyos.utils.convert import seconds_to_human
return seconds_to_human(seconds, separator=separator)
@register_filter('bytes_to_human')
def bytes_to_human(bytes, initial_exponent=0, precision=2):
""" Convert bytes to human-readable values like 1.44M """
from vyos.utils.convert import bytes_to_human
return bytes_to_human(bytes, initial_exponent=initial_exponent, precision=precision)
@register_filter('human_to_bytes')
def human_to_bytes(value):
""" Convert a data amount with a unit suffix to bytes, like 2K to 2048 """
from vyos.utils.convert import human_to_bytes
return human_to_bytes(value)
@register_filter('ip_from_cidr')
def ip_from_cidr(prefix):
""" Take an IPv4/IPv6 CIDR host and strip cidr mask.
Example:
192.0.2.1/24 -> 192.0.2.1, 2001:db8::1/64 -> 2001:db8::1
"""
from ipaddress import ip_interface
return str(ip_interface(prefix).ip)
@register_filter('address_from_cidr')
def address_from_cidr(prefix):
""" Take an IPv4/IPv6 CIDR prefix and convert the network to an "address".
Example:
192.0.2.0/24 -> 192.0.2.0, 2001:db8::/48 -> 2001:db8::
"""
from ipaddress import ip_network
return str(ip_network(prefix).network_address)
@register_filter('bracketize_ipv6')
def bracketize_ipv6(address):
""" Place a passed IPv6 address into [] brackets, do nothing for IPv4 """
if is_ipv6(address):
return f'[{address}]'
return address
@register_filter('dot_colon_to_dash')
def dot_colon_to_dash(text):
""" Replace dot and colon to dash for string
Example:
192.0.2.1 => 192-0-2-1, 2001:db8::1 => 2001-db8--1
"""
text = text.replace(":", "-")
text = text.replace(".", "-")
return text
@register_filter('generate_uuid4')
def generate_uuid4(text):
""" Generate random unique ID
Example:
% uuid4()
UUID('958ddf6a-ef14-4e81-8cfb-afb12456d1c5')
"""
from uuid import uuid4
return uuid4()
@register_filter('netmask_from_cidr')
def netmask_from_cidr(prefix):
""" Take CIDR prefix and convert the prefix length to a "subnet mask".
Example:
- 192.0.2.0/24 -> 255.255.255.0
- 2001:db8::/48 -> ffff:ffff:ffff::
"""
from ipaddress import ip_network
return str(ip_network(prefix).netmask)
@register_filter('netmask_from_ipv4')
def netmask_from_ipv4(address):
""" Take IP address and search all attached interface IP addresses for the
given one. After address has been found, return the associated netmask.
Example:
- 172.18.201.10 -> 255.255.255.128
"""
from netifaces import interfaces
from netifaces import ifaddresses
from netifaces import AF_INET
for interface in interfaces():
tmp = ifaddresses(interface)
if AF_INET in tmp:
for af_addr in tmp[AF_INET]:
if 'addr' in af_addr:
if af_addr['addr'] == address:
return af_addr['netmask']
raise ValueError
@register_filter('is_ip_network')
def is_ip_network(addr):
""" Take IP(v4/v6) address and validate if the passed argument is a network
or a host address.
Example:
- 192.0.2.0 -> False
- 192.0.2.10/24 -> False
- 192.0.2.0/24 -> True
- 2001:db8:: -> False
- 2001:db8::100 -> False
- 2001:db8::/48 -> True
- 2001:db8:1000::/64 -> True
"""
try:
from ipaddress import ip_network
# input variables must contain a / to indicate its CIDR notation
if len(addr.split('/')) != 2:
raise ValueError()
ip_network(addr)
return True
except:
return False
@register_filter('network_from_ipv4')
def network_from_ipv4(address):
""" Take IP address and search all attached interface IP addresses for the
given one. After address has been found, return the associated network
address.
Example:
- 172.18.201.10 has mask 255.255.255.128 -> network is 172.18.201.0
"""
netmask = netmask_from_ipv4(address)
from ipaddress import ip_interface
cidr_prefix = ip_interface(f'{address}/{netmask}').network
return address_from_cidr(cidr_prefix)
@register_filter('is_interface')
def is_interface(interface):
""" Check if parameter is a valid local interface name """
return os.path.exists(f'/sys/class/net/{interface}')
@register_filter('is_ip')
def is_ip(addr):
""" Check addr if it is an IPv4 or IPv6 address """
return is_ipv4(addr) or is_ipv6(addr)
@register_filter('is_ipv4')
def is_ipv4(text):
""" Filter IP address, return True on IPv4 address, False otherwise """
from ipaddress import ip_interface
try: return ip_interface(text).version == 4
except: return False
@register_filter('is_ipv6')
def is_ipv6(text):
""" Filter IP address, return True on IPv6 address, False otherwise """
from ipaddress import ip_interface
try: return ip_interface(text).version == 6
except: return False
@register_filter('first_host_address')
def first_host_address(text):
""" Return first usable (host) IP address from given prefix.
Example:
- 10.0.0.0/24 -> 10.0.0.1
- 2001:db8::/64 -> 2001:db8::
"""
from ipaddress import ip_interface
from ipaddress import IPv4Network
from ipaddress import IPv6Network
addr = ip_interface(text)
if addr.version == 4:
return str(addr.ip +1)
return str(addr.ip)
@register_filter('last_host_address')
def last_host_address(text):
""" Return first usable IP address from given prefix.
Example:
- 10.0.0.0/24 -> 10.0.0.254
- 2001:db8::/64 -> 2001:db8::ffff:ffff:ffff:ffff
"""
from ipaddress import ip_interface
from ipaddress import IPv4Network
from ipaddress import IPv6Network
addr = ip_interface(text)
if addr.version == 4:
return str(IPv4Network(addr).broadcast_address - 1)
return str(IPv6Network(addr).broadcast_address)
@register_filter('inc_ip')
def inc_ip(address, increment):
""" Increment given IP address by 'increment'
Example (inc by 2):
- 10.0.0.0/24 -> 10.0.0.2
- 2001:db8::/64 -> 2001:db8::2
"""
from ipaddress import ip_interface
return str(ip_interface(address).ip + int(increment))
@register_filter('dec_ip')
def dec_ip(address, decrement):
""" Decrement given IP address by 'decrement'
Example (inc by 2):
- 10.0.0.0/24 -> 10.0.0.2
- 2001:db8::/64 -> 2001:db8::2
"""
from ipaddress import ip_interface
return str(ip_interface(address).ip - int(decrement))
@register_filter('compare_netmask')
def compare_netmask(netmask1, netmask2):
"""
Compare two IP netmask if they have the exact same size.
compare_netmask('10.0.0.0/8', '20.0.0.0/8') -> True
compare_netmask('10.0.0.0/8', '20.0.0.0/16') -> False
"""
from ipaddress import ip_network
try:
return ip_network(netmask1).netmask == ip_network(netmask2).netmask
except:
return False
@register_filter('isc_static_route')
def isc_static_route(subnet, router):
# https://ercpe.de/blog/pushing-static-routes-with-isc-dhcp-server
# Option format is:
# <netmask>, <network-byte1>, <network-byte2>, <network-byte3>, <router-byte1>, <router-byte2>, <router-byte3>
# where bytes with the value 0 are omitted.
from ipaddress import ip_network
net = ip_network(subnet)
# add netmask
string = str(net.prefixlen) + ','
# add network bytes
if net.prefixlen:
width = net.prefixlen // 8
if net.prefixlen % 8:
width += 1
string += ','.join(map(str,tuple(net.network_address.packed)[:width])) + ','
# add router bytes
string += ','.join(router.split('.'))
return string
@register_filter('is_file')
def is_file(filename):
if os.path.exists(filename):
return os.path.isfile(filename)
return False
@register_filter('get_dhcp_router')
def get_dhcp_router(interface):
""" Static routes can point to a router received by a DHCP reply. This
helper is used to get the current default router from the DHCP reply.
Returns False of no router is found, returns the IP address as string if
a router is found.
"""
lease_file = directories['isc_dhclient_dir'] + f'/dhclient_{interface}.leases'
if not os.path.exists(lease_file):
return None
from vyos.utils.file import read_file
for line in read_file(lease_file).splitlines():
if 'option routers' in line:
(_, _, address) = line.split()
return address.rstrip(';')
@register_filter('natural_sort')
def natural_sort(iterable):
import re
from jinja2.runtime import Undefined
if isinstance(iterable, Undefined) or iterable is None:
return list()
def convert(text):
return int(text) if text.isdigit() else text.lower()
def alphanum_key(key):
return [convert(c) for c in re.split('([0-9]+)', str(key))]
return sorted(iterable, key=alphanum_key)
@register_filter('get_ipv4')
def get_ipv4(interface):
""" Get interface IPv4 addresses"""
from vyos.ifconfig import Interface
return Interface(interface).get_addr_v4()
@register_filter('get_ipv6')
def get_ipv6(interface):
""" Get interface IPv6 addresses"""
from vyos.ifconfig import Interface
return Interface(interface).get_addr_v6()
@register_filter('get_ip')
def get_ip(interface):
""" Get interface IP addresses"""
from vyos.ifconfig import Interface
return Interface(interface).get_addr()
def get_first_ike_dh_group(ike_group):
if ike_group and 'proposal' in ike_group:
for priority, proposal in ike_group['proposal'].items():
if 'dh_group' in proposal:
return 'dh-group' + proposal['dh_group']
return 'dh-group2' # Fallback on dh-group2
@register_filter('get_esp_ike_cipher')
def get_esp_ike_cipher(group_config, ike_group=None):
pfs_lut = {
'dh-group1' : 'modp768',
'dh-group2' : 'modp1024',
'dh-group5' : 'modp1536',
'dh-group14' : 'modp2048',
'dh-group15' : 'modp3072',
'dh-group16' : 'modp4096',
'dh-group17' : 'modp6144',
'dh-group18' : 'modp8192',
'dh-group19' : 'ecp256',
'dh-group20' : 'ecp384',
'dh-group21' : 'ecp521',
'dh-group22' : 'modp1024s160',
'dh-group23' : 'modp2048s224',
'dh-group24' : 'modp2048s256',
'dh-group25' : 'ecp192',
'dh-group26' : 'ecp224',
'dh-group27' : 'ecp224bp',
'dh-group28' : 'ecp256bp',
'dh-group29' : 'ecp384bp',
'dh-group30' : 'ecp512bp',
'dh-group31' : 'curve25519',
'dh-group32' : 'curve448'
}
ciphers = []
if 'proposal' in group_config:
for priority, proposal in group_config['proposal'].items():
# both encryption and hash need to be specified for a proposal
if not {'encryption', 'hash'} <= set(proposal):
continue
tmp = '{encryption}-{hash}'.format(**proposal)
if 'prf' in proposal:
tmp += '-' + proposal['prf']
if 'dh_group' in proposal:
tmp += '-' + pfs_lut[ 'dh-group' + proposal['dh_group'] ]
elif 'pfs' in group_config and group_config['pfs'] != 'disable':
group = group_config['pfs']
if group_config['pfs'] == 'enable':
group = get_first_ike_dh_group(ike_group)
tmp += '-' + pfs_lut[group]
ciphers.append(tmp)
return ciphers
@register_filter('get_uuid')
def get_uuid(interface):
""" Get interface IP addresses"""
from uuid import uuid1
return uuid1()
openvpn_translate = {
'des': 'des-cbc',
'3des': 'des-ede3-cbc',
'bf128': 'bf-cbc',
'bf256': 'bf-cbc',
'aes128gcm': 'aes-128-gcm',
'aes128': 'aes-128-cbc',
'aes192gcm': 'aes-192-gcm',
'aes192': 'aes-192-cbc',
'aes256gcm': 'aes-256-gcm',
'aes256': 'aes-256-cbc'
}
@register_filter('openvpn_cipher')
def get_openvpn_cipher(cipher):
if cipher in openvpn_translate:
return openvpn_translate[cipher].upper()
return cipher.upper()
@register_filter('openvpn_ncp_ciphers')
def get_openvpn_ncp_ciphers(ciphers):
out = []
for cipher in ciphers:
if cipher in openvpn_translate:
out.append(openvpn_translate[cipher])
else:
out.append(cipher)
return ':'.join(out).upper()
@register_filter('snmp_auth_oid')
def snmp_auth_oid(type):
if type not in ['md5', 'sha', 'aes', 'des', 'none']:
raise ValueError()
OIDs = {
'md5' : '.1.3.6.1.6.3.10.1.1.2',
'sha' : '.1.3.6.1.6.3.10.1.1.3',
'aes' : '.1.3.6.1.6.3.10.1.2.4',
'des' : '.1.3.6.1.6.3.10.1.2.2',
'none': '.1.3.6.1.6.3.10.1.2.1'
}
return OIDs[type]
@register_filter('nft_action')
def nft_action(vyos_action):
if vyos_action == 'accept':
return 'return'
return vyos_action
@register_filter('nft_rule')
-def nft_rule(rule_conf, fw_name, rule_id, ip_name='ip'):
+def nft_rule(rule_conf, fw_hook, fw_name, rule_id, ip_name='ip'):
from vyos.firewall import parse_rule
- return parse_rule(rule_conf, fw_name, rule_id, ip_name)
+ return parse_rule(rule_conf, fw_hook, fw_name, rule_id, ip_name)
@register_filter('nft_default_rule')
def nft_default_rule(fw_conf, fw_name, ipv6=False):
output = ['counter']
default_action = fw_conf['default_action']
if 'enable_default_log' in fw_conf:
action_suffix = default_action[:1].upper()
output.append(f'log prefix "[{fw_name[:19]}-default-{action_suffix}]"')
- output.append(nft_action(default_action))
+ #output.append(nft_action(default_action))
+ output.append(f'{default_action}')
if 'default_jump_target' in fw_conf:
target = fw_conf['default_jump_target']
def_suffix = '6' if ipv6 else ''
output.append(f'NAME{def_suffix}_{target}')
output.append(f'comment "{fw_name} default-action {default_action}"')
return " ".join(output)
@register_filter('nft_state_policy')
def nft_state_policy(conf, state):
out = [f'ct state {state}']
if 'log' in conf and 'enable' in conf['log']:
log_state = state[:3].upper()
log_action = (conf['action'] if 'action' in conf else 'accept')[:1].upper()
out.append(f'log prefix "[STATE-POLICY-{log_state}-{log_action}]"')
if 'log_level' in conf:
log_level = conf['log_level']
out.append(f'level {log_level}')
out.append('counter')
if 'action' in conf:
out.append(conf['action'])
return " ".join(out)
@register_filter('nft_intra_zone_action')
def nft_intra_zone_action(zone_conf, ipv6=False):
if 'intra_zone_filtering' in zone_conf:
intra_zone = zone_conf['intra_zone_filtering']
fw_name = 'ipv6_name' if ipv6 else 'name'
name_prefix = 'NAME6_' if ipv6 else 'NAME_'
if 'action' in intra_zone:
if intra_zone['action'] == 'accept':
return 'return'
return intra_zone['action']
elif dict_search_args(intra_zone, 'firewall', fw_name):
name = dict_search_args(intra_zone, 'firewall', fw_name)
return f'jump {name_prefix}{name}'
return 'return'
@register_filter('nft_nested_group')
def nft_nested_group(out_list, includes, groups, key):
if not vyos_defined(out_list):
out_list = []
def add_includes(name):
if key in groups[name]:
for item in groups[name][key]:
if item in out_list:
continue
out_list.append(item)
if 'include' in groups[name]:
for name_inc in groups[name]['include']:
add_includes(name_inc)
for name in includes:
add_includes(name)
return out_list
@register_filter('nat_rule')
def nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
from vyos.nat import parse_nat_rule
return parse_nat_rule(rule_conf, rule_id, nat_type, ipv6)
@register_filter('nat_static_rule')
def nat_static_rule(rule_conf, rule_id, nat_type):
from vyos.nat import parse_nat_static_rule
return parse_nat_static_rule(rule_conf, rule_id, nat_type)
@register_filter('range_to_regex')
def range_to_regex(num_range):
"""Convert range of numbers or list of ranges
to regex
% range_to_regex('11-12')
'(1[1-2])'
% range_to_regex(['11-12', '14-15'])
'(1[1-2]|1[4-5])'
"""
from vyos.range_regex import range_to_regex
if isinstance(num_range, list):
data = []
for entry in num_range:
if '-' not in entry:
data.append(entry)
else:
data.append(range_to_regex(entry))
return f'({"|".join(data)})'
if '-' not in num_range:
return num_range
regex = range_to_regex(num_range)
return f'({regex})'
@register_test('vyos_defined')
def vyos_defined(value, test_value=None, var_type=None):
"""
Jinja2 plugin to test if a variable is defined and not none - vyos_defined
will test value if defined and is not none and return true or false.
If test_value is supplied, the value must also pass == test_value to return true.
If var_type is supplied, the value must also be of the specified class/type
Examples:
1. Test if var is defined and not none:
{% if foo is vyos_defined %}
...
{% endif %}
2. Test if variable is defined, not none and has value "something"
{% if bar is vyos_defined("something") %}
...
{% endif %}
Parameters
----------
value : any
Value to test from ansible
test_value : any, optional
Value to test in addition of defined and not none, by default None
var_type : ['float', 'int', 'str', 'list', 'dict', 'tuple', 'bool'], optional
Type or Class to test for
Returns
-------
boolean
True if variable matches criteria, False in other cases.
Implementation inspired and re-used from https://github.com/aristanetworks/ansible-avd/
"""
from jinja2 import Undefined
if isinstance(value, Undefined) or value is None:
# Invalid value - return false
return False
elif test_value is not None and value != test_value:
# Valid value but not matching the optional argument
return False
elif str(var_type).lower() in ['float', 'int', 'str', 'list', 'dict', 'tuple', 'bool'] and str(var_type).lower() != type(value).__name__:
# Invalid class - return false
return False
else:
# Valid value and is matching optional argument if provided - return true
return True
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 0c56c2c93..7a13f396f 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -1,567 +1,531 @@
#!/usr/bin/env python3
#
# Copyright (C) 2021-2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import unittest
from glob import glob
from time import sleep
from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.configsession import ConfigSessionError
from vyos.utils.process import cmd
from vyos.utils.process import run
sysfs_config = {
'all_ping': {'sysfs': '/proc/sys/net/ipv4/icmp_echo_ignore_all', 'default': '0', 'test_value': 'disable'},
'broadcast_ping': {'sysfs': '/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts', 'default': '1', 'test_value': 'enable'},
'ip_src_route': {'sysfs': '/proc/sys/net/ipv4/conf/*/accept_source_route', 'default': '0', 'test_value': 'enable'},
'ipv6_receive_redirects': {'sysfs': '/proc/sys/net/ipv6/conf/*/accept_redirects', 'default': '0', 'test_value': 'enable'},
'ipv6_src_route': {'sysfs': '/proc/sys/net/ipv6/conf/*/accept_source_route', 'default': '-1', 'test_value': 'enable'},
'log_martians': {'sysfs': '/proc/sys/net/ipv4/conf/all/log_martians', 'default': '1', 'test_value': 'disable'},
'receive_redirects': {'sysfs': '/proc/sys/net/ipv4/conf/*/accept_redirects', 'default': '0', 'test_value': 'enable'},
'send_redirects': {'sysfs': '/proc/sys/net/ipv4/conf/*/send_redirects', 'default': '1', 'test_value': 'disable'},
'syn_cookies': {'sysfs': '/proc/sys/net/ipv4/tcp_syncookies', 'default': '1', 'test_value': 'disable'},
'twa_hazards_protection': {'sysfs': '/proc/sys/net/ipv4/tcp_rfc1337', 'default': '0', 'test_value': 'enable'}
}
class TestFirewall(VyOSUnitTestSHIM.TestCase):
@classmethod
def setUpClass(cls):
super(TestFirewall, cls).setUpClass()
# ensure we can also run this test on a live system - so lets clean
# out the current configuration :)
cls.cli_delete(cls, ['firewall'])
@classmethod
def tearDownClass(cls):
super(TestFirewall, cls).tearDownClass()
def tearDown(self):
self.cli_delete(['firewall'])
self.cli_commit()
# Verify chains/sets are cleaned up from nftables
nftables_search = [
['set M_smoketest_mac'],
['set N_smoketest_network'],
['set P_smoketest_port'],
['set D_smoketest_domain'],
['set RECENT_smoketest_4'],
['chain NAME_smoketest']
]
self.verify_nftables(nftables_search, 'ip vyos_filter', inverse=True)
def verify_nftables(self, nftables_search, table, inverse=False, args=''):
nftables_output = cmd(f'sudo nft {args} list table {table}')
for search in nftables_search:
matched = False
for line in nftables_output.split("\n"):
if all(item in line for item in search):
matched = True
break
self.assertTrue(not matched if inverse else matched, msg=search)
def wait_for_domain_resolver(self, table, set_name, element, max_wait=10):
# Resolver no longer blocks commit, need to wait for daemon to populate set
count = 0
while count < max_wait:
code = run(f'sudo nft get element {table} {set_name} {{ {element} }}')
if code == 0:
return True
count += 1
sleep(1)
return False
def test_geoip(self):
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'action', 'drop'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'gb'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'de'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'fr'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'inverse-match'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'gb'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'de'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'fr'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'inverse-match'])
self.cli_commit()
nftables_search = [
- ['ip saddr @GEOIP_CC_smoketest_1', 'drop'],
- ['ip saddr != @GEOIP_CC_smoketest_2', 'return']
+ ['ip saddr @GEOIP_CC_name_smoketest_1', 'drop'],
+ ['ip saddr != @GEOIP_CC_name_smoketest_2', 'accept']
]
# -t prevents 1000+ GeoIP elements being returned
self.verify_nftables(nftables_search, 'ip vyos_filter', args='-t')
def test_groups(self):
hostmap_path = ['system', 'static-host-mapping', 'host-name']
example_org = ['192.0.2.8', '192.0.2.10', '192.0.2.11']
self.cli_set(hostmap_path + ['example.com', 'inet', '192.0.2.5'])
for ips in example_org:
self.cli_set(hostmap_path + ['example.org', 'inet', ips])
self.cli_commit()
self.cli_set(['firewall', 'group', 'mac-group', 'smoketest_mac', 'mac-address', '00:01:02:03:04:05'])
self.cli_set(['firewall', 'group', 'network-group', 'smoketest_network', 'network', '172.16.99.0/24'])
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port', 'port', '53'])
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port', 'port', '123'])
self.cli_set(['firewall', 'group', 'domain-group', 'smoketest_domain', 'address', 'example.com'])
self.cli_set(['firewall', 'group', 'domain-group', 'smoketest_domain', 'address', 'example.org'])
self.cli_set(['firewall', 'group', 'interface-group', 'smoketest_interface', 'interface', 'eth0'])
self.cli_set(['firewall', 'group', 'interface-group', 'smoketest_interface', 'interface', 'vtun0'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'source', 'group', 'domain-group', 'smoketest_domain'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '4', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '4', 'outbound-interface', 'interface-group', 'smoketest_interface'])
-
- self.cli_set(['firewall', 'interface', 'eth0', 'in', 'name', 'smoketest'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'destination', 'address', '172.16.10.10'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'protocol', 'tcp_udp'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '2', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'source', 'group', 'domain-group', 'smoketest_domain'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'outbound-interface', 'interface-group', 'smoketest_interface'])
self.cli_commit()
self.wait_for_domain_resolver('ip vyos_filter', 'D_smoketest_domain', '192.0.2.5')
nftables_search = [
- ['iifname "eth0"', 'jump NAME_smoketest'],
- ['ip saddr @N_smoketest_network', 'ip daddr 172.16.10.10', 'th dport @P_smoketest_port', 'return'],
+ ['ip saddr @N_smoketest_network', 'ip daddr 172.16.10.10', 'th dport @P_smoketest_port', 'accept'],
['elements = { 172.16.99.0/24 }'],
['elements = { 53, 123 }'],
- ['ether saddr @M_smoketest_mac', 'return'],
+ ['ether saddr @M_smoketest_mac', 'accept'],
['elements = { 00:01:02:03:04:05 }'],
['set D_smoketest_domain'],
['elements = { 192.0.2.5, 192.0.2.8,'],
['192.0.2.10, 192.0.2.11 }'],
- ['ip saddr @D_smoketest_domain', 'return'],
- ['oifname @I_smoketest_interface', 'return']
+ ['ip saddr @D_smoketest_domain', 'accept'],
+ ['oifname @I_smoketest_interface', 'accept']
]
self.verify_nftables(nftables_search, 'ip vyos_filter')
self.cli_delete(['system', 'static-host-mapping'])
self.cli_commit()
def test_nested_groups(self):
self.cli_set(['firewall', 'group', 'network-group', 'smoketest_network', 'network', '172.16.99.0/24'])
self.cli_set(['firewall', 'group', 'network-group', 'smoketest_network1', 'network', '172.16.101.0/24'])
self.cli_set(['firewall', 'group', 'network-group', 'smoketest_network1', 'include', 'smoketest_network'])
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port', 'port', '53'])
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port1', 'port', '123'])
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port1', 'include', 'smoketest_port'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network1'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port1'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
-
- self.cli_set(['firewall', 'interface', 'eth0', 'in', 'name', 'smoketest'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network1'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port1'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
self.cli_commit()
# Test circular includes
self.cli_set(['firewall', 'group', 'network-group', 'smoketest_network', 'include', 'smoketest_network1'])
with self.assertRaises(ConfigSessionError):
self.cli_commit()
self.cli_delete(['firewall', 'group', 'network-group', 'smoketest_network', 'include', 'smoketest_network1'])
nftables_search = [
- ['iifname "eth0"', 'jump NAME_smoketest'],
- ['ip saddr @N_smoketest_network1', 'th dport @P_smoketest_port1', 'return'],
+ ['ip saddr @N_smoketest_network1', 'th dport @P_smoketest_port1', 'accept'],
['elements = { 172.16.99.0/24, 172.16.101.0/24 }'],
['elements = { 53, 123 }']
]
self.verify_nftables(nftables_search, 'ip vyos_filter')
def test_ipv4_basic_rules(self):
name = 'smoketest'
interface = 'eth0'
interface_wc = 'l2tp*'
mss_range = '501-1460'
conn_mark = '555'
- self.cli_set(['firewall', 'name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'name', name, 'enable-default-log'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'log', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'log-options', 'level', 'debug'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'ttl', 'eq', '15'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'action', 'reject'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'destination', 'port', '8888'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'log', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'log-options', 'level', 'err'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'ttl', 'gt', '102'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'destination', 'port', '22'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'limit', 'rate', '5/minute'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'log', 'disable'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'action', 'drop'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'destination', 'port', '22'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'recent', 'count', '10'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'recent', 'time', 'minute'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'packet-type', 'host'])
- self.cli_set(['firewall', 'name', name, 'rule', '5', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '5', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'name', name, 'rule', '5', 'tcp', 'flags', 'syn'])
- self.cli_set(['firewall', 'name', name, 'rule', '5', 'tcp', 'mss', mss_range])
- self.cli_set(['firewall', 'name', name, 'rule', '5', 'packet-type', 'broadcast'])
- self.cli_set(['firewall', 'name', name, 'rule', '5', 'inbound-interface', 'interface-name', interface])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'action', 'return'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'protocol', 'gre'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'outbound-interface', 'interface-name', interface])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'connection-mark', conn_mark])
-
- self.cli_set(['firewall', 'interface', interface, 'in', 'name', name])
- self.cli_set(['firewall', 'interface', interface_wc, 'in', 'name', name])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log-options', 'level', 'debug'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'ttl', 'eq', '15'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'reject'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'destination', 'port', '8888'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log-options', 'level', 'err'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'ttl', 'gt', '102'])
+
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'destination', 'port', '22'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'limit', 'rate', '5/minute'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'log', 'disable'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'destination', 'port', '22'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'recent', 'count', '10'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'recent', 'time', 'minute'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'packet-type', 'host'])
+
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'tcp', 'flags', 'syn'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'tcp', 'mss', mss_range])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'packet-type', 'broadcast'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'inbound-interface', 'interface-name', interface])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'action', 'return'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'protocol', 'gre'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'connection-mark', conn_mark])
+
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'default-action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'protocol', 'gre'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'outbound-interface', 'interface-name', interface_wc])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'action', 'return'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'protocol', 'icmp'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'connection-mark', conn_mark])
self.cli_commit()
mark_hex = "{0:#010x}".format(int(conn_mark))
nftables_search = [
- [f'iifname "{interface}"', f'jump NAME_{name}'],
- [f'iifname "{interface_wc}"', f'jump NAME_{name}'],
- ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" log level debug', 'ip ttl 15', 'return'],
+ ['chain VYOS_FORWARD_filter'],
+ ['type filter hook forward priority filter; policy drop;'],
+ ['tcp dport 22', 'limit rate 5/minute', 'accept'],
+ ['tcp dport 22', 'add @RECENT_FWD_filter_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'meta pkttype host', 'drop'],
+ ['chain VYOS_INPUT_filter'],
+ ['type filter hook input priority filter; policy accept;'],
+ ['tcp flags & syn == syn', f'tcp option maxseg size {mss_range}', f'iifname "{interface}"', 'meta pkttype broadcast', 'accept'],
+ ['meta l4proto gre', f'ct mark {mark_hex}', 'return'],
+ ['chain VYOS_OUTPUT_filter'],
+ ['type filter hook output priority filter; policy accept;'],
+ ['meta l4proto gre', f'oifname "{interface_wc}"', 'drop'],
+ ['meta l4proto icmp', f'ct mark {mark_hex}', 'return'],
+ ['chain NAME_smoketest'],
+ ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" log level debug', 'ip ttl 15', 'accept'],
['tcp flags syn / syn,ack', 'tcp dport 8888', 'log prefix "[smoketest-2-R]" log level err', 'ip ttl > 102', 'reject'],
- ['tcp dport 22', 'limit rate 5/minute', 'return'],
- ['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop'],
- ['tcp dport 22', 'add @RECENT_smoketest_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'meta pkttype host', 'drop'],
- ['tcp flags & syn == syn', f'tcp option maxseg size {mss_range}', f'iifname "{interface}"', 'meta pkttype broadcast'],
- ['meta l4proto gre', f'oifname "{interface}"', f'ct mark {mark_hex}', 'return']
+ ['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop']
]
self.verify_nftables(nftables_search, 'ip vyos_filter')
def test_ipv4_advanced(self):
name = 'smoketest-adv'
name2 = 'smoketest-adv2'
interface = 'eth0'
- self.cli_set(['firewall', 'name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'name', name, 'enable-default-log'])
-
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'packet-length', '64'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'packet-length', '512'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'packet-length', '1024'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'dscp', '17'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'dscp', '52'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'log', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'group', '66'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000'])
-
- self.cli_set(['firewall', 'name', name, 'rule', '7', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '7', 'packet-length', '1-30000'])
- self.cli_set(['firewall', 'name', name, 'rule', '7', 'packet-length-exclude', '60000-65535'])
- self.cli_set(['firewall', 'name', name, 'rule', '7', 'dscp', '3-11'])
- self.cli_set(['firewall', 'name', name, 'rule', '7', 'dscp-exclude', '21-25'])
-
- self.cli_set(['firewall', 'name', name2, 'default-action', 'jump'])
- self.cli_set(['firewall', 'name', name2, 'default-jump-target', name])
- self.cli_set(['firewall', 'name', name2, 'enable-default-log'])
- self.cli_set(['firewall', 'name', name2, 'rule', '1', 'source', 'address', '198.51.100.1'])
- self.cli_set(['firewall', 'name', name2, 'rule', '1', 'action', 'jump'])
- self.cli_set(['firewall', 'name', name2, 'rule', '1', 'jump-target', name])
-
- self.cli_set(['firewall', 'name', name2, 'rule', '2', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'name', name2, 'rule', '2', 'action', 'queue'])
- self.cli_set(['firewall', 'name', name2, 'rule', '2', 'queue', '3'])
- self.cli_set(['firewall', 'name', name2, 'rule', '3', 'protocol', 'udp'])
- self.cli_set(['firewall', 'name', name2, 'rule', '3', 'action', 'queue'])
- self.cli_set(['firewall', 'name', name2, 'rule', '3', 'queue-options', 'fanout'])
- self.cli_set(['firewall', 'name', name2, 'rule', '3', 'queue-options', 'bypass'])
- self.cli_set(['firewall', 'name', name2, 'rule', '3', 'queue', '0-15'])
-
- self.cli_set(['firewall', 'interface', interface, 'in', 'name', name])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log'])
+
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '64'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '512'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '1024'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'dscp', '17'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'dscp', '52'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'group', '66'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000'])
+
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'packet-length', '1-30000'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'packet-length-exclude', '60000-65535'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp', '3-11'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp-exclude', '21-25'])
+
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name])
+
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'action', 'queue'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'queue', '3'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'protocol', 'udp'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'action', 'queue'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue-options', 'fanout'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue-options', 'bypass'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue', '0-15'])
self.cli_commit()
nftables_search = [
- [f'iifname "{interface}"', f'jump NAME_{name}'],
- ['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', f'log prefix "[{name}-6-A]" log group 66 snaplen 6666 queue-threshold 32000', 'return'],
- ['ip length 1-30000', 'ip length != 60000-65535', 'ip dscp 0x03-0x0b', 'ip dscp != 0x15-0x19', 'return'],
- [f'log prefix "[{name}-default-D]"', 'drop'],
+ ['chain VYOS_FORWARD_filter'],
+ ['type filter hook forward priority filter; policy drop;'],
['ip saddr 198.51.100.1', f'jump NAME_{name}'],
- [f'log prefix "[{name2}-default-J]"', f'jump NAME_{name}'],
+ ['chain VYOS_INPUT_filter'],
+ ['type filter hook input priority filter; policy accept;'],
[f'meta l4proto tcp','queue to 3'],
- [f'meta l4proto udp','queue flags bypass,fanout to 0-15']
+ [f'meta l4proto udp','queue flags bypass,fanout to 0-15'],
+ [f'chain NAME_{name}'],
+ ['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', f'log prefix "[{name}-6-A]" log group 66 snaplen 6666 queue-threshold 32000', 'accept'],
+ ['ip length 1-30000', 'ip length != 60000-65535', 'ip dscp 0x03-0x0b', 'ip dscp != 0x15-0x19', 'accept'],
+ [f'log prefix "[{name}-default-D]"', 'drop']
]
self.verify_nftables(nftables_search, 'ip vyos_filter')
def test_ipv4_mask(self):
name = 'smoketest-mask'
interface = 'eth0'
self.cli_set(['firewall', 'group', 'address-group', 'mask_group', 'address', '1.1.1.1'])
- self.cli_set(['firewall', 'name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'name', name, 'enable-default-log'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'action', 'drop'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'destination', 'address', '0.0.1.2'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'destination', 'address-mask', '0.0.255.255'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address', '0.0.1.2'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address-mask', '0.0.255.255'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'source', 'address', '!0.0.3.4'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'source', 'address-mask', '0.0.255.255'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'source', 'address', '!0.0.3.4'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'source', 'address-mask', '0.0.255.255'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'action', 'drop'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'source', 'address-mask', '0.0.255.255'])
-
- self.cli_set(['firewall', 'interface', interface, 'in', 'name', name])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'source', 'address-mask', '0.0.255.255'])
self.cli_commit()
nftables_search = [
[f'daddr & 0.0.255.255 == 0.0.1.2'],
[f'saddr & 0.0.255.255 != 0.0.3.4'],
[f'saddr & 0.0.255.255 == @A_mask_group']
]
self.verify_nftables(nftables_search, 'ip vyos_filter')
def test_ipv6_basic_rules(self):
name = 'v6-smoketest'
interface = 'eth0'
- self.cli_set(['firewall', 'ipv6-name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'ipv6-name', name, 'enable-default-log'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'source', 'address', '2002::1'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'destination', 'address', '2002::1:1'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'log', 'enable'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'log-options', 'level', 'crit'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'source', 'address', '2002::1'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address', '2002::1:1'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log', 'enable'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log-options', 'level', 'crit'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'action', 'reject'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'protocol', 'tcp_udp'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'destination', 'port', '8888'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'inbound-interface', 'interface-name', interface])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'default-action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'action', 'reject'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'protocol', 'tcp_udp'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'destination', 'port', '8888'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'inbound-interface', 'interface-name', interface])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'action', 'return'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'protocol', 'gre'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'outbound-interface', 'interface-name', interface])
+ self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'action', 'return'])
+ self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'protocol', 'gre'])
+ self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'outbound-interface', 'interface-name', interface])
- self.cli_set(['firewall', 'interface', interface, 'in', 'ipv6-name', name])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'protocol', 'udp'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'source', 'address', '2002::1:2'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'inbound-interface', 'interface-name', interface])
self.cli_commit()
nftables_search = [
- [f'iifname "{interface}"', f'jump NAME6_{name}'],
- ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[v6-smoketest-1-A]" log level crit', 'return'],
+ ['chain VYOS_IPV6_FORWARD_filter'],
+ ['type filter hook forward priority filter; policy accept;'],
['meta l4proto { tcp, udp }', 'th dport 8888', f'iifname "{interface}"', 'reject'],
+ ['chain VYOS_IPV6_INPUT_filter'],
+ ['type filter hook input priority filter; policy accept;'],
+ ['meta l4proto udp', 'ip6 saddr 2002::1:2', f'iifname "{interface}"', 'accept'],
+ ['chain VYOS_IPV6_OUTPUT_filter'],
+ ['type filter hook output priority filter; policy drop;'],
['meta l4proto gre', f'oifname "{interface}"', 'return'],
- ['smoketest default-action', f'log prefix "[{name}-default-D]"', 'drop']
+ [f'chain NAME6_{name}'],
+ ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[v6-smoketest-1-A]" log level crit', 'accept'],
+ [f'"{name} default-action drop"', f'log prefix "[{name}-default-D]"', 'drop']
]
self.verify_nftables(nftables_search, 'ip6 vyos_filter')
def test_ipv6_advanced(self):
name = 'v6-smoketest-adv'
name2 = 'v6-smoketest-adv2'
interface = 'eth0'
- self.cli_set(['firewall', 'ipv6-name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'ipv6-name', name, 'enable-default-log'])
-
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'action', 'accept'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'packet-length', '65'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'packet-length', '513'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'packet-length', '1025'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'dscp', '18'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'dscp', '53'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'action', 'accept'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'packet-length', '1-1999'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'packet-length-exclude', '60000-65535'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'dscp', '4-14'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'dscp-exclude', '31-35'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'packet-length', '65'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'packet-length', '513'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'packet-length', '1025'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'dscp', '18'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'dscp', '53'])
- self.cli_set(['firewall', 'ipv6-name', name2, 'default-action', 'jump'])
- self.cli_set(['firewall', 'ipv6-name', name2, 'default-jump-target', name])
- self.cli_set(['firewall', 'ipv6-name', name2, 'enable-default-log'])
- self.cli_set(['firewall', 'ipv6-name', name2, 'rule', '1', 'source', 'address', '2001:db8::/64'])
- self.cli_set(['firewall', 'ipv6-name', name2, 'rule', '1', 'action', 'jump'])
- self.cli_set(['firewall', 'ipv6-name', name2, 'rule', '1', 'jump-target', name])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'packet-length', '1-1999'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'packet-length-exclude', '60000-65535'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'dscp', '4-14'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'dscp-exclude', '31-35'])
- self.cli_set(['firewall', 'interface', interface, 'in', 'ipv6-name', name])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'default-action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'source', 'address', '2001:db8::/64'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'action', 'jump'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'jump-target', name])
self.cli_commit()
nftables_search = [
- [f'iifname "{interface}"', f'jump NAME6_{name}'],
- ['ip6 length { 65, 513, 1025 }', 'ip6 dscp { af21, 0x35 }', 'return'],
- ['ip6 length 1-1999', 'ip6 length != 60000-65535', 'ip6 dscp 0x04-0x0e', 'ip6 dscp != 0x1f-0x23', 'return'],
- [f'log prefix "[{name}-default-D]"', 'drop'],
+ ['chain VYOS_IPV6_FORWARD_filter'],
+ ['type filter hook forward priority filter; policy accept;'],
+ ['ip6 length 1-1999', 'ip6 length != 60000-65535', 'ip6 dscp 0x04-0x0e', 'ip6 dscp != 0x1f-0x23', 'accept'],
+ ['chain VYOS_IPV6_INPUT_filter'],
+ ['type filter hook input priority filter; policy accept;'],
['ip6 saddr 2001:db8::/64', f'jump NAME6_{name}'],
- [f'log prefix "[{name2}-default-J]"', f'jump NAME6_{name}']
+ [f'chain NAME6_{name}'],
+ ['ip6 length { 65, 513, 1025 }', 'ip6 dscp { af21, 0x35 }', 'accept'],
+ [f'log prefix "[{name}-default-D]"', 'drop']
]
self.verify_nftables(nftables_search, 'ip6 vyos_filter')
def test_ipv6_mask(self):
name = 'v6-smoketest-mask'
interface = 'eth0'
self.cli_set(['firewall', 'group', 'ipv6-address-group', 'mask_group', 'address', '::beef'])
- self.cli_set(['firewall', 'ipv6-name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'ipv6-name', name, 'enable-default-log'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'action', 'drop'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'destination', 'address', '::1111:2222:3333:4444'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'destination', 'address-mask', '::ffff:ffff:ffff:ffff'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address', '::1111:2222:3333:4444'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address-mask', '::ffff:ffff:ffff:ffff'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'action', 'accept'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'source', 'address', '!::aaaa:bbbb:cccc:dddd'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'source', 'address-mask', '::ffff:ffff:ffff:ffff'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '2', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '2', 'source', 'address', '!::aaaa:bbbb:cccc:dddd'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '2', 'source', 'address-mask', '::ffff:ffff:ffff:ffff'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'action', 'drop'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'source', 'address-mask', '::ffff:ffff:ffff:ffff'])
-
- self.cli_set(['firewall', 'interface', interface, 'in', 'ipv6-name', name])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'source', 'address-mask', '::ffff:ffff:ffff:ffff'])
self.cli_commit()
nftables_search = [
['daddr & ::ffff:ffff:ffff:ffff == ::1111:2222:3333:4444'],
['saddr & ::ffff:ffff:ffff:ffff != ::aaaa:bbbb:cccc:dddd'],
['saddr & ::ffff:ffff:ffff:ffff == @A6_mask_group']
]
self.verify_nftables(nftables_search, 'ip6 vyos_filter')
- def test_state_policy(self):
- self.cli_set(['firewall', 'state-policy', 'established', 'action', 'accept'])
- self.cli_set(['firewall', 'state-policy', 'related', 'action', 'accept'])
- self.cli_set(['firewall', 'state-policy', 'invalid', 'action', 'drop'])
-
- self.cli_commit()
-
- chains = {
- 'ip vyos_filter': ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL'],
- 'ip6 vyos_filter': ['VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL']
- }
-
- for table in ['ip vyos_filter', 'ip6 vyos_filter']:
- for chain in chains[table]:
- nftables_output = cmd(f'sudo nft list chain {table} {chain}')
- self.assertTrue('jump VYOS_STATE_POLICY' in nftables_output)
-
def test_ipv4_state_and_status_rules(self):
name = 'smoketest-state'
interface = 'eth0'
- self.cli_set(['firewall', 'name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'state', 'established', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'state', 'related', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'action', 'reject'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'state', 'invalid', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'state', 'new', 'enable'])
-
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'state', 'new', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'state', 'established', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source'])
-
- self.cli_set(['firewall', 'interface', interface, 'in', 'name', name])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'established', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'related', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'reject'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'state', 'invalid', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'state', 'new', 'enable'])
+
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'new', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'established', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source'])
self.cli_commit()
nftables_search = [
- [f'iifname "{interface}"', f'jump NAME_{name}'],
- ['ct state { established, related }', 'return'],
+ ['ct state { established, related }', 'accept'],
['ct state invalid', 'reject'],
- ['ct state new', 'ct status dnat', 'return'],
- ['ct state { established, new }', 'ct status snat', 'return'],
+ ['ct state new', 'ct status dnat', 'accept'],
+ ['ct state { established, new }', 'ct status snat', 'accept'],
['drop', f'comment "{name} default-action drop"']
]
self.verify_nftables(nftables_search, 'ip vyos_filter')
def test_sysfs(self):
for name, conf in sysfs_config.items():
paths = glob(conf['sysfs'])
for path in paths:
with open(path, 'r') as f:
self.assertEqual(f.read().strip(), conf['default'], msg=path)
- self.cli_set(['firewall', name.replace("_", "-"), conf['test_value']])
+ self.cli_set(['firewall', 'global-options', name.replace("_", "-"), conf['test_value']])
self.cli_commit()
for name, conf in sysfs_config.items():
paths = glob(conf['sysfs'])
for path in paths:
with open(path, 'r') as f:
self.assertNotEqual(f.read().strip(), conf['default'], msg=path)
- def test_zone_basic(self):
- self.cli_set(['firewall', 'name', 'smoketest', 'default-action', 'drop'])
- self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'interface', 'eth0'])
- self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'from', 'smoketest-local', 'firewall', 'name', 'smoketest'])
- self.cli_set(['firewall', 'zone', 'smoketest-local', 'local-zone'])
- self.cli_set(['firewall', 'zone', 'smoketest-local', 'from', 'smoketest-eth0', 'firewall', 'name', 'smoketest'])
-
- self.cli_commit()
-
- nftables_search = [
- ['chain VZONE_smoketest-eth0'],
- ['chain VZONE_smoketest-local_IN'],
- ['chain VZONE_smoketest-local_OUT'],
- ['oifname "eth0"', 'jump VZONE_smoketest-eth0'],
- ['jump VZONE_smoketest-local_IN'],
- ['jump VZONE_smoketest-local_OUT'],
- ['iifname "eth0"', 'jump NAME_smoketest'],
- ['oifname "eth0"', 'jump NAME_smoketest']
- ]
-
- nftables_output = cmd('sudo nft list table ip vyos_filter')
-
- for search in nftables_search:
- matched = False
- for line in nftables_output.split("\n"):
- if all(item in line for item in search):
- matched = True
- break
- self.assertTrue(matched)
-
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 7242e503a..7c09dfe9b 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -1,498 +1,466 @@
#!/usr/bin/env python3
#
# Copyright (C) 2021-2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import re
from glob import glob
from json import loads
from sys import exit
from vyos.base import Warning
from vyos.config import Config
+from vyos.configdict import dict_merge
from vyos.configdict import node_changed
from vyos.configdiff import get_config_diff, Diff
from vyos.configdep import set_dependents, call_dependents
# from vyos.configverify import verify_interface_exists
from vyos.firewall import fqdn_config_parse
from vyos.firewall import geoip_update
from vyos.template import render
from vyos.utils.process import call
from vyos.utils.process import cmd
from vyos.utils.dict import dict_search_args
from vyos.utils.dict import dict_search_recursive
from vyos.utils.process import process_named_running
from vyos.utils.process import rc_cmd
+from vyos.xml import defaults
from vyos import ConfigError
from vyos import airbag
airbag.enable()
nat_conf_script = 'nat.py'
policy_route_conf_script = 'policy-route.py'
nftables_conf = '/run/nftables.conf'
sysfs_config = {
'all_ping': {'sysfs': '/proc/sys/net/ipv4/icmp_echo_ignore_all', 'enable': '0', 'disable': '1'},
'broadcast_ping': {'sysfs': '/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts', 'enable': '0', 'disable': '1'},
'ip_src_route': {'sysfs': '/proc/sys/net/ipv4/conf/*/accept_source_route'},
'ipv6_receive_redirects': {'sysfs': '/proc/sys/net/ipv6/conf/*/accept_redirects'},
'ipv6_src_route': {'sysfs': '/proc/sys/net/ipv6/conf/*/accept_source_route', 'enable': '0', 'disable': '-1'},
'log_martians': {'sysfs': '/proc/sys/net/ipv4/conf/all/log_martians'},
'receive_redirects': {'sysfs': '/proc/sys/net/ipv4/conf/*/accept_redirects'},
'send_redirects': {'sysfs': '/proc/sys/net/ipv4/conf/*/send_redirects'},
'source_validation': {'sysfs': '/proc/sys/net/ipv4/conf/*/rp_filter', 'disable': '0', 'strict': '1', 'loose': '2'},
'syn_cookies': {'sysfs': '/proc/sys/net/ipv4/tcp_syncookies'},
'twa_hazards_protection': {'sysfs': '/proc/sys/net/ipv4/tcp_rfc1337'}
}
valid_groups = [
'address_group',
'domain_group',
'network_group',
'port_group',
'interface_group'
]
nested_group_types = [
'address_group', 'network_group', 'mac_group',
'port_group', 'ipv6_address_group', 'ipv6_network_group'
]
snmp_change_type = {
'unknown': 0,
'add': 1,
'delete': 2,
'change': 3
}
snmp_event_source = 1
snmp_trap_mib = 'VYATTA-TRAP-MIB'
snmp_trap_name = 'mgmtEventTrap'
def geoip_updated(conf, firewall):
diff = get_config_diff(conf)
node_diff = diff.get_child_nodes_diff(['firewall'], expand_nodes=Diff.DELETE, recursive=True)
out = {
'name': [],
'ipv6_name': [],
'deleted_name': [],
'deleted_ipv6_name': []
}
updated = False
for key, path in dict_search_recursive(firewall, 'geoip'):
- set_name = f'GEOIP_CC_{path[1]}_{path[3]}'
- if path[0] == 'name':
+ set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}'
+ if (path[0] == 'ipv4'):
out['name'].append(set_name)
- elif path[0] == 'ipv6_name':
+ elif (path[0] == 'ipv6'):
+ set_name = f'GEOIP_CC6_{path[1]}_{path[2]}_{path[4]}'
out['ipv6_name'].append(set_name)
+
updated = True
if 'delete' in node_diff:
for key, path in dict_search_recursive(node_diff['delete'], 'geoip'):
- set_name = f'GEOIP_CC_{path[1]}_{path[3]}'
- if path[0] == 'name':
+ set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}'
+ if (path[0] == 'ipv4'):
out['deleted_name'].append(set_name)
- elif path[0] == 'ipv6-name':
+ elif (path[0] == 'ipv6'):
+ set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}'
out['deleted_ipv6_name'].append(set_name)
updated = True
if updated:
return out
return False
def get_config(config=None):
if config:
conf = config
else:
conf = Config()
base = ['firewall']
firewall = conf.get_config_dict(base, key_mangling=('-', '_'),
no_tag_node_value_mangle=True,
get_first_key=True,
with_recursive_defaults=True)
- firewall['group_resync'] = bool('group' in firewall or node_changed(conf, base + ['group']))
+ # We have gathered the dict representation of the CLI, but there are
+ # default options which we need to update into the dictionary retrived.
+ # XXX: T2665: we currently have no nice way for defaults under tag
+ # nodes, thus we load the defaults "by hand"
+ default_values = defaults(base)
+
+ for family in ['ipv4', 'ipv6']:
+ for tmp in ['name', 'forward', 'input', 'output', 'prerouting']:
+ if tmp in default_values[family]:
+ del default_values[family][tmp]
+
+
+ firewall = dict_merge(default_values, firewall)
+
+ # Merge in defaults for IPv4 ruleset
+ if 'name' in firewall['ipv4']:
+ default_values = defaults(base + ['ipv4'] + ['name'])
+ for name in firewall['ipv4']['name']:
+ firewall['ipv4']['name'][name] = dict_merge(default_values,
+ firewall['ipv4']['name'][name])
+ for hook in ['forward', 'input', 'output', 'prerouting']:
+ if hook in firewall['ipv4']:
+ for priority in ['filter', 'mangle', 'raw']:
+ if priority in firewall['ipv4'][hook]:
+ default_values = defaults(base + ['ipv4'] + [hook] + [priority])
+ firewall['ipv4'][hook][priority] = dict_merge(default_values,
+ firewall['ipv4'][hook][priority])
+
+ # Merge in defaults for IPv6 ruleset
+ if 'name' in firewall['ipv6']:
+ default_values = defaults(base + ['ipv6'] + ['name'])
+ for ipv6_name in firewall['ipv6']['name']:
+ firewall['ipv6']['name'][ipv6_name] = dict_merge(default_values,
+ firewall['ipv6']['name'][ipv6_name])
+ for hook in ['forward', 'input', 'output', 'prerouting']:
+ if hook in firewall['ipv6']:
+ for priority in ['filter', 'mangle', 'raw']:
+ if priority in firewall['ipv6'][hook]:
+ default_values = defaults(base + ['ipv6'] + [hook] + [priority])
+ firewall['ipv6'][hook][priority] = dict_merge(default_values,
+ firewall['ipv6'][hook][priority])
+ firewall['group_resync'] = bool('group' in firewall or node_changed(conf, base + ['group']))
if firewall['group_resync']:
# Update nat and policy-route as firewall groups were updated
set_dependents('group_resync', conf)
- if 'config_trap' in firewall and firewall['config_trap'] == 'enable':
- diff = get_config_diff(conf)
- firewall['trap_diff'] = diff.get_child_nodes_diff_str(base)
- firewall['trap_targets'] = conf.get_config_dict(['service', 'snmp', 'trap-target'],
- key_mangling=('-', '_'), get_first_key=True,
- no_tag_node_value_mangle=True)
-
firewall['geoip_updated'] = geoip_updated(conf, firewall)
fqdn_config_parse(firewall)
return firewall
def verify_rule(firewall, rule_conf, ipv6):
if 'action' not in rule_conf:
raise ConfigError('Rule action must be defined')
if 'jump' in rule_conf['action'] and 'jump_target' not in rule_conf:
raise ConfigError('Action set to jump, but no jump-target specified')
if 'jump_target' in rule_conf:
if 'jump' not in rule_conf['action']:
raise ConfigError('jump-target defined, but action jump needed and it is not defined')
target = rule_conf['jump_target']
if not ipv6:
- if target not in dict_search_args(firewall, 'name'):
+ if target not in dict_search_args(firewall, 'ipv4', 'name'):
raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system')
else:
- if target not in dict_search_args(firewall, 'ipv6_name'):
- raise ConfigError(f'Invalid jump-target. Firewall ipv6-name {target} does not exist on the system')
+ if target not in dict_search_args(firewall, 'ipv6', 'name'):
+ raise ConfigError(f'Invalid jump-target. Firewall ipv6 name {target} does not exist on the system')
if 'queue_options' in rule_conf:
if 'queue' not in rule_conf['action']:
raise ConfigError('queue-options defined, but action queue needed and it is not defined')
if 'fanout' in rule_conf['queue_options'] and ('queue' not in rule_conf or '-' not in rule_conf['queue']):
raise ConfigError('queue-options fanout defined, then queue needs to be defined as a range')
if 'queue' in rule_conf and 'queue' not in rule_conf['action']:
raise ConfigError('queue defined, but action queue needed and it is not defined')
if 'fragment' in rule_conf:
if {'match_frag', 'match_non_frag'} <= set(rule_conf['fragment']):
raise ConfigError('Cannot specify both "match-frag" and "match-non-frag"')
if 'limit' in rule_conf:
if 'rate' in rule_conf['limit']:
rate_int = re.sub(r'\D', '', rule_conf['limit']['rate'])
if int(rate_int) < 1:
raise ConfigError('Limit rate integer cannot be less than 1')
if 'ipsec' in rule_conf:
if {'match_ipsec', 'match_non_ipsec'} <= set(rule_conf['ipsec']):
raise ConfigError('Cannot specify both "match-ipsec" and "match-non-ipsec"')
if 'recent' in rule_conf:
if not {'count', 'time'} <= set(rule_conf['recent']):
raise ConfigError('Recent "count" and "time" values must be defined')
tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
if tcp_flags:
if dict_search_args(rule_conf, 'protocol') != 'tcp':
raise ConfigError('Protocol must be tcp when specifying tcp flags')
not_flags = dict_search_args(rule_conf, 'tcp', 'flags', 'not')
if not_flags:
duplicates = [flag for flag in tcp_flags if flag in not_flags]
if duplicates:
raise ConfigError(f'Cannot match a tcp flag as set and not set')
if 'protocol' in rule_conf:
if rule_conf['protocol'] == 'icmp' and ipv6:
raise ConfigError(f'Cannot match IPv4 ICMP protocol on IPv6, use ipv6-icmp')
if rule_conf['protocol'] == 'ipv6-icmp' and not ipv6:
raise ConfigError(f'Cannot match IPv6 ICMP protocol on IPv4, use icmp')
for side in ['destination', 'source']:
if side in rule_conf:
side_conf = rule_conf[side]
if len({'address', 'fqdn', 'geoip'} & set(side_conf)) > 1:
raise ConfigError('Only one of address, fqdn or geoip can be specified')
if 'group' in side_conf:
if len({'address_group', 'network_group', 'domain_group'} & set(side_conf['group'])) > 1:
raise ConfigError('Only one address-group, network-group or domain-group can be specified')
for group in valid_groups:
if group in side_conf['group']:
group_name = side_conf['group'][group]
fw_group = f'ipv6_{group}' if ipv6 and group in ['address_group', 'network_group'] else group
error_group = fw_group.replace("_", "-")
if group in ['address_group', 'network_group', 'domain_group']:
types = [t for t in ['address', 'fqdn', 'geoip'] if t in side_conf]
if types:
raise ConfigError(f'{error_group} and {types[0]} cannot both be defined')
if group_name and group_name[0] == '!':
group_name = group_name[1:]
group_obj = dict_search_args(firewall, 'group', fw_group, group_name)
if group_obj is None:
raise ConfigError(f'Invalid {error_group} "{group_name}" on firewall rule')
if not group_obj:
Warning(f'{error_group} "{group_name}" has no members!')
if 'port' in side_conf or dict_search_args(side_conf, 'group', 'port_group'):
if 'protocol' not in rule_conf:
raise ConfigError('Protocol must be defined if specifying a port or port-group')
if rule_conf['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
raise ConfigError('Protocol must be tcp, udp, or tcp_udp when specifying a port or port-group')
if 'port' in side_conf and dict_search_args(side_conf, 'group', 'port_group'):
raise ConfigError(f'{side} port-group and port cannot both be defined')
if 'log_options' in rule_conf:
if 'log' not in rule_conf or 'enable' not in rule_conf['log']:
raise ConfigError('log-options defined, but log is not enable')
if 'snapshot_length' in rule_conf['log_options'] and 'group' not in rule_conf['log_options']:
raise ConfigError('log-options snapshot-length defined, but log group is not define')
if 'queue_threshold' in rule_conf['log_options'] and 'group' not in rule_conf['log_options']:
raise ConfigError('log-options queue-threshold defined, but log group is not define')
def verify_nested_group(group_name, group, groups, seen):
if 'include' not in group:
return
seen.append(group_name)
for g in group['include']:
if g not in groups:
raise ConfigError(f'Nested group "{g}" does not exist')
if g in seen:
raise ConfigError(f'Group "{group_name}" has a circular reference')
if 'include' in groups[g]:
verify_nested_group(g, groups[g], groups, seen)
def verify(firewall):
- if 'config_trap' in firewall and firewall['config_trap'] == 'enable':
- if not firewall['trap_targets']:
- raise ConfigError(f'Firewall config-trap enabled but "service snmp trap-target" is not defined')
-
if 'group' in firewall:
for group_type in nested_group_types:
if group_type in firewall['group']:
groups = firewall['group'][group_type]
for group_name, group in groups.items():
verify_nested_group(group_name, group, groups, [])
- for name in ['name', 'ipv6_name']:
- if name in firewall:
- for name_id, name_conf in firewall[name].items():
- if 'jump' in name_conf['default_action'] and 'default_jump_target' not in name_conf:
- raise ConfigError('default-action set to jump, but no default-jump-target specified')
- if 'default_jump_target' in name_conf:
- target = name_conf['default_jump_target']
- if 'jump' not in name_conf['default_action']:
- raise ConfigError('default-jump-target defined,but default-action jump needed and it is not defined')
- if name_conf['default_jump_target'] == name_id:
- raise ConfigError(f'Loop detected on default-jump-target.')
- ## Now need to check that default-jump-target exists (other firewall chain/name)
- if target not in dict_search_args(firewall, name):
- raise ConfigError(f'Invalid jump-target. Firewall {name} {target} does not exist on the system')
-
- if 'rule' in name_conf:
- for rule_id, rule_conf in name_conf['rule'].items():
- verify_rule(firewall, rule_conf, name == 'ipv6_name')
-
- if 'interface' in firewall:
- for ifname, if_firewall in firewall['interface'].items():
- # verify ifname needs to be disabled, dynamic devices come up later
- # verify_interface_exists(ifname)
-
- for direction in ['in', 'out', 'local']:
- name = dict_search_args(if_firewall, direction, 'name')
- ipv6_name = dict_search_args(if_firewall, direction, 'ipv6_name')
-
- if name and dict_search_args(firewall, 'name', name) == None:
- raise ConfigError(f'Invalid firewall name "{name}" referenced on interface {ifname}')
-
- if ipv6_name and dict_search_args(firewall, 'ipv6_name', ipv6_name) == None:
- raise ConfigError(f'Invalid firewall ipv6-name "{ipv6_name}" referenced on interface {ifname}')
-
- local_zone = False
- zone_interfaces = []
-
- if 'zone' in firewall:
- for zone, zone_conf in firewall['zone'].items():
- if 'local_zone' not in zone_conf and 'interface' not in zone_conf:
- raise ConfigError(f'Zone "{zone}" has no interfaces and is not the local zone')
-
- if 'local_zone' in zone_conf:
- if local_zone:
- raise ConfigError('There cannot be multiple local zones')
- if 'interface' in zone_conf:
- raise ConfigError('Local zone cannot have interfaces assigned')
- if 'intra_zone_filtering' in zone_conf:
- raise ConfigError('Local zone cannot use intra-zone-filtering')
- local_zone = True
-
- if 'interface' in zone_conf:
- found_duplicates = [intf for intf in zone_conf['interface'] if intf in zone_interfaces]
-
- if found_duplicates:
- raise ConfigError(f'Interfaces cannot be assigned to multiple zones')
-
- zone_interfaces += zone_conf['interface']
-
- if 'intra_zone_filtering' in zone_conf:
- intra_zone = zone_conf['intra_zone_filtering']
-
- if len(intra_zone) > 1:
- raise ConfigError('Only one intra-zone-filtering action must be specified')
-
- if 'firewall' in intra_zone:
- v4_name = dict_search_args(intra_zone, 'firewall', 'name')
- if v4_name and not dict_search_args(firewall, 'name', v4_name):
- raise ConfigError(f'Firewall name "{v4_name}" does not exist')
-
- v6_name = dict_search_args(intra_zone, 'firewall', 'ipv6_name')
- if v6_name and not dict_search_args(firewall, 'ipv6_name', v6_name):
- raise ConfigError(f'Firewall ipv6-name "{v6_name}" does not exist')
-
- if not v4_name and not v6_name:
- raise ConfigError('No firewall names specified for intra-zone-filtering')
-
- if 'from' in zone_conf:
- for from_zone, from_conf in zone_conf['from'].items():
- if from_zone not in firewall['zone']:
- raise ConfigError(f'Zone "{zone}" refers to a non-existent or deleted zone "{from_zone}"')
-
- v4_name = dict_search_args(from_conf, 'firewall', 'name')
- if v4_name and not dict_search_args(firewall, 'name', v4_name):
- raise ConfigError(f'Firewall name "{v4_name}" does not exist')
-
- v6_name = dict_search_args(from_conf, 'firewall', 'ipv6_name')
- if v6_name and not dict_search_args(firewall, 'ipv6_name', v6_name):
- raise ConfigError(f'Firewall ipv6-name "{v6_name}" does not exist')
+ if 'ipv4' in firewall:
+ for name in ['name','forward','input','output']:
+ if name in firewall['ipv4']:
+ for name_id, name_conf in firewall['ipv4'][name].items():
+ if 'jump' in name_conf['default_action'] and 'default_jump_target' not in name_conf:
+ raise ConfigError('default-action set to jump, but no default-jump-target specified')
+ if 'default_jump_target' in name_conf:
+ target = name_conf['default_jump_target']
+ if 'jump' not in name_conf['default_action']:
+ raise ConfigError('default-jump-target defined, but default-action jump needed and it is not defined')
+ if name_conf['default_jump_target'] == name_id:
+ raise ConfigError(f'Loop detected on default-jump-target.')
+ ## Now need to check that default-jump-target exists (other firewall chain/name)
+ if target not in dict_search_args(firewall['ipv4'], 'name'):
+ raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system')
+
+ if 'rule' in name_conf:
+ for rule_id, rule_conf in name_conf['rule'].items():
+ verify_rule(firewall, rule_conf, False)
+
+ if 'ipv6' in firewall:
+ for name in ['name','forward','input','output']:
+ if name in firewall['ipv6']:
+ for name_id, name_conf in firewall['ipv6'][name].items():
+ if 'jump' in name_conf['default_action'] and 'default_jump_target' not in name_conf:
+ raise ConfigError('default-action set to jump, but no default-jump-target specified')
+ if 'default_jump_target' in name_conf:
+ target = name_conf['default_jump_target']
+ if 'jump' not in name_conf['default_action']:
+ raise ConfigError('default-jump-target defined, but default-action jump needed and it is not defined')
+ if name_conf['default_jump_target'] == name_id:
+ raise ConfigError(f'Loop detected on default-jump-target.')
+ ## Now need to check that default-jump-target exists (other firewall chain/name)
+ if target not in dict_search_args(firewall['ipv6'], 'name'):
+ raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system')
+
+ if 'rule' in name_conf:
+ for rule_id, rule_conf in name_conf['rule'].items():
+ verify_rule(firewall, rule_conf, True)
return None
def generate(firewall):
if not os.path.exists(nftables_conf):
firewall['first_install'] = True
- if 'zone' in firewall:
- for local_zone, local_zone_conf in firewall['zone'].items():
- if 'local_zone' not in local_zone_conf:
- continue
-
- local_zone_conf['from_local'] = {}
-
- for zone, zone_conf in firewall['zone'].items():
- if zone == local_zone or 'from' not in zone_conf:
- continue
- if local_zone in zone_conf['from']:
- local_zone_conf['from_local'][zone] = zone_conf['from'][local_zone]
-
render(nftables_conf, 'firewall/nftables.j2', firewall)
return None
def apply_sysfs(firewall):
for name, conf in sysfs_config.items():
paths = glob(conf['sysfs'])
value = None
- if name in firewall:
- conf_value = firewall[name]
-
+ if name in firewall['global_options']:
+ conf_value = firewall['global_options'][name]
if conf_value in conf:
value = conf[conf_value]
elif conf_value == 'enable':
value = '1'
elif conf_value == 'disable':
value = '0'
if value:
for path in paths:
with open(path, 'w') as f:
f.write(value)
def post_apply_trap(firewall):
if 'first_install' in firewall:
return None
- if 'config_trap' not in firewall or firewall['config_trap'] != 'enable':
- return None
-
if not process_named_running('snmpd'):
return None
trap_username = os.getlogin()
for host, target_conf in firewall['trap_targets'].items():
community = target_conf['community'] if 'community' in target_conf else 'public'
port = int(target_conf['port']) if 'port' in target_conf else 162
base_cmd = f'snmptrap -v2c -c {community} {host}:{port} 0 {snmp_trap_mib}::{snmp_trap_name} '
for change_type, changes in firewall['trap_diff'].items():
for path_str, value in changes.items():
objects = [
f'mgmtEventUser s "{trap_username}"',
f'mgmtEventSource i {snmp_event_source}',
f'mgmtEventType i {snmp_change_type[change_type]}'
]
if change_type == 'add':
objects.append(f'mgmtEventCurrCfg s "{path_str} {value}"')
elif change_type == 'delete':
objects.append(f'mgmtEventPrevCfg s "{path_str} {value}"')
elif change_type == 'change':
objects.append(f'mgmtEventPrevCfg s "{path_str} {value[0]}"')
objects.append(f'mgmtEventCurrCfg s "{path_str} {value[1]}"')
cmd(base_cmd + ' '.join(objects))
def apply(firewall):
install_result, output = rc_cmd(f'nft -f {nftables_conf}')
if install_result == 1:
raise ConfigError(f'Failed to apply firewall: {output}')
apply_sysfs(firewall)
if firewall['group_resync']:
call_dependents()
# T970 Enable a resolver (systemd daemon) that checks
# domain-group/fqdn addresses and update entries for domains by timeout
# If router loaded without internet connection or for synchronization
domain_action = 'stop'
if dict_search_args(firewall, 'group', 'domain_group') or firewall['ip_fqdn'] or firewall['ip6_fqdn']:
domain_action = 'restart'
call(f'systemctl {domain_action} vyos-domain-resolver.service')
if firewall['geoip_updated']:
# Call helper script to Update set contents
if 'name' in firewall['geoip_updated'] or 'ipv6_name' in firewall['geoip_updated']:
print('Updating GeoIP. Please wait...')
geoip_update(firewall)
post_apply_trap(firewall)
return None
if __name__ == '__main__':
try:
c = get_config()
verify(c)
generate(c)
apply(c)
except ConfigError as e:
print(e)
exit(1)
diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11
new file mode 100755
index 000000000..716c5a240
--- /dev/null
+++ b/src/migration-scripts/firewall/10-to-11
@@ -0,0 +1,374 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# T5160: Firewall re-writing
+
+# cli changes from:
+# set firewall name <name> ...
+# set firewall ipv6-name <name> ...
+# To
+# set firewall ipv4 name <name>
+# set firewall ipv6 name <name>
+
+## Also from 'firewall interface' removed.
+## in and out:
+ # set firewall interface <iface> [in|out] [name | ipv6-name] <name>
+ # To
+ # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> [inbound-interface | outboubd-interface] interface-name <iface>
+ # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> action jump
+ # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> jump-target <name>
+## local:
+ # set firewall interface <iface> local [name | ipv6-name] <name>
+ # To
+ # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> inbound-interface interface-name <iface>
+ # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> action jump
+ # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> jump-target <name>
+
+import re
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+from vyos.ifconfig import Section
+
+if len(argv) < 2:
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['firewall']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+### Migration of state policies
+if config.exists(base + ['state-policy']):
+ for family in ['ipv4', 'ipv6']:
+ for hook in ['forward', 'input', 'output']:
+ for priority in ['filter']:
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + [family, hook, priority, 'default-action'], value='accept')
+ position = 1
+ for state in config.list_nodes(base + ['state-policy']):
+ action = config.return_value(base + ['state-policy', state, 'action'])
+ config.set(base + [family, hook, priority, 'rule'])
+ config.set_tag(base + [family, hook, priority, 'rule'])
+ config.set(base + [family, hook, priority, 'rule', position, 'state', state], value='enable')
+ config.set(base + [family, hook, priority, 'rule', position, 'action'], value=action)
+ position = position + 1
+ config.delete(base + ['state-policy'])
+
+## migration of global options:
+for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv6-receive-redirects', 'ipv6-src-route', 'log-martians',
+ 'receive-redirects', 'resolver-cache', 'resolver-internal', 'send-redirects', 'source-validation', 'syn-cookies', 'twa-hazards-protection']:
+ if config.exists(base + [option]):
+ if option != 'config-trap':
+ val = config.return_value(base + [option])
+ config.set(base + ['global-options', option], value=val)
+ config.delete(base + [option])
+
+### Migration of firewall name and ipv6-name
+if config.exists(base + ['name']):
+ config.set(['firewall', 'ipv4', 'name'])
+ config.set_tag(['firewall', 'ipv4', 'name'])
+
+ for ipv4name in config.list_nodes(base + ['name']):
+ config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name])
+ config.delete(base + ['name'])
+
+if config.exists(base + ['ipv6-name']):
+ config.set(['firewall', 'ipv6', 'name'])
+ config.set_tag(['firewall', 'ipv6', 'name'])
+
+ for ipv6name in config.list_nodes(base + ['ipv6-name']):
+ config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'name', ipv6name])
+ config.delete(base + ['ipv6-name'])
+
+### Migration of firewall interface
+if config.exists(base + ['interface']):
+ fwd_ipv4_rule = 5
+ inp_ipv4_rule = 5
+ fwd_ipv6_rule = 5
+ inp_ipv6_rule = 5
+ for iface in config.list_nodes(base + ['interface']):
+ for direction in ['in', 'out', 'local']:
+ if config.exists(base + ['interface', iface, direction]):
+ if config.exists(base + ['interface', iface, direction, 'name']):
+ target = config.return_value(base + ['interface', iface, direction, 'name'])
+ if direction == 'in':
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
+ new_base = base + ['ipv4', 'forward', 'filter', 'rule']
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.set(new_base + [fwd_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface)
+ config.set(new_base + [fwd_ipv4_rule, 'action'], value='jump')
+ config.set(new_base + [fwd_ipv4_rule, 'jump-target'], value=target)
+ fwd_ipv4_rule = fwd_ipv4_rule + 5
+ elif direction == 'out':
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
+ new_base = base + ['ipv4', 'forward', 'filter', 'rule']
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.set(new_base + [fwd_ipv4_rule, 'outbound-interface', 'interface-name'], value=iface)
+ config.set(new_base + [fwd_ipv4_rule, 'action'], value='jump')
+ config.set(new_base + [fwd_ipv4_rule, 'jump-target'], value=target)
+ fwd_ipv4_rule = fwd_ipv4_rule + 5
+ else:
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept')
+ new_base = base + ['ipv4', 'input', 'filter', 'rule']
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.set(new_base + [inp_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface)
+ config.set(new_base + [inp_ipv4_rule, 'action'], value='jump')
+ config.set(new_base + [inp_ipv4_rule, 'jump-target'], value=target)
+ inp_ipv4_rule = inp_ipv4_rule + 5
+
+ if config.exists(base + ['interface', iface, direction, 'ipv6-name']):
+ target = config.return_value(base + ['interface', iface, direction, 'ipv6-name'])
+ if direction == 'in':
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept')
+ new_base = base + ['ipv6', 'forward', 'filter', 'rule']
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.set(new_base + [fwd_ipv6_rule, 'inbound-interface', 'interface-name'], value=iface)
+ config.set(new_base + [fwd_ipv6_rule, 'action'], value='jump')
+ config.set(new_base + [fwd_ipv6_rule, 'jump-target'], value=target)
+ fwd_ipv6_rule = fwd_ipv6_rule + 5
+ elif direction == 'out':
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept')
+ new_base = base + ['ipv6', 'forward', 'filter', 'rule']
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.set(new_base + [fwd_ipv6_rule, 'outbound-interface', 'interface-name'], value=iface)
+ config.set(new_base + [fwd_ipv6_rule, 'action'], value='jump')
+ config.set(new_base + [fwd_ipv6_rule, 'jump-target'], value=target)
+ fwd_ipv6_rule = fwd_ipv6_rule + 5
+ else:
+ new_base = base + ['ipv6', 'input', 'filter', 'rule']
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept')
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.set(new_base + [inp_ipv6_rule, 'inbound-interface', 'interface-name'], value=iface)
+ config.set(new_base + [inp_ipv6_rule, 'action'], value='jump')
+ config.set(new_base + [inp_ipv6_rule, 'jump-target'], value=target)
+ inp_ipv6_rule = inp_ipv6_rule + 5
+
+ config.delete(base + ['interface'])
+
+
+### Migration of zones:
+### User interface groups
+if config.exists(base + ['zone']):
+ inp_ipv4_rule = 101
+ inp_ipv6_rule = 101
+ fwd_ipv4_rule = 101
+ fwd_ipv6_rule = 101
+ out_ipv4_rule = 101
+ out_ipv6_rule = 101
+ local_zone = 'False'
+
+ for zone in config.list_nodes(base + ['zone']):
+ if config.exists(base + ['zone', zone, 'local-zone']):
+ local_zone = 'True'
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept')
+ config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept')
+ config.set(base + ['ipv4', 'output', 'filter', 'default-action'], value='accept')
+ config.set(base + ['ipv6', 'output', 'filter', 'default-action'], value='accept')
+ for from_zone in config.list_nodes(base + ['zone', zone, 'from']):
+ group_name = 'IG_' + from_zone
+ if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']):
+ # ipv4 input ruleset
+ target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name'])
+ config.set(base + ['ipv4', 'input', 'filter', 'rule'])
+ config.set_tag(base + ['ipv4', 'input', 'filter', 'rule'])
+ config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value='jump')
+ config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
+ inp_ipv4_rule = inp_ipv4_rule + 5
+ if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']):
+ # ipv6 input ruleset
+ target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name'])
+ config.set(base + ['ipv6', 'input', 'filter', 'rule'])
+ config.set_tag(base + ['ipv6', 'input', 'filter', 'rule'])
+ config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value='jump')
+ config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'jump-target'], value=target_ipv6_chain)
+ inp_ipv6_rule = inp_ipv6_rule + 5
+
+ # Migrate: set firewall zone <zone> default-action <action>
+ # Options: drop or reject. If not specified, is drop
+ if config.exists(base + ['zone', zone, 'default-action']):
+ local_def_action = config.return_value(base + ['zone', zone, 'default-action'])
+ else:
+ local_def_action = 'drop'
+ config.set(base + ['ipv4', 'input', 'filter', 'rule'])
+ config.set_tag(base + ['ipv4', 'input', 'filter', 'rule'])
+ config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value=local_def_action)
+ config.set(base + ['ipv6', 'input', 'filter', 'rule'])
+ config.set_tag(base + ['ipv6', 'input', 'filter', 'rule'])
+ config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value=local_def_action)
+ if config.exists(base + ['zone', zone, 'enable-default-log']):
+ config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'log'], value='enable')
+ config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'log'], value='enable')
+
+ else:
+ # It's not a local zone
+ group_name = 'IG_' + zone
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
+ config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept')
+ # intra-filtering migration. By default accept
+ intra_zone_ipv4_action = 'accept'
+ intra_zone_ipv6_action = 'accept'
+
+ if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'action']):
+ intra_zone_ipv4_action = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'action'])
+ intra_zone_ipv6_action = intra_zone_ipv4_action
+ else:
+ if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']):
+ intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name'])
+ intra_zone_ipv4_action = 'jump'
+ if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']):
+ intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name'])
+ intra_zone_ipv6_action = 'jump'
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
+ config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=intra_zone_ipv4_action)
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule'])
+ config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule'])
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value=intra_zone_ipv6_action)
+ if intra_zone_ipv4_action == 'jump':
+ if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']):
+ intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name'])
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=intra_zone_ipv4_target)
+ if intra_zone_ipv6_action == 'jump':
+ if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']):
+ intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name'])
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'jump-target'], value=intra_zone_ipv6_target)
+ fwd_ipv4_rule = fwd_ipv4_rule + 5
+ fwd_ipv6_rule = fwd_ipv6_rule + 5
+
+ if config.exists(base + ['zone', zone, 'interface']):
+ # Create interface group IG_<zone>
+ group_name = 'IG_' + zone
+ config.set(base + ['group', 'interface-group'], value=group_name)
+ config.set_tag(base + ['group', 'interface-group'])
+ for iface in config.return_values(base + ['zone', zone, 'interface']):
+ config.set(base + ['group', 'interface-group', group_name, 'interface'], value=iface, replace=False)
+
+ if config.exists(base + ['zone', zone, 'from']):
+ for from_zone in config.list_nodes(base + ['zone', zone, 'from']):
+ from_group = 'IG_' + from_zone
+ if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']):
+ target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name'])
+ if config.exists(base + ['zone', from_zone, 'local-zone']):
+ # It's from LOCAL zone -> Output filtering
+ config.set(base + ['ipv4', 'output', 'filter', 'rule'])
+ config.set_tag(base + ['ipv4', 'output', 'filter', 'rule'])
+ config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value='jump')
+ config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
+ out_ipv4_rule = out_ipv4_rule + 5
+ else:
+ # It's not LOCAL zone -> forward filtering
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
+ config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=from_group)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value='jump')
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
+ fwd_ipv4_rule = fwd_ipv4_rule + 5
+ if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']):
+ target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name'])
+ if config.exists(base + ['zone', from_zone, 'local-zone']):
+ # It's from LOCAL zone -> Output filtering
+ config.set(base + ['ipv6', 'output', 'filter', 'rule'])
+ config.set_tag(base + ['ipv6', 'output', 'filter', 'rule'])
+ config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value='jump')
+ config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'jump-target'], value=target_ipv6_chain)
+ out_ipv6_rule = out_ipv6_rule + 5
+ else:
+ # It's not LOCAL zone -> forward filtering
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule'])
+ config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule'])
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=from_group)
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value='jump')
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'jump-target'], value=target_ipv6_chain)
+ fwd_ipv6_rule = fwd_ipv6_rule + 5
+
+ ## Now need to migrate: set firewall zone <zone> default-action <action> # action=drop if not specified.
+ if config.exists(base + ['zone', zone, 'default-action']):
+ def_action = config.return_value(base + ['zone', zone, 'default-action'])
+ else:
+ def_action = 'drop'
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
+ config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=def_action)
+ description = 'zone_' + zone + ' default-action'
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'description'], value=description)
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule'])
+ config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule'])
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value=def_action)
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'description'], value=description)
+
+ if config.exists(base + ['zone', zone, 'enable-default-log']):
+ config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'log'], value='enable')
+ config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'log'], value='enable')
+ fwd_ipv4_rule = fwd_ipv4_rule + 5
+ fwd_ipv6_rule = fwd_ipv6_rule + 5
+
+ # Migrate default-action (force to be drop in output chain) if local zone is defined
+ if local_zone == 'True':
+ # General drop in output change if needed
+ config.set(base + ['ipv4', 'output', 'filter', 'rule'])
+ config.set_tag(base + ['ipv4', 'output', 'filter', 'rule'])
+ config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value=local_def_action)
+ config.set(base + ['ipv6', 'output', 'filter', 'rule'])
+ config.set_tag(base + ['ipv6', 'output', 'filter', 'rule'])
+ config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value=local_def_action)
+
+ config.delete(base + ['zone'])
+
+###### END migration zones
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
\ No newline at end of file
diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index 8260bbb77..852a7248a 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -1,351 +1,348 @@
#!/usr/bin/env python3
#
# Copyright (C) 2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import argparse
import ipaddress
import json
import re
import tabulate
from vyos.config import Config
from vyos.utils.process import cmd
from vyos.utils.dict import dict_search_args
-def get_firewall_interfaces(firewall, name=None, ipv6=False):
- directions = ['in', 'out', 'local']
-
- if 'interface' in firewall:
- for ifname, if_conf in firewall['interface'].items():
- for direction in directions:
- if direction not in if_conf:
- continue
-
- fw_conf = if_conf[direction]
- name_str = f'({ifname},{direction})'
-
- if 'name' in fw_conf:
- fw_name = fw_conf['name']
-
- if not name:
- firewall['name'][fw_name]['interface'].append(name_str)
- elif not ipv6 and name == fw_name:
- firewall['interface'].append(name_str)
-
- if 'ipv6_name' in fw_conf:
- fw_name = fw_conf['ipv6_name']
-
- if not name:
- firewall['ipv6_name'][fw_name]['interface'].append(name_str)
- elif ipv6 and name == fw_name:
- firewall['interface'].append(name_str)
-
- return firewall
-
-def get_config_firewall(conf, name=None, ipv6=False, interfaces=True):
+def get_config_firewall(conf, hook=None, priority=None, ipv6=False, interfaces=True):
config_path = ['firewall']
- if name:
- config_path += ['ipv6-name' if ipv6 else 'name', name]
+ if hook:
+ config_path += ['ipv6' if ipv6 else 'ipv4', hook]
+ if priority:
+ config_path += [priority]
firewall = conf.get_config_dict(config_path, key_mangling=('-', '_'),
get_first_key=True, no_tag_node_value_mangle=True)
- if firewall and interfaces:
- if name:
- firewall['interface'] = {}
- else:
- if 'name' in firewall:
- for fw_name, name_conf in firewall['name'].items():
- name_conf['interface'] = []
- if 'ipv6_name' in firewall:
- for fw_name, name_conf in firewall['ipv6_name'].items():
- name_conf['interface'] = []
-
- get_firewall_interfaces(firewall, name, ipv6)
return firewall
-def get_nftables_details(name, ipv6=False):
+def get_nftables_details(hook, priority, ipv6=False):
suffix = '6' if ipv6 else ''
name_prefix = 'NAME6_' if ipv6 else 'NAME_'
- command = f'sudo nft list chain ip{suffix} vyos_filter {name_prefix}{name}'
+ if hook == 'name' or hook == 'ipv6-name':
+ command = f'sudo nft list chain ip{suffix} vyos_filter {name_prefix}{priority}'
+ else:
+ up_hook = hook.upper()
+ command = f'sudo nft list chain ip{suffix} vyos_filter VYOS_{up_hook}_{priority}'
+
try:
results = cmd(command)
except:
return {}
out = {}
for line in results.split('\n'):
- comment_search = re.search(rf'{name}[\- ](\d+|default-action)', line)
+ comment_search = re.search(rf'{priority}[\- ](\d+|default-action)', line)
if not comment_search:
continue
rule = {}
rule_id = comment_search[1]
counter_search = re.search(r'counter packets (\d+) bytes (\d+)', line)
if counter_search:
rule['packets'] = counter_search[1]
rule['bytes'] = counter_search[2]
rule['conditions'] = re.sub(r'(\b(counter packets \d+ bytes \d+|drop|reject|return|log)\b|comment "[\w\-]+")', '', line).strip()
out[rule_id] = rule
return out
-def output_firewall_name(name, name_conf, ipv6=False, single_rule_id=None):
+def output_firewall_name(hook, priority, firewall_conf, ipv6=False, single_rule_id=None):
ip_str = 'IPv6' if ipv6 else 'IPv4'
- print(f'\n---------------------------------\n{ip_str} Firewall "{name}"\n')
-
- if name_conf['interface']:
- print('Active on: {0}\n'.format(" ".join(name_conf['interface'])))
+ print(f'\n---------------------------------\n{ip_str} Firewall "{hook} {priority}"\n')
- details = get_nftables_details(name, ipv6)
+ details = get_nftables_details(hook, priority, ipv6)
rows = []
- if 'rule' in name_conf:
- for rule_id, rule_conf in name_conf['rule'].items():
+ if 'rule' in firewall_conf:
+ for rule_id, rule_conf in firewall_conf['rule'].items():
if single_rule_id and rule_id != single_rule_id:
continue
if 'disable' in rule_conf:
continue
row = [rule_id, rule_conf['action'], rule_conf['protocol'] if 'protocol' in rule_conf else 'all']
if rule_id in details:
rule_details = details[rule_id]
row.append(rule_details.get('packets', 0))
row.append(rule_details.get('bytes', 0))
row.append(rule_details['conditions'])
rows.append(row)
- if 'default_action' in name_conf and not single_rule_id:
- row = ['default', name_conf['default_action'], 'all']
+ if 'default_action' in firewall_conf and not single_rule_id:
+ row = ['default', firewall_conf['default_action'], 'all']
if 'default-action' in details:
rule_details = details['default-action']
row.append(rule_details.get('packets', 0))
row.append(rule_details.get('bytes', 0))
rows.append(row)
if rows:
header = ['Rule', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions']
print(tabulate.tabulate(rows, header) + '\n')
-def output_firewall_name_statistics(name, name_conf, ipv6=False, single_rule_id=None):
+def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_rule_id=None):
ip_str = 'IPv6' if ipv6 else 'IPv4'
- print(f'\n---------------------------------\n{ip_str} Firewall "{name}"\n')
+ print(f'\n---------------------------------\n{ip_str} Firewall "{hook} {prior}"\n')
- if name_conf['interface']:
- print('Active on: {0}\n'.format(" ".join(name_conf['interface'])))
-
- details = get_nftables_details(name, ipv6)
+ details = get_nftables_details(prior, ipv6)
rows = []
- if 'rule' in name_conf:
- for rule_id, rule_conf in name_conf['rule'].items():
+ if 'rule' in prior_conf:
+ for rule_id, rule_conf in prior_conf['rule'].items():
if single_rule_id and rule_id != single_rule_id:
continue
if 'disable' in rule_conf:
continue
source_addr = dict_search_args(rule_conf, 'source', 'address') or '0.0.0.0/0'
dest_addr = dict_search_args(rule_conf, 'destination', 'address') or '0.0.0.0/0'
row = [rule_id]
if rule_id in details:
rule_details = details[rule_id]
row.append(rule_details.get('packets', 0))
row.append(rule_details.get('bytes', 0))
else:
row.append('0')
row.append('0')
row.append(rule_conf['action'])
row.append(source_addr)
row.append(dest_addr)
rows.append(row)
- if 'default_action' in name_conf and not single_rule_id:
+ if 'default_action' in prior_conf and not single_rule_id:
row = ['default']
if 'default-action' in details:
rule_details = details['default-action']
row.append(rule_details.get('packets', 0))
row.append(rule_details.get('bytes', 0))
else:
row.append('0')
row.append('0')
- row.append(name_conf['default_action'])
+ row.append(prior_conf['default_action'])
row.append('0.0.0.0/0') # Source
row.append('0.0.0.0/0') # Dest
rows.append(row)
if rows:
header = ['Rule', 'Packets', 'Bytes', 'Action', 'Source', 'Destination']
print(tabulate.tabulate(rows, header) + '\n')
def show_firewall():
print('Rulesets Information')
conf = Config()
firewall = get_config_firewall(conf)
if not firewall:
return
- if 'name' in firewall:
- for name, name_conf in firewall['name'].items():
- output_firewall_name(name, name_conf, ipv6=False)
+ if 'ipv4' in firewall:
+ for hook, hook_conf in firewall['ipv4'].items():
+ for prior, prior_conf in firewall['ipv4'][hook].items():
+ output_firewall_name(hook, prior, prior_conf, ipv6=False)
+
+ if 'ipv6' in firewall:
+ for hook, hook_conf in firewall['ipv6'].items():
+ for prior, prior_conf in firewall['ipv6'][hook].items():
+ output_firewall_name(hook, prior, prior_conf, ipv6=True)
- if 'ipv6_name' in firewall:
- for name, name_conf in firewall['ipv6_name'].items():
- output_firewall_name(name, name_conf, ipv6=True)
+def show_firewall_family(family):
+ print(f'Rulesets {family} Information')
-def show_firewall_name(name, ipv6=False):
+ conf = Config()
+ firewall = get_config_firewall(conf)
+
+ if not firewall:
+ return
+
+ for hook, hook_conf in firewall[family].items():
+ for prior, prior_conf in firewall[family][hook].items():
+ if family == 'ipv6':
+ output_firewall_name(hook, prior, prior_conf, ipv6=True)
+ else:
+ output_firewall_name(hook, prior, prior_conf, ipv6=False)
+
+def show_firewall_name(hook, priority, ipv6=False):
print('Ruleset Information')
conf = Config()
- firewall = get_config_firewall(conf, name, ipv6)
+ firewall = get_config_firewall(conf, hook, priority, ipv6)
if firewall:
- output_firewall_name(name, firewall, ipv6)
+ output_firewall_name(hook, priority, firewall, ipv6)
-def show_firewall_rule(name, rule_id, ipv6=False):
+def show_firewall_rule(hook, priority, rule_id, ipv6=False):
print('Rule Information')
conf = Config()
- firewall = get_config_firewall(conf, name, ipv6)
+ firewall = get_config_firewall(conf, hook, priority, ipv6)
if firewall:
- output_firewall_name(name, firewall, ipv6, rule_id)
+ output_firewall_name(hook, priority, firewall, ipv6, rule_id)
def show_firewall_group(name=None):
conf = Config()
firewall = get_config_firewall(conf, interfaces=False)
if 'group' not in firewall:
return
def find_references(group_type, group_name):
out = []
- for name_type in ['name', 'ipv6_name']:
- if name_type not in firewall:
- continue
- for name, name_conf in firewall[name_type].items():
- if 'rule' not in name_conf:
+ family = []
+ if group_type in ['address_group', 'network_group']:
+ family = ['ipv4']
+ elif group_type == 'ipv6_address_group':
+ family = ['ipv6']
+ group_type = 'address_group'
+ elif group_type == 'ipv6_network_group':
+ family = ['ipv6']
+ group_type = 'network_group'
+ else:
+ family = ['ipv4', 'ipv6']
+
+ for item in family:
+ for name_type in ['name', 'ipv6_name', 'forward', 'input', 'output']:
+ if name_type not in firewall[item]:
continue
- for rule_id, rule_conf in name_conf['rule'].items():
- source_group = dict_search_args(rule_conf, 'source', 'group', group_type)
- dest_group = dict_search_args(rule_conf, 'destination', 'group', group_type)
- if source_group and group_name == source_group:
- out.append(f'{name}-{rule_id}')
- elif dest_group and group_name == dest_group:
- out.append(f'{name}-{rule_id}')
+ for name, name_conf in firewall[item][name_type].items():
+ if 'rule' not in name_conf:
+ continue
+ for rule_id, rule_conf in name_conf['rule'].items():
+ source_group = dict_search_args(rule_conf, 'source', 'group', group_type)
+ dest_group = dict_search_args(rule_conf, 'destination', 'group', group_type)
+ if source_group and group_name == source_group:
+ out.append(f'{name}-{rule_id}')
+ elif dest_group and group_name == dest_group:
+ out.append(f'{name}-{rule_id}')
return out
header = ['Name', 'Type', 'References', 'Members']
rows = []
for group_type, group_type_conf in firewall['group'].items():
for group_name, group_conf in group_type_conf.items():
if name and name != group_name:
continue
references = find_references(group_type, group_name)
row = [group_name, group_type, '\n'.join(references) or 'N/A']
if 'address' in group_conf:
row.append("\n".join(sorted(group_conf['address'])))
elif 'network' in group_conf:
row.append("\n".join(sorted(group_conf['network'], key=ipaddress.ip_network)))
elif 'mac_address' in group_conf:
row.append("\n".join(sorted(group_conf['mac_address'])))
elif 'port' in group_conf:
row.append("\n".join(sorted(group_conf['port'])))
else:
row.append('N/A')
rows.append(row)
if rows:
print('Firewall Groups\n')
print(tabulate.tabulate(rows, header))
def show_summary():
print('Ruleset Summary')
conf = Config()
firewall = get_config_firewall(conf)
if not firewall:
return
- header = ['Ruleset Name', 'Description', 'References']
+ header = ['Ruleset Hook', 'Ruleset Priority', 'Description', 'References']
v4_out = []
v6_out = []
- if 'name' in firewall:
- for name, name_conf in firewall['name'].items():
- description = name_conf.get('description', '')
- interfaces = ", ".join(name_conf['interface'])
- v4_out.append([name, description, interfaces])
+ if 'ipv4' in firewall:
+ for hook, hook_conf in firewall['ipv4'].items():
+ for prior, prior_conf in firewall['ipv4'][hook].items():
+ description = prior_conf.get('description', '')
+ v4_out.append([hook, prior, description])
- if 'ipv6_name' in firewall:
- for name, name_conf in firewall['ipv6_name'].items():
- description = name_conf.get('description', '')
- interfaces = ", ".join(name_conf['interface'])
- v6_out.append([name, description, interfaces or 'N/A'])
+ if 'ipv6' in firewall:
+ for hook, hook_conf in firewall['ipv6'].items():
+ for prior, prior_conf in firewall['ipv6'][hook].items():
+ description = prior_conf.get('description', '')
+ v6_out.append([hook, prior, description])
if v6_out:
- print('\nIPv6 name:\n')
+ print('\nIPv6 Ruleset:\n')
print(tabulate.tabulate(v6_out, header) + '\n')
if v4_out:
- print('\nIPv4 name:\n')
+ print('\nIPv4 Ruleset:\n')
print(tabulate.tabulate(v4_out, header) + '\n')
show_firewall_group()
def show_statistics():
print('Rulesets Statistics')
conf = Config()
firewall = get_config_firewall(conf)
if not firewall:
return
- if 'name' in firewall:
- for name, name_conf in firewall['name'].items():
- output_firewall_name_statistics(name, name_conf, ipv6=False)
+ if 'ipv4' in firewall:
+ for hook, hook_conf in firewall['ipv4'].items():
+ for prior, prior_conf in firewall['ipv4'][hook].items():
+ output_firewall_name_statistics(hook,prior, prior_conf, ipv6=False)
- if 'ipv6_name' in firewall:
- for name, name_conf in firewall['ipv6_name'].items():
- output_firewall_name_statistics(name, name_conf, ipv6=True)
+ if 'ipv6' in firewall:
+ for hook, hook_conf in firewall['ipv6'].items():
+ for prior, prior_conf in firewall['ipv6'][hook].items():
+ output_firewall_name_statistics(hook,prior, prior_conf, ipv6=True)
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('--action', help='Action', required=False)
parser.add_argument('--name', help='Firewall name', required=False, action='store', nargs='?', default='')
+ parser.add_argument('--family', help='IP family', required=False, action='store', nargs='?', default='')
+ parser.add_argument('--hook', help='Firewall hook', required=False, action='store', nargs='?', default='')
+ parser.add_argument('--priority', help='Firewall priority', required=False, action='store', nargs='?', default='')
parser.add_argument('--rule', help='Firewall Rule ID', required=False)
parser.add_argument('--ipv6', help='IPv6 toggle', action='store_true')
args = parser.parse_args()
if args.action == 'show':
if not args.rule:
- show_firewall_name(args.name, args.ipv6)
+ show_firewall_name(args.hook, args.priority, args.ipv6)
else:
- show_firewall_rule(args.name, args.rule, args.ipv6)
+ show_firewall_rule(args.hook, args.priority, args.rule, args.ipv6)
elif args.action == 'show_all':
show_firewall()
+ elif args.action == 'show_family':
+ show_firewall_family(args.family)
elif args.action == 'show_group':
show_firewall_group(args.name)
elif args.action == 'show_statistics':
show_statistics()
elif args.action == 'show_summary':
show_summary()