Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

T6841: firewall: improve config parsing for ZBF when using VRFs and interfaces attached to VRFs #4180

Draft
wants to merge 1 commit into
base: current
Choose a base branch
from
Draft

T6841: firewall: improve config parsing for ZBF when using VRFs and interfaces attached to VRFs #4180

wants to merge 1 commit into from

Conversation

nicolas-fort
Copy link
Contributor

Change Summary

Improve config parsing for ZBF when using VRFs and interfaces attached to VRFs

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

firewall

Proposed changes

For zone based firewall, everything is related to matching inbound and outbound interface. The problem is that in Linux, if an interface is attached to a non-default VRF, then:

  • For matching inbound-interface, we need to specify <vrf_name> in firewall ruleset
  • For matching outbound-interface, we need to specify <physical_interface> in firewall ruleset.

Before this PR, what was written under set firewall zone <zone> interface <iface> was exactly written for inbound|outbound interface in nftables.
Now we have provide more options so we can specify interface name and interfave vrf while defining interfaces in a zone.

  • If using interface name <iface> --> it still writes exactly that interfaces for inbound|outbound interface in nftables
  • If using interface vrf <vrf_name> --> in nftables it writes:
    • <vrf_name> for matching inbound interface
    • <all_vrf_members> for matching outbound interface.

How to test

Smoketest result

root@zbf-vrfaware:/usr/libexec/vyos/tests/smoke/cli# ./test_firewall.py 
test_bridge_firewall (__main__.TestFirewall.test_bridge_firewall) ... ok
test_cyclic_jump_validation (__main__.TestFirewall.test_cyclic_jump_validation) ... ok
test_flow_offload (__main__.TestFirewall.test_flow_offload) ... ok
test_geoip (__main__.TestFirewall.test_geoip) ... ok
test_gre_match (__main__.TestFirewall.test_gre_match) ... ok
test_groups (__main__.TestFirewall.test_groups) ... ok
test_ipsec_metadata_match (__main__.TestFirewall.test_ipsec_metadata_match) ... ok
test_ipv4_advanced (__main__.TestFirewall.test_ipv4_advanced) ... ok
test_ipv4_basic_rules (__main__.TestFirewall.test_ipv4_basic_rules) ... ok
test_ipv4_dynamic_groups (__main__.TestFirewall.test_ipv4_dynamic_groups) ... ok
test_ipv4_global_state (__main__.TestFirewall.test_ipv4_global_state) ... ok
test_ipv4_mask (__main__.TestFirewall.test_ipv4_mask) ... ok
test_ipv4_state_and_status_rules (__main__.TestFirewall.test_ipv4_state_and_status_rules) ... ok
test_ipv4_synproxy (__main__.TestFirewall.test_ipv4_synproxy) ... ok
test_ipv6_advanced (__main__.TestFirewall.test_ipv6_advanced) ... ok
test_ipv6_basic_rules (__main__.TestFirewall.test_ipv6_basic_rules) ... ok
test_ipv6_dynamic_groups (__main__.TestFirewall.test_ipv6_dynamic_groups) ... ok
test_ipv6_mask (__main__.TestFirewall.test_ipv6_mask) ... ok
test_nested_groups (__main__.TestFirewall.test_nested_groups) ... ok
test_source_validation (__main__.TestFirewall.test_source_validation) ... ok
test_sysfs (__main__.TestFirewall.test_sysfs) ... ok
test_timeout_sysctl (__main__.TestFirewall.test_timeout_sysctl) ... ok
test_zone_basic (__main__.TestFirewall.test_zone_basic) ... ok
test_zone_flow_offload (__main__.TestFirewall.test_zone_flow_offload) ... ok
test_zone_with_vrf (__main__.TestFirewall.test_zone_with_vrf) ... ok

----------------------------------------------------------------------
Ran 25 tests in 136.776s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@nicolas-fort nicolas-fort requested a review from a team as a code owner October 29, 2024 19:18
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 29, 2024
edited
Loading

👍
No issues in PR Title / Commit Title

@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 29, 2024
edited
Loading

✅ No issues found in unused-imports check.. Please refer the workflow run

@nicolas-fort
Copy link
Contributor Author

Should I also change these files?
https://github.com/search?q=repo%3Avyos%2Fvyos-1x+path%3A%2F%5Esmoketest%5C%2Fconfig-tests%5C%2F%2F+%22set+firewall+zone%22&type=code

@github-actions GitHub Actions
Copy link

CI integration ❌ failed!

Details

CI logs

  • CLI Smoketests (no interfaces) ❌ failed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests ❌ failed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

dmbaturin
dmbaturin requested changes Nov 7, 2024
View reviewed changes
Copy link
Member

@dmbaturin dmbaturin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest a different syntax that I think is more intuitive (or less counter-intuitive ;) and there are some missing cases in the migration script logic.

interface-definitions/firewall.xml.in
@@ -464,24 +464,39 @@
</node>
</children>
</tagNode>
<leafNode name="interface">
<node name="interface">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<node name="interface">
<node name="member">

I agree with the idea to separate interface and VRF options but I have reservations about this syntax. The problem is that a VRF is not an interface, any VRF may include as many interfaces as it wants.

So the parent node should be named something else than interface. I think member might be a good generic word.

interface-definitions/firewall.xml.in
</properties>
</leafNode>
<children>
<leafNode name="name">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<leafNode name="name">
<leafNode name="interface">

smoketest/scripts/cli/test_firewall.py
@@ -905,7 +905,7 @@ def test_timeout_sysctl(self):
def test_zone_basic(self):
self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'default-action', 'drop'])
self.cli_set(['firewall', 'ipv6', 'name', 'smoketestv6', 'default-action', 'drop'])
self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'interface', 'eth0'])
self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'interface', 'name', 'eth0'])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'interface', 'name', 'eth0'])
self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'member', 'interface', 'eth0'])

smoketest/scripts/cli/test_firewall.py
self.cli_set(['firewall', 'zone', 'LOCAL', 'from', 'ZONE1', 'firewall', 'name', 'ZONE1-to-LOCAL'])
self.cli_set(['firewall', 'zone', 'LOCAL', 'local-zone'])
self.cli_set(['firewall', 'zone', 'ZONE1', 'from', 'ZONE2', 'firewall', 'name', 'ZONE2_to_ZONE1'])
self.cli_set(['firewall', 'zone', 'ZONE1', 'interface', 'name', 'eth1'])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
self.cli_set(['firewall', 'zone', 'ZONE1', 'interface', 'name', 'eth1'])
self.cli_set(['firewall', 'zone', 'ZONE1', 'member', 'interface', 'eth1'])

smoketest/scripts/cli/test_firewall.py
self.cli_set(['firewall', 'zone', 'LOCAL', 'local-zone'])
self.cli_set(['firewall', 'zone', 'ZONE1', 'from', 'ZONE2', 'firewall', 'name', 'ZONE2_to_ZONE1'])
self.cli_set(['firewall', 'zone', 'ZONE1', 'interface', 'name', 'eth1'])
self.cli_set(['firewall', 'zone', 'ZONE1', 'interface', 'name', 'eth2'])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
self.cli_set(['firewall', 'zone', 'ZONE1', 'interface', 'name', 'eth2'])
self.cli_set(['firewall', 'zone', 'ZONE1', 'member', 'interface', 'eth2'])

src/conf_mode/firewall.py
# Get physical interfaces assigned to the zone if vrf is used:
if 'vrf' in local_zone_conf['interface']:
local_zone_conf['vrf_interfaces'] = {}
for vrf_name in local_zone_conf['interface']['vrf']:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
for vrf_name in local_zone_conf['interface']['vrf']:
for vrf_name in local_zone_conf['member']['vrf']:

src/migration-scripts/firewall/17-to-18
# From
# set firewall zone <zone> interface <iface>
# To
# set firewall zone <zone> interface name <iface>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# set firewall zone <zone> interface name <iface>
# set firewall zone <zone> member interface <iface>

src/migration-scripts/firewall/17-to-18
# To
# set firewall zone <zone> interface name <iface>
# or
# set firewall zone <zone> interface vrf <vrf>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# set firewall zone <zone> interface vrf <vrf>
# set firewall zone <zone> member vrf <vrf>

src/migration-scripts/firewall/17-to-18
for zone in config.list_nodes(base):
if config.exists(base + [zone, 'interface']):
for iface in config.return_values(base + [zone, 'interface']):
config.set(base + [zone, 'interface', 'name'], value=iface, replace=False)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
config.set(base + [zone, 'interface', 'name'], value=iface, replace=False)
config.set(base + [zone, 'member', 'interface'], value=iface, replace=False)

src/migration-scripts/firewall/17-to-18
# Nothing to do
return

for zone in config.list_nodes(base):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This logic looks incomplete.

  1. It doesn't seem to delete values from under the old interface node, only duplicates them under the new one.
  2. VRF support was introduced in 1.4.0 already, but the script doesn't handle the case when the value is a VRF name rather than an interface name.

@nicolas-fort nicolas-fort marked this pull request as draft November 19, 2024 12:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dmbaturin dmbaturin dmbaturin requested changes

@sarthurdev sarthurdev Awaiting requested review from sarthurdev sarthurdev is a code owner automatically assigned from vyos/reviewers

@zdc zdc Awaiting requested review from zdc zdc is a code owner automatically assigned from vyos/reviewers

@jestabro jestabro Awaiting requested review from jestabro jestabro is a code owner automatically assigned from vyos/reviewers

@sever-sever sever-sever Awaiting requested review from sever-sever sever-sever is a code owner automatically assigned from vyos/reviewers

@fett0 fett0 Awaiting requested review from fett0 fett0 is a code owner automatically assigned from vyos/reviewers

Requested changes must be addressed to merge this pull request.

Assignees

@nicolas-fort nicolas-fort

Labels
current
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nicolas-fort @dmbaturin