T6647: firewall. Introduce patch for accepting invalid ARP and DHCP #4018


Merged
merged 1 commit into from
Sep 2, 2024

nicolas-fort
Contributor

Change Summary

Introduce patch for accepting invalid ARP and DHCP in stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections.
Also, add ethernet-type matcher in bridge firewall.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

firewall

Proposed changes

At first we tried accepting ARP packets with the new option ethernet-type. This was not enough because if global state policies were configured, these rules were evaluated before custom rules, so ARP replies, which are flagged as INVALID, still got dropped.
So now there's a new global-option for bridge firewall, which accepts invalid connections for the two known scenarios where these connections are marked as invalid:

  • For DHCP: when bridge is configured as a DHCP server
  • For ARP.

How to test

vyos@bri# run show config comm | grep firewall
set firewall bridge prerouting filter rule 10 action 'accept'
set firewall bridge prerouting filter rule 10 ethernet-type 'arp'
set firewall global-options apply-to-bridged-traffic invalid-connections
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'
[edit]
vyos@bri# 

And nftables output:

vyos@bri# sudo nft -s list table bridge vyos_filter
table bridge vyos_filter {
        chain VYOS_FORWARD_filter {
                type filter hook forward priority filter; policy accept;
                jump VYOS_STATE_POLICY
                counter accept comment "FWD-filter default-action accept"
        }

        chain VYOS_INPUT_filter {
                type filter hook input priority filter; policy accept;
                jump VYOS_STATE_POLICY
                counter accept comment "INP-filter default-action accept"
        }

        chain VYOS_OUTPUT_filter {
                type filter hook output priority filter; policy accept;
                ct state invalid udp sport 67 udp dport 68 counter accept
                ct state invalid ether type arp counter accept
                jump VYOS_STATE_POLICY
                counter accept comment "OUT-filter default-action accept"
        }

        chain VYOS_PREROUTING_filter {
                type filter hook prerouting priority filter; policy accept;
                ether type arp counter accept comment "bri-PRE-filter-10"
                counter accept comment "PRE-filter default-action accept"
        }

        chain VYOS_STATE_POLICY {
                ct state established counter accept
                ct state invalid counter drop
                ct state related counter accept
                return
        }
}
[edit]
vyos@bri# 

Smoketest result

test_firewall.py --> OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
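The ordering problem described under "Proposed changes" (state policy evaluated before custom rules, so conntrack-invalid ARP and DHCP traffic is dropped) can be reproduced without a router. The following is an added example, not code from vyos-1x or from this PR: it models the `VYOS_OUTPUT_filter` and `VYOS_STATE_POLICY` chains in the shape of the `nft list` output above and walks a packet through them in nft order. `Packet`, `Rule`, `build_ruleset` and `evaluate` are names chosen for this simulation; the rule text rendering is an approximation of nft syntax, and the DHCP exception is rendered only when the bridge is a DHCP server, as the PR describes.

```python
"""Added example (not vyos-1x code): simulate how the bridge firewall chains
from this PR evaluate ARP and DHCP packets, with and without the
'apply-to-bridged-traffic invalid-connections' exception rules."""
from dataclasses import dataclass, field

BASE_CHAINS = {'VYOS_OUTPUT_filter'}   # hook chains; their policy is accept


@dataclass
class Packet:
    """Constructed packet summary: only the fields the rules match on."""
    ether_type: str        # 'arp' or 'ip'
    ct_state: str          # 'new', 'established', 'related' or 'invalid'
    proto: str = ''        # 'udp' for DHCP
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    verdict: str           # 'accept', 'drop', 'jump' or 'return'
    target: str = ''       # chain to jump to when verdict == 'jump'
    match: dict = field(default_factory=dict)
    comment: str = ''

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())

    def render(self) -> str:
        """nft-style text for this rule (approximation of the PR's output)."""
        names = {'ct_state': 'ct state', 'ether_type': 'ether type',
                 'sport': 'udp sport', 'dport': 'udp dport'}
        parts = [f"{names[k]} {v}" for k, v in self.match.items() if k != 'proto']
        if self.verdict == 'jump':
            parts.append(f"jump {self.target}")
        elif self.verdict == 'return':
            parts.append('return')
        else:
            parts.append(f"counter {self.verdict}")
        if self.comment:
            parts.append(f'comment "{self.comment}"')
        return ' '.join(parts)


def build_ruleset(invalid_connections: bool, dhcp_server: bool) -> dict:
    """Render the simplified output chain in the order shown in the PR:
    invalid-connection exceptions first, then the jump to the state policy,
    then the chain default action."""
    output = []
    if invalid_connections:
        if dhcp_server:   # DHCP server replies: udp 67 -> 68, never tracked
            output.append(Rule('accept', match={'ct_state': 'invalid', 'proto': 'udp',
                                                'sport': 67, 'dport': 68}))
        output.append(Rule('accept', match={'ct_state': 'invalid', 'ether_type': 'arp'}))
    output.append(Rule('jump', target='VYOS_STATE_POLICY'))
    output.append(Rule('accept', comment='OUT-filter default-action accept'))
    state_policy = [
        Rule('accept', match={'ct_state': 'established'}),
        Rule('drop', match={'ct_state': 'invalid'}),
        Rule('accept', match={'ct_state': 'related'}),
        Rule('return'),
    ]
    return {'VYOS_OUTPUT_filter': output, 'VYOS_STATE_POLICY': state_policy}


def evaluate(ruleset: dict, chain: str, pkt: Packet) -> str:
    """Walk a chain top to bottom as nft does: the first matching rule gives
    the verdict; a jump whose target chain returns continues with the next
    rule of the calling chain."""
    for rule in ruleset[chain]:
        if not rule.matches(pkt):
            continue
        if rule.verdict == 'jump':
            verdict = evaluate(ruleset, rule.target, pkt)
            if verdict == 'return':
                continue
            return verdict
        return rule.verdict
    # Fell off the end: a regular chain returns to its caller, a base chain
    # applies its policy (accept in the PR's ruleset).
    return 'accept' if chain in BASE_CHAINS else 'return'


if __name__ == '__main__':
    arp_reply = Packet('arp', 'invalid')                       # constructed
    dhcp_offer = Packet('ip', 'invalid', 'udp', 67, 68)        # constructed
    for opt in (False, True):
        rs = build_ruleset(invalid_connections=opt, dhcp_server=True)
        print(f"invalid-connections={opt}:")
        for line in rs['VYOS_OUTPUT_filter']:
            print('    ' + line.render())
        print('  ARP reply  ->', evaluate(rs, 'VYOS_OUTPUT_filter', arp_reply))
        print('  DHCP offer ->', evaluate(rs, 'VYOS_OUTPUT_filter', dhcp_offer))
```

Running the script shows the ARP reply and the DHCP offer landing on `ct state invalid counter drop` inside `VYOS_STATE_POLICY` when the option is off, and being accepted by the exception rules that sit above the jump when it is on; a `new` or `established` packet takes the same path either way, so the exception changes the verdict only for the two invalid-by-design flows.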

github-actions bot commented Aug 26, 2024

👍
No issues in PR Title / Commit Title

…n stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ethernet-type matcher in bridge firewall.
@dmbaturin dmbaturin merged commit c78c5bd into vyos:current Sep 2, 2024
13 of 15 checks passed