
T4072: Firewall op-mode command: add bridge capabilities #2242

Merged (1 commit, Sep 14, 2023)

nicolas-fort (Contributor)

Change Summary

Add options to the op-mode command show firewall in order to print the bridge firewall.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):
    Change op-mode command show firewall

Related Task(s)

Component(s) name

firewall

Proposed changes

How to test

vyos@ssh-serv:~$ show firewall 
Rulesets Information

---------------------------------
ipv4 Firewall "forward filter"

  Rule  Action    Protocol      Packets    Bytes  Conditions
------  --------  ----------  ---------  -------  -----------------------------------------
    10  accept    all                 0        0  ct state { established, related }  accept
    20  drop      all                 0        0  ct state invalid
    30  accept    all                 0        0  iifname "eth1"  accept

---------------------------------
ipv4 Firewall "input filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ------------------------------------------------------------------------------------------------------------------------
10       accept    all              1438  1815141  ct state { established, related }  accept
20       drop      all                 0        0  ct state invalid
30       accept    icmp                0        0  ct state new icmp type echo-request  accept
40       drop      tcp                 0        0  ct state new tcp dport 22 iifname "eth0" add @RECENT_INP_filter_40 { ip saddr limit rate over 4/minute burst 4 packets }
41       accept    tcp                 2      120  ct state new tcp dport 22  accept
default  drop      all

---------------------------------
ipv4 Firewall "name FOO"

  Rule  Action    Protocol      Packets    Bytes  Conditions
------  --------  ----------  ---------  -------  -----------------------------------------
    10  accept    tcp                 0        0  meta l4proto tcp ip saddr 1.1.1.1  accept

---------------------------------
bridge Firewall "forward filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -----------------------------------
10       continue  all                 0        0  iifname "eth2" vlan id 22  continue
20       drop      all                 0        0  iifname @I_TRUNK-RIGHT vlan id 60
30       jump      all                 0        0  oifname "eth1"  jump NAME_TEST
default  accept    all

---------------------------------
bridge Firewall "name TEST"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -------------------------------------------------
10       continue  all                 0        0  prefix "[bri-NAM-TEST-10-C]" vlan pcp 0  continue
default  accept    all                 0        0

vyos@ssh-serv:~$ 
vyos@ssh-serv:~$ show firewall bridge 
Rulesets bridge Information

---------------------------------
bridge Firewall "forward filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -----------------------------------
10       continue  all                 0        0  iifname "eth2" vlan id 22  continue
20       drop      all                 0        0  iifname @I_TRUNK-RIGHT vlan id 60
30       jump      all                 0        0  oifname "eth1"  jump NAME_TEST
default  accept    all

---------------------------------
bridge Firewall "name TEST"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -------------------------------------------------
10       continue  all                 0        0  prefix "[bri-NAM-TEST-10-C]" vlan pcp 0  continue
default  accept    all                 0        0

vyos@ssh-serv:~$ 
vyos@ssh-serv:~$ show firewall statistics 
Rulesets Statistics

---------------------------------
ipv4 Firewall "forward filter"

Rule     Packets    Bytes    Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10       0          0        accept    any       any            any                  any
20       0          0        drop      any       any            any                  any
30       0          0        accept    any       any            eth1                 any
default  N/A        N/A      accept    any       any            any                  any

---------------------------------
ipv4 Firewall "input filter"

Rule     Packets    Bytes    Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10       1510       1820025  accept    any       any            any                  any
20       0          0        drop      any       any            any                  any
30       0          0        accept    any       any            any                  any
40       0          0        drop      any       any            eth0                 any
41       2          120      accept    any       any            any                  any
default  N/A        N/A      drop      any       any            any                  any

---------------------------------
ipv4 Firewall "name FOO"

  Rule    Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
------  ---------  -------  --------  --------  -------------  -------------------  --------------------
    10          0        0  accept    1.1.1.1   any            any                  any

---------------------------------
bridge Firewall "forward filter"

Rule     Packets    Bytes    Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10       0          0        continue  any       any            eth2                 any
20       0          0        drop      any       any            TRUNK-RIGHT          any
30       0          0        jump      any       any            any                  eth1
default  N/A        N/A      accept    any       any            any                  any

---------------------------------
bridge Firewall "name TEST"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10               0        0  continue  any       any            any                  any
default          0        0  accept    any       any            any                  any

vyos@ssh-serv:~$ 
vyos@ssh-serv:~$ show firewall summary 
Ruleset Summary

IPv4 Ruleset:

Ruleset Hook    Ruleset Priority    Description
--------------  ------------------  -------------
forward         filter
input           filter
name            FOO

Bridge Ruleset:

Ruleset Hook    Ruleset Priority    Description
--------------  ------------------  -------------
forward         filter
name            TEST

Firewall Groups

Name         Type             References    Members
-----------  ---------------  ------------  ---------
TRUNK-RIGHT  interface_group  N/D           eth4
vyos@ssh-serv:~$  

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
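The plain-text `show firewall` output shown in the test transcript above is the kind of thing an operator will want to audit rather than read. The following is an added example (not VyOS's own code, and not part of this PR): a parser for that output format plus three checks a reviewer of a bridge firewall would run: rulesets whose default action is accept, jump targets that name no existing ruleset, and rules that have never matched a packet. The mapping of an nft chain `NAME_<X>` to the ruleset shown as `name X` is an assumption read off the output on this page, and the sample input is constructed from the transcript with one extra rule (40, jumping to NAME_MISSING) added to exercise the dangling-jump check.

```python
# Added example (not VyOS code): parse the plain-text output of the
# `show firewall` op-mode command, in the format shown on this page, and run
# three audit checks over the parsed rulesets.
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER_RE = re.compile(r'^(ipv4|ipv6|bridge) Firewall "(.+)"$')
# rule-number | action | protocol | optional "packets bytes" | rest = conditions
ROW_RE = re.compile(r'^\s*(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+)\s+(\d+))?\s*(.*)$')

@dataclass
class Rule:
    number: str
    action: str
    protocol: str
    packets: Optional[int]   # None when the output prints no counter
    conditions: str

@dataclass
class Ruleset:
    family: str              # ipv4 / ipv6 / bridge
    name: str                # e.g. "forward filter", "name TEST"
    rules: List[Rule] = field(default_factory=list)
    default_action: Optional[str] = None

def parse_show_firewall(text: str) -> List[Ruleset]:
    rulesets, current = [], None
    for line in text.splitlines():
        hdr = HEADER_RE.match(line.strip())
        if hdr:
            current = Ruleset(hdr.group(1), hdr.group(2))
            rulesets.append(current)
            continue
        row = ROW_RE.match(line)
        if current is None or not row:
            continue
        number, action, proto, pkts, _bytes, cond = row.groups()
        if number == "default":
            current.default_action = action
        elif number.isdigit():      # skips column headers, separators, prompts
            current.rules.append(Rule(number, action, proto,
                                      int(pkts) if pkts else None, cond.strip()))
    return rulesets

def permissive_defaults(rulesets):
    """Rulesets that accept whatever no rule matched."""
    return [(r.family, r.name) for r in rulesets if r.default_action == "accept"]

def dangling_jumps(rulesets):
    """Jump targets with no ruleset of the same family. Assumption taken from
    the output on this page: a chain NAME_<X> backs the ruleset 'name X'."""
    known = {(r.family, r.name) for r in rulesets}
    found = []
    for rs in rulesets:
        for rule in rs.rules:
            m = re.search(r'\bjump (\S+)', rule.conditions)
            if m and (rs.family, "name " + re.sub(r'^NAME6?_', '', m.group(1))) not in known:
                found.append((rs.family, rs.name, rule.number, m.group(1)))
    return found

def zero_hit_rules(rulesets):
    """Rules whose packet counter is 0: candidates for review, or shadowed rules."""
    return [(r.family, r.name, x.number) for r in rulesets for x in r.rules if x.packets == 0]

# Constructed sample, trimmed from the PR's test output; rule 40 (NAME_MISSING)
# is added here to exercise the dangling-jump check.
SAMPLE = """\
---------------------------------
ipv4 Firewall "input filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ------------------------------------------
10       accept    all              1438  1815141  ct state { established, related }  accept
20       drop      all                 0        0  ct state invalid
default  drop      all

---------------------------------
bridge Firewall "forward filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -----------------------------------
10       continue  all                 0        0  iifname "eth2" vlan id 22  continue
30       jump      all                 0        0  oifname "eth1"  jump NAME_TEST
40       jump      all                 0        0  oifname "eth3"  jump NAME_MISSING
default  accept    all

---------------------------------
bridge Firewall "name TEST"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -------------------------------------------------
10       continue  all                 0        0  prefix "[bri-NAM-TEST-10-C]" vlan pcp 0  continue
default  accept    all                 0        0
"""

if __name__ == "__main__":
    rs = parse_show_firewall(SAMPLE)
    print("accept-by-default:", permissive_defaults(rs))
    print("dangling jumps:   ", dangling_jumps(rs))
    print("zero-hit rules:   ", zero_hit_rules(rs))
```

Feed it the output of `show firewall` (not `show firewall statistics`, whose column layout differs) captured from a VyOS box. On the transcript above it would flag both bridge rulesets as accept-by-default, which is worth a second look on a bridge that carries tagged VLANs, since anything a rule does not match is forwarded.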

@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro, sever-sever and c-po and removed request for a team September 11, 2023 16:02
@c-po c-po merged commit 324d358 into vyos:current Sep 14, 2023
8 checks passed