
firewall: T6216: replace plus symbols (allowed by IPset but not NFT) in group names with underscores #3290

Merged (1 commit, Apr 11, 2024)

Conversation

nicolas-fort (Contributor) commented Apr 10, 2024

Change Summary

Add a patch for the 1.3 to 1.4 migration in order to avoid errors when the <+> character is used in 1.3 firewall groups and custom firewall chains.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

firewall

Proposed changes

How to test

Firewall config running on 1.3.4:

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group address-group MAIN_ address '10.10.10.10'
set firewall group ipv6-address-group A address '2001::1'
set firewall group ipv6-address-group A address '2001::2'
set firewall group ipv6-address-group A+B address '2001::1'
set firewall group ipv6-address-group A+B address '2001::2001'
set firewall group ipv6-address-group A_B address '3001::3001'
set firewall group ipv6-address-group A__B address '4001::4001'
set firewall group ipv6-address-group B address '2001::2001'
set firewall group ipv6-address-group B address '2001::2002'
set firewall group network-group LAN+VLANS network '198.51.100.0/24'
set firewall group network-group LAN+VLANS network '192.0.2.0/24'
set firewall group network-group LAN+VLANS network '203.0.113.0/24'
set firewall group port-group PG_01 port '55'
set firewall group port-group PG_01 port '66'
set firewall group port-group SSH+TELNET port '21'
set firewall group port-group SSH+TELNET port '22'
set firewall ipv6-name FOO6 default-action 'drop'
set firewall ipv6-name FOO6 rule 888 action 'accept'
set firewall ipv6-name FOO6 rule 888 destination group port-group 'PG_01'
set firewall ipv6-name ME+YOU default-action 'drop'
set firewall ipv6-name ME+YOU rule 1 action 'accept'
set firewall ipv6-name ME+YOU rule 1 source group address-group 'A_B'
set firewall ipv6-name ME+YOU rule 10 action 'accept'
set firewall ipv6-name ME+YOU rule 10 destination group address-group 'A__B'
set firewall ipv6-name ME+YOU rule 987 action 'accept'
set firewall ipv6-name ME+YOU rule 987 protocol 'gre'
set firewall ipv6-name ME+YOU rule 1001 action 'drop'
set firewall ipv6-name ME+YOU rule 1001 destination group address-group 'A+B'
set firewall ipv6-name ME+YOU rule 1001 source group address-group 'A+B'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name BAR default-action 'drop'
set firewall name BAR rule 101 action 'accept'
set firewall name BAR rule 101 destination group network-group 'LAN+VLANS'
set firewall name BAR rule 101 source group address-group 'MAIN_'
set firewall name CHECK-HERE default-action 'drop'
set firewall name CHECK-HERE rule 10 action 'reject'
set firewall name CHECK-HERE rule 10 destination group network-group '!LAN+VLANS'
set firewall name CHECK-HERE rule 10 destination group port-group 'PG_01'
set firewall name CHECK-HERE rule 10 protocol 'tcp'
set firewall name CHECK-HERE rule 10 source group network-group 'LAN+VLANS'
set firewall name FOO default-action 'drop'
set firewall name FOO rule 10 action 'accept'
set firewall name FOO rule 10 destination group port-group 'PG_01'
set firewall name FOO rule 10 protocol 'tcp'
set firewall name FOO+BAR default-action 'drop'
set firewall name FOO+BAR rule 10 action 'drop'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth2 firewall in name 'FOO'
set interfaces ethernet eth3 firewall in name 'BAR'
set interfaces ethernet eth3 firewall out name 'BAR'

And after upgrading to a custom 1.5 build with this patch:

vyos@Equuleus:~$ show configuration commands | grep firewall
set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'disable'
set firewall global-options syn-cookies 'enable'
set firewall global-options twa-hazards-protection 'disable'
set firewall group address-group MAIN_ address '10.10.10.10'
set firewall group ipv6-address-group A address '2001::1'
set firewall group ipv6-address-group A address '2001::2'
set firewall group ipv6-address-group A_B address '3001::3001'
set firewall group ipv6-address-group A__B address '4001::4001'
set firewall group ipv6-address-group A___B address '2001::1'
set firewall group ipv6-address-group A___B address '2001::2001'
set firewall group ipv6-address-group B address '2001::2001'
set firewall group ipv6-address-group B address '2001::2002'
set firewall group network-group LAN_VLANS network '198.51.100.0/24'
set firewall group network-group LAN_VLANS network '192.0.2.0/24'
set firewall group network-group LAN_VLANS network '203.0.113.0/24'
set firewall group port-group PG_01 port '55'
set firewall group port-group PG_01 port '66'
set firewall group port-group SSH_TELNET port '21'
set firewall group port-group SSH_TELNET port '22'
set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 5 action 'jump'
set firewall ipv4 forward filter rule 5 inbound-interface name 'eth2'
set firewall ipv4 forward filter rule 5 jump-target 'FOO'
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 inbound-interface name 'eth3'
set firewall ipv4 forward filter rule 10 jump-target 'BAR'
set firewall ipv4 forward filter rule 15 action 'jump'
set firewall ipv4 forward filter rule 15 jump-target 'BAR'
set firewall ipv4 forward filter rule 15 outbound-interface name 'eth3'
set firewall ipv4 name BAR default-action 'drop'
set firewall ipv4 name BAR rule 101 action 'return'
set firewall ipv4 name BAR rule 101 destination group network-group 'LAN_VLANS'
set firewall ipv4 name BAR rule 101 source group address-group 'MAIN_'
set firewall ipv4 name CHECK-HERE default-action 'drop'
set firewall ipv4 name CHECK-HERE rule 10 action 'reject'
set firewall ipv4 name CHECK-HERE rule 10 destination group network-group '!LAN_VLANS'
set firewall ipv4 name CHECK-HERE rule 10 destination group port-group 'PG_01'
set firewall ipv4 name CHECK-HERE rule 10 protocol 'tcp'
set firewall ipv4 name CHECK-HERE rule 10 source group network-group 'LAN_VLANS'
set firewall ipv4 name FOO default-action 'drop'
set firewall ipv4 name FOO rule 10 action 'return'
set firewall ipv4 name FOO rule 10 destination group port-group 'PG_01'
set firewall ipv4 name FOO rule 10 protocol 'tcp'
set firewall ipv4 name FOO_BAR default-action 'drop'
set firewall ipv4 name FOO_BAR rule 10 action 'drop'
set firewall ipv6 name FOO6 default-action 'drop'
set firewall ipv6 name FOO6 rule 888 action 'return'
set firewall ipv6 name FOO6 rule 888 destination group port-group 'PG_01'
set firewall ipv6 name FOO6 rule 888 protocol 'tcp_udp'
set firewall ipv6 name ME_YOU default-action 'drop'
set firewall ipv6 name ME_YOU rule 1 action 'return'
set firewall ipv6 name ME_YOU rule 1 source group address-group 'A_B'
set firewall ipv6 name ME_YOU rule 10 action 'return'
set firewall ipv6 name ME_YOU rule 10 destination group address-group 'A__B'
set firewall ipv6 name ME_YOU rule 987 action 'return'
set firewall ipv6 name ME_YOU rule 987 protocol 'gre'
set firewall ipv6 name ME_YOU rule 1001 action 'drop'
set firewall ipv6 name ME_YOU rule 1001 destination group address-group 'A___B'
set firewall ipv6 name ME_YOU rule 1001 source group address-group 'A___B'

Smoketest result

test_firewall.py -- OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro, sever-sever and c-po and removed request for a team April 10, 2024 14:01
v4_found = True
if group_type in v6_groups and not v6_found:
    v6_found = True
new_group_name = group_name.replace('+', '_')
Review comment (Member):

What if the config has both LAN+VLANS and LAN_VLANS groups already? :)

It's a rather unlikely situation, but I think we should agree what exactly we should do if our normalized name already exists in the old config.

Contributor Author:

I've submitted a patch for this situation.

@dmbaturin dmbaturin changed the title from "T6216: firewall: add patch while migrating from 1.3 to 1.4 in order to avoid errors when using character <+> in 1.3 in firewall groups and custom firewall chains." to "firewall: T6216: replace plus symbols (allowed by IPset but not NFT) in group names with underscores" Apr 10, 2024
nicolas-fort (Contributor Author):

And the new title indicates that this patch is only for firewall groups, while it actually also applies to the firewall ruleset name and ipv6-name.

@dmbaturin dmbaturin merged commit 869a94f into vyos:current Apr 11, 2024
7 of 8 checks passed
dmbaturin (Member):

@Mergifyio backport sagitta

mergify bot commented Apr 11, 2024

backport sagitta

✅ Backports have been created

dmbaturin added a commit that referenced this pull request Apr 11, 2024
firewall: T6216: replace plus symbols (allowed by IPset but not NFT) in group names with underscores (backport #3290)