
T6269: policy: ensure correct rule parsing when using, and when not using <set table> option in policy route. #3367

Merged
merged 1 commit into from May 2, 2024

Conversation

nicolas-fort
Contributor

Change Summary

Ensure correct rule parsing when using, and when not using <set table> option in policy route.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

policy route

Proposed changes

How to test

Config test for both cases described in T6191 and in T6269

vyos@latest# run show config comm | grep policy
set policy route BAR interface 'eth1'
set policy route BAR rule 4 protocol 'tcp'
set policy route BAR rule 4 set tcp-mss '1399'
set policy route BAR rule 4 source address '198.51.100.0/24'
set policy route BAR rule 4 tcp flags syn
set policy route BAR rule 10 destination address '!10.0.0.0/8'
set policy route BAR rule 10 set table '100'
set policy route BAR rule 10 source address '198.51.100.0/24'
set policy route FOO interface 'eth1'
set policy route FOO rule 10 destination address '192.0.2.0/24'
set policy route FOO rule 10 set table '102'
set policy route FOO rule 10 source address '198.51.100.0/24'
set policy route FOO rule 20 destination address '192.0.2.0/24'
set policy route FOO rule 20 set table '20'
[edit]
vyos@latest#

And check nftables in order to ensure correct rule parsing:

vyos@latest# sudo nft list chain ip vyos_mangle VYOS_PBR_UD_FOO
table ip vyos_mangle {
        chain VYOS_PBR_UD_FOO {
                ip daddr 192.0.2.0/24 ip saddr 198.51.100.0/24 counter packets 0 bytes 0 meta mark set 0x7fffff99 return comment "ipv4-route-FOO-10"
                ip daddr 192.0.2.0/24 counter packets 0 bytes 0 meta mark set 0x7fffffeb return comment "ipv4-route-FOO-20"
        }
}
[edit]
vyos@latest# sudo nft list chain ip vyos_mangle VYOS_PBR_UD_BAR
table ip vyos_mangle {
        chain VYOS_PBR_UD_BAR {
                ip saddr 198.51.100.0/24 tcp flags & syn == syn counter packets 0 bytes 0 tcp option maxseg size set 1399 comment "ipv4-route-BAR-4"
                ip daddr != 10.0.0.0/8 ip saddr 198.51.100.0/24 counter packets 0 bytes 0 meta mark set 0x7fffff9b return comment "ipv4-route-BAR-10"
        }
}
[edit]
vyos@latest#

Smoketest result

./test_firewall.py --> OK
./test_policy_route --> OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
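A cross-check of the two outputs above, added here as an example and not code from this PR or from vyos-1x: it parses the `set policy route` lines and the `nft list chain` output, pairs them through the `ipv4-route-<policy>-<rule>` comments, and verifies that every rule carrying `set table` renders a `meta mark set ... return` whose mark equals 0x7fffffff minus the table number, while rules without `set table` (such as BAR rule 4, which only sets tcp-mss) render no mark and no return. The mark relation is inferred from the three marks shown in this PR and is an assumption here, not something taken from the project's source; the embedded sample text is the config and nft output quoted above, so the script runs offline.

```python
"""Cross-check VyOS policy-route config against the rendered nftables PBR chains."""
import re

# Constructed sample input: the config lines and nft output quoted in this PR.
CONFIG = """\
set policy route BAR interface 'eth1'
set policy route BAR rule 4 protocol 'tcp'
set policy route BAR rule 4 set tcp-mss '1399'
set policy route BAR rule 4 source address '198.51.100.0/24'
set policy route BAR rule 4 tcp flags syn
set policy route BAR rule 10 destination address '!10.0.0.0/8'
set policy route BAR rule 10 set table '100'
set policy route BAR rule 10 source address '198.51.100.0/24'
set policy route FOO interface 'eth1'
set policy route FOO rule 10 destination address '192.0.2.0/24'
set policy route FOO rule 10 set table '102'
set policy route FOO rule 10 source address '198.51.100.0/24'
set policy route FOO rule 20 destination address '192.0.2.0/24'
set policy route FOO rule 20 set table '20'
"""

NFT = """\
table ip vyos_mangle {
        chain VYOS_PBR_UD_FOO {
                ip daddr 192.0.2.0/24 ip saddr 198.51.100.0/24 counter packets 0 bytes 0 meta mark set 0x7fffff99 return comment "ipv4-route-FOO-10"
                ip daddr 192.0.2.0/24 counter packets 0 bytes 0 meta mark set 0x7fffffeb return comment "ipv4-route-FOO-20"
        }
}
table ip vyos_mangle {
        chain VYOS_PBR_UD_BAR {
                ip saddr 198.51.100.0/24 tcp flags & syn == syn counter packets 0 bytes 0 tcp option maxseg size set 1399 comment "ipv4-route-BAR-4"
                ip daddr != 10.0.0.0/8 ip saddr 198.51.100.0/24 counter packets 0 bytes 0 meta mark set 0x7fffff9b return comment "ipv4-route-BAR-10"
        }
}
"""

# Assumption: mark = 0x7fffffff - table. It matches the three marks in the output
# above (tables 102, 20 and 100) but is not taken from the vyos-1x source.
MARK_BASE = 0x7FFFFFFF


def expected_mark(table: int) -> int:
    """Fwmark a `set table N` rule is expected to render, under the assumption above."""
    return MARK_BASE - table


def parse_config(text: str) -> dict:
    """Map (policy, rule_id) -> table number, or None when the rule has no `set table`."""
    rules = {}
    line_re = re.compile(r"^set policy route (\S+) rule (\d+) (.*)$")
    for line in text.splitlines():
        m = line_re.match(line.strip())
        if not m:
            continue
        key = (m.group(1), int(m.group(2)))
        rules.setdefault(key, None)
        t = re.match(r"set table '(\d+)'", m.group(3))
        if t:
            rules[key] = int(t.group(1))
    return rules


def parse_nft(text: str) -> dict:
    """Map (policy, rule_id) -> {'mark': int|None, 'returns': bool}, keyed by the rule comment."""
    rules = {}
    for line in text.splitlines():
        c = re.search(r'comment "ipv4-route-([^-"]+)-(\d+)"', line)
        if not c:
            continue
        mark = re.search(r"meta mark set (0x[0-9a-f]+)", line)
        rules[(c.group(1), int(c.group(2)))] = {
            "mark": int(mark.group(1), 16) if mark else None,
            "returns": " return " in line,
        }
    return rules


def check(config_text: str, nft_text: str) -> list:
    """Return a list of inconsistencies between config and rendered chains; empty means OK."""
    cfg = parse_config(config_text)
    nft = parse_nft(nft_text)
    problems = []
    for key, table in cfg.items():
        name = f"{key[0]} rule {key[1]}"
        rendered = nft.get(key)
        if rendered is None:
            problems.append(f"{name}: no nftables rule rendered")
            continue
        if table is None:
            # A rule without `set table` must not mark or return.
            if rendered["mark"] is not None or rendered["returns"]:
                problems.append(f"{name}: no set table configured but rendered with mark/return")
        else:
            want = expected_mark(table)
            if rendered["mark"] != want:
                problems.append(f"{name}: expected mark {want:#x} for table {table}, got {rendered['mark']}")
            if not rendered["returns"]:
                problems.append(f"{name}: set table {table} but no 'return' after the mark")
    for key in nft.keys() - cfg.keys():
        problems.append(f"{key[0]} rule {key[1]}: rendered but not in config")
    return problems


if __name__ == "__main__":
    for p in check(CONFIG, NFT) or ["config and nftables chains are consistent"]:
        print(p)
```

On a live box the two strings would be replaced by the output of `run show config commands | grep policy` and `sudo nft list chain ip vyos_mangle VYOS_PBR_UD_<name>` for each policy; the pairing through the rule comment is what makes the check independent of rule order inside the chain.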

@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro, sever-sever and c-po and removed request for a team April 26, 2024 14:20
@@ -488,6 +507,10 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
if synproxy_ws:
output.append(f'wscale {synproxy_ws} timestamp sack-perm')

else:
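Review bot: the `else:` that closes this hunk is the only new line visible and its body is not shown, so these lines alone cannot confirm how the set-table handling nests under `if synproxy_ws:`; if, as c-po's comment suggests, the body is a single `if set_table:` check, writing `elif set_table:` instead flattens the branch and makes explicit that the mark/return output depends on a table being configured rather than merely on synproxy being absent.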

Could be shortened to just elif set_table:

@c-po c-po merged commit 958e9ac into vyos:current May 2, 2024
9 checks passed
@c-po
Member

c-po commented May 2, 2024

@Mergifyio backport sagitta


mergify bot commented May 2, 2024

backport sagitta

✅ Backports have been created

c-po added a commit that referenced this pull request May 2, 2024
T6269: policy: ensure correct rule parsing when using, and when not using <set table> option in policy route. (backport #3367)