Merge pull request #1478 from nicolas-fort/T3900-fwall-raw-tables

Firewall: Add prerouting information

docs/configuration/firewall/global-options.rst

@@ -145,3 +145,35 @@ Configuration
    [emerg | alert | crit | err | warn | notice | info | debug]
 
    Set the global setting for related connections.
+
+VyOS supports setting timeouts for connections according to the
+connection type. You can set timeout values for generic connections, for ICMP
+connections, UDP connections, or for TCP connections in a number of different
+states.
+
+.. cfgcmd:: set firewall global-options timeout icmp <1-21474836>
+    :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout other <1-21474836>
+    :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp close <1-21474836>
+    :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp close-wait <1-21474836>
+    :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp established <1-21474836>
+    :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp fin-wait <1-21474836>
+    :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp last-ack <1-21474836>
+    :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp syn-recv <1-21474836>
+    :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp syn-sent <1-21474836>
+    :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout tcp time-wait <1-21474836>
+    :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout udp other <1-21474836>
+    :defaultvalue:
+.. cfgcmd:: set firewall global-options timeout udp stream <1-21474836>
+    :defaultvalue:
+
+    Set the timeout in seconds for a protocol or state.

docs/configuration/firewall/index.rst

@@ -26,14 +26,23 @@ firewall are covered below:
 If the interface where the packet was received isn't part of a bridge, then 
 packet is processed at the **IP Layer**:
 
-   * **Prerouting**: several actions can be done in this stage, and currently
-     these actions are defined in different parts in VyOS configuration. Order
-     is important, and all these actions are performed before any actions
-     defined under ``firewall`` section. Relevant configuration that acts in
-     this stage are:
+   * **Prerouting**: All packets that are received by the router
+     are processed in this stage, regardless of the destination of the packet.
+     Starting from vyos-1.5-rolling-202406120020, a new section was added to
+     firewall configuration. There are several actions that can be done in this
+     stage, and currently these actions are also defined in different parts in
+     VyOS configuration. Order is important, and relevant configuration that
+     acts in this stage are:
+
+      * **Firewall prerouting**: rules defined under ``set firewall [ipv4 |
+        ipv6] prerouting raw...``. All rules defined in this section are
+        processed before connection tracking subsystem.
 
       * **Conntrack Ignore**: rules defined under ``set system conntrack ignore
-        [ipv4 | ipv6] ...``.
+        [ipv4 | ipv6] ...``. Starting from vyos-1.5-rolling-202406120020,
+        configuration done in this section can be done in ``firewall [ipv4 |
+        ipv6] prerouting ...``. For compatibility reasons, this feature is
+        still present, but it will be removed in the future.
 
       * **Policy Route**: rules defined under ``set policy [route | route6]
         ...``.
@@ -67,11 +76,13 @@ packet is processed at the **IP Layer**:
      new connection originated by a internal process running on VyOS router,
      such as NTP, or a response to traffic received externally through
      **input** (for example response to an ssh login attempt to the router).
-     This includes ipv4 and ipv6 filtering rules, defined in:
+     This includes ipv4 and ipv6 rules, and two different sections are present:
 
-     * ``set firewall ipv4 output filter ...``.
+     * **Output Prerouting**: ``set firewall [ipv4 | ipv6] output filter ...``.
+       As described in **Prerouting**, rules defined in this section are
+       processed before connection tracking subsystem.
 
-     * ``set firewall ipv6 output filter ...``.
+     * **Output Filter**: ``set firewall [ipv4 | ipv6] output filter ...``.
 
    * **Postrouting**: as in **Prerouting**, several actions defined in
      different parts of VyOS configuration are performed in this
@@ -120,6 +131,9 @@ The main structure of the VyOS firewall CLI is shown next:
                + filter
             - output
                + filter
+               + raw
+            - prerouting
+               + raw
             - name
                + custom_name
        * ipv6
@@ -129,6 +143,9 @@ The main structure of the VyOS firewall CLI is shown next:
                + filter
             - output
                + filter
+               + raw
+            - prerouting
+               + raw
             - ipv6-name
                + custom_name
        * zone

docs/configuration/firewall/ipv4.rst

@@ -31,17 +31,34 @@ of the general structure:
                + filter
             - output
                + filter
+               + raw
+            - prerouting
+               + raw
             - name
                + custom_name
 
+First, all traffic is received by the router, and it is processed in the
+**prerouting** section.
+
+This stage includes:
+
+   * **Firewall Prerouting**: commands found under ``set firewall ipv4
+     prerouting raw ...``
+   * :doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system
+     conntrack ignore ipv4...``
+   * :doc:`Policy Route</configuration/policy/route>`: commands found under
+     ``set policy route ...``
+   * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
+     ``set nat destination ...``
+
 For transit traffic, which is received by the router and forwarded, base chain
 is **forward**. A simplified packet flow diagram for transit traffic is shown
 next:
 
 .. figure:: /_static/images/firewall-fwd-packet-flow.png
 
-Where firewall base chain to configure firewall filtering rules for transit
-traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
+Firewall base chain to configure firewall filtering rules for transit traffic
+is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
 highlighted with red color.
 
 For traffic towards the router itself, base chain is **input**, while traffic
@@ -52,11 +69,17 @@ router (starting from circle number 6):
 
 .. figure:: /_static/images/firewall-input-packet-flow.png
 
-Base chain is for traffic toward the router is ``set firewall ipv4 input
+Base chain for traffic towards the router is ``set firewall ipv4 input
 filter ...``
 
 And base chain for traffic generated by the router is ``set firewall ipv4
-output filter ...``
+output ...``, where two sub-chains are available: **filter** and **raw**:
+
+* **Output Prerouting**: ``set firewall ipv4 output raw ...``.
+  As described in **Prerouting**, rules defined in this section are
+  processed before connection tracking subsystem.
+* **Output Filter**: ``set firewall ipv4 output filter ...``. Rules defined
+  in this section are processed after connection tracking subsystem.
 
 .. note:: **Important note about default-actions:**
    If default action for any base chain is not defined, then the default

docs/configuration/firewall/ipv6.rst

@@ -31,17 +31,34 @@ of the general structure:
                + filter
             - output
                + filter
+               + raw
+            - prerouting
+               + raw
             - name
                + custom_name
 
+First, all traffic is received by the router, and it is processed in the
+**prerouting** section.
+
+This stage includes:
+
+   * **Firewall Prerouting**: commands found under ``set firewall ipv6
+     prerouting raw ...``
+   * :doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system
+     conntrack ignore ipv6...``
+   * :doc:`Policy Route</configuration/policy/route>`: commands found under
+     ``set policy route6 ...``
+   * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
+     ``set nat66 destination ...``
+
 For transit traffic, which is received by the router and forwarded, base chain
 is **forward**. A simplified packet flow diagram for transit traffic is shown
 next:
 
 .. figure:: /_static/images/firewall-fwd-packet-flow.png
 
-Where firewall base chain to configure firewall filtering rules for transit
-traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5,
+Firewall base chain to configure firewall filtering rules for transit traffic
+is ``set firewall ipv6 forward filter ...``, which happens in stage 5,
 highlighted with red color.
 
 For traffic towards the router itself, base chain is **input**, while traffic
@@ -52,11 +69,17 @@ router (starting from circle number 6):
 
 .. figure:: /_static/images/firewall-input-packet-flow.png
 
-Base chain is for traffic toward the router is ``set firewall ipv6 input
+Base chain for traffic towards the router is ``set firewall ipv6 input
 filter ...``
 
 And base chain for traffic generated by the router is ``set firewall ipv6
-output filter ...``
+output filter ...``, where two sub-chains are available: **filter** and **raw**:
+
+* **Output Prerouting**: ``set firewall ipv6 output raw ...``.
+  As described in **Prerouting**, rules defined in this section are
+  processed before connection tracking subsystem.
+* **Output Filter**: ``set firewall ipv6 output filter ...``. Rules defined
+  in this section are processed after connection tracking subsystem.
 
 .. note:: **Important note about default-actions:**
    If default action for any base chain is not defined, then the default

docs/configuration/system/conntrack.rst

@@ -64,39 +64,7 @@ Configure
 Contrack Timeouts
 =================
 
-VyOS supports setting timeouts for connections according to the
-connection type. You can set timeout values for generic connections, for ICMP
-connections, UDP connections, or for TCP connections in a number of different
-states.
-
-.. cfgcmd:: set system conntrack timeout icmp <1-21474836>
-    :defaultvalue:
-.. cfgcmd:: set system conntrack timeout other <1-21474836>
-    :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp close <1-21474836>
-    :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp close-wait <1-21474836>
-    :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp established <1-21474836>
-    :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp fin-wait <1-21474836>
-    :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp last-ack <1-21474836>
-    :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp syn-recv <1-21474836>
-    :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp syn-sent <1-21474836>
-    :defaultvalue:
-.. cfgcmd:: set system conntrack timeout tcp time-wait <1-21474836>
-    :defaultvalue:
-.. cfgcmd:: set system conntrack timeout udp other <1-21474836>
-    :defaultvalue:
-.. cfgcmd:: set system conntrack timeout udp stream <1-21474836>
-    :defaultvalue:
-
-    Set the timeout in seconds for a protocol or state.
-
-You can also define custom timeout values to apply to a specific subset of
+You can define custom timeout values to apply to a specific subset of
 connections, based on a packet and flow selector. To do this, you need to
 create a rule defining the packet and flow selector.
 
@@ -177,6 +145,11 @@ create a rule defining the packet and flow selector.
 Conntrack ignore rules
 ======================
 
+.. note:: **Important note about conntrack ignore rules:**
+   Starting from vyos-1.5-rolling-202406120020, ignore rules can be defined in
+   ``set firewall [ipv4 | ipv6] prerouting raw ...``. It's expected that in
+   the future the conntrack ignore rules will be removed.
+
     Customized ignore rules, based on a packet and flow selector.
 
 .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>