
firewall: T6216: replace plus symbols (allowed by IPset but not NFT) in group names with underscores (backport #3290) #3294

Merged: 1 commit merged into sagitta from mergify/bp/sagitta/pr-3290 on Apr 11, 2024

Conversation

mergify[bot] (Contributor) commented Apr 11, 2024

Change Summary

Add a patch, applied while migrating from 1.3 to 1.4, to avoid errors when the character `+` is used in 1.3 firewall group names and custom firewall chain names.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

firewall

Proposed changes

How to test

Firewall config running on 1.3.4:

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group address-group MAIN_ address '10.10.10.10'
set firewall group ipv6-address-group A address '2001::1'
set firewall group ipv6-address-group A address '2001::2'
set firewall group ipv6-address-group A+B address '2001::1'
set firewall group ipv6-address-group A+B address '2001::2001'
set firewall group ipv6-address-group A_B address '3001::3001'
set firewall group ipv6-address-group A__B address '4001::4001'
set firewall group ipv6-address-group B address '2001::2001'
set firewall group ipv6-address-group B address '2001::2002'
set firewall group network-group LAN+VLANS network '198.51.100.0/24'
set firewall group network-group LAN+VLANS network '192.0.2.0/24'
set firewall group network-group LAN+VLANS network '203.0.113.0/24'
set firewall group port-group PG_01 port '55'
set firewall group port-group PG_01 port '66'
set firewall group port-group SSH+TELNET port '21'
set firewall group port-group SSH+TELNET port '22'
set firewall ipv6-name FOO6 default-action 'drop'
set firewall ipv6-name FOO6 rule 888 action 'accept'
set firewall ipv6-name FOO6 rule 888 destination group port-group 'PG_01'
set firewall ipv6-name ME+YOU default-action 'drop'
set firewall ipv6-name ME+YOU rule 1 action 'accept'
set firewall ipv6-name ME+YOU rule 1 source group address-group 'A_B'
set firewall ipv6-name ME+YOU rule 10 action 'accept'
set firewall ipv6-name ME+YOU rule 10 destination group address-group 'A__B'
set firewall ipv6-name ME+YOU rule 987 action 'accept'
set firewall ipv6-name ME+YOU rule 987 protocol 'gre'
set firewall ipv6-name ME+YOU rule 1001 action 'drop'
set firewall ipv6-name ME+YOU rule 1001 destination group address-group 'A+B'
set firewall ipv6-name ME+YOU rule 1001 source group address-group 'A+B'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name BAR default-action 'drop'
set firewall name BAR rule 101 action 'accept'
set firewall name BAR rule 101 destination group network-group 'LAN+VLANS'
set firewall name BAR rule 101 source group address-group 'MAIN_'
set firewall name CHECK-HERE default-action 'drop'
set firewall name CHECK-HERE rule 10 action 'reject'
set firewall name CHECK-HERE rule 10 destination group network-group '!LAN+VLANS'
set firewall name CHECK-HERE rule 10 destination group port-group 'PG_01'
set firewall name CHECK-HERE rule 10 protocol 'tcp'
set firewall name CHECK-HERE rule 10 source group network-group 'LAN+VLANS'
set firewall name FOO default-action 'drop'
set firewall name FOO rule 10 action 'accept'
set firewall name FOO rule 10 destination group port-group 'PG_01'
set firewall name FOO rule 10 protocol 'tcp'
set firewall name FOO+BAR default-action 'drop'
set firewall name FOO+BAR rule 10 action 'drop'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth2 firewall in name 'FOO'
set interfaces ethernet eth3 firewall in name 'BAR'
set interfaces ethernet eth3 firewall out name 'BAR'

And after upgrading to a custom 1.5 build with this patch:

vyos@Equuleus:~$ show configuration commands | grep firewall
set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'disable'
set firewall global-options syn-cookies 'enable'
set firewall global-options twa-hazards-protection 'disable'
set firewall group address-group MAIN_ address '10.10.10.10'
set firewall group ipv6-address-group A address '2001::1'
set firewall group ipv6-address-group A address '2001::2'
set firewall group ipv6-address-group A_B address '3001::3001'
set firewall group ipv6-address-group A__B address '4001::4001'
set firewall group ipv6-address-group A___B address '2001::1'
set firewall group ipv6-address-group A___B address '2001::2001'
set firewall group ipv6-address-group B address '2001::2001'
set firewall group ipv6-address-group B address '2001::2002'
set firewall group network-group LAN_VLANS network '198.51.100.0/24'
set firewall group network-group LAN_VLANS network '192.0.2.0/24'
set firewall group network-group LAN_VLANS network '203.0.113.0/24'
set firewall group port-group PG_01 port '55'
set firewall group port-group PG_01 port '66'
set firewall group port-group SSH_TELNET port '21'
set firewall group port-group SSH_TELNET port '22'
set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 5 action 'jump'
set firewall ipv4 forward filter rule 5 inbound-interface name 'eth2'
set firewall ipv4 forward filter rule 5 jump-target 'FOO'
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 inbound-interface name 'eth3'
set firewall ipv4 forward filter rule 10 jump-target 'BAR'
set firewall ipv4 forward filter rule 15 action 'jump'
set firewall ipv4 forward filter rule 15 jump-target 'BAR'
set firewall ipv4 forward filter rule 15 outbound-interface name 'eth3'
set firewall ipv4 name BAR default-action 'drop'
set firewall ipv4 name BAR rule 101 action 'return'
set firewall ipv4 name BAR rule 101 destination group network-group 'LAN_VLANS'
set firewall ipv4 name BAR rule 101 source group address-group 'MAIN_'
set firewall ipv4 name CHECK-HERE default-action 'drop'
set firewall ipv4 name CHECK-HERE rule 10 action 'reject'
set firewall ipv4 name CHECK-HERE rule 10 destination group network-group '!LAN_VLANS'
set firewall ipv4 name CHECK-HERE rule 10 destination group port-group 'PG_01'
set firewall ipv4 name CHECK-HERE rule 10 protocol 'tcp'
set firewall ipv4 name CHECK-HERE rule 10 source group network-group 'LAN_VLANS'
set firewall ipv4 name FOO default-action 'drop'
set firewall ipv4 name FOO rule 10 action 'return'
set firewall ipv4 name FOO rule 10 destination group port-group 'PG_01'
set firewall ipv4 name FOO rule 10 protocol 'tcp'
set firewall ipv4 name FOO_BAR default-action 'drop'
set firewall ipv4 name FOO_BAR rule 10 action 'drop'
set firewall ipv6 name FOO6 default-action 'drop'
set firewall ipv6 name FOO6 rule 888 action 'return'
set firewall ipv6 name FOO6 rule 888 destination group port-group 'PG_01'
set firewall ipv6 name FOO6 rule 888 protocol 'tcp_udp'
set firewall ipv6 name ME_YOU default-action 'drop'
set firewall ipv6 name ME_YOU rule 1 action 'return'
set firewall ipv6 name ME_YOU rule 1 source group address-group 'A_B'
set firewall ipv6 name ME_YOU rule 10 action 'return'
set firewall ipv6 name ME_YOU rule 10 destination group address-group 'A__B'
set firewall ipv6 name ME_YOU rule 987 action 'return'
set firewall ipv6 name ME_YOU rule 987 protocol 'gre'
set firewall ipv6 name ME_YOU rule 1001 action 'drop'
set firewall ipv6 name ME_YOU rule 1001 destination group address-group 'A___B'
set firewall ipv6 name ME_YOU rule 1001 source group address-group 'A___B'

Smoketest result

test_firewall.py -- OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

This is an automatic backport of pull request #3290 done by [Mergify](https://mergify.com).

…o avoid errors when using character <+> in 1.3 in firewall groups and custom firewall chains.

(cherry picked from commit 36baf77)
@github-actions github-actions bot added the sagitta VyOS 1.4 LTS label Apr 11, 2024
@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro, sever-sever and c-po and removed request for a team April 11, 2024 15:41
@dmbaturin dmbaturin merged commit f37bfac into sagitta Apr 11, 2024
5 checks passed
@mergify mergify bot deleted the mergify/bp/sagitta/pr-3290 branch April 11, 2024 15:42