Skip to content

firewall: T7452: update rule generation for Zone-based firewall #4506

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 16, 2025
Merged

firewall: T7452: update rule generation for Zone-based firewall #4506

merged 1 commit into from
Sep 16, 2025

Conversation

davi2367
Copy link
Contributor

@davi2367 davi2367 commented May 14, 2025
edited by c-po
Loading

Change summary

When utilizing the ZBF with VRF, issues occur with outgoing traffic - specifically with ping packets destined for interface on vyos itself.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

https://vyos.dev/T7452

Related PR(s)

How to test / Smoketest result

I added the below entries in netfilter above the default drop, and it solved the issue

oifname "MGMT" counter packets 0 bytes 0 jump NAME_IPV4_LOCAL_TO_MGMT
oifname "MGMT" counter packets 0 bytes 0 return

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@github-actions GitHub Actions
Copy link

github-actions bot commented May 14, 2025
edited
Loading

👍
No issues in PR Title / Commit Title

@davi2367 davi2367 changed the title ZBF/VRF: T7452: genrate netfilter rules with outgoing rules containin… T7452: update zone rule for ZBF/VRF May 14, 2025
@davi2367 davi2367 changed the title T7452: update zone rule for ZBF/VRF firewall: vrf: T7452: update rule generation for Zone-based firewal May 14, 2025
@davi2367 davi2367 changed the title firewall: vrf: T7452: update rule generation for Zone-based firewal firewall: vrf: T7452: update rule generation for Zone-based firewall May 14, 2025
@davi2367 davi2367 changed the title firewall: vrf: T7452: update rule generation for Zone-based firewall firewall: T7452: update rule generation for Zone-based firewall May 14, 2025
@c-po c-po requested review from sarthurdev and c-po May 15, 2025 04:36
@c-po c-po added current bp/sagitta Create automatic backport for sagitta LTS version bp/circinus Create automatic backport for circinus labels May 15, 2025
@davi2367 davi2367 force-pushed the zbf-vrf branch 4 times, most recently from c3a69f9 to 6c93642 Compare May 15, 2025 07:59
@davi2367
Copy link
Contributor Author

On a local VyOS instance ive replaced "/usr/share/vyos/templates/firewall/nftables-zone.j2" with the file in the commit, and corrected some errors. It seems to be working so-far without any issues.

sarthurdev
sarthurdev reviewed May 15, 2025
View reviewed changes
Copy link
Member

@sarthurdev sarthurdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIRC outbound packets to VRF used the physical interface name.

Ping @nicolas-fort as I think this was something you worked on previously. If you have any feedback here?

@davi2367
Copy link
Contributor Author

IIRC outbound packets to VRF used the physical interface name.

Ping @nicolas-fort as I think this was something you worked on previously. If you have any feedback here?

If need be, one can specify the interfaces to listen use in rules by using the "member interface" instead of "member vrf", i changed the behaviour as both are possible with this approach, and it follows the same approach as earlier commits where both vrf and interface was specified under "interface" :)

@sever-sever
Copy link
Member

CI does not like your changes:

 DEBUG - Running Testcase: /usr/libexec/vyos/tests/smoke/cli/test_firewall.py
DEBUG - test_bridge_firewall (__main__.TestFirewall.test_bridge_firewall) ... ok
DEBUG - test_cyclic_jump_validation (__main__.TestFirewall.test_cyclic_jump_validation) ... ok
DEBUG - test_flow_offload (__main__.TestFirewall.test_flow_offload) ... ok
DEBUG - test_geoip (__main__.TestFirewall.test_geoip) ... ok
DEBUG - test_gre_match (__main__.TestFirewall.test_gre_match) ... ok
DEBUG - test_groups (__main__.TestFirewall.test_groups) ... ok
DEBUG - test_ipsec_metadata_match (__main__.TestFirewall.test_ipsec_metadata_match) ... ok
DEBUG - test_ipv4_advanced (__main__.TestFirewall.test_ipv4_advanced) ... ok
DEBUG - test_ipv4_basic_rules (__main__.TestFirewall.test_ipv4_basic_rules) ... ok
DEBUG - test_ipv4_dynamic_groups (__main__.TestFirewall.test_ipv4_dynamic_groups) ... ok
DEBUG - test_ipv4_global_state (__main__.TestFirewall.test_ipv4_global_state) ... ok
DEBUG - test_ipv4_mask (__main__.TestFirewall.test_ipv4_mask) ... ok
DEBUG - test_ipv4_remote_group (__main__.TestFirewall.test_ipv4_remote_group) ... ok
DEBUG - test_ipv4_state_and_status_rules (__main__.TestFirewall.test_ipv4_state_and_status_rules) ... ok
DEBUG - test_ipv4_synproxy (__main__.TestFirewall.test_ipv4_synproxy) ... ok
DEBUG - test_ipv6_advanced (__main__.TestFirewall.test_ipv6_advanced) ... ok
DEBUG - test_ipv6_basic_rules (__main__.TestFirewall.test_ipv6_basic_rules) ... ok
DEBUG - test_ipv6_dynamic_groups (__main__.TestFirewall.test_ipv6_dynamic_groups) ... ok
DEBUG - test_ipv6_mask (__main__.TestFirewall.test_ipv6_mask) ... ok
DEBUG - test_ipv6_remote_group (__main__.TestFirewall.test_ipv6_remote_group) ... ok
DEBUG - test_nested_groups (__main__.TestFirewall.test_nested_groups) ... ok
DEBUG - test_remote_group (__main__.TestFirewall.test_remote_group) ... ok
DEBUG - test_source_validation (__main__.TestFirewall.test_source_validation) ... ok
DEBUG - test_sysfs (__main__.TestFirewall.test_sysfs) ... ok
DEBUG - test_timeout_sysctl (__main__.TestFirewall.test_timeout_sysctl) ... ok
DEBUG - test_zone_basic (__main__.TestFirewall.test_zone_basic) ... ok
DEBUG - test_zone_flow_offload (__main__.TestFirewall.test_zone_flow_offload) ... ok
DEBUG - test_zone_with_vrf (__main__.TestFirewall.test_zone_with_vrf) ... FAIL
DEBUG - 
DEBUG - ======================================================================
DEBUG - FAIL: test_zone_with_vrf (__main__.TestFirewall.test_zone_with_vrf)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG -   File "/usr/libexec/vyos/tests/smoke/cli/test_firewall.py", line 1078, in test_zone_with_vrf
DEBUG -     self.verify_nftables(nftables_search, 'ip vyos_filter')
DEBUG -   File "/usr/libexec/vyos/tests/smoke/cli/base_vyostest_shim.py", line 179, in verify_nftables
DEBUG -     self.assertTrue(not matched if inverse else matched, msg=search)
DEBUG - AssertionError: False is not true : ['oifname "eth0"', 'counter packets', 'jump VZONE_ZONE1']
DEBUG - 
DEBUG - ----------------------------------------------------------------------
DEBUG - Ran 28 tests in 126.922s
DEBUG - 
DEBUG - FAILED (failures=1)

@davi2367 davi2367 force-pushed the zbf-vrf branch 3 times, most recently from ce3614f to 4f03afb Compare June 16, 2025 11:38
@github-actions GitHub Actions
Copy link

Conflicts Found. This pull request has conflicts. Please resolve them before we can evaluate the pull request.

@github-actions GitHub Actions
Copy link

Conflicts Resolved. Conflicts have been resolved. A maintainer will review the pull request shortly.

@github-actions GitHub Actions
Copy link

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

@davi2367 davi2367 requested a review from sarthurdev June 30, 2025 11:01
dmbaturin
dmbaturin approved these changes Sep 16, 2025
View reviewed changes
Copy link
Member

@dmbaturin dmbaturin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I trust Alex's judgement and the code looks good to me.

@dmbaturin dmbaturin merged commit 3f58d52 into vyos:current Sep 16, 2025
13 of 14 checks passed
@github-actions GitHub Actions
Copy link


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

I have read the CLA Document and I hereby sign the CLA

David Vølker seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@vyosbot vyosbot added the mirror-initiated This PR initiated for mirror sync workflow label Sep 16, 2025
@vyosbot vyosbot added mirror-completed and removed mirror-initiated This PR initiated for mirror sync workflow labels Sep 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dmbaturin dmbaturin dmbaturin approved these changes

@c-po c-po Awaiting requested review from c-po

@sarthurdev sarthurdev Awaiting requested review from sarthurdev

Assignees

@davi2367 davi2367

Labels
bp/circinus Create automatic backport for circinus bp/sagitta Create automatic backport for sagitta LTS version current mirror-completed rebase
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@davi2367 @sever-sever @dmbaturin @sarthurdev @c-po @vyosbot