
T6723: firewall: extend op-mode commands #4084

Merged: 1 commit, Sep 18, 2024

Conversation

nicolas-fort
Contributor

Change Summary

Extend op-mode commands <show firewall ..> and <show log firewall ..> in order to match all chains/priorities

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

firewall

Proposed changes

How to test

IPv4 test:

vyos@bridge:~$ show firewall ipv4 prerouting raw
Ruleset Information

---------------------------------
ipv4 Firewall "prerouting raw"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  -------------------------------------------------------
10       accept    icmp                2      168  meta l4proto icmp  prefix "[ipv4-PRE-raw-10-A]"  accept
default  drop      all               913   297958

vyos@bridge:~$ show log firewall ipv4 prerouting raw 
Sep 18 13:52:45 kernel: [ipv4-PRE-raw-10-A]IN=eth0 OUT= MAC=50:00:00:01:00:00:4c:d5:77:c0:19:81:08:00 SRC=192.168.77.14 DST=192.168.77.24 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39884 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1 
Sep 18 13:52:46 kernel: [ipv4-PRE-raw-10-A]IN=eth0 OUT= MAC=50:00:00:01:00:00:4c:d5:77:c0:19:81:08:00 SRC=192.168.77.14 DST=192.168.77.24 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=40793 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=2 
vyos@bridge:~$ show log firewall ipv4 prerouting raw rule 
Possible completions:
  10                    Show log for a rule in the specified firewall

      
vyos@bridge:~$ show log firewall ipv4 prerouting raw rule 20
vyos@bridge:~$ show log firewall ipv4 prerouting raw rule 10
Sep 18 13:52:45 kernel: [ipv4-PRE-raw-10-A]IN=eth0 OUT= MAC=50:00:00:01:00:00:4c:d5:77:c0:19:81:08:00 SRC=192.168.77.14 DST=192.168.77.24 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39884 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1 
Sep 18 13:52:46 kernel: [ipv4-PRE-raw-10-A]IN=eth0 OUT= MAC=50:00:00:01:00:00:4c:d5:77:c0:19:81:08:00 SRC=192.168.77.14 DST=192.168.77.24 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=40793 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=2 
vyos@bridge:~$

And bridge test:

vyos@bridge:~$ show firewall bridge prerouting filter
Ruleset Information

---------------------------------
bridge Firewall "prerouting filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ------------------------------------------------------------------------
10       jump      all                 3      150  iifname @I_br0-ifaces  prefix "[bri-PRE-filter-10-J]"  jump NAME_br0-pre
20       jump      all                 0        0  iifname @I_br1-ifaces  jump NAME_br1-pre
30       jump      all                 0        0  iifname @I_br2-ifaces  jump NAME_br2-pre
default  drop      all                 0        0

vyos@bridge:~$ show log firewall bridge prerouting 
Sep 18 13:53:40 kernel: [bri-PRE-filter-10-J]IN=eth1 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=00:50:79:66:68:02 IPSRC=10.0.0.12 MACDST=ff:ff:ff:ff:ff:ff IPDST=10.0.0.11
Sep 18 13:53:41 kernel: [bri-PRE-filter-10-J]IN=eth1 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=00:50:79:66:68:02 IPSRC=10.0.0.12 MACDST=ff:ff:ff:ff:ff:ff IPDST=10.0.0.11
Sep 18 13:53:42 kernel: [bri-PRE-filter-10-J]IN=eth1 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=00:50:79:66:68:02 IPSRC=10.0.0.12 MACDST=ff:ff:ff:ff:ff:ff IPDST=10.0.0.11
vyos@bridge:~$ show log firewall bridge prerouting filter rule 
Possible completions:
  10                    Show log for a rule in the specified firewall
  20
  30
      
vyos@bridge:~$ show log firewall bridge prerouting filter rule 20
vyos@bridge:~$ show log firewall bridge prerouting filter rule 10
Sep 18 13:53:40 kernel: [bri-PRE-filter-10-J]IN=eth1 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=00:50:79:66:68:02 IPSRC=10.0.0.12 MACDST=ff:ff:ff:ff:ff:ff IPDST=10.0.0.11
Sep 18 13:53:41 kernel: [bri-PRE-filter-10-J]IN=eth1 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=00:50:79:66:68:02 IPSRC=10.0.0.12 MACDST=ff:ff:ff:ff:ff:ff IPDST=10.0.0.11
Sep 18 13:53:42 kernel: [bri-PRE-filter-10-J]IN=eth1 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=00:50:79:66:68:02 IPSRC=10.0.0.12 MACDST=ff:ff:ff:ff:ff:ff IPDST=10.0.0.11
vyos@bridge:~$ 

Smoketest result

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
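As an added illustration (not code from this PR or from vyos-1x): a small parser that filters kernel log lines by the log-prefix fields the extended op-mode command matches on, mimicking `show log firewall <family> <hook> <priority> [rule N]`. Reading the prefix `[ipv4-PRE-raw-10-A]` as family, hook, priority, rule number and action letter is inferred from the sample output above; the rule-20 bridge line and the unrelated line in the sample are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first two lines are taken from the PR's test output,
# the rule-20 line and the unrelated line are made up for the demonstration.
SAMPLE_LOG = """\
Sep 18 13:52:45 kernel: [ipv4-PRE-raw-10-A]IN=eth0 OUT= MAC=50:00:00:01:00:00:4c:d5:77:c0:19:81:08:00 SRC=192.168.77.14 DST=192.168.77.24 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39884 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
Sep 18 13:53:40 kernel: [bri-PRE-filter-10-J]IN=eth1 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=00:50:79:66:68:02 IPSRC=10.0.0.12 MACDST=ff:ff:ff:ff:ff:ff IPDST=10.0.0.11
Sep 18 13:53:41 kernel: [bri-PRE-filter-20-J]IN=eth2 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=00:50:79:66:68:03 IPSRC=10.0.0.13 MACDST=ff:ff:ff:ff:ff:ff IPDST=10.0.0.11
Sep 18 13:53:42 kernel: eth0: link becomes ready
"""

# Prefix layout [family-HOOK-priority-rule-ACTION]; the field meaning is an
# inference from the PR's output (A = accept, J = jump), not a documented spec.
PREFIX_RE = re.compile(
    r"\[(?P<family>[a-z0-9]+)-(?P<hook>[A-Z]+)-(?P<priority>[a-z]+)"
    r"-(?P<rule>\d+)-(?P<action>[A-Z])\]"
)
# KEY=VALUE tokens; bare flags such as DF or ARP carry no '=' and are skipped.
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


@dataclass
class FwLogEntry:
    timestamp: str
    family: str
    hook: str
    priority: str
    rule: int
    action: str
    fields: list  # ordered (key, value) pairs; ID repeats for ICMP echo lines

    def first(self, key):
        """First value for a key (IP header ID precedes the ICMP echo ID)."""
        return next((v for k, v in self.fields if k == key), None)


def parse_line(line):
    """Return an FwLogEntry for a firewall kernel log line, else None."""
    m = PREFIX_RE.search(line)
    if not m or " kernel:" not in line:
        return None
    timestamp = line.split(" kernel:", 1)[0]
    return FwLogEntry(timestamp, m["family"], m["hook"], m["priority"],
                      int(m["rule"]), m["action"], KV_RE.findall(line[m.end():]))


def show_log(lines, family, hook, priority, rule=None):
    """Filter like the op-mode command: family, hook, priority, optional rule."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e and (e.family, e.hook, e.priority) == (family, hook, priority):
            if rule is None or e.rule == rule:
                out.append(e)
    return out
```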

…ow log firewall ..> in order to match all chains/priorities
No issues in PR Title / Commit Title

@c-po c-po merged commit ff0c3b8 into vyos:current Sep 18, 2024
15 of 17 checks passed
@c-po
Member

c-po commented Sep 18, 2024

@nicolas-fort backport to sagitta and circinus?

@nicolas-fort
Contributor Author

@nicolas-fort backport to sagitta and circinus?

Neither Sagitta nor Circinus has received backports for the new structure under bridge firewall.

Labels
Development