
conntrack: T4309: Allow to use address/network groups

Open sever-sever opened this issue 2 years ago • 6 comments

Change Summary

Ability to use IPv4 address and network groups in the conntrack ignore rules

Types of changes

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Code style update (formatting, renaming)
  • [ ] Refactoring (no functional changes)
  • [ ] Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • [ ] Other (please describe):

Related Task(s)

  • https://phabricator.vyos.net/T4309

Component(s) name

conntrack

Proposed changes

How to test

set firewall group address-group ADDR-GRP address '1.2.3.4'
set firewall group network-group MY-NET-GROUP network '192.0.2.0/24'
set system conntrack ignore rule 5 source address '100.64.0.0/24'
set system conntrack ignore rule 10 description 'R10-ignore'
set system conntrack ignore rule 10 source group network-group 'MY-NET-GROUP'
set system conntrack ignore rule 20 source group address-group 'ADDR-GRP'
set system conntrack ignore rule 30 destination group network-group 'MY-NET-GROUP'

Table ip raw:

table ip raw {
   ...
	set A_ADDR-GRP {
		type ipv4_addr
		flags interval
		elements = { 1.2.3.4 }
	}

	set N_MY-NET-GROUP {
		type ipv4_addr
		flags interval
		elements = { 192.0.2.0/24 }
	}

	chain VYOS_CT_IGNORE {
		ip saddr 100.64.0.0/24 counter notrack comment "ignore-5"
		ip saddr @N_MY-NET-GROUP counter notrack comment "ignore-10"
		ip saddr @A_ADDR-GRP counter notrack comment "ignore-20"
		ip daddr @N_MY-NET-GROUP counter notrack comment "ignore-30"
		return
	}
}

Checklist:

  • [x] I have read the CONTRIBUTING document
  • [x] I have linked this PR to one or more Phabricator Task(s)
  • [ ] I have run the components SMOKETESTS if applicable
  • [x] My commit headlines contain a valid Task id
  • [ ] My change requires a change to the documentation
  • [ ] I have updated the documentation accordingly

sever-sever avatar Aug 23 '22 01:08 sever-sever

You link two independent subsystems. This is something super rarely used in VyOS and I already feel some sort of pain. What happens if the firewall group is adjusted and addresses change? Who informs conntrack?

c-po avatar Aug 24 '22 17:08 c-po

You link two independent subsystems. This is something super rarely used in VyOS and I already feel some sort of pain. What happens if the firewall group is adjusted and addresses change? Who informs conntrack?

Sure, we should think about how to update groups. We already have something like this in set policy route FOO rule 10 source group network-group

The goal is to use groups in conntrack and later try to use groups in NAT. Does it make sense?

sever-sever avatar Aug 25 '22 13:08 sever-sever

@c-po I added groups_resync and resync_conntrack to the firewall

set firewall group address-group ADDR-GRP address '1.2.3.4'
set firewall group address-group ADDR-GRP address '5.4.3.2'
set firewall group address-group ADDR-GRP address '5.4.3.4'
set firewall group address-group ADDR-GRP address '5.4.3.5'
set firewall group address-group ADDR-GRP address '5.4.3.66'
set firewall group network-group MY-NET-GROUP network '203.0.113.0/24'

set system conntrack ignore rule 5 source address '100.64.0.0/24'
set system conntrack ignore rule 10 description 'R10-ignore'
set system conntrack ignore rule 10 source group network-group 'MY-NET-GROUP'
set system conntrack ignore rule 20 source group address-group 'ADDR-GRP'
set system conntrack ignore rule 30 destination group network-group 'MY-NET-GROUP'

Raw before delete

vyos@r14# sudo nft list table ip raw
table ip raw {
...
	set A_ADDR-GRP {
		type ipv4_addr
		flags interval
		elements = { 1.2.3.4, 5.4.3.2,
			     5.4.3.4, 5.4.3.5,
			     5.4.3.66 }
	}

	set N_MY-NET-GROUP {
		type ipv4_addr
		flags interval
		elements = { 203.0.113.0/24 }
	}

Delete some addresses from firewall address group

vyos@r14# delete firewall group address-group ADDR-GRP address 5.4.3.66 
[edit]
vyos@r14# delete firewall group address-group ADDR-GRP address 5.4.3.5
[edit]
vyos@r14# delete firewall group address-group ADDR-GRP address 5.4.3.4
[edit]
vyos@r14# set firewall group network-group MY-NET-GROUP network 192.0.2.0/24
[edit]
vyos@r14# commit
[edit]
vyos@r14# 

Check firewall again (do not expect deleted addresses):

vyos@r14# sudo nft list table ip raw
table ip raw {
...
	set A_ADDR-GRP {
		type ipv4_addr
		flags interval
		elements = { 1.2.3.4, 5.4.3.2 }
	}

	set N_MY-NET-GROUP {
		type ipv4_addr
		flags interval
		elements = { 192.0.2.0/24, 203.0.113.0/24 }
	}

sever-sever avatar Aug 29 '22 09:08 sever-sever
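The mapping visible in the PR's nft output (a referenced address-group becomes an `A_` set, a network-group an `N_` set, and the ignore rule matches `@set` instead of a literal address), together with the resync question raised in the review, as an added example that is not code from this PR or from vyos-1x: a toy Python model that parses the `set` commands, checks at verify time that every group an ignore rule references exists, renders the raw table, and emits the nft element commands a resync step has to issue when the firewall group changes after commit. The function names `parse_config`, `verify`, `render_raw_table` and `resync_group` are assumptions; none of this is vyos-1x's own `groups_resync` or `resync_conntrack`, and the configuration text is constructed from the commands shown in the PR.

```python
import ipaddress

# Constructed sample configuration, echoing the "How to test" commands in the PR.
SAMPLE_CONFIG = """
set firewall group address-group ADDR-GRP address '1.2.3.4'
set firewall group address-group ADDR-GRP address '5.4.3.2'
set firewall group network-group MY-NET-GROUP network '203.0.113.0/24'
set system conntrack ignore rule 5 source address '100.64.0.0/24'
set system conntrack ignore rule 10 description 'R10-ignore'
set system conntrack ignore rule 10 source group network-group 'MY-NET-GROUP'
set system conntrack ignore rule 20 source group address-group 'ADDR-GRP'
set system conntrack ignore rule 30 destination group network-group 'MY-NET-GROUP'
"""

# Set-name prefixes as they appear in the PR's "nft list table ip raw" output.
SET_PREFIX = {'address-group': 'A_', 'network-group': 'N_'}


def parse_config(text):
    """Turn 'set ...' lines into (groups, rules); a toy parser, not the VyOS config backend."""
    groups = {'address-group': {}, 'network-group': {}}
    rules = {}
    for line in text.strip().splitlines():
        toks = [t.strip("'") for t in line.split()]
        if toks[:3] == ['set', 'firewall', 'group']:
            kind, name, value = toks[3], toks[4], toks[6]
            groups[kind].setdefault(name, []).append(value)
        elif toks[:5] == ['set', 'system', 'conntrack', 'ignore', 'rule']:
            rule = rules.setdefault(int(toks[5]), {})
            if toks[6] == 'description':
                rule['description'] = toks[7]
            elif toks[7] == 'address':           # ... rule N source address X
                rule[toks[6]] = ('address', toks[8])
            elif toks[7] == 'group':             # ... rule N source group <kind> <name>
                rule[toks[6]] = ('group', toks[8], toks[9])
    return groups, rules


def verify(groups, rules):
    """Commit-time check: every group an ignore rule references must exist.
    This is the cross-subsystem dependency the review comment points at."""
    errors = []
    for num, rule in sorted(rules.items()):
        for side in ('source', 'destination'):
            match = rule.get(side)
            if match and match[0] == 'group' and match[2] not in groups[match[1]]:
                errors.append(f'ignore rule {num}: {side} {match[1]} "{match[2]}" is not defined')
    return errors


def render_raw_table(groups, rules):
    """Render the sets and VYOS_CT_IGNORE chain in the layout the PR shows."""
    lines = ['table ip raw {']
    for kind, prefix in SET_PREFIX.items():
        for name, members in groups[kind].items():
            # nft prints interval sets in address order; sort the same way.
            elems = ', '.join(sorted(members, key=ipaddress.ip_network))
            lines += [f'\tset {prefix}{name} {{', '\t\ttype ipv4_addr',
                      '\t\tflags interval', f'\t\telements = {{ {elems} }}', '\t}']
    lines.append('\tchain VYOS_CT_IGNORE {')
    for num in sorted(rules):
        match = []
        for side, key in (('source', 'saddr'), ('destination', 'daddr')):
            spec = rules[num].get(side)
            if spec is None:
                continue
            if spec[0] == 'address':
                match.append(f'ip {key} {spec[1]}')
            else:
                match.append(f'ip {key} @{SET_PREFIX[spec[1]]}{spec[2]}')
        lines.append(f'\t\t{" ".join(match)} counter notrack comment "ignore-{num}"')
    lines += ['\t\treturn', '\t}', '}']
    return '\n'.join(lines)


def resync_group(groups, kind, name, add=(), remove=()):
    """Apply a firewall group edit and return the nft commands that bring the
    raw-table set back in line with it (constructed illustration of what a
    resync step must do; not vyos-1x's groups_resync)."""
    members = groups[kind][name]
    set_name = SET_PREFIX[kind] + name
    cmds = []
    for value in remove:
        members.remove(value)
        cmds.append(f'delete element ip raw {set_name} {{ {value} }}')
    for value in add:
        members.append(value)
        cmds.append(f'add element ip raw {set_name} {{ {value} }}')
    return cmds


if __name__ == '__main__':
    groups, rules = parse_config(SAMPLE_CONFIG)
    assert not verify(groups, rules)
    print(render_raw_table(groups, rules))
    # The firewall group changes after commit; conntrack's set must follow it.
    for cmd in resync_group(groups, 'address-group', 'ADDR-GRP',
                            remove=['5.4.3.2'], add=['5.4.3.66']):
        print('nft', cmd)
    print(render_raw_table(groups, rules))
    # Deleting a group an ignore rule still references must be refused at verify.
    del groups['network-group']['MY-NET-GROUP']
    print('\n'.join(verify(groups, rules)))
```

The `verify` step is the half of the problem that a resync hook cannot solve on its own: once conntrack rules reference firewall groups, removing a group (or renaming it) has to fail at commit time while any `system conntrack ignore` rule still points at it, otherwise the `@set` reference in the raw table dangles.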

This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions[bot] avatar Aug 31 '22 05:08 github-actions[bot]

Conflicts have been resolved. A maintainer will review the pull request shortly.

github-actions[bot] avatar Aug 31 '22 09:08 github-actions[bot]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions[bot] avatar Sep 14 '22 10:09 github-actions[bot]

Closing it: the firewall was rewritten and there were several changes, so the PR is no longer current in this form and has conflicts.

sever-sever avatar Nov 20 '22 22:11 sever-sever