Assigning ipv6-name to interface is not generating nftables rules
Closed, ResolvedPublicBUG
Actions

Assigned To

None

Authored By

	artooro
	Jan 20 2022, 5:19 PM

Description

When creating an IPv6 firewall and assigning it to an interface, VyOS creates a chain with the name of the firewall, but it is not actually inserted into the VYOS_FW6_LOCAL chain.
The chain should contain something like:
iifname "eth1" counter packets 68105 bytes 39399923 jump LAN-LOCAL-v6
but it does not.

Config

interfaces {
    ethernet eth1 {
        address 2001:db8:1::1/64
        description LAN
        firewall {
            local {
                ipv6-name LAN-LOCAL-v6
            }
        }
    }
}

nftables rules actually applied

sudo nft list ruleset

table ip6 filter {
	chain VYOS_FW6_FORWARD {
		type filter hook forward priority filter; policy accept;
		jump VYOS_POST_FW6
	}

	chain VYOS_FW6_LOCAL {
		type filter hook input priority filter; policy accept;
		jump VYOS_POST_FW6
	}

	chain VYOS_FW6_OUTPUT {
		type filter hook output priority filter; policy accept;
		jump VYOS_POST_FW6
	}

	chain VYOS_POST_FW6 {
		return
	}

	chain VYOS_FRAG6_MARK {
		type filter hook prerouting priority -450; policy accept;
		exthdr frag exists meta mark set 0x000ffff1 return
	}

	chain LAN-LOCAL-v6 {
		ct state { established, related } counter packets 0 bytes 0 return comment "LAN-LOCAL-v6-1"
		counter packets 0 bytes 0 drop comment "LAN-LOCAL-v6 default-action drop"
	}
}

Details

Version: VyOS 1.4-rolling-202201190447
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

artooro created this task.Jan 20 2022, 5:19 PM

artooro added a project: VyOS 1.4 Sagitta.Jan 20 2022, 5:25 PM

I can't reproduce this issue on latest rolling

vyos@vyos# set firewall ipv6-name LAN-LOCAL-v6 default-action drop
[edit]
vyos@vyos# set int eth eth1 firewall local ipv6-name LAN-LOCAL-v6
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# sudo nft list table ip6 filter
table ip6 filter {
        chain VYOS_FW6_FORWARD {
                type filter hook forward priority filter; policy accept;
                jump VYOS_POST_FW6
        }

        chain VYOS_FW6_LOCAL {
                type filter hook input priority filter; policy accept;
                iifname "eth1" counter packets 0 bytes 0 jump LAN-LOCAL-v6
                jump VYOS_POST_FW6
        }

        chain VYOS_FW6_OUTPUT {
                type filter hook output priority filter; policy accept;
                jump VYOS_POST_FW6
        }

        chain VYOS_POST_FW6 {
                return
        }

        chain VYOS_FRAG6_MARK {
                type filter hook prerouting priority -450; policy accept;
                exthdr frag exists meta mark set 0x000ffff1 return
        }

        chain LAN-LOCAL-v6 {
                counter packets 0 bytes 0 drop comment "LAN-LOCAL-v6 default-action drop"
        }
}

Confirmed, I just built a new image using 1.4-rolling-202201212148 and I can no longer reproduce the issue.

artooro closed this task as Resolved.Jan 21 2022, 10:35 PM

Assigning ipv6-name to interface is not generating nftables rulesClosed, ResolvedPublicBUGActions

Description

Details

Event Timeline

Assigning ipv6-name to interface is not generating nftables rules
Closed, ResolvedPublicBUG
Actions