troglobit (Contributor)

Description

This PR adds support for a basic zone-based firewall to Infix. It builds on top of firewalld using the concepts and limitations laid out in #448

Fixes #448

Checklist

Tick relevant boxes, this PR is-a or has-a:

  • Bugfix
    • Regression tests
    • ChangeLog updates (for next release)
  • Feature
    • YANG model change => revision updated?
    • Regression tests added?
    • ChangeLog updates (for next release)
    • Documentation added?
  • Test changes
    • Checked in changed Readme.adoc (make test-spec)
    • Added new test to group Readme.adoc and yaml file
  • Code style update (formatting, renaming)
  • Refactoring (please detail in commit messages)
  • Build related changes
  • Documentation content changes
    • ChangeLog updated (for major changes)
  • Other (please describe):

@troglobit troglobit added the ci:main Build default defconfig, not minimal label Aug 24, 2025
@troglobit troglobit force-pushed the fw branch 2 times, most recently from cf84a4c to 422e812 Compare August 25, 2025 06:40
Signed-off-by: Joachim Wiberg <[email protected]>
Used by infix-firewall.c when figuring out interfaces that are not
explicitly assigned to any zone.  Placing them in the default zone

Signed-off-by: Joachim Wiberg <[email protected]>
Add support for infix-firewall.yang, modeled on the zone-based firewalld
The terminology is a mix of firewalld, classic netfilter and inspired by
Ubiquity.  E.g., zone 'policy' -> 'action', and the zone matrix overview.

 - Port forwarding allows forwarding a range of ports
 - Operational data comes from firewalld active rules
 - Firewall logging goes to /var/log/firewall.log
 - Show implicit/built-in rules and zones (HOST) in firewall matrix,
   includes "locked" policy for the default-drop behavior
 - The zone services field in admin-exec 'show firewall' shows ANY when
   the zone default action is set to 'accept'
 - Zone 'forwarding' and 'masquerade' settings live in Infix in the
   policies instead, meaning users need to explicitly add a policy
   to allow both intra-zone and inter-zone forwarding
 - Support for emergency lockdown (kill switch)
 - Pre-defined services (xml+enums) are filtered and included as a
   separate YANG model, extensions added for netconf and restconf
 - Includes initial support for firewalld rich rules

firewalld policy rules, including rich rules, have an obnoxious priority
field which is extremely hard to get right, so in Infix we use the far
superior YANG construct 'ordered-by user;'.  This ensures all rules are
generated in that order by setting the priority field.  On read-back from
firewalld (operational) the priority field is used to sort the output
of rules in the CLI.

Note: instead of 'firewall-cmd --reload' we use a helper script so we
      don't block forever in Finit. The D-Bus API is *much* quicker.

Fixes #448

Signed-off-by: Joachim Wiberg <[email protected]>
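The ordered-by-user to priority mapping described in the commit message above, as an added illustration that is not part of the PR or of Infix's own code. It assumes the standard firewalld rich-rule syntax with an explicit `priority` attribute (lower values are matched first, range -32768 to 32767); the `Rule` type, the helper names and the sample rules are constructed for this example, and the parser only understands the rich-rule strings the example itself emits, not every form firewalld can read back.

```python
"""Derive firewalld rich-rule priorities from a user-ordered rule list
and sort read-back (operational) rules by that priority.

Constructed example for this PR discussion; not Infix or firewalld code."""

import re
from dataclasses import dataclass

# firewalld rich-rule priority range; lower values are evaluated first.
PRIO_MIN, PRIO_MAX = -32768, 32767


@dataclass(frozen=True)
class Rule:
    family: str   # "ipv4" or "ipv6"
    source: str   # source address/CIDR
    action: str   # "accept", "drop" or "reject"


def assign_priorities(rules, base=PRIO_MIN + 1, step=10):
    """Return (priority, rule) pairs that preserve the list order.

    Leaving a gap of `step` between consecutive rules lets a later edit
    slot in a rule without renumbering everything.  Raises if the list
    would run past the end of firewalld's priority range, which is the
    failure mode a generator must catch rather than silently wrap."""
    out = []
    for i, rule in enumerate(rules):
        prio = base + i * step
        if prio > PRIO_MAX:
            raise ValueError("too many rules for the firewalld priority range")
        out.append((prio, rule))
    return out


def rich_rule(prio, rule):
    """Render one firewalld rich rule with an explicit priority.

    Attribute order follows the documented syntax: family, then priority."""
    return (f'rule family="{rule.family}" priority="{prio}" '
            f'source address="{rule.source}" {rule.action}')


_KV = re.compile(r'(family|priority|source address)="([^"]*)"')


def parse_rich_rule(text):
    """Parse a rich rule emitted by rich_rule() back into (priority, Rule)."""
    kv = dict(_KV.findall(text))
    action = text.rsplit(" ", 1)[-1]          # final token is the action
    return int(kv["priority"]), Rule(kv["family"], kv["source address"], action)


def sort_operational(lines):
    """Order read-back rules by priority, as a CLI 'show' would do.

    Sorting by the priority key only (not the Rule itself) keeps the sort
    stable if two rules were ever read back with the same priority."""
    parsed = [parse_rich_rule(line) for line in lines]
    return [rule for _, rule in sorted(parsed, key=lambda pr: pr[0])]


if __name__ == "__main__":
    # Constructed sample: the order a user entered the rules in.
    configured = [
        Rule("ipv4", "10.0.0.0/8", "accept"),
        Rule("ipv4", "192.168.1.0/24", "drop"),
        Rule("ipv6", "::/0", "reject"),
    ]
    generated = [rich_rule(p, r) for p, r in assign_priorities(configured)]
    for line in generated:
        print(line)
    # firewalld may hand the rules back in any order; priority restores it.
    assert sort_operational(list(reversed(generated))) == configured
```

The point worth keeping in mind when reviewing this kind of generator is the overflow check: with a fixed step the number of rules that fit is bounded, so the generator should fail loudly at commit time rather than emit a priority firewalld will reject or clamp.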
Signed-off-by: Joachim Wiberg <[email protected]>
 - Drop 'local', not available in POSIX shell scripts
 - Check for an assortment of backup file combos
 - Simplify nested if-statements, skip whitelist first

Signed-off-by: Joachim Wiberg <[email protected]>
 - Sort packages alphabetically
 - Add nmap for firewall tests

Signed-off-by: Joachim Wiberg <[email protected]>
Linked issue: Support for basic firewall, NAT, IP masquerading, port forwarding