firewall: T7739: Default ruleset for firewall zones #4672
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In large networks with many zones where simple allow/deny rules are not sufficient,
zones become tedious to manage. Many use cases can be simplified by providing an
ability to define a default ruleset for traffic from other zones. This change proposes
adding the follwing syntax:
set firewall zone <name> default_firewall name <name>
set firewall zone <name> default_firewall ipv6_name <name>
The proposed behavior is the following:
local in:
The default firewall ruleset for the local zone will be appended after all
from configurations.
local out:
If a non-local zone does not have a from local ruleset but does have a
default_firewall ruleset, the default_firewall ruleset will be appended using
oifname
forward:
The default firewall ruleset for the zone will be appended after all from
configurations
To keep the behavior consistent with from ruleset configurations, a return is appended
after the default_firewall ruleset.
The proposed behavior differs slightly from the default_policy configuration for the
local out chains. The default_policy applied in the out templates comes from the local
zone, not the actual outbound zone. The proposed change does not amend this, but does
make default_firewall logically consistent with the intent of the out rules.
|
All contributors have signed the CLA ✍️ ✅ |
|
👍 |
|
CI integration 👍 passed! Details
|
|
I have read the CLA Document and I hereby sign the CLA |
vyosbot
added a commit
to vyos/vyos-cla-signatures
that referenced
this pull request
Sep 2, 2025
There was a problem hiding this comment.
Pull Request Overview
This PR implements default firewall rulesets for firewall zones, allowing administrators to define fallback rules that apply when specific zone-to-zone rules are not configured. This simplifies management of large networks with many zones by reducing the need to explicitly configure rules between every zone pair.
Key changes:
- Adds
default-firewallconfiguration syntax for zones with IPv4 and IPv6 ruleset options - Implements logic to apply default rulesets when explicit zone-to-zone rules are absent
- Updates nftables templates to generate appropriate rules for default firewall behavior
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/conf_mode/firewall.py | Adds configuration parsing and validation for default firewall rulesets |
| interface-definitions/firewall.xml.in | Defines XML schema for new default-firewall configuration node |
| data/templates/firewall/nftables-zone.j2 | Updates nftables template to generate rules for default firewall behavior |
| smoketest/scripts/cli/test_firewall.py | Adds comprehensive test case validating default firewall functionality |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Comment on lines
+431
to
+453
| <node name="default-firewall"> | ||
| <properties> | ||
| <help>Default firewall options for traffic coming into this zone</help> | ||
| </properties> | ||
| <children> | ||
| <leafNode name="ipv6-name"> | ||
| <properties> | ||
| <help>IPv6 firewall ruleset</help> | ||
| <completionHelp> | ||
| <path>firewall ipv6 name</path> | ||
| </completionHelp> | ||
| </properties> | ||
| </leafNode> | ||
| <leafNode name="name"> | ||
| <properties> | ||
| <help>IPv4 firewall ruleset</help> | ||
| <completionHelp> | ||
| <path>firewall ipv4 name</path> | ||
| </completionHelp> | ||
| </properties> | ||
| </leafNode> | ||
| </children> | ||
| </node> |
There was a problem hiding this comment.
The indentation uses tabs instead of spaces, which is inconsistent with the surrounding XML. The file appears to use 2-space indentation consistently elsewhere.
Suggested change
| <node name="default-firewall"> | |
| <properties> | |
| <help>Default firewall options for traffic coming into this zone</help> | |
| </properties> | |
| <children> | |
| <leafNode name="ipv6-name"> | |
| <properties> | |
| <help>IPv6 firewall ruleset</help> | |
| <completionHelp> | |
| <path>firewall ipv6 name</path> | |
| </completionHelp> | |
| </properties> | |
| </leafNode> | |
| <leafNode name="name"> | |
| <properties> | |
| <help>IPv4 firewall ruleset</help> | |
| <completionHelp> | |
| <path>firewall ipv4 name</path> | |
| </completionHelp> | |
| </properties> | |
| </leafNode> | |
| </children> | |
| </node> | |
| <node name="default-firewall"> | |
| <properties> | |
| <help>Default firewall options for traffic coming into this zone</help> | |
| </properties> | |
| <children> | |
| <leafNode name="ipv6-name"> | |
| <properties> | |
| <help>IPv6 firewall ruleset</help> | |
| <completionHelp> | |
| <path>firewall ipv6 name</path> | |
| </completionHelp> | |
| </properties> | |
| </leafNode> | |
| <leafNode name="name"> | |
| <properties> | |
| <help>IPv4 firewall ruleset</help> | |
| <completionHelp> | |
| <path>firewall ipv4 name</path> | |
| </completionHelp> | |
| </properties> | |
| </leafNode> | |
| </children> | |
| </node> |
Copilot uses AI. Check for mistakes.
| {% endif %} | ||
| {% if 'vrf' in zone[from_zone].member %} | ||
| {% for vrf_name in zone[from_zone].member.vrf %} | ||
| oifname { "{{ zone[from_zone]['vrf_interfaces'][vrf_name] }}" } counter jump NAME{{ suffix }}_{{ from_conf[fw_name] }} |
There was a problem hiding this comment.
The template uses double quotes around the VRF interface name, but other interface references in the template use bare names without quotes. This inconsistency could cause nftables syntax errors or unexpected behavior.
Copilot uses AI. Check for mistakes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In large networks with many zones where simple allow/deny rules are not sufficient, zones become tedious to manage. Many use cases can be simplified by providing an ability to define a default ruleset for traffic from other zones. This change proposes adding the follwing syntax:
set firewall zone default_firewall name
set firewall zone default_firewall ipv6_name
The proposed behavior is the following:
To keep the behavior consistent with from ruleset configurations, a return is appended after the default_firewall ruleset.
The proposed behavior differs slightly from the default_policy configuration for the local out chains. The default_policy applied in the out templates comes from the local zone, not the actual outbound zone. The proposed change does not amend this, but does make default_firewall logically consistent with the intent of the out rules.
Change summary
Types of changes
Related Task(s)
https://vyos.dev/T7739
Related PR(s)
How to test / Smoketest result
Added additional firewall smoketest case to validate. All smoke tests are passing.
Checklist: