With the new firewall configuration it’s convenient to create rules using interface names.
For example, we can create a couple of custom chains for the input filter, one for LAN and another one for WAN, with completely different rules, and jump to them depending on which interface the traffic arrives on.
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 100 action 'jump'
set firewall ipv4 input filter rule 100 inbound-interface interface-name 'eth0'
set firewall ipv4 input filter rule 100 jump-target 'From-WAN'
set firewall ipv4 input filter rule 110 action 'jump'
set firewall ipv4 input filter rule 110 inbound-interface interface-name 'eth1'
set firewall ipv4 input filter rule 110 jump-target 'From-LAN'
set firewall ipv4 input filter rule 120 action 'jump'
set firewall ipv4 input filter rule 120 inbound-interface interface-name 'eth2'
set firewall ipv4 input filter rule 120 jump-target 'From-LAN'
set firewall ipv4 name From-WAN default-action 'drop'
set firewall ipv4 name From-WAN description 'WAN to inside'
set firewall ipv4 name From-WAN rule 100 action 'accept'
set firewall ipv4 name From-WAN rule 100 destination port '22'
set firewall ipv4 name From-WAN rule 100 protocol 'tcp'
set firewall ipv4 name From-WAN rule 100 source group address-group 'SSH_TRUSTED'
set firewall ipv4 name From-LAN default-action 'drop'
set firewall ipv4 name From-LAN rule 110 action 'accept'
set firewall ipv4 name From-LAN rule 110 description 'OSPF allow'
set firewall ipv4 name From-LAN rule 110 protocol 'ospf'
set firewall ipv4 name From-LAN rule 110 source group address-group 'OSPF_TRUSTED'
This works fine, until we add interfaces eth1 and eth2 to the VRF. Then suddenly input filter rule 110 and input filter rule 120 never match. It’s because Linux creates a new interface for the VRF, and all included interfaces become child interfaces of this newly created VRF interface. From the VyOS firewall point of view all packets coming from eth1 and eth2 are coming from the VRF-MyName interface (the interface name is the same as the name of the VRF).
That’s not obvious and not documented, but it has already been discussed here: T3933 "The firewall does not filter incoming traffic on the interface with vrf" (vyos.dev). Anyway, we can replace rules 110 and 120 with a new rule:
set firewall ipv4 input filter rule 110 action 'jump'
set firewall ipv4 input filter rule 110 inbound-interface interface-name 'VRF-MyName'
set firewall ipv4 input filter rule 110 jump-target 'From-LAN'
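A small audit that catches exactly this mistake before commit, added here as an example (not part of the original post or of VyOS): it parses a list of set commands and flags every firewall rule whose interface-name match refers to an interface that is also a VRF member, since such a rule will never match. The sample config is constructed; it assumes the VyOS syntax `set vrf name <vrf> member interface <ifname>` for VRF membership.

```python
"""Flag VyOS firewall rules keyed on an interface that is enslaved to a VRF."""
import re

# Constructed sample: VRF membership for eth1/eth2 plus the input-filter
# jump rules from the post (only the interface-name lines matter here).
SAMPLE_CONFIG = """
set vrf name VRF-MyName table '100'
set vrf name VRF-MyName member interface 'eth1'
set vrf name VRF-MyName member interface 'eth2'
set firewall ipv4 input filter rule 100 inbound-interface interface-name 'eth0'
set firewall ipv4 input filter rule 110 inbound-interface interface-name 'eth1'
set firewall ipv4 input filter rule 120 inbound-interface interface-name 'eth2'
"""

VRF_MEMBER = re.compile(r"^set vrf name (\S+) member interface '?([^']+)'?$")
IFACE_RULE = re.compile(
    r"^set firewall (ipv4|ipv6) (.+?) rule (\d+) (inbound|outbound)-interface "
    r"interface-name '?([^']+)'?$"
)


def vrf_of_interface(lines):
    """Map each member interface name to the VRF it belongs to."""
    members = {}
    for line in lines:
        m = VRF_MEMBER.match(line.strip())
        if m:
            members[m.group(2)] = m.group(1)
    return members


def find_shadowed_rules(config_text):
    """Return (rule path, interface, vrf) for every rule that matches on a
    VRF member interface. The kernel enslaves members to the VRF device, so
    the firewall sees their traffic arriving on the VRF interface instead."""
    lines = config_text.strip().splitlines()
    members = vrf_of_interface(lines)
    findings = []
    for line in lines:
        m = IFACE_RULE.match(line.strip())
        if m and m.group(5) in members:
            iface = m.group(5)
            rule = f"firewall {m.group(1)} {m.group(2)} rule {m.group(3)}"
            findings.append((rule, iface, members[iface]))
    return findings


if __name__ == "__main__":
    for rule, iface, vrf in find_shadowed_rules(SAMPLE_CONFIG):
        print(f"{rule}: matches '{iface}', which is a member of VRF '{vrf}'; "
              f"match interface-name '{vrf}' instead")
```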
Now the firewall works fine, until you reboot the router. After rebooting, the firewall configuration is not applied. When entering configuration mode from the CLI there is a message:
WARNING: There was a config error on boot: saving the configuration now could overwrite data.
You may want to check and reload the boot config
Executing load config.boot and commit fixes the firewall. The issue happens because the firewall rules are applied before the VRF interface is created (there is no VRF interface in /sys/class/net/ at that point).