How to replace ipset on VyOS 1.4

Hi All,
As we know, from VyOS 1.3 to VyOS 1.4 the firewall implementation moved from iptables to nftables, and then the ipset command disappeared.

How can I replace the ipset command to quickly add networks into a firewall group?

# On VyOS 1.3
set firewall group network-group MY-NETWORK-GROUP

# Write a lot of networks in a file, one per line
#/config/MY-NETWORK-GROUP-LIST.txt

#Loading firewall group with ipset
while read -r l; do sudo ipset add MY-NETWORK-GROUP "$l"; done < /config/MY-NETWORK-GROUP-LIST.txt

On VyOS 1.4 I can set the firewall networks directly with the command, but it is very slow: it takes 5 minutes to finish 8000 records.

My question is: how can I quickly load networks into a firewall group when the system boots on VyOS 1.4, just as with ipset?

1 Like

It is better to use your own table, because the firewall will rewrite all your addresses that weren't added via the CLI.

For example:

vyos@vyos2# cat test.nft 

add table mytable
flush table mytable

table ip mytable {
	set attackers {
		type ipv4_addr
		flags interval
		elements = { 192.0.2.0/24, 203.0.113.0/24 }
	}

	chain blacklist {
		type filter hook input priority filter - 10; policy accept;
		ip saddr @attackers drop
	}
}

and load it

sudo nft -f test.nft

I removed blacklist, since when it remains VyOS is not working.
But I can't read the firewall group list. I want to let it work with VyOS to set PBR.

add table mytable
flush table mytable

table ip mytable {
	set attackers {
		type ipv4_addr
		flags interval
		elements = { 192.0.2.0/24, 203.0.113.0/24 }
	}

}
run show firewall group
Firewall Groups

Name             Type           References    Members
---------------  -------------  ------------  ---------
mytable      network_group  N/A           N/A

Small lists are fine with such a script (Cloudflare list example):

#!/bin/vbash

# Needed so that config-mode commands (set/delete/commit) work from a script
source /opt/vyatta/etc/functions/script-template

# Re-exec under the vyattacfg group, otherwise config-mode commands fail
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

IPV4=$(curl -f https://www.cloudflare.com/ips-v4)
RC=$?   # save curl's exit code; $? would be overwritten by the test below
if [ "$RC" -eq 0 ]
then
  #clear source group
  delete firewall group network-group cloudflare4
  #create new list
  for IP in $IPV4
  do
    set firewall group network-group cloudflare4 network ${IP}
  done
  commit
else
  echo "Error: Cloudflare API URL returned $RC"
fi
exit

If the list didn't change much, it is very fast.

2 Likes

Personally I would avoid adding the IP addresses/ranges one by one through the VyOS config mode, because that will take AGES to complete (for very large rulesets) due to the overhead of loading Python etc. for each item to be added.

Hopefully this will be fixed in a future VyOS now that the firewall refactoring is complete.

That is, stuff regarding the firewall (and routing, aka stuff related to frr/zebra) should be added as a batch rather than line by line with all the overhead from Python etc. that adding it line by line brings us. With the current method a commit can take several minutes, which also impacts boot time (see this task regarding commit and boot times when more than a few hundred static routes are used: ⚓ T5388 Something is fishy with commit and boot times when more than a few hundred static routes are being used).

Probably I would just add one line statically and use that as a placeholder, modify a dump of the ruleset, and then load it back as a batch once my additions are completed.

But sure, the "proper" way is to avoid doing manual stuff behind the scenes and to use the VyOS config mode as suggested in the example by @spitfire2010, so the below should be seen as a possible workaround if such a situation occurs (or if you get already proper nft syntax from some source which you want to add to the firewall ruleset of VyOS):

# Export current ruleset.
sudo nft -s list ruleset > /config/ruleset.txt

# Add "flush ruleset" at top of the dump otherwise import will fail.
sudo sed -i '1s/^/flush ruleset\n\n/' /config/ruleset.txt

# Modify the exported ruleset...
*** modify the /config/ruleset.txt file ***

# Import the modified ruleset.
sudo nft -o -f /config/ruleset.txt

The above means that your full change is pushed as a batch and also atomically, so there should be no or minimal impact on the traffic itself when you update your custom ruleset.

To test/verify that everything went OK before actually loading, you can append -c to the command like so:

sudo nft -c -o -f /config/ruleset.txt

That is, first run the command with -c and, if everything went fine, run it again with -c removed.

The -o flag can be omitted if you don't want nft to optimize the ruleset when loading it (it will also inform you which optimizations it performs).

2 Likes
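A complete version of what the two replies above describe (a separate table and set of your own, rebuilt from a text list and loaded with nft -f as one transaction, with an nft -c dry run first) in place of the old per-line ipset loop. This is an added example for the thread, not code from any of the posts or from VyOS itself; the table name mytable, the set name attackers and the list path /config/MY-NETWORK-GROUP-LIST.txt are borrowed from the posts above as assumptions, and the sample list inside demo is constructed.

```shell
#!/bin/bash
# Added example, not code from any post in this thread or from VyOS: build an
# nftables set from a plain-text list of IPv4 networks and load it as a single
# transaction, replacing the old per-line "ipset add" loop. Table "mytable",
# set "attackers" and the list path are assumptions taken from the thread.
set -eu

# gen_nft_set LISTFILE TABLE SET
# Print an nft script that (1) creates the table and set if missing, (2) empties
# the set, (3) re-adds every entry from LISTFILE. Comments, blank lines,
# duplicates and anything that is not an IPv4 address or CIDR are skipped.
# nft -f applies the whole file atomically, so traffic never sees the set
# half-empty while it is being reloaded.
gen_nft_set() {
  local list="$1" table="$2" set="$3" elems
  [ -r "$list" ] || { echo "cannot read $list" >&2; return 1; }
  elems=$(grep -E '^[[:space:]]*[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?[[:space:]]*$' "$list" \
          | tr -d '[:blank:]' | sort -u | paste -s -d ',' - | sed 's/,/, /g')
  echo "add table ip $table"
  # auto-merge collapses overlapping or adjacent ranges so a sloppy list still loads
  echo "add set ip $table $set { type ipv4_addr; flags interval; auto-merge; }"
  echo "flush set ip $table $set"
  if [ -n "$elems" ]; then
    echo "add element ip $table $set { $elems }"
  fi
}

# load_nft_file FILE
# Dry run first (-c parses the file and checks it against the kernel without
# changing anything), and only then load it for real.
load_nft_file() {
  sudo nft -c -f "$1" && sudo nft -f "$1"
}

# demo: run the generator over a constructed sample list (not real data) so the
# output can be inspected without a router; prints the generated nft script.
demo() {
  local tmp
  tmp=$(mktemp)
  printf '%s\n' '# constructed sample list' '' '192.0.2.0/24' '203.0.113.0/24' \
    '198.51.100.7' '192.0.2.0/24' 'not-an-address' > "$tmp"
  gen_nft_set "$tmp" mytable attackers
  rm -f "$tmp"
}

# On the router you would run, for example:
#   gen_nft_set /config/MY-NETWORK-GROUP-LIST.txt mytable attackers > /config/attackers.nft
#   load_nft_file /config/attackers.nft
demo
```

To have the set rebuilt at boot, call the same two commands from /config/scripts/vyos-postconfig-bootup.script, which VyOS runs after the configuration has been loaded. Two caveats: nftables sets are scoped to their table, so rules that VyOS generates in its own tables cannot match on @attackers; the drop rule has to live in a chain of the same table, like the blacklist chain in the earlier reply. And because the whole list is one transaction, an entry that passes the filter but is still not a valid address (for example 999.1.1.1) makes nft -c reject the entire file and leaves the currently loaded set untouched, which is the behaviour you want.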

As a spinoff for this I have added a feature request regarding:

Add capability to use local and external dynamic-lists for firewall rules but also for various policies such as access-list, route-maps etc:

https://vyos.dev/T5493

3 Likes

Thanks for the mistake. But I tested on VyOS 1.3.3 and you know what? It works!

Instead of replacing the whole nft ruleset, why not use your own separate tables and chains,
and flush only them?
I wouldn't recommend flushing all chains, only if you know exactly what you are doing.
BTW, thanks to nft it should be an atomic operation.

2 Likes