Hi All,
As we know, from VyOS 1.3 to VyOS 1.4 the firewall implementation moved from iptables to nftables, and with that the ipset command disappeared.
How can the ipset command be replaced to quickly add networks into a firewall group?
# On VyOS 1.3
set firewall group network-group MY-NETWORK-GROUP
# Write a lot of networks into a file, one per line:
#   /config/MY-NETWORK-GROUP-LIST.txt
# Load the firewall group with ipset, one entry per line of the file
while read -r net; do sudo ipset add MY-NETWORK-GROUP "$net"; done < /config/MY-NETWORK-GROUP-LIST.txt
On VyOS 1.4, I can set the firewall networks directly with the command, but it is very slow: it takes 5 minutes to finish 8000 records.
My question is: how can I quickly load networks into a firewall group at system boot on VyOS 1.4, just as I did with ipset?
1 Like
It is better to use your own table, because the firewall will rewrite all your addresses that weren't added via the CLI.
For example:
vyos@vyos2# cat test.nft
add table mytable
flush table mytable
table ip mytable {
    set attackers {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 203.0.113.0/24 }
    }
    chain blacklist {
        type filter hook input priority filter - 10; policy accept;
        ip saddr @attackers drop
    }
}
and load it
sudo nft -f test.nft
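The following shell script is an added example, not code from the thread or from VyOS, that turns a one-per-line list such as the /config/MY-NETWORK-GROUP-LIST.txt from the question into the own-table nft file shown above and loads it with nft -f, which is what a boot-time replacement for the old ipset loop needs. The table name mytable, set name attackers, the function names and the output path are assumptions; the hook /config/scripts/vyos-postconfig-bootup.script is VyOS's post-config boot script.

```bash
#!/bin/bash
# Added example, not code from the thread or from VyOS: build a stand-alone nftables
# table (the "own table" pattern above) from a plain-text list of networks and load it
# as one transaction with `nft -f`. Names are assumptions: table "mytable", set
# "attackers", list file /config/MY-NETWORK-GROUP-LIST.txt (one IPv4 address or CIDR
# per line, '#' comments allowed).

# Print a complete nft script for the list on stdout. This is pure text processing,
# so the result can be generated and inspected on a host without nftables.
build_nft_script() {
    local list="$1" table="${2:-mytable}" setname="${3:-attackers}" elems
    # Strip comments, blank lines and surrounding whitespace; keep only lines that look
    # like a dotted quad with an optional /prefix; join them as "a, b, c".
    elems=$(sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' "$list" \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
        | paste -s -d, - | sed 's/,/, /g')
    printf 'add table ip %s\n' "$table"     # idempotent: create the table if missing
    printf 'flush table ip %s\n' "$table"   # drop the previous elements before reloading
    printf 'table ip %s {\n' "$table"
    printf '    set %s {\n' "$setname"
    printf '        type ipv4_addr\n'
    printf '        flags interval\n'       # needed so CIDR prefixes are accepted as elements
    if [ -n "$elems" ]; then
        printf '        elements = { %s }\n' "$elems"
    fi
    printf '    }\n'
    printf '}\n'
}

# Generate the file, syntax-check it with `nft -c` (parses only, touches nothing), and
# only then load it. nftables applies the file as a single transaction, so a bad line
# leaves the old set in place instead of a half-loaded list. Run as root.
load_network_list() {
    local list="$1" out="${2:-/config/mytable.nft}"
    build_nft_script "$list" > "$out" || return 1
    nft -c -f "$out" || { echo "nft check failed, nothing loaded: $out" >&2; return 1; }
    nft -f "$out"
}

# Only act when a list path is given, e.g. from /config/scripts/vyos-postconfig-bootup.script:
#   load_network_list /config/MY-NETWORK-GROUP-LIST.txt
if [ -n "${1:-}" ]; then
    load_network_list "$1"
fi
```

Because the whole list arrives in one nft -f call, 8000 entries load in a single transaction instead of one commit per entry; a rule in your own table can then reference the set with ip saddr @attackers, as in the example above. Lines that are not an IPv4 address or prefix are silently dropped by the filter, so a stray comment or typo in the list cannot break the load.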
I removed the blacklist chain, since when it remains, VyOS is not working.
But I can't read the firewall group list. I want it to work with VyOS to set PBR.
add table mytable
flush table mytable
table ip mytable {
    set attackers {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 203.0.113.0/24 }
    }
}
run show firewall group
Firewall Groups
Name             Type             References   Members
---------------  ---------------  -----------  ---------
mytable          network_group    N/A          N/A
Small lists are fine with such a script (Cloudflare list example):
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
# Re-exec in the vyattacfg group so the configuration commands are allowed.
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f "$0") $*"
fi
# Fetch the current list; -f makes curl fail on HTTP errors.
IPV4=$(curl -f https://www.cloudflare.com/ips-v4)
RC=$?
if [ "$RC" -eq 0 ]
then
    # Clear the old group, then recreate it from the fetched list in one commit.
    delete firewall group network-group cloudflare4
    for IP in $IPV4
    do
        set firewall group network-group cloudflare4 network "${IP}"
    done
    commit
else
    echo "Error: Cloudflare API URL returned $RC"
fi
exit
If the list didn't change much, it is very fast.
2 Likes
Personally I would avoid adding the IP addresses/ranges one by one through the VyOS config mode, because that will take AGES to complete (for very large rulesets) due to the overhead of loading Python etc. for each item to be added.
Hopefully this will be fixed in a future VyOS now that the firewall refactoring is complete.
That is, stuff regarding the firewall (and routing, aka stuff related to frr/zebra) should be added as a batch rather than line by line with all the overhead from Python etc. which adding it line by line brings us - a commit can with the current method take several minutes, which also impacts boot time (see this task regarding commit and boot times when it comes to static route entries: T5388 Something is fishy with commit and boot times when more than a few hundred static routes are being used).
Probably I would just add one line statically and use that as a placeholder to modify a dump of the ruleset and then load it back as a batch once my additions are completed.
But sure, the "proper" way is to avoid doing manual stuff behind the scenes and to use the VyOS config mode as suggested in the example by @spitfire2010, so the below should be seen as a possible workaround if such a situation occurs (or if you already get proper nft syntax from some source which you want to add to the firewall ruleset of VyOS):
# Export current ruleset.
sudo nft -s list ruleset > /config/ruleset.txt
# Add "flush ruleset" at top of the dump otherwise import will fail.
sudo sed -i '1s/^/flush ruleset\n\n/' /config/ruleset.txt
# Modify the exported ruleset...
*** modify the /config/ruleset.txt file ***
# Import the modified ruleset.
sudo nft -o -f /config/ruleset.txt
The above means that your full change will be pushed as a batch, and also atomically, so there should be no or minimal impact on the traffic itself when you update your custom ruleset.
To test/verify if everything went ok before actually loading you can append -c to the syntax like so:
sudo nft -c -o -f /config/ruleset.txt
That is, first run the syntax with -c and if everything went fine, run it again with -c removed.
The -o option can be omitted if you don't want nft to optimize the ruleset when loading it (it will also inform you which optimizations it performs).
2 Likes
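The dump / edit / check / load workaround above, done as a script; this is an added example and not code from the thread or from VyOS. It assumes one placeholder member was added to the group through the CLI, so the dump contains a single-line `elements = { ... }` entry for that set; the script replaces that line with the full list, prepends `flush ruleset`, runs the `-c` check, and only then loads the whole dump as one batch. The set name N_MY-NETWORK-GROUP, the list path and the work file are assumptions (VyOS generates its own set names; read the real one from the dump).

```bash
#!/bin/bash
# Added example, not code from the thread or from VyOS: the dump / edit / check / load
# workaround above as a script. One placeholder member is added to the group through
# the CLI; this replaces the placeholder line in a `nft -s list ruleset` dump with the
# full list and reloads the whole dump as one atomic batch. Assumptions: the set name
# is taken from the dump (N_MY-NETWORK-GROUP below is assumed, not verified), the list
# file has one network per line with '#' comments, and the paths are examples.

# Print the patched ruleset on stdout: "flush ruleset" first (a dump cannot be
# re-imported without it), then the dump with the named set's elements rewritten.
patch_ruleset() {
    local dump="$1" setname="$2" list="$3" elems
    elems=$(grep -Ev '^[[:space:]]*(#|$)' "$list" | paste -s -d, - | sed 's/,/, /g')
    [ -n "$elems" ] || { echo "empty list, refusing to load: $list" >&2; return 1; }
    printf 'flush ruleset\n\n'
    awk -v setname="$setname" -v elems="$elems" '
        $1 == "set" && $2 == setname { in_set = 1; patched = 0 }   # entered the target set
        in_set && $1 == "elements" {                                # its placeholder line
            sub(/[{].*[}]/, "{ " elems " }"); patched = 1
        }
        in_set && $1 == "}" {                                       # leaving the set block
            if (!patched) print "\t\telements = { " elems " }"     # set had no members yet
            in_set = 0
        }
        { print }
    ' "$dump"
}

# Dump, patch, verify, load. `nft -c` parses the file without touching the kernel; the
# real load is a single transaction, so traffic never sees a half-applied ruleset.
# Run as root. As noted earlier in the thread, the next VyOS commit regenerates the
# ruleset and drops members not added via the CLI, so this must be re-run after commits.
reload_with_list() {
    local setname="$1" list="$2" work="${3:-/config/ruleset.txt}"
    nft -s list ruleset > "$work.orig" || return 1
    patch_ruleset "$work.orig" "$setname" "$list" > "$work" || return 1
    nft -c -f "$work" || { echo "nft check failed, nothing loaded: $work" >&2; return 1; }
    nft -f "$work"
}
# usage: reload_with_list N_MY-NETWORK-GROUP /config/MY-NETWORK-GROUP-LIST.txt
```

Only the named set is touched; every other set and chain in the dump is reproduced unchanged, and an empty list is refused rather than loaded, since replacing the whole ruleset with an empty group would silently drop the policy the group enforces.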
As a spinoff from this I have added a feature request regarding:
Add capability to use local and external dynamic lists for firewall rules but also for various policies such as access-lists, route-maps etc.:
https://vyos.dev/T5493
3 Likes
Thx for the mistake. But I tested on VyOS 1.3.3 and you know what? It works!
Instead of replacing the whole nft ruleset, why not use your own separate tables and chains?
And flush only them?
I wouldn't recommend flushing all chains. Only if you know exactly what you are doing.
BTW, thanks to nft it should be an atomic operation.
2 Likes