Source address validation

What is the current (as of 1.4) VyOS CLI equivalent of:

iptables -t raw -I PREROUTING -i $iface -s $prefix -j DROP

Ideally, single rule for a set of a few prefixes (my local IPs, both v4 and v6) and a set of a few interfaces (VLANs that connect my routers with BGP sessions to the outside world via an IXP), to block spoofing my IP ranges in traffic coming from outside - is this possible?

⚓ T2060 source-validation will be configured at different locations and could lead to massive confusion where this was discussed is closed as no longer relevant, but I couldn’t find this in the documentation (no mention of the “raw” table).

I’m still running 1.3.x, preparing to upgrade to 1.4 soon.

I migrated from 1.3 to 1.4 and this is what’s ended up in my config.

set interfaces ethernet eth1 ip source-validation 'strict'

Replying to myself, but interestingly this doesn’t seem to have worked/done anything:

tim@ferrari:/proc/sys/net/ipv4/conf/eth1$ sudo cat /proc/sys/net/ipv4/conf/eth1/rp_filter 
0

I don’t think rp_filter is useful here, because of possible asymmetric routing. I have 2 routers in 2 different locations, OSPF and iBGP between them, eBGP from each one to 2 different upstreams. Traffic from/to some outside prefixes can route through different paths and that shouldn’t be blocked. But no traffic from outside should have my own prefixes as source address. It would be good to block such spoofed packets without blocking valid just asymmetric routed traffic.

Aren’t you just after loose rpf?

Probably because VyOS nowadays uses nftables for uRPF instead of kernel parameters.

Using nftables also had the advantage that it will work for both IPv4 and IPv6 since the kernel parameters only supports rp_filter for IPv4 (as I recall it).

Ohhhhhhhhh

I’m an idiot!!!

I’m sorry, I’ll close that phab.

uRPF strict should cover this (since it will match if routing the packet in the other direction would match the now ingress interface) but if you use uRPF loose that will only look for the default and since your default probably points to transit or IX that will be a source of spoofed traffic that uses your own IP-ranges as srcip.

What I think OP is asking for is how to fulfill BCP38 at ISP level with an explicit firewall rule.

That is the customers should only be able to use their assign IP (no matter if its static or dynamic) but the same goes when you peer over an IX (or is connected to a transit) where you want to drop incoming traffic from external peer that send you traffic using your IP-ranges as srcip (to protect your customers from spoofed and reflective DDoS etc).

Here is the execution code path for nftables:

https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

The example of iptables -t raw -I PREROUTING -i $iface -s $prefix -j DROP is to drop bad packets as soon as possible which is done by acting on table raw and the PREROUTING chain (as few CPU cycles as possible will then be used).

According to the manual Im not sure if VyOS exposes the PREROUTING table:

https://docs.vyos.io/en/latest/configuration/firewall/ipv4.html
https://docs.vyos.io/en/latest/configuration/firewall/ipv6.html

The below should be equal to what OP is asking:

set firewall ipv4 forward filter rule <1-999999> source address x.x.x.x/32 inbound-interface name ethX action drop

Or probably do this through an address-group:

set firewall group address-group MYOWNRANGES x.x.x.x/32

set firewall ipv4 forward filter rule <1-999999> source group address-group MYOWNRANGES inbound-interface name ethX action drop

This way you only need to add/remove ranges to the MYOWNRANGES group and a single firewall rule will make use of them.

To clarify, yes I’m running a small local ISP here, and I want to implement BCP38. I have full BGP routing tables from the upstreams, no default route (I originate it myself in OSPF, and then serve PPPoE to customers with /32 IPv4 + /56 delegated IPv6 + /64 framed IPv6 prefix, all global without any CGNAT). Looking at the Netfilter hooks, the Ingress or Prerouting hooks should be a good place for this filtering (so it includes not only “forward” but also “input” to the router itself). I advertise two /23 IPv4 prefixes and one /32 IPv6 prefix, so address-group will be useful, as well as inbound-interface group for 3 different VLANs (different services from our favourite Internet exchange). I have been familiar with iptables for a long time, but nftables changes so many things and I wasn’t sure where to look, many thanks for all suggestions.

1 Like