T6570: firewall: add global-option to configure sysctl parameter for enabling/disabling sending traffic from bridge layer to ipvX layer

nicolas-fort · nicolas-fort · commit 43a961f16567 · 2024-07-25T18:27:10.000Z
diff --git a/data/templates/firewall/sysctl-firewall.conf.j2 b/data/templates/firewall/sysctl-firewall.conf.j2
@@ -13,6 +13,14 @@ net.ipv4.conf.*.send_redirects = {{ 1 if global_options.send_redirects == 'enabl
 net.ipv4.tcp_syncookies = {{ 1 if global_options.syn_cookies == 'enable' else 0 }}
 net.ipv4.tcp_rfc1337 = {{ 1 if global_options.twa_hazards_protection == 'enable' else 0 }}
 
+{% if global_options.apply_for_bridge is vyos_defined %}
+net.bridge.bridge-nf-call-iptables = {{ 1 if global_options.apply_for_bridge.ipv4 is vyos_defined else 0 }}
+net.bridge.bridge-nf-call-ip6tables = {{ 1 if global_options.apply_for_bridge.ipv6 is vyos_defined else 0 }}
+{% else %}
+net.bridge.bridge-nf-call-iptables =0
+net.bridge.bridge-nf-call-ip6tables = 0
+{% endif %}
+
 ## Timeout values:
 net.netfilter.nf_conntrack_icmp_timeout = {{ global_options.timeout.icmp }}
 net.netfilter.nf_conntrack_generic_timeout = {{ global_options.timeout.other }}
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
@@ -44,6 +44,25 @@
       </properties>
       <defaultValue>disable</defaultValue>
     </leafNode>
+    <node name="apply-for-bridge">
+      <properties>
+        <help>Apply configured firewall rules to traffic switched by bridges</help>
+      </properties>
+      <children>
+        <leafNode name="ipv4">
+          <properties>
+            <help>Apply configured IPv4 firewall rules</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="ipv6">
+          <properties>
+            <help>Apply configured IPv6 firewall rules</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
     <leafNode name="directed-broadcast">
       <properties>
         <help>Policy for handling IPv4 directed broadcast forwarding on all interfaces</help>
diff --git a/src/etc/sysctl.d/30-vyos-router.conf b/src/etc/sysctl.d/30-vyos-router.conf
@@ -110,3 +110,8 @@ net.ipv6.conf.all.seg6_enabled = 0
 net.ipv6.conf.default.seg6_enabled = 0
 
 net.vrf.strict_mode = 1
+
+# https://vyos.dev/T6570
+# By default, do not forward traffic from bridge to IPvX layer
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-ip6tables = 0
