Skip to content

Add basic zone-based firewall #1114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 55 commits into
base: main
Choose a base branch
from
Draft

Add basic zone-based firewall #1114

wants to merge 55 commits into from

Conversation

troglobit
Copy link
Contributor

Description

This PR adds support for a basic zone-based firewall to Infix. It builds on top of firewalld using the concepts and limitations laid out in #448

Fixes #448

Checklist

Tick relevant boxes, this PR is-a or has-a:

  • Bugfix
    • Regression tests
    • ChangeLog updates (for next release)
  • Feature
    • YANG model change => revision updated?
    • Regression tests added?
    • ChangeLog updates (for next release)
    • Documentation added?
  • Test changes
    • Checked in changed Readme.adoc (make test-spec)
    • Added new test to group Readme.adoc and yaml file
  • Code style update (formatting, renaming)
  • Refactoring (please detail in commit messages)
  • Build related changes
  • Documentation content changes
    • ChangeLog updated (for major changes)
  • Other (please describe):

@troglobit troglobit added the ci:main Build default defconfig, not minimal label Aug 24, 2025
troglobit added 28 commits August 25, 2025 08:40
@troglobit
package/finit: bump to v4.13
770ca37 
Highlights:
 - fixes to systemd and s6 type services
 - bare-bones libsystemd replacement with #include <systemd/sd-daemon.h>
 - new reload:script mimicking systemd ExecReload, and
 - new stop:script mimicking systemd ExecStop

Full changelog at:
 <https://github.com/troglobit/finit/releases/tag/4.13>

Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
cli: add terminal reset|resize commands
a9cbdb3 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
board/common: fixes for unicode translation in log/pager commands
45ddae5 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: initial firewall support
c903722 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
WIP: firewall infer and well-known-services.yang
198428b 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: drop advanced firewall features for first drop
095e028 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
libsrx: new helper, srx_set_bool()
9035341 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: minor, replace hard-coded string with define
4647188 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: further simplify firewall
5e71367 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: add pre-defined services for dhcpv6 and ipp
ee4573c 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: default firewall settings in factory-config
40de66b 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
utils: silence srload (debug messages)
df32685 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
TODO: firewall
6be8861 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: new helper function, get all l3 interfaces
da5d306 
Used by infix-firewall.c when figuring out interfaces that are not
explicitly assigned to any zone.  Placing them in the default zone

Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: find all interfaces not in a zone and assign to default
809d60e 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
statd: initial operational support for firewall
551f506 
We have pre-defined policys that have 'continue'.

Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
fixup swap proto/port
d188a95 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: clean up unused pre-defined services
d85186d 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: change to singular form and add must expression
da02a85 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
klish-plugin-infix: minor, xml optimization
24550ce 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
cli: add support for 'show firewall [..]' admin-exec commands
c5295be 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: simplify
383b58b 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
board/common: stop-start firewalld for now, --reload takes too long
709eef9 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
cli: firewall: fix lag in tab completion and colorize zone matrix
a95287e 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: replace 'firewall-cmd --reload' with a little script
aedd387 
Not really, just fix the reload functionality so we don't block forever
in Finit.  The D-Bus API is *much* quicker and less buggy that the old
firewall-cmd command.

Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: simplify firewalld zone generation
254dd84 
No need for all the complexity, firewalld handles the diffs anyway.

Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: rename zone/policy 'policy' -> 'action', like Ubiquity
a394311 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: rename sources -> networks, for IP networks
b202455 
Also, add check for overlap between zones that have a port forward rule
to an IP network that lives in another zone.  Raise conditional in the
zone matrix overview!

Signed-off-by: Joachim Wiberg <[email protected]>
troglobit added 27 commits August 25, 2025 08:40
@troglobit
confd: refactor port-forwarding to allow forwarding a range of ports
6a0582f 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
statd: initial support for /var/log/firewall.log
e24ade5 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
statd: update firewall matrix, if forwarding disabled => deny
b1b9508 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
statd: show implicit HOST zone in firewall matrix
30274cc 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: initial support for emergency lockdown (kill switch)
72581aa 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: add immutable flag (read-only) for built-in policies
a6db4f1 
Prepared also for zones, which we don't have any yet.

Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: add services (xml+enums) for netconf and restconf
f2ee467 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: clean up firewalld config files when disabling firewall
0b9d7e1 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
Update firewall TODOs
9afc793 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
test/infamy: add IPv6 versions of must_reach/must_not_reach
4544fc1 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
test: add nmap to Infamy container
8633b83 
 - Sort packages alphabetically
 - Add nmap for firewall tests

Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
test: new test, basic firewall zone verification
330f76e 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
test: new test, lan-wan gateway with snat
8eb3f1b 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
test: new test, wan-dmz-lan firewall with snat and dnat
04904c0 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
Update fw TODOs
ee15b8b 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
doc: draft firewall documentation
bf7285e 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: minor, reorder leafs a bit and udpate descriptions
1d1a35d 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: initial support for firewalld rich rules
c7ad821 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
Revert "confd: default firewall settings in factory-config"
1ecab43 
This reverts commit 626f724.
@troglobit
confd: allow services to set destination addr/len
3fef431 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: fix firewall zone and policy inference
2856c58 
Turns out we never got any update events because the change callback ate
them all.  This commit fixes all that and adds policy inference now that
we have rich rules supporting the subset of the allow-host-ipv6 policy.

Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: restore 'enabled' setting to firewall
fa8232d 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
doc: mention firewall symbolic names for zones and custom filters
f857632 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
confd: sort policy rules according to 'ordered-by user;'
8295055 
The firewalld policy rules, including rich rules, have this obnoxious
priority field which is extremely hard to get right, so in Infix we use
the far superior YANG construct 'ordered-by user;'.  This commit ensure
all rules are generated in that order by setting the priority field, on
read-back from firewalld (operational) this priority field is used to
sort the output of rules in the CLI.

Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
doc: update fw TODOs, what's left?
96b8450 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
test: fix TypeError: non-ordered lists cannot be accessed by index
631b205 
Signed-off-by: Joachim Wiberg <[email protected]>
@troglobit
test: simplify and skip UNIX backup files
422e812 
 - Drop 'local', not available in POSIX shell scripts
 - Check for an assortment of backup file combos
 - Simplify nested if-statements, skip whitelist first

Signed-off-by: Joachim Wiberg <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
ci:main Build default defconfig, not minimal
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support for basic firewall, NAT, IP masquerading, port forwarding
1 participant
@troglobit