Skip to content

op-mode: T6857: Fix default action for prerouting hook #4692

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 18, 2025
Merged

op-mode: T6857: Fix default action for prerouting hook #4692

merged 1 commit into from
Sep 18, 2025

Conversation

l0crian1
Copy link
Contributor

@l0crian1 l0crian1 commented Sep 2, 2025

Change summary

The firewall op-mode output for the prerouting chain has some cosmetic bugs related to the default-action. If there is no default-action set for prerouting raw, then the show firewall ipv4 prerouting raw shows the wrong verdict for the output:

Nftables output (verdict is actually accept as expected):

table ip vyos_filter {
        chain VYOS_PREROUTING_raw {
                type filter hook prerouting priority raw; policy accept;
                counter packets 191 bytes 13038 accept comment "ipv4-PRE-raw-10"
                counter packets 0 bytes 0 accept comment "PRE-raw default-action accept"
        }
}

show firewall ipv4 prerouting raw:

Ruleset Information

---------------------------------
ipv4 Firewall "prerouting raw"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ------------
10       accept    all               192    12262  accept
default  drop      all                 0        0

show firewall statistics (no default-action listed):

Rulesets Statistics

---------------------------------
ipv4 Firewall "prerouting raw"

  Rule    Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
------  ---------  -------  --------  --------  -------------  -------------------  --------------------
    10        286    17769  accept    any       any            any                  any

After changes:

show firewall ipv4 prerouting raw:

Ruleset Information

---------------------------------
ipv4 Firewall "prerouting raw"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ------------
10       accept    all                83     5259  accept
default  accept    all                 0        0

show firewall statistics:

Rulesets Statistics

---------------------------------
ipv4 Firewall "prerouting raw"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10             144     9254  accept    any       any            any                  any
default          0        0  accept    any       any            any                  any

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

How to test / Smoketest result

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@l0crian1
Firewall: T6857: Fix default action for prerouting hook
4013ad1 
- Fixes the op-mode cosmetic bugs with default-action
  for prerouting hook.
@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 2, 2025
edited
Loading

👍
No issues in PR Title / Commit Title

@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 2, 2025

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests VPP 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • Config tests VPP 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

@l0crian1 l0crian1 changed the title Firewall: T6857: Fix default action for prerouting hook op-mode: T6857: Fix default action for prerouting hook Sep 16, 2025
@c-po c-po added the bp/circinus Create automatic backport for circinus label Sep 18, 2025
@c-po c-po requested review from sarthurdev, zdc and c-po September 18, 2025 14:41
c-po
c-po approved these changes Sep 18, 2025
View reviewed changes
Copy link
Member

@c-po c-po left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change in op-mode handling looks reasonable. Fix display output of command

sarthurdev
sarthurdev approved these changes Sep 18, 2025
View reviewed changes
Copy link
Member

@sarthurdev sarthurdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Show default action on prerouting hooks

@sarthurdev sarthurdev merged commit f46bd3a into vyos:current Sep 18, 2025
20 of 21 checks passed
@vyosbot vyosbot added mirror-initiated This PR initiated for mirror sync workflow mirror-completed and removed mirror-initiated This PR initiated for mirror sync workflow labels Sep 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sarthurdev sarthurdev sarthurdev approved these changes

@c-po c-po c-po approved these changes

@zdc zdc Awaiting requested review from zdc

Assignees

@l0crian1 l0crian1

Labels
bp/circinus Create automatic backport for circinus current mirror-completed rebase
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@l0crian1 @sarthurdev @c-po @vyosbot