Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which helps drive our virtual networking & physical platforms portfolio.

Control plane policing for interface-based firewalls

Control plane policing (CPP) provides protection against attacks on the vRouter by allowing you to configure firewall policies that are assigned to desired interfaces and applying these policies to packets both entering and leaving the vRouter.

For the vRouter, CPP supports the addition of local keyword that can be applied to firewall policies for specific firewall interface types.

CPP is implemented when the local keyword is used in firewall policies that are assigned to any type of vRouter interface type supporting firewall functionality (an interface type that currently supports in and out directions) except for an administrator-defined loopback interface. The system loopback interface, lo, has the local keyword assigned to it by default, and any attempt to assign a local firewall to a user-defined loopback interface causes an error. A local firewall policy with CPP runs on packets that are destined for the vRouter.

To configure CPP, define firewall policies or rule sets and assign them to the desired interfaces by using the local keyword. For the lo interface, assign firewall policies to control the flow of packets from the control plane. Assign firewall policies to other data plane interfaces to control the flow of packets to the control plane.

A few explicit differences exist between firewall policies that are assigned to the local keyword and all other firewall policies:
  • Sessions are not created on a stateful rule match.
  • Strict protocol tracking is silently ignored.
  • Packets that do not match a firewall rule are allowed to pass into and out of the control plane.

For the first two explicit differences, regardless of whether a matched rule implies stateful or strict protocol tracking, these attributes of the rule are silently ignored. This behavior is required because packets entering or leaving the control plane also pass through an input or output interface and the possibility of performing duplicate state tracking can result in false-positive state transitions, which lead to packet drop. To enforce stateful behavior, strict protocol tracking, or both, add appropriate rules to the input or output interfaces as desired.

The third difference enables packets that are unmatched by a policy or rule set to pass. This behavior is the direct opposite of all other firewall behavior. Other firewalls have an implicit drop rule for all packets that do not match an existing rule in the rule set. This behavior is implemented as a convenience for the administrator to allow various control plane packets, such as DHCP, IPv6 ND, BGP, and so forth, to pass without requiring the administrator to create specific rules for these packets. Administrators can have full control over this behavior and can add an explicit drop rule to the firewall group, if desired.

CPP is described in RFC 6192, and a suggested configuration for filtering rules is included in that document. Administrators are encouraged to review RFC 6192 for a list of suggested ACLs and configuration filtering rules for control plane policing.

The vRouter also includes a template of suggested filtering rules that you can incorporate into your CPP configuration. This rule set excludes various routing protocol packets from filtering and provides a default policing rule to rate-limit all other packets entering the control plane. The template CPP configuration also assigns the rule set to the lo system loopback interface.

The template rule set is located on the vRouter in: /opt/vyatta/etc/cpp.conf. After reviewing the template configuration, you can add this rule set to your existing configuration by using the merge command in configuration mode:

vyatta@R1# merge /opt/Vyatta/etc/cpp.conf
vyatta@R1# commit vyatta@R1# save
Administrators may also choose to modify the template rules to meet their particular needs.