diff options
author | Andrew Topp <andrewt@telekinetica.net> | 2024-08-04 17:52:57 +1000 |
---|---|---|
committer | Andrew Topp <andrewt@telekinetica.net> | 2024-08-04 17:52:57 +1000 |
commit | 60b0614296874c144665417130d4881461114db0 (patch) | |
tree | 404eb8bf72582b60cad69d9c23535b41a49094f6 /interface-definitions/include | |
parent | 15c77978f30bebe7c6d4f4e9a87c56e12e1382cd (diff) | |
download | vyos-1x-60b0614296874c144665417130d4881461114db0.tar.gz vyos-1x-60b0614296874c144665417130d4881461114db0.zip |
firewall: T4694: Adding GRE flags & fields matches to firewall rules
* Only matching flags and fields used by modern RFC2890 "extended GRE" -
this is backwards-compatible, but does not match all possible flags.
* There are no nftables helpers for the GRE key field, which is critical
to match individual tunnel sessions (more detail in the forum post)
* nft expression syntax is not flexible enough for multiple field
matches in a single rule and the key offset changes depending on flags.
* Thus, clumsy compromise in requiring an explicit match on the "checksum"
flag if a key is present, so we know where key will be. In most cases,
nobody uses the checksum, but assuming it to be off or automatically
adding a "not checksum" match unless told otherwise would be confusing
* The automatic "flags key" check when specifying a key doesn't have similar
validation, I added it first and it makes sense. I would still like
to find a workaround to the "checksum" offset problem.
* If we could add 2 rules from 1 config definition, we could match
both cases with appropriate offsets, but this would break existing
FW generation logic, logging, etc.
* Added a "test_gre_match" smoketest
Diffstat (limited to 'interface-definitions/include')
-rw-r--r-- | interface-definitions/include/firewall/common-rule-inet.xml.i | 1 | ||||
-rw-r--r-- | interface-definitions/include/firewall/gre.xml.i | 116 |
2 files changed, 117 insertions, 0 deletions
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i index 0acb08ec9..e44938b14 100644 --- a/interface-definitions/include/firewall/common-rule-inet.xml.i +++ b/interface-definitions/include/firewall/common-rule-inet.xml.i @@ -19,5 +19,6 @@ #include <include/firewall/synproxy.xml.i> #include <include/firewall/tcp-flags.xml.i> #include <include/firewall/tcp-mss.xml.i> +#include <include/firewall/gre.xml.i> #include <include/firewall/time.xml.i> <!-- include end --> diff --git a/interface-definitions/include/firewall/gre.xml.i b/interface-definitions/include/firewall/gre.xml.i new file mode 100644 index 000000000..285233434 --- /dev/null +++ b/interface-definitions/include/firewall/gre.xml.i @@ -0,0 +1,116 @@ +<!-- include start from firewall/gre.xml.i --> +<node name="gre"> + <properties> + <help>GRE fields to match</help> + </properties> + <children> + <node name="flags"> + <properties> + <help>GRE flag bits to match</help> + </properties> + <children> + <node name="key"> + <properties> + <help>Header includes optional key field</help> + </properties> + <children> + <leafNode name="unset"> + <properties> + <help>Header does not include optional key field</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + <node name="checksum"> + <properties> + <help>Header includes optional checksum</help> + </properties> + <children> + <leafNode name="unset"> + <properties> + <help>Header does not include optional checksum</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + <node name="sequence"> + <properties> + <help>Header includes a sequence number field</help> + </properties> + <children> + <leafNode name="unset"> + <properties> + <help>Header does not include a sequence number field</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + </children> + </node> + <leafNode name="inner-proto"> + <properties> + <help>EtherType of encapsulated packet</help> + <completionHelp> + <list>ip ip6 arp 802.1q 802.1ad</list> + </completionHelp> + <valueHelp> + <format>u32:0-65535</format> + <description>Ethernet protocol number</description> + </valueHelp> + <valueHelp> + <format>u32:0x0-0xffff</format> + <description>Ethernet protocol number (hex)</description> + </valueHelp> + <valueHelp> + <format>ip</format> + <description>IPv4</description> + </valueHelp> + <valueHelp> + <format>ip6</format> + <description>IPv6</description> + </valueHelp> + <valueHelp> + <format>arp</format> + <description>Address Resolution Protocol</description> + </valueHelp> + <valueHelp> + <format>802.1q</format> + <description>VLAN-tagged frames (IEEE 802.1q)</description> + </valueHelp> + <valueHelp> + <format>802.1ad</format> + <description>Provider Bridging (IEEE 802.1ad, Q-in-Q)</description> + </valueHelp> + <valueHelp> + <format>gretap</format> + <description>Transparent Ethernet Bridging (L2 Ethernet over GRE, gretap)</description> + </valueHelp> + <constraint> + <regex>(ip|ip6|arp|802.1q|802.1ad|gretap|0x[0-9a-fA-F]{1,4})</regex> + <validator name="numeric" argument="--range 0-65535"/> + </constraint> + </properties> + </leafNode> + #include <interface/parameters-key.xml.i> + <leafNode name="version"> + <properties> + <help>GRE Version</help> + <valueHelp> + <format>gre</format> + <description>Standard GRE</description> + </valueHelp> + <valueHelp> + <format>pptp</format> + <description>Point to Point Tunnelling Protocol</description> + </valueHelp> + <constraint> + <regex>(gre|pptp)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> |