authorAndrew Topp <andrewt@telekinetica.net>2024-08-04 17:52:57 +1000
committerAndrew Topp <andrewt@telekinetica.net>2024-08-04 17:52:57 +1000
commit60b0614296874c144665417130d4881461114db0 (patch)
tree404eb8bf72582b60cad69d9c23535b41a49094f6 /interface-definitions/include
parent15c77978f30bebe7c6d4f4e9a87c56e12e1382cd (diff)
firewall: T4694: Adding GRE flags & fields matches to firewall rules
* Only matching flags and fields used by modern RFC2890 "extended GRE" - this is backwards-compatible, but does not match all possible flags. * There are no nftables helpers for the GRE key field, which is critical to match individual tunnel sessions (more detail in the forum post) * nft expression syntax is not flexible enough for multiple field matches in a single rule and the key offset changes depending on flags. * Thus, clumsy compromise in requiring an explicit match on the "checksum" flag if a key is present, so we know where key will be. In most cases, nobody uses the checksum, but assuming it to be off or automatically adding a "not checksum" match unless told otherwise would be confusing * The automatic "flags key" check when specifying a key doesn't have similar validation, I added it first and it makes sense. I would still like to find a workaround to the "checksum" offset problem. * If we could add 2 rules from 1 config definition, we could match both cases with appropriate offsets, but this would break existing FW generation logic, logging, etc. * Added a "test_gre_match" smoketest
Diffstat (limited to 'interface-definitions/include')
-rw-r--r--interface-definitions/include/firewall/common-rule-inet.xml.i1
-rw-r--r--interface-definitions/include/firewall/gre.xml.i116
2 files changed, 117 insertions, 0 deletions
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
index 0acb08ec9..e44938b14 100644
--- a/interface-definitions/include/firewall/common-rule-inet.xml.i
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -19,5 +19,6 @@
#include <include/firewall/synproxy.xml.i>
#include <include/firewall/tcp-flags.xml.i>
#include <include/firewall/tcp-mss.xml.i>
+#include <include/firewall/gre.xml.i>
#include <include/firewall/time.xml.i>
<!-- include end -->
diff --git a/interface-definitions/include/firewall/gre.xml.i b/interface-definitions/include/firewall/gre.xml.i
new file mode 100644
index 000000000..285233434
--- /dev/null
+++ b/interface-definitions/include/firewall/gre.xml.i
@@ -0,0 +1,116 @@
+<!-- include start from firewall/gre.xml.i -->
+<node name="gre">
+ <properties>
+ <help>GRE fields to match</help>
+ </properties>
+ <children>
+ <node name="flags">
+ <properties>
+ <help>GRE flag bits to match</help>
+ </properties>
+ <children>
+ <node name="key">
+ <properties>
+ <help>Header includes optional key field</help>
+ </properties>
+ <children>
+ <leafNode name="unset">
+ <properties>
+ <help>Header does not include optional key field</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="checksum">
+ <properties>
+ <help>Header includes optional checksum</help>
+ </properties>
+ <children>
+ <leafNode name="unset">
+ <properties>
+ <help>Header does not include optional checksum</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="sequence">
+ <properties>
+ <help>Header includes a sequence number field</help>
+ </properties>
+ <children>
+ <leafNode name="unset">
+ <properties>
+ <help>Header does not include a sequence number field</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ <leafNode name="inner-proto">
+ <properties>
+ <help>EtherType of encapsulated packet</help>
+ <completionHelp>
+ <list>ip ip6 arp 802.1q 802.1ad</list>
+ </completionHelp>
+ <valueHelp>
+ <format>u32:0-65535</format>
+ <description>Ethernet protocol number</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:0x0-0xffff</format>
+ <description>Ethernet protocol number (hex)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ip</format>
+ <description>IPv4</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ip6</format>
+ <description>IPv6</description>
+ </valueHelp>
+ <valueHelp>
+ <format>arp</format>
+ <description>Address Resolution Protocol</description>
+ </valueHelp>
+ <valueHelp>
+ <format>802.1q</format>
+ <description>VLAN-tagged frames (IEEE 802.1q)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>802.1ad</format>
+ <description>Provider Bridging (IEEE 802.1ad, Q-in-Q)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>gretap</format>
+ <description>Transparent Ethernet Bridging (L2 Ethernet over GRE, gretap)</description>
+ </valueHelp>
+ <constraint>
+ <regex>(ip|ip6|arp|802.1q|802.1ad|gretap|0x[0-9a-fA-F]{1,4})</regex>
+ <validator name="numeric" argument="--range 0-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <interface/parameters-key.xml.i>
+ <leafNode name="version">
+ <properties>
+ <help>GRE Version</help>
+ <valueHelp>
+ <format>gre</format>
+ <description>Standard GRE</description>
+ </valueHelp>
+ <valueHelp>
+ <format>pptp</format>
+ <description>Point to Point Tunnelling Protocol</description>
+ </valueHelp>
+ <constraint>
+ <regex>(gre|pptp)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
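Review bot: The `inner-proto` leaf's completion list and its regex disagree: `gretap` is offered in a valueHelp entry and accepted by the regex, but is missing from `<list>ip ip6 arp 802.1q 802.1ad</list>`, so tab-completion will not show a value the constraint accepts. The regex also leaves the dots in `802.1q`/`802.1ad` unescaped, so a value such as `802x1q` passes validation; the two lines become `<list>ip ip6 arp 802.1q 802.1ad gretap</list>` and `<regex>(ip|ip6|arp|802\.1q|802\.1ad|gretap|0x[0-9a-fA-F]{1,4})</regex>`. Separately, the commit message explains that a `key` match only works with an explicit `flags checksum` (or `flags checksum unset`) match because the key offset depends on the checksum flag, but nothing in this file tells the operator that; since the key help text comes from the shared `interface/parameters-key.xml.i` include, an XML comment above that `#include` line stating the checksum-flag requirement and noting that the enforcing check lives in the Python validation (outside this hunk, as far as can be seen here) would keep the rule definition self-explanatory.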