summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2023-09-18 20:24:22 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2023-09-18 20:26:51 +0200
commitfb3ef9af5e394aa25692003fb3c185bfedefe3cb (patch)
tree377a5dd42a9bc0b4c1ee4c3e0670c1cf733f3731
parent4c9c2e372aa57aba298915d5d2702ebaf0b7db91 (diff)
downloadvyos-1x-fb3ef9af5e394aa25692003fb3c185bfedefe3cb.tar.gz
vyos-1x-fb3ef9af5e394aa25692003fb3c185bfedefe3cb.zip
conntrack: T5217: Add tcp flag matching to `system conntrack ignore`
- Moves MSS node out of `tcp-flags.xml.i` and into `tcp-mss.xml.i` - Update smoketest to verify TCP flag matching
-rw-r--r--interface-definitions/include/firewall/common-rule-inet.xml.i1
-rw-r--r--interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i1
-rw-r--r--interface-definitions/include/firewall/common-rule.xml.i1
-rw-r--r--interface-definitions/include/firewall/tcp-flags.xml.i18
-rw-r--r--interface-definitions/include/firewall/tcp-mss.xml.i25
-rw-r--r--interface-definitions/include/policy/route-common.xml.i1
-rw-r--r--interface-definitions/system-conntrack.xml.in2
-rw-r--r--python/vyos/template.py5
-rwxr-xr-xsmoketest/scripts/cli/test_system_conntrack.py3
-rwxr-xr-xsrc/conf_mode/conntrack.py11
10 files changed, 50 insertions, 18 deletions
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
index 7a2eb86d4..e51dd0056 100644
--- a/interface-definitions/include/firewall/common-rule-inet.xml.i
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -303,6 +303,7 @@
</children>
</node>
#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
<node name="time">
<properties>
<help>Time to match rule</help>
diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
index a1071a09a..e040c9b13 100644
--- a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
@@ -260,6 +260,7 @@
</children>
</node>
#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
<node name="time">
<properties>
<help>Time to match rule</help>
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 7417a3c58..c62bf2c5f 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -315,6 +315,7 @@
</children>
</node>
#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
<node name="time">
<properties>
<help>Time to match rule</help>
diff --git a/interface-definitions/include/firewall/tcp-flags.xml.i b/interface-definitions/include/firewall/tcp-flags.xml.i
index e2ce7b9fd..36546c2e4 100644
--- a/interface-definitions/include/firewall/tcp-flags.xml.i
+++ b/interface-definitions/include/firewall/tcp-flags.xml.i
@@ -1,7 +1,7 @@
<!-- include start from firewall/tcp-flags.xml.i -->
<node name="tcp">
<properties>
- <help>TCP flags to match</help>
+ <help>TCP options to match</help>
</properties>
<children>
<node name="flags">
@@ -114,22 +114,6 @@
</node>
</children>
</node>
- <leafNode name="mss">
- <properties>
- <help>Maximum segment size (MSS)</help>
- <valueHelp>
- <format>u32:1-16384</format>
- <description>Maximum segment size</description>
- </valueHelp>
- <valueHelp>
- <format>&lt;min&gt;-&lt;max&gt;</format>
- <description>TCP MSS range (use '-' as delimiter)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--allow-range --range 1-16384"/>
- </constraint>
- </properties>
- </leafNode>
</children>
</node>
<!-- include end -->
diff --git a/interface-definitions/include/firewall/tcp-mss.xml.i b/interface-definitions/include/firewall/tcp-mss.xml.i
new file mode 100644
index 000000000..dc49b4272
--- /dev/null
+++ b/interface-definitions/include/firewall/tcp-mss.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/tcp-mss.xml.i -->
+<node name="tcp">
+ <properties>
+ <help>TCP options to match</help>
+ </properties>
+ <children>
+ <leafNode name="mss">
+ <properties>
+ <help>Maximum segment size (MSS)</help>
+ <valueHelp>
+ <format>u32:1-16384</format>
+ <description>Maximum segment size</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;min&gt;-&lt;max&gt;</format>
+ <description>TCP MSS range (use '-' as delimiter)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--allow-range --range 1-16384"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i
index 216ec9bea..6551d23ab 100644
--- a/interface-definitions/include/policy/route-common.xml.i
+++ b/interface-definitions/include/policy/route-common.xml.i
@@ -314,6 +314,7 @@
</children>
</node>
#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
<node name="time">
<properties>
<help>Time to match rule</help>
diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in
index 78d19090c..4452f1a74 100644
--- a/interface-definitions/system-conntrack.xml.in
+++ b/interface-definitions/system-conntrack.xml.in
@@ -127,6 +127,7 @@
#include <include/nat-port.xml.i>
</children>
</node>
+ #include <include/firewall/tcp-flags.xml.i>
</children>
</tagNode>
</children>
@@ -212,6 +213,7 @@
#include <include/nat-port.xml.i>
</children>
</node>
+ #include <include/firewall/tcp-flags.xml.i>
</children>
</tagNode>
</children>
diff --git a/python/vyos/template.py b/python/vyos/template.py
index add4d3ce5..3be486cc4 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -678,6 +678,11 @@ def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False):
proto = rule_conf['protocol']
output.append(f'meta l4proto {proto}')
+ tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
+ if tcp_flags:
+ from vyos.firewall import parse_tcp_flags
+ output.append(parse_tcp_flags(tcp_flags))
+
for side in ['source', 'destination']:
if side in rule_conf:
side_conf = rule_conf[side]
diff --git a/smoketest/scripts/cli/test_system_conntrack.py b/smoketest/scripts/cli/test_system_conntrack.py
index e0de5da93..c9f184558 100755
--- a/smoketest/scripts/cli/test_system_conntrack.py
+++ b/smoketest/scripts/cli/test_system_conntrack.py
@@ -256,6 +256,7 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '1', 'destination', 'address', '192.0.2.2'])
self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '1', 'destination', 'port', '22'])
self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '1', 'protocol', 'tcp'])
+ self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '1', 'tcp', 'flags', 'syn'])
self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '2', 'source', 'address', '192.0.2.1'])
self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '2', 'destination', 'group', 'address-group', address_group])
@@ -274,7 +275,7 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
nftables_search = [
- ['ip saddr 192.0.2.1', 'ip daddr 192.0.2.2', 'tcp dport 22', 'notrack'],
+ ['ip saddr 192.0.2.1', 'ip daddr 192.0.2.2', 'tcp dport 22', 'tcp flags & syn == syn', 'notrack'],
['ip saddr 192.0.2.1', 'ip daddr @A_conntracktest', 'notrack']
]
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index 47b2bea4d..21a20ea8d 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -118,6 +118,17 @@ def verify(conntrack):
if 'protocol' not in rule_config or rule_config['protocol'] not in ['tcp', 'udp']:
raise ConfigError(f'Port requires tcp or udp as protocol in rule {rule}')
+ tcp_flags = dict_search_args(rule_config, 'tcp', 'flags')
+ if tcp_flags:
+ if dict_search_args(rule_config, 'protocol') != 'tcp':
+ raise ConfigError('Protocol must be tcp when specifying tcp flags')
+
+ not_flags = dict_search_args(rule_config, 'tcp', 'flags', 'not')
+ if not_flags:
+ duplicates = [flag for flag in tcp_flags if flag in not_flags]
+ if duplicates:
+ raise ConfigError(f'Cannot match a tcp flag as set and not set')
+
for side in ['destination', 'source']:
if side in rule_config:
side_conf = rule_config[side]