diff options
author | Andrew Topp <andrewt@telekinetica.net> | 2024-08-04 17:52:57 +1000 |
---|---|---|
committer | Andrew Topp <andrewt@telekinetica.net> | 2024-08-04 17:52:57 +1000 |
commit | 60b0614296874c144665417130d4881461114db0 (patch) | |
tree | 404eb8bf72582b60cad69d9c23535b41a49094f6 /src/op_mode/version.py | |
parent | 15c77978f30bebe7c6d4f4e9a87c56e12e1382cd (diff) | |
download | vyos-1x-60b0614296874c144665417130d4881461114db0.tar.gz vyos-1x-60b0614296874c144665417130d4881461114db0.zip |
firewall: T4694: Adding GRE flags & fields matches to firewall rules
* Only matching flags and fields used by modern RFC2890 "extended GRE" -
this is backwards-compatible, but does not match all possible flags.
* There are no nftables helpers for the GRE key field, which is critical
to match individual tunnel sessions (more detail in the forum post)
* nft expression syntax is not flexible enough for multiple field
matches in a single rule and the key offset changes depending on flags.
* Thus, clumsy compromise in requiring an explicit match on the "checksum"
flag if a key is present, so we know where key will be. In most cases,
nobody uses the checksum, but assuming it to be off or automatically
adding a "not checksum" match unless told otherwise would be confusing
* The automatic "flags key" check when specifying a key doesn't have similar
validation, I added it first and it makes sense. I would still like
to find a workaround to the "checksum" offset problem.
* If we could add 2 rules from 1 config definition, we could match
both cases with appropriate offsets, but this would break existing
FW generation logic, logging, etc.
* Added a "test_gre_match" smoketest
Diffstat (limited to 'src/op_mode/version.py')
0 files changed, 0 insertions, 0 deletions