From 60b0614296874c144665417130d4881461114db0 Mon Sep 17 00:00:00 2001 From: Andrew Topp Date: Sun, 4 Aug 2024 17:52:57 +1000 Subject: firewall: T4694: Adding GRE flags & fields matches to firewall rules * Only matching flags and fields used by modern RFC2890 "extended GRE" - this is backwards-compatible, but does not match all possible flags. * There are no nftables helpers for the GRE key field, which is critical to match individual tunnel sessions (more detail in the forum post) * nft expression syntax is not flexible enough for multiple field matches in a single rule and the key offset changes depending on flags. * Thus, clumsy compromise in requiring an explicit match on the "checksum" flag if a key is present, so we know where key will be. In most cases, nobody uses the checksum, but assuming it to be off or automatically adding a "not checksum" match unless told otherwise would be confusing * The automatic "flags key" check when specifying a key doesn't have similar validation, I added it first and it makes sense. I would still like to find a workaround to the "checksum" offset problem. * If we could add 2 rules from 1 config definition, we could match both cases with appropriate offsets, but this would break existing FW generation logic, logging, etc. * Added a "test_gre_match" smoketest --- .../include/firewall/common-rule-inet.xml.i | 1 + interface-definitions/include/firewall/gre.xml.i | 116 +++++++++++++++++++++ 2 files changed, 117 insertions(+) create mode 100644 interface-definitions/include/firewall/gre.xml.i (limited to 'interface-definitions/include/firewall') diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i index 0acb08ec9..e44938b14 100644 --- a/interface-definitions/include/firewall/common-rule-inet.xml.i +++ b/interface-definitions/include/firewall/common-rule-inet.xml.i @@ -19,5 +19,6 @@ #include #include #include +#include #include diff --git a/interface-definitions/include/firewall/gre.xml.i b/interface-definitions/include/firewall/gre.xml.i new file mode 100644 index 000000000..285233434 --- /dev/null +++ b/interface-definitions/include/firewall/gre.xml.i @@ -0,0 +1,116 @@ + + + + GRE fields to match + + + + + GRE flag bits to match + + + + + Header includes optional key field + + + + + Header does not include optional key field + + + + + + + + Header includes optional checksum + + + + + Header does not include optional checksum + + + + + + + + Header includes a sequence number field + + + + + Header does not include a sequence number field + + + + + + + + + + EtherType of encapsulated packet + + ip ip6 arp 802.1q 802.1ad + + + u32:0-65535 + Ethernet protocol number + + + u32:0x0-0xffff + Ethernet protocol number (hex) + + + ip + IPv4 + + + ip6 + IPv6 + + + arp + Address Resolution Protocol + + + 802.1q + VLAN-tagged frames (IEEE 802.1q) + + + 802.1ad + Provider Bridging (IEEE 802.1ad, Q-in-Q) + + + gretap + Transparent Ethernet Bridging (L2 Ethernet over GRE, gretap) + + + (ip|ip6|arp|802.1q|802.1ad|gretap|0x[0-9a-fA-F]{1,4}) + + + + + #include + + + GRE Version + + gre + Standard GRE + + + pptp + Point to Point Tunnelling Protocol + + + (gre|pptp) + + + + + + -- cgit v1.2.3