Firewall rules: add support for IPv4 and IPv6 packet fragments #2089
This change set adds support for a new "fragment" attribute that can be specified in the "ip" and "ip6" objects in firewall rules; this new attribute, whose behavior mimics the --fragment iptables option, can have a "y" or "n" value: "y" makes the rule match the second and subsequent fragments of fragmented IP packets, while "n" makes the rule match non-fragmented packets and the first fragment of fragmented packets.

Example snippet of Ops configuration that makes the firewall drop all fragmented IPv4 packets:
In addition, handling of fragmented packets in the firewall klib is being fixed in order for the second and subsequent fragments of a fragmented packet to not match any rule that contains transport layer constraints (because the transport layer protocol header is only present in the first fragment, and not in subsequent fragments).
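The matching semantics described in this PR (the "fragment" attribute and the rule that transport-layer constraints never match a non-first fragment), as an added Python example that is not part of the Nanos code base; the dict form of a rule, the sample packets and the assumption that an IPv6 fragment header is the first extension header are illustrative choices, not the project's format:

```python
import struct

IPPROTO_UDP, IPV6_FRAGMENT = 17, 44

def fragment_state(pkt):
    """Return (nonfirst, proto, l4_off): whether pkt is a second-or-later
    fragment, its IP protocol number, and the offset of the transport header.
    Assumption: an IPv6 fragment header, if present, is the first extension header."""
    if pkt[0] >> 4 == 4:
        offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF   # 13-bit fragment offset
        return offset > 0, pkt[9], (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 == 6:
        if pkt[6] != IPV6_FRAGMENT:
            return False, pkt[6], 40
        offset = struct.unpack("!H", pkt[42:44])[0] >> 3     # fragment header at byte 40
        return offset > 0, pkt[40], 48
    raise ValueError("not an IPv4/IPv6 packet")

def rule_matches(rule, pkt):
    """rule is a hypothetical dict form of one firewall rule: optional keys
    'fragment' ('y'/'n'), 'proto' (IP protocol number) and 'dport' (UDP/TCP port)."""
    nonfirst, proto, l4 = fragment_state(pkt)
    frag = rule.get("fragment")
    if (frag == "y" and not nonfirst) or (frag == "n" and nonfirst):
        return False
    if "proto" in rule and rule["proto"] != proto:
        return False
    if "dport" in rule:
        if nonfirst:   # transport header only exists in the first fragment
            return False
        if struct.unpack("!H", pkt[l4 + 2:l4 + 4])[0] != rule["dport"]:
            return False
    return True

# Constructed sample packets (not captured traffic); checksums are left zero.
def v4(frag_field, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag_field, 64,
                       IPPROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def v6(frag_offset, payload):
    frag_hdr = struct.pack("!BBHI", IPPROTO_UDP, 0, (frag_offset << 3) | 1, 0xABCD)
    return struct.pack("!IHBB16s16s", 0x60000000, 8 + len(payload), IPV6_FRAGMENT, 64,
                       bytes(15) + b"\x01", bytes(15) + b"\x02") + frag_hdr + payload
UDP53 = struct.pack("!HHHH", 40000, 53, 12, 0) + b"data"
V4_WHOLE = v4(0x0000, UDP53)             # MF clear, offset 0: not fragmented
V4_FIRST = v4(0x2000, UDP53)             # MF set, offset 0: first fragment
V4_LATER = v4(0x2000 | 0x0010, b"rest")  # MF set, offset 16 (x8 bytes): later fragment
V6_FIRST = v6(0, UDP53)
V6_LATER = v6(16, b"rest")
```

A rule carrying both "fragment": "y" and a port constraint can therefore never match anything, which is why port checks are skipped for non-first fragments rather than applied to payload bytes.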