
WIP: ICMP code/type firewall filters #759


Draft: wants to merge 13 commits into base: optehdl-cleanup

Conversation

FelixMcFelix
Collaborator

Still working out the right shape, types, etc.

Closes #730.

This is encoded using the same `Match` type as before, which captures
ranges a bit more succinctly.

Also applies the same range matches to normal ports, which should
greatly simplify huge ranges added in the control plane...
One of the side effects of wanting to filter on ICMP type is that flow
IDs need to match that level of specificity. With the old FlowId design,
we get *ICMP* and that's it, with the inner ID of an echo payload added
in occasionally. This can lead to fun cases like an allowed ICMP DU
opening the door for *all* ICMP packets from that remote host.

What we're doing now is providing access to the same two `u16`s in
different contexts via `l4_info`/`_mut`, which lets us store the
type/code in the source port field (cast as two `u8`s). This does need
us to formalise some things we'd taken for granted, e.g., the `mirror`
flow for an ICMP echo/request reply needs to also change out the
expected type.
@FelixMcFelix FelixMcFelix marked this pull request as draft May 19, 2025 14:10
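The flow-key design sketched above, as an added example that is not opte's own code: a `FlowId` whose two `u16` "port" slots carry ICMP type/code when the protocol is ICMP, a `mirror` that swaps echo request and reply, and a `coarse` key that reproduces the old protocol-only matching. The packing layout, type names and constants are assumptions for illustration.

```rust
use std::collections::HashSet;

#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Proto { Tcp, Udp, IcmpV4 }

#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct FlowId {
    pub proto: Proto,
    pub src: u32,
    pub dst: u32,
    // Assumed layout: TCP/UDP keep src/dst ports in `a`/`b`; ICMP packs
    // (type << 8 | code) into `a` and keeps the echo identifier in `b`.
    a: u16,
    b: u16,
}

pub const ICMP_ECHO_REPLY: u8 = 0;
pub const ICMP_DEST_UNREACH: u8 = 3;
pub const ICMP_ECHO_REQUEST: u8 = 8;

impl FlowId {
    pub fn tcp(src: u32, sport: u16, dst: u32, dport: u16) -> Self {
        Self { proto: Proto::Tcp, src, dst, a: sport, b: dport }
    }
    pub fn icmp(src: u32, dst: u32, ty: u8, code: u8, id: u16) -> Self {
        Self { proto: Proto::IcmpV4, src, dst, a: ((ty as u16) << 8) | (code as u16), b: id }
    }
    /// The raw two-u16 view shared by every protocol.
    pub fn l4_info(&self) -> (u16, u16) { (self.a, self.b) }
    pub fn icmp_type_code(&self) -> Option<(u8, u8)> {
        match self.proto { Proto::IcmpV4 => Some(((self.a >> 8) as u8, self.a as u8)), _ => None }
    }
    /// Key for the reverse direction. TCP/UDP swap ports; an ICMP echo
    /// must also swap the expected type (request <-> reply), code/id stay.
    pub fn mirror(&self) -> Self {
        let mut m = Self { proto: self.proto, src: self.dst, dst: self.src, a: self.a, b: self.b };
        match self.proto {
            Proto::IcmpV4 => {
                let (ty, code) = self.icmp_type_code().unwrap();
                let ty = match ty { ICMP_ECHO_REQUEST => ICMP_ECHO_REPLY, ICMP_ECHO_REPLY => ICMP_ECHO_REQUEST, t => t };
                m.a = ((ty as u16) << 8) | (code as u16);
            }
            _ => { m.a = self.b; m.b = self.a; }
        }
        m
    }
    /// The old, coarse key: protocol and addresses only, so one allowed
    /// ICMP flow matches every ICMP packet between the same hosts.
    pub fn coarse(&self) -> (Proto, u32, u32) { (self.proto, self.src, self.dst) }
}

/// Would `pkt` hit an entry in the (new, type-aware) flow table?
pub fn allowed(table: &HashSet<FlowId>, pkt: &FlowId) -> bool { table.contains(pkt) }
```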