From 89ecd9a8fed18e6f76b475c65dac92676a2f1e52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sun, 11 Feb 2018 19:46:01 +0100 Subject: [PATCH] Make firewall rules spec more precise Define options order and explicitly forbid duplicates. --- debugging/vm-interface.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/debugging/vm-interface.md b/debugging/vm-interface.md index b800dfa1..bb5135f1 100644 --- a/debugging/vm-interface.md +++ b/debugging/vm-interface.md @@ -98,19 +98,22 @@ Possible options for a single rule: echo request, valid only together with `proto=icmp` - `dpi`, value: Deep Packet Inspection protocol (like: HTTP, SSL, SMB, SSH, SMTP) or the default 'NO' as no DPI, only packet filtering +Options must appear in the rule in the order listed above. Duplicated options +are forbidden. + Rule matches only when all predicates matches. Only one of `dst4`, `dst6`, `dstname`, `specialtarget` can be used in a single rule. If tool applying firewall encounters any parse error (unknown option, invalid -value etc), it should drop all the traffic coming from that `SOURCE_IP`, +value, duplicated option, etc), it should drop all the traffic coming from that `SOURCE_IP`, regardless of properly parsed rules. Example valid rules: - `action=accept dst4=8.8.8.8 proto=udp dstports=53-53` - `action=drop dst6=2a00:1450:4000::/37 proto=tcp` -- `specialtarget=dns action=accept` -- `specialtarget=dns action=drop proto=tcp` - drop DNS queries sent using TCP +- `action=accept specialtarget=dns` +- `action=drop proto=tcp specialtarget=dns` - drop DNS queries sent using TCP - `action=drop` ### Keys set by VM for passing info to dom0 ###
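Review bot: the hunk mandates a strict option order ("Options must appear in the rule in the order listed above") but the parse-error parenthetical it extends only adds "duplicated option" ("unknown option, invalid value, duplicated option, etc"), so the spec never states whether a rule with options out of order is a parse error that triggers the drop-all behaviour for that `SOURCE_IP` or merely a malformed-but-tolerated rule. Since the whole point of the fail-closed clause is that a firewall tool must not guess, list it explicitly, e.g. "unknown option, option out of order, invalid value, duplicated option, etc". The reordered examples (`action=accept specialtarget=dns`, `action=drop proto=tcp specialtarget=dns`) follow the new rule, but the unchanged `action=accept dst4=8.8.8.8 proto=udp dstports=53-53` should be checked against the option list above the hunk too, since only the tail of that list (`icmptype`, `dpi`) is visible in the context here.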