authorJohannes Kimmel <fff@bareminimum.eu>2020-09-04 04:59:40 +0200
committerHans Dedecker <dedeckeh@gmail.com>2020-09-12 21:04:42 +0200
commita3c033e2afc289672e0ed4b8d8a835d509715af8 (patch)
treee714d20e3d1e376d83a08069f92d2c4668959f33
parentd7b614a86b815da711b5fecb10687297a70d859e (diff)
netifd: vxlan: handle srcport range
This adds the ability to set the source port range for vxlan interfaces. By default vxlans will use a random port within the ephemeral range as source ports for packets. This is done to aid scalability within a datacenter. But with these defaults it's impossible to punch through NATs or traverse most stateful firewalls easily. One solution is to fix the srcport to the same as dstport. If only srcportmin is specified, then srcportmax is set in a way that outgoing packets will only use srcportmin. If a range is to be specified, srcportmin and srcportmax have to be specified. srcportmax is exclusive. If only srcportmax is specified, the value is ignored and defaults are used. Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
-rw-r--r--system-linux.c26
-rw-r--r--system.c2
-rw-r--r--system.h2
3 files changed, 30 insertions, 0 deletions
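--- a/system-linux.c
+++ b/system-linux.c
@@ -3184,6 +3184,32 @@ static int system_add_vxlan(const char *name, const unsigned int link, struct bl
 }
 nla_put_u16(msg, IFLA_VXLAN_PORT, htons(port));
+ if ((cur = tb_data[VXLAN_DATA_ATTR_SRCPORTMIN])) {
+ struct ifla_vxlan_port_range srcports = {0,0};
+
+ uint32_t low = blobmsg_get_u32(cur);
+ if (low < 1 || low > 65535 - 1) {
+ ret = -EINVAL;
+ goto failure;
+ }
+
+ srcports.low = htons((uint16_t) low);
+ srcports.high = htons((uint16_t) (low+1));
+
+ if ((cur = tb_data[VXLAN_DATA_ATTR_SRCPORTMAX])) {
+ uint32_t high = blobmsg_get_u32(cur);
+ if (high < 1 || high > 65535) {
+ ret = -EINVAL;
+ goto failure;
+ }
+
+ if (high > low)
+ srcports.high = htons((uint16_t) high);
+ }
+
+ nla_put(msg, IFLA_VXLAN_PORT_RANGE, sizeof(srcports), &srcports);
+ }
+
 if ((cur = tb_data[VXLAN_DATA_ATTR_RXCSUM])) {
 bool rxcsum = blobmsg_get_bool(cur);
 nla_put_u8(msg, IFLA_VXLAN_UDP_ZERO_CSUM6_RX, !rxcsum);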
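Review bot: A srcportmax at or below srcportmin is silently dropped by the `if (high > low)` guard, so a mistyped range degrades to a single-port pin on srcportmin with no error, while every other malformed value in this block is rejected with -EINVAL. Treating it as a configuration error keeps the validation consistent: replace the guarded assignment with `if (high <= low) { ret = -EINVAL; goto failure; }` and make `srcports.high = htons((uint16_t) high);` unconditional after it. The exclusive meaning of `high` is only stated in the commit message; a one-line comment above the `low+1` assignment, `/* high is exclusive, so low+1 pins a single source port */`, would explain both the 65535 - 1 bound and the default. system_add_vxlan begins and ends outside this hunk.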
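--- a/system.c
+++ b/system.c
@@ -38,6 +38,8 @@ static const struct blobmsg_policy vxlan_data_attrs[__VXLAN_DATA_ATTR_MAX] = {
 [VXLAN_DATA_ATTR_MACADDR] = { .name = "macaddr", .type = BLOBMSG_TYPE_STRING },
 [VXLAN_DATA_ATTR_RXCSUM] = { .name = "rxcsum", .type = BLOBMSG_TYPE_BOOL },
 [VXLAN_DATA_ATTR_TXCSUM] = { .name = "txcsum", .type = BLOBMSG_TYPE_BOOL },
+ [VXLAN_DATA_ATTR_SRCPORTMIN] = { .name = "srcportmin", .type = BLOBMSG_TYPE_INT32 },
+ [VXLAN_DATA_ATTR_SRCPORTMAX] = { .name = "srcportmax", .type = BLOBMSG_TYPE_INT32 },
 };
 const struct uci_blob_param_list vxlan_data_attr_list = {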
diff --git a/system.h b/system.h
index 015987f..bf9e1d7 100644
--- a/system.h
+++ b/system.h
@@ -44,6 +44,8 @@ enum vxlan_data {
VXLAN_DATA_ATTR_MACADDR,
VXLAN_DATA_ATTR_RXCSUM,
VXLAN_DATA_ATTR_TXCSUM,
+ VXLAN_DATA_ATTR_SRCPORTMIN,
+ VXLAN_DATA_ATTR_SRCPORTMAX,
__VXLAN_DATA_ATTR_MAX
};