Firewall allow drop packets by TCP MSS size
Closed, ResolvedPublicFEATURE REQUEST
Actions

Assigned To

Authored By

	Viacheslav
	Aug 17 2022, 3:37 PM

Description

Ability to drop packets by TCP MSS size

% nft add rule inet filter input tcp flags syn tcp option maxseg size 1-500 drop

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Improvement (missing useful functionality)

Event Timeline

Viacheslav created this task.Aug 17 2022, 3:37 PM

Viacheslav renamed this task from Firewall allow drop packets by TCP MSS to Firewall allow drop packets by TCP MSS size.Aug 17 2022, 4:11 PM

Viacheslav updated the task description. (Show Details)

pasik added a subscriber: pasik.Aug 17 2022, 5:13 PM

Viacheslav changed the task status from Open to In progress.Aug 18 2022, 4:30 PM

Viacheslav claimed this task.

PR https://github.com/vyos/vyos-1x/pull/1478

set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 protocol 'tcp'
set firewall name FOO rule 10 tcp flags syn
set firewall name FOO rule 10 tcp mss '1-500'

nft:

vyos@r14# sudo nft -s list table ip filter
table ip filter {
        ...

	chain NAME_FOO {
		tcp flags & syn == syn tcp option maxseg size 1-500 counter drop comment "FOO-10"
		counter return comment "FOO default-action accept"
	}
}

Viacheslav closed this task as Resolved.Aug 25 2022, 6:32 AM

Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.

Firewall allow drop packets by TCP MSS sizeClosed, ResolvedPublicFEATURE REQUESTActions

Description

Details

Event Timeline

Firewall allow drop packets by TCP MSS size
Closed, ResolvedPublicFEATURE REQUEST
Actions