ZeroTierOne icon indicating copy to clipboard operation
ZeroTierOne copied to clipboard

Published 20 hours ago verified publisher icon zerotier

Does chr direction implicitly affect partner interface?

Open AvrumFeldman opened this issue 4 years ago • 3 comments
trafficstars

When allowing directional traffic using chr inbound is it automatically allowed in the reverse on the other interface involved in the traffic? Meaning, if lets say I allow outbound tcp traffic, is those traffic implicitly allowed inbound on the receiving side?

Reason for my question, I'm currently trying to allow all tcp outbound and inbound traffic but limit inbound tcp_syn to specific devices, but when implementing it using the below flow rules tcp_syn is somehow arriving inbound to devices even though there is no rule allowing tcp_syn inbound.

# Allow outbound tcp traffic
accept
    not chr inbound
    ipprotocol tcp
;

# Allow inbound (as outbound was already matched one above) tcp as long not tcp_syn
accept
    ipprotocol tcp
    not chr tcp_syn
;

# Allow inbound tcp_syn when combined with tcp_ack as otherwise it's blocked one above. 
accept
    ipprotocol tcp
    chr tcp_syn
    chr tcp_ack
;

P.S. I'm sorry for my previous ticket, I was working on this issue the whole night and that was the result. Now when I was trying to write a concise summary of my issue I arrived to this reproducible question which I feel is more appropriate for this community.

AvrumFeldman avatar Nov 01 '21 03:11 AvrumFeldman

Hey, sorry we never responded.

When allowing directional traffic using chr inbound is it automatically allowed in the reverse on the other interface involved in the traffic? Meaning, if lets say I allow outbound tcp traffic, is those traffic implicitly allowed inbound on the receiving side?

I don't think so.

If this is still an open question for you I can try to ask someone with more familiarity.

joseph-henry avatar May 16 '22 20:05 joseph-henry

Hello I was actually experimenting with not chr inbound today, and seeing unexpected results. Then I saw this issue too. Will research more...

laduke avatar May 18 '22 17:05 laduke

I can see the SYN leave the tcp_client, but never arrive on tcp_server, with these rules

cap tcp_server id 11
    accept ipprotocol tcp; 
;

cap tcp_client id 21
    accept ipprotocol tcp and not chr inbound; 
;

accept not chr tcp_syn;
accept chr tcp_syn and chr tcp_ack;

accept ipprotocol icmp4;
accept ethertype arp; 

# accept;
break;

not sure what if just misunderstanding the logic or if there's a bug with not chr inbound

laduke avatar May 18 '22 23:05 laduke

Hi @joseph-henry Sorry for my radio silence, didn't notice the email notifications.

Before I go ahead and start testing, was this apparent bug resolved?

AvrumFeldman avatar Sep 14 '22 17:09 AvrumFeldman