Limit communication using tags

I’m trying to come up with logic to limit connections using tags. I have 1 tag with 3 options: Robot, Operator, Server.

tag device_type
	id 500
	enum 100 operator
	enum 200 robot
	enum 300 server
	default 100
;

I’m trying to come up with the logic to limit communication for like device types (i.e. 2 operators can’t connect to each other, but an operator can connect to robots). I’ve tried dropping if tdiff of the tag is 0, and I’ve tried accepting with different tags and dropping everything else. No matter what I try, it drops all traffic unless I open it up. I’ve also tried this using completely separate tags for each type, with the same result.

drop
	tdiff device_type 0
;

What would the most effective method be to deal with this?

Hmm. What is the wanted logic for servers?

It would be the same. Servers wouldn’t connect to each other, but operators and robots can connect to servers. This one may be a bit more flexible, but the initial use would be limited in east-west connectivity within the server group.

Operators can’t connect to each other, but operators can connect to robots and servers

Robots can’t connect to each other, but robots can connect to operators and servers.

I haven’t tried this, but what if you tagged them something like

tag device_type
	id 500
	enum 1 operator #001
	enum 2 robot    #010
	enum 4 server   #100
	default 1
;

and used allow tdiff 0;

I tried that and it’s blocking all traffic between any device. I’ve pasted my entire config below.

# Set device type - Used for communication rules
tag device_type
	id 500                 
	enum 1 operator #001
	enum 2 robot    #010
	enum 4 server   #100
	default 1
;

# Allow only IPv4, IPv4 ARP, and IPv6 Ethernet frames.
drop
	not ethertype ipv4
	and not ethertype arp
	and not ethertype ipv6
;

# drop non-ZeroTier issued and managed IP addresses.
drop
	not chr ipauth
;

accept
	tdiff device_type 0
;

# Accept anything else. This is required since default is 'drop'.
#accept;

Sorry! I should have said tand instead of tdiff.

It appears to work for me using tand, though now I’m not sure why tdiff isn’t also working.

tand <id> <value> Tags ANDed together equal value.
tdiff <id> <value> Difference between tags with this ID is less than or equal to the value.

tag device_type
id 500                 
enum 1 operator #001
enum 2 robot    #010
enum 4 server   #100
default 1
;

accept tand device_type 0;

drop;
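Why `tand 0` works with the 1/2/4 layout, and what `tdiff 0` does instead, can be checked offline before pushing a rule set to a controller. The Python model below is an added example, not part of this thread and not ZeroTier's own code. It implements only the two matcher definitions quoted above (tand: tags ANDed together equal the value; tdiff: absolute difference at most the value) and walks every ordered pair of device types through a rule list, first matching rule wins with an implicit final drop. It goes slightly beyond the thread: it also runs `accept tand device_type 0; drop;` against the original 100/200/300 enum values and against a fourth, hypothetical `gateway` type, to show that `tand 0` only expresses "unlike types may talk" when the enum values share no bits. The helper names, the `gateway` type and the rule-list encoding are the example's own assumptions; it assumes both peers carry the tag (which the `default` line guarantees) and ignores the ethertype and ipauth rules in the posted config.

```python
"""Offline model of two ZeroTier tag matchers (tand, tdiff) as defined in the
thread, used to tabulate which device-type pairs a rule set would accept.
Constructed example; not ZeroTier code."""

from itertools import product

# Constructed tag tables for tag id 500, matching the two layouts in the thread.
POWER_OF_TWO = {"operator": 1, "robot": 2, "server": 4}     # 001, 010, 100
DECIMAL = {"operator": 100, "robot": 200, "server": 300}    # first attempt
# Hypothetical fourth type to show the power-of-two layout scales.
WITH_GATEWAY = {**POWER_OF_TWO, "gateway": 8}               # 1000


def tand(a: int, b: int, value: int) -> bool:
    """tand <id> <value>: tags ANDed together equal value."""
    return (a & b) == value


def tdiff(a: int, b: int, value: int) -> bool:
    """tdiff <id> <value>: difference between the tags is <= value."""
    return abs(a - b) <= value


MATCHERS = {"tand": tand, "tdiff": tdiff}

# A rule is (action, matcher_name, value); matcher_name None is an
# unconditional rule such as the trailing `drop;`.
WORKING = [("accept", "tand", 0), ("drop", None, None)]   # accept tand device_type 0; drop;
TDIFF_ACCEPT = [("accept", "tdiff", 0)]                   # accept tdiff device_type 0;
TDIFF_DROP = [("drop", "tdiff", 0)]                       # drop tdiff device_type 0; (no final accept)


def evaluate(rules, a: int, b: int, default: str = "drop") -> str:
    """Return the action of the first rule whose matcher fires for the pair of
    tag values (a, b); fall back to the assumed default of 'drop'."""
    for action, name, value in rules:
        if name is None or MATCHERS[name](a, b, value):
            return action
    return default


def matrix(rules, tags):
    """{(src_type, dst_type): action} for every ordered pair of device types."""
    return {(s, d): evaluate(rules, tags[s], tags[d]) for s, d in product(tags, repeat=2)}


def allowed_pairs(rules, tags):
    """Sorted list of (src_type, dst_type) pairs the rule set accepts."""
    return sorted(p for p, act in matrix(rules, tags).items() if act == "accept")


def wanted(tags):
    """The policy stated in the thread: unlike types talk, like types do not."""
    return sorted((s, d) for s, d in product(tags, repeat=2) if s != d)


def bit_disjoint(tags) -> bool:
    """True when no two distinct enum values share a bit, the precondition for
    `tand 0` to mean 'different types'."""
    vals = list(tags.values())
    return all((x & y) == 0 for x, y in product(vals, repeat=2) if x != y)


if __name__ == "__main__":
    cases = [
        ("accept tand 0; drop  (1/2/4)", WORKING, POWER_OF_TWO),
        ("accept tand 0; drop  (1/2/4/8)", WORKING, WITH_GATEWAY),
        ("accept tand 0; drop  (100/200/300)", WORKING, DECIMAL),
        ("accept tdiff 0        (1/2/4)", TDIFF_ACCEPT, POWER_OF_TWO),
        ("drop tdiff 0          (1/2/4)", TDIFF_DROP, POWER_OF_TWO),
    ]
    for label, rules, tags in cases:
        got = allowed_pairs(rules, tags)
        print(f"{label:40} bit-disjoint={bit_disjoint(tags)!s:5} "
              f"matches wanted policy={got == wanted(tags)!s:5} accepted={got}")
```

Running it shows the three outcomes reported in the thread: `accept tand 0; drop;` on 1/2/4 accepts exactly the unlike pairs (and still does with a fourth power-of-two type), `accept tdiff 0` accepts only like pairs (tdiff 0 means "equal tags", the opposite of the intent), and `drop tdiff 0` with the default drop and no trailing `accept;` drops everything. The 100/200/300 run is the caveat: 100 & 200 = 64, 100 & 300 = 36 and 200 & 300 = 8, so `tand 0` never matches and every pair is dropped, which is why the enum values have to be chosen as distinct bits for this trick.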

That does appear to do the trick. Thanks so much for the help. I think I was overthinking it a bit.
