1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
// SPDX-License-Identifier: GPL-2.0
#define BPF_NO_KFUNC_PROTOTYPES
#include <vmlinux.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>
#define ETH_P_IP 0x0800
#define ETH_P_IPV6 0x86dd
#define IP_MF 0x2000 /* "More Fragments" */
#define IP_OFFSET 0x1fff /* "Fragment Offset" */
#define AF_INET 2
#define AF_INET6 10
struct bpf_flowtable_opts___local {
s32 error;
};
struct flow_offload_tuple_rhash *
bpf_xdp_flow_lookup(struct xdp_md *, struct bpf_fib_lookup *,
struct bpf_flowtable_opts___local *, u32) __ksym;
struct {
__uint(type, BPF_MAP_TYPE_ARRAY);
__type(key, __u32);
__type(value, __u32);
__uint(max_entries, 1);
} stats SEC(".maps");
static bool xdp_flowtable_offload_check_iphdr(struct iphdr *iph)
{
/* ip fragmented traffic */
if (iph->frag_off & bpf_htons(IP_MF | IP_OFFSET))
return false;
/* ip options */
if (iph->ihl * 4 != sizeof(*iph))
return false;
if (iph->ttl <= 1)
return false;
return true;
}
static bool xdp_flowtable_offload_check_tcp_state(void *ports, void *data_end,
u8 proto)
{
if (proto == IPPROTO_TCP) {
struct tcphdr *tcph = ports;
if (tcph + 1 > data_end)
return false;
if (tcph->fin || tcph->rst)
return false;
}
return true;
}
struct flow_ports___local {
__be16 source, dest;
} __attribute__((preserve_access_index));
SEC("xdp.frags")
int xdp_flowtable_do_lookup(struct xdp_md *ctx)
{
void *data_end = (void *)(long)ctx->data_end;
struct bpf_flowtable_opts___local opts = {};
struct flow_offload_tuple_rhash *tuplehash;
struct bpf_fib_lookup tuple = {
.ifindex = ctx->ingress_ifindex,
};
void *data = (void *)(long)ctx->data;
struct ethhdr *eth = data;
struct flow_ports___local *ports;
__u32 *val, key = 0;
if (eth + 1 > data_end)
return XDP_DROP;
switch (eth->h_proto) {
case bpf_htons(ETH_P_IP): {
struct iphdr *iph = data + sizeof(*eth);
ports = (struct flow_ports___local *)(iph + 1);
if (ports + 1 > data_end)
return XDP_PASS;
/* sanity check on ip header */
if (!xdp_flowtable_offload_check_iphdr(iph))
return XDP_PASS;
if (!xdp_flowtable_offload_check_tcp_state(ports, data_end,
iph->protocol))
return XDP_PASS;
tuple.family = AF_INET;
tuple.tos = iph->tos;
tuple.l4_protocol = iph->protocol;
tuple.tot_len = bpf_ntohs(iph->tot_len);
tuple.ipv4_src = iph->saddr;
tuple.ipv4_dst = iph->daddr;
tuple.sport = ports->source;
tuple.dport = ports->dest;
break;
}
case bpf_htons(ETH_P_IPV6): {
struct in6_addr *src = (struct in6_addr *)tuple.ipv6_src;
struct in6_addr *dst = (struct in6_addr *)tuple.ipv6_dst;
struct ipv6hdr *ip6h = data + sizeof(*eth);
ports = (struct flow_ports___local *)(ip6h + 1);
if (ports + 1 > data_end)
return XDP_PASS;
if (ip6h->hop_limit <= 1)
return XDP_PASS;
if (!xdp_flowtable_offload_check_tcp_state(ports, data_end,
ip6h->nexthdr))
return XDP_PASS;
tuple.family = AF_INET6;
tuple.l4_protocol = ip6h->nexthdr;
tuple.tot_len = bpf_ntohs(ip6h->payload_len);
*src = ip6h->saddr;
*dst = ip6h->daddr;
tuple.sport = ports->source;
tuple.dport = ports->dest;
break;
}
default:
return XDP_PASS;
}
tuplehash = bpf_xdp_flow_lookup(ctx, &tuple, &opts, sizeof(opts));
if (!tuplehash)
return XDP_PASS;
val = bpf_map_lookup_elem(&stats, &key);
if (val)
__sync_add_and_fetch(val, 1);
return XDP_PASS;
}
char _license[] SEC("license") = "GPL";
|
