mirror/xdp-project-bpf-examples
1
0
Fork 0
mirror of https://github.com/xdp-project/bpf-examples.git synced 2024-05-06 15:54:53 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #111 from vincentmli/xdp-synproxy

Browse Source 
Sync in kernel bpf selftest xdp synproxy fix: erroneous bitmask operation
This commit is contained in:
Toke Høiland-Jørgensen
2023-12-12 15:11:07 +01:00
committed by GitHub
parent 63cd4007b1 3d6baf8905
commit 86ec1b7f15
3 changed files with 29 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
headers/vmlinux/vmlinux_net.h
View File

@@ -142,6 +142,7 @@ struct nf_conn {
enum ip_conntrack_status { enum ip_conntrack_status {
/* Connection is confirmed: originating packet has left box */ /* Connection is confirmed: originating packet has left box */
IPS_CONFIRMED_BIT = 3, IPS_CONFIRMED_BIT = 3,
IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
}; };
#endif /* __VMLINUX_NET_H__ */ #endif /* __VMLINUX_NET_H__ */

26
xdp-synproxy/README.org
View File

@@ -59,3 +59,29 @@ could be built statically and shipped with xdp-synproxy container.
=> 50 syncookie_xdp 908 6c6615566a2e0419 XDP_PASS => 50 syncookie_xdp 908 6c6615566a2e0419 XDP_PASS
#+END_SRC #+END_SRC
XDP SYNPROXY can also be deployed in Linux router/Firewall, it requires iptables SYNPROXY to be added in filter table FORWARD chain. see https://youtu.be/Cj7SeviTXrw?si=adZ0FrGq84Ygmmy0 for example.
#+BEGIN_SRC sh
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv4.tcp_syncookies=2
sudo sysctl -w net.ipv4.tcp_timestamps=1
sudo sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
sudo iptables -t raw -I PREROUTING -i ens7 -p tcp -m tcp --syn --dport 80 -j CT --notrack
sudo iptables -t filter -A FORWARD -i ens7 -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
sudo iptables -t filter -A FORWARD -i ens7 -m state --state INVALID -j DROP
sudo ./xdp_synproxy --iface ens7 --ports 80 --mss4 1460 --mss6 1440 --wscale 7 --ttl 64
Simple test diagram
client: server:
ip r add 10.6.6.0/24 ip r add 10.3.3.0/24
via 10.3.3.8 via 10.6.6.8
+---------------+ +----------------------------+ +--------------+
| | | | | |
| client | | Firewall/router | | server |
| 10.3.3.9 eno2---ens7 10.3.3.8 10.6.6.8 ens9----ens9 10.6.6.6 |
| | | | | |
| | | | | |
+---------------+ +----------------------------+ +--------------+
#+END_SRC

4
xdp-synproxy/xdp_synproxy_kern.c
View File

@@ -447,13 +447,13 @@ static __always_inline int tcp_lookup(void *ctx, struct header_pointers *hdr, bo
unsigned long status = ct->status; unsigned long status = ct->status;
bpf_ct_release(ct); bpf_ct_release(ct);
if (status & IPS_CONFIRMED_BIT) if (status & IPS_CONFIRMED)
return XDP_PASS; return XDP_PASS;
} else if (ct_lookup_opts.error != -ENOENT) { } else if (ct_lookup_opts.error != -ENOENT) {
return XDP_ABORTED; return XDP_ABORTED;
} }
/* error == -ENOENT || !(status & IPS_CONFIRMED_BIT) */ /* error == -ENOENT || !(status & IPS_CONFIRMED) */
return XDP_TX; return XDP_TX;
} }