From: Matt Corallo
Date: Sun, 4 Apr 2021 20:46:04 +0000 (-0400)
Subject: Track ports valid directly - as LLVM will | pointers which BPF wont allow
X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=commitdiff_plain;h=a8be3b609743627f58a464d7b75217a778eb4fa9;p=flowspec-xdp
Track ports valid directly - as LLVM will | pointers which BPF wont allow
---
diff --git a/genrules.py b/genrules.py
index edef617..4468c1e 100755
--- a/genrules.py
+++ b/genrules.py
@@ -232,10 +232,10 @@ def dscp_to_rule(proto, rules):
 def port_to_rule(ty, rules):
 if ty == "port" :
 ast = parse_ast(rules, parse_numbers_expr)
- return "if (tcp == NULL && udp == NULL) break;\nif (!( " + ast.write("sport", "dport") + " )) break;"
+ return "if (!ports_valid) break;\nif (!( " + ast.write("sport", "dport") + " )) break;"
 ast = parse_ast(rules, parse_numbers_expr)
- return "if (tcp == NULL && udp == NULL) break;\nif (!( " + ast.write(ty) + " )) break;"
+ return "if (!ports_valid) break;\nif (!( " + ast.write(ty) + " )) break;"
 def tcp_flags_to_rule(rules):
 ast = parse_ast(rules, parse_bit_expr)
diff --git a/xdp.c b/xdp.c
index 01feac6..4e4d6c6 100644
--- a/xdp.c
+++ b/xdp.c
@@ -204,7 +204,7 @@ int xdp_drop_prog(struct xdp_md *ctx)
 const void *l4hdr = NULL;
 const struct tcphdr *tcp = NULL;
- const struct udphdr *udp = NULL;
+ uint8_t ports_valid = 0;
 uint16_t sport, dport; // Host Endian! Only valid with tcp || udp
 #ifdef NEED_V4_PARSE
@@ -227,11 +227,13 @@ int xdp_drop_prog(struct xdp_md *ctx)
 tcp = (struct tcphdr*) l4hdr;
 sport = BE16(tcp->source);
 dport = BE16(tcp->dest);
+ ports_valid = 1;
 } else if (ip->protocol == IP_PROTO_UDP) {
 CHECK_LEN(l4hdr, udphdr);
- udp = (struct udphdr*) l4hdr;
+ const struct udphdr *udp = (struct udphdr*) l4hdr;
 sport = BE16(udp->source);
 dport = BE16(udp->dest);
+ ports_valid = 1;
 } else if (ip->protocol == IP_PROTO_ICMP) {
 CHECK_LEN(l4hdr, icmphdr);
 icmp = (struct icmphdr*) l4hdr;
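Review bot: In the genrules.py hunk, `port_to_rule` emits `if (!ports_valid) break;` without saying that the generated C now depends on a flag that only xdp.c declares and sets. A comment above the two returns would record that contract, for example `# ports_valid is set by xdp.c once sport/dport were read from a TCP or UDP header`. The two return strings also repeat the same guard prefix, which could be built once as `guard = "if (!ports_valid) break;\nif (!( "` and reused in both branches.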
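Review bot: In the first xdp.c hunk the trailing comment on `uint16_t sport, dport;` still reads "Only valid with tcp || udp", but `udp` is no longer a function-scope pointer and the generated port rules now test `ports_valid`. The comment should follow the new invariant, for example `uint16_t sport, dport; // Host Endian! Only valid if ports_valid`. As far as the visible hunks show, sport and dport are assigned only in the TCP and UDP branches, so the flag is what keeps a port rule from reading them unset and deserves to be named at the declaration. The body of xdp_drop_prog starts and ends outside this hunk.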
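Review bot: In the second xdp.c hunk, `const struct udphdr *udp = (struct udphdr*) l4hdr;` casts the const away from `l4hdr` (declared `const void *` in the first hunk) only to add it back on assignment; `const struct udphdr *udp = (const struct udphdr*) l4hdr;` keeps the qualifier and stays quiet under -Wcast-qual. The same line appears in the IPv6 branch of the third hunk. `ports_valid = 1;` is now set by hand in four branches, so a short comment at one of them, such as `// sport/dport are populated; port rules may read them`, would make the pairing explicit for whoever adds another L4 protocol. The surrounding if/else chain starts before and continues after the hunk.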
@@ -272,11 +274,13 @@ int xdp_drop_prog(struct xdp_md *ctx)
 tcp = (struct tcphdr*) l4hdr;
 sport = BE16(tcp->source);
 dport = BE16(tcp->dest);
+ ports_valid = 1;
 } else if (v6nexthdr == IP_PROTO_UDP) {
 CHECK_LEN(l4hdr, udphdr);
- udp = (struct udphdr*) l4hdr;
+ const struct udphdr *udp = (struct udphdr*) l4hdr;
 sport = BE16(udp->source);
 dport = BE16(udp->dest);
+ ports_valid = 1;
 } else if (v6nexthdr == IP6_PROTO_ICMPV6) {
 CHECK_LEN(l4hdr, icmp6hdr);
 icmpv6 = (struct icmp6hdr*) l4hdr;