Support v6 fragment parsing

author Matt Corallo <git@bluematt.me>

Sat, 3 Apr 2021 20:41:41 +0000 (16:41 -0400)

committer Matt Corallo <git@bluematt.me>

Sat, 3 Apr 2021 22:11:48 +0000 (18:11 -0400)
author Matt Corallo <git@bluematt.me>
Sat, 3 Apr 2021 20:41:41 +0000 (16:41 -0400)
committer Matt Corallo <git@bluematt.me>
Sat, 3 Apr 2021 22:11:48 +0000 (18:11 -0400)
diff --git a/genrules.py b/genrules.py

index 3f5d9e008cd83ed74077ca0b5c8fac200119cff6..d372806a8e8c99a6b9fed67158cbf6e04e0406ba 100755 (executable)
--- a/genrules.py
+++ b/genrules.py
@@ -13,11 +13,6 @@ if len(sys.argv) > 2 and sys.argv[2].startswith("parse_ihl"):
      PARSE_IHL = True
  else:
      PARSE_IHL = False
      PARSE_IHL = True
  else:
      PARSE_IHL = False
-if len(sys.argv) > 3 and sys.argv[3].startswith("parse_exthdr"):
-    PARSE_EXTHDR = True
-else:
-    PARSE_EXTHDR = False
-
  
  class ASTAction(Enum):
      OR = 1,
  
  class ASTAction(Enum):
      OR = 1,
@@ -106,24 +101,47 @@ def parse_numbers_expr(expr):
          expr = expr[2:]
      return ASTNode(ASTAction.EXPR, NumbersExpr(NumbersAction.EQ, expr))
  
          expr = expr[2:]
      return ASTNode(ASTAction.EXPR, NumbersExpr(NumbersAction.EQ, expr))
  
-class FragExpr:
-    def __init__(self, val):
-        if val == "is_fragment":
-            self.rule = "(ip->frag_off & BE16(IP_MF|IP_OFFSET)) != 0"
-        elif val == "first_fragment":
-            self.rule = "(ip->frag_off & BE16(IP_MF)) != 0 && (ip->frag_off & BE16(IP_OFFSET)) == 0"
-        elif val == "dont_fragment":
-            self.rule = "(ip->frag_off & BE16(IP_DF)) != 0"
-        elif val == "last_fragment":
-            self.rule = "(ip->frag_off & BE16(IP_MF)) == 0 && (ip->frag_off & BE16(IP_OFFSET)) != 0"
+class FragExpr(Enum):
+    IF = 1
+    FF = 2
+    DF = 3
+    LF = 4
+
+    def write(self, ipproto, _param2):
+        if ipproto == 4:
+            if self == FragExpr.IF:
+                return "(ip->frag_off & BE16(IP_MF|IP_OFFSET)) != 0"
+            elif self == FragExpr.FF:
+                return "((ip->frag_off & BE16(IP_MF)) != 0 && (ip->frag_off & BE16(IP_OFFSET)) == 0)"
+            elif self == FragExpr.DF:
+                return "(ip->frag_off & BE16(IP_DF)) != 0"
+            elif self == FragExpr.LF:
+                return "((ip->frag_off & BE16(IP_MF)) == 0 && (ip->frag_off & BE16(IP_OFFSET)) != 0)"
+            else:
+                assert False
          else:
          else:
-            assert False
-
-    def write(self, _param, _param2):
-        return self.rule
+            if self == FragExpr.IF:
+                return "frag6 != NULL"
+            elif self == FragExpr.FF:
+                return "(frag6 != NULL && (frag6->frag_off & BE16(IP6_MF)) != 0 && (frag6->frag_off & BE16(IP6_FRAGOFF)) == 0)"
+            elif self == FragExpr.DF:
+                assert False # No such thing in v6
+            elif self == FragExpr.LF:
+                return "(frag6 != NULL && (frag6->frag_off & BE16(IP6_MF)) == 0 && (frag6->frag_off & BE16(IP6_FRAGOFF)) != 0)"
+            else:
+                assert False
  
  def parse_frag_expr(expr):
  
  def parse_frag_expr(expr):
-    return ASTNode(ASTAction.EXPR, FragExpr(expr))
+    if expr == "is_fragment":
+        return ASTNode(ASTAction.EXPR, FragExpr.IF)
+    elif expr == "first_fragment":
+        return ASTNode(ASTAction.EXPR, FragExpr.FF)
+    elif expr == "dont_fragment":
+        return ASTNode(ASTAction.EXPR, FragExpr.DF)
+    elif expr == "last_fragment":
+        return ASTNode(ASTAction.EXPR, FragExpr.LF)
+    else:
+        assert False
  
  class BitExpr:
      def __init__(self, val):
  
  class BitExpr:
      def __init__(self, val):
@@ -163,10 +181,8 @@ def ip_to_rule(proto, inip, ty, offset):
         break;"""
  
  def fragment_to_rule(ipproto, rules):
         break;"""
  
  def fragment_to_rule(ipproto, rules):
-    if ipproto == 6:
-        assert False # XXX: unimplemented
      ast = parse_ast(rules, parse_frag_expr)
      ast = parse_ast(rules, parse_frag_expr)
-    return "if (!( " + ast.write(()) + " )) break;"
+    return "if (!( " + ast.write(ipproto) + " )) break;"
  
  def len_to_rule(rules):
      ast = parse_ast(rules, parse_numbers_expr)
  
  def len_to_rule(rules):
      ast = parse_ast(rules, parse_numbers_expr)
@@ -178,8 +194,6 @@ def proto_to_rule(ipproto, proto):
      if ipproto == 4:
          return "if (!( " + ast.write("ip->protocol") + " )) break;"
      else:
      if ipproto == 4:
          return "if (!( " + ast.write("ip->protocol") + " )) break;"
      else:
-        if PARSE_EXTHDR:
-            assert False # XXX: unimplemented
          return "if (!( " + ast.write("ip6->nexthdr") + " )) break;"
  
  def icmp_type_to_rule(proto, ty):
          return "if (!( " + ast.write("ip6->nexthdr") + " )) break;"
  
  def icmp_type_to_rule(proto, ty):
diff --git a/test.sh b/test.sh

index 03bc6562e79a2a09ce9a8e76cf6626893d1d247d..bbb38dd363b59b607d51eb79104d38efe6da11d7 100755 (executable)
--- a/test.sh
+++ b/test.sh
@@ -146,4 +146,158 @@ echo "$TEST_PKT" >> rules.h
  echo "#define TEST_EXP XDP_PASS" >> rules.h
  clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
  
  echo "#define TEST_EXP XDP_PASS" >> rules.h
  clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
  
+echo "flow6 { fragment is_fragment || first_fragment || last_fragment; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_PASS" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+TEST_PKT='#define TEST \
+"\x00\x17\x10\x95\xe8\x96\x00\x0d\xb9\x50\x11\x4c\x86\xdd\x60\x0a" \
+"\x18\xa7\x00\x54\x2c\x3e\x26\x20\x00\x6e\xa0\x07\x02\x33\x00\x00" \
+"\x00\x00\x00\x00\x00\x01\x20\x01\x04\x70\x00\x00\x05\x03\x00\x00" \
+"\x00\x00\x00\x00\x00\x02\x3a\x00\x04\xd0\xe7\x50\x85\x12\xc8\xc9" \
+"\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" \
+"\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9" \
+"\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9" \
+"\xfa\xfb\xfc\xfd\xfe\xff\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" \
+"\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13"'
+
+# Last frag ICMPv6 tests
+
+echo "flow6 { src 2620:6e:a007:233::1/128; dst 2001:470:0:503::2/128; fragment is_fragment && !first_fragment && last_fragment; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_DROP" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+echo "flow6 { src 2620:6e:a007:233::1/128; dst 2001:470:0:503::2/128; fragment !is_fragment; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_PASS" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+echo "flow6 { src 2620:6e:a007:233::1/128; dst 2001:470:0:503::2/128; fragment !is_fragment || first_fragment || !last_fragment; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_PASS" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+#TODO Is nextheader frag correct to match on here? Should we support matching on any nexthdr?
+echo "flow6 { next header 44; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_DROP" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+TEST_PKT='#define TEST \
+"\x00\x17\x10\x95\xe8\x96\x00\x0d\xb9\x50\x11\x4c\x86\xdd\x60\x0a" \
+"\x18\xa7\x04\xd8\x2c\x3e\x26\x20\x00\x6e\xa0\x07\x02\x33\x00\x00" \
+"\x00\x00\x00\x00\x00\x01\x20\x01\x04\x70\x00\x00\x05\x03\x00\x00" \
+"\x00\x00\x00\x00\x00\x02\x3a\x00\x00\x01\xe7\x50\x85\x12\x80\x00" \
+"\x31\x09\xa5\xfb\x00\x01\xb1\xaf\x68\x60\x00\x00\x00\x00\xb2\xf0" \
+"\x01\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" \
+"\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" \
+"\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39" \
+"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49" \
+"\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59" \
+"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69" \
+"\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79" \
+"\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" \
+"\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99" \
+"\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9" \
+"\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9" \
+"\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9" \
+"\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" \
+"\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9" \
+"\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9" \
+"\xfa\xfb\xfc\xfd\xfe\xff\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" \
+"\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" \
+"\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" \
+"\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39" \
+"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49" \
+"\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59" \
+"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69" \
+"\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79" \
+"\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" \
+"\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99" \
+"\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9" \
+"\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9" \
+"\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9" \
+"\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" \
+"\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9" \
+"\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9" \
+"\xfa\xfb\xfc\xfd\xfe\xff\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" \
+"\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" \
+"\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" \
+"\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39" \
+"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49" \
+"\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59" \
+"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69" \
+"\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79" \
+"\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" \
+"\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99" \
+"\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9" \
+"\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9" \
+"\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9" \
+"\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" \
+"\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9" \
+"\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9" \
+"\xfa\xfb\xfc\xfd\xfe\xff\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" \
+"\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" \
+"\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" \
+"\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39" \
+"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49" \
+"\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59" \
+"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69" \
+"\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79" \
+"\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" \
+"\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99" \
+"\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9" \
+"\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9" \
+"\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9" \
+"\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" \
+"\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9" \
+"\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9" \
+"\xfa\xfb\xfc\xfd\xfe\xff\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" \
+"\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" \
+"\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" \
+"\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39" \
+"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49" \
+"\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59" \
+"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69" \
+"\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79" \
+"\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" \
+"\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99" \
+"\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9" \
+"\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9" \
+"\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7"'
  
  
+# First frag ICMPv6 tests
+
+echo "flow6 { src 2620:6e:a007:233::1/128; dst 2001:470:0:503::2/128; fragment is_fragment && first_fragment && !last_fragment; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_DROP" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+echo "flow6 { src 2620:6e:a007:233::1/128; dst 2001:470:0:503::2/128; fragment !is_fragment; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_PASS" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+echo "flow6 { src 2620:6e:a007:233::1/128; dst 2001:470:0:503::2/128; fragment !is_fragment || !first_fragment || last_fragment; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_PASS" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+echo "flow6 { src 2620:6e:a007:233::1/128; dst 2001:470:0:503::2/128; fragment is_fragment && first_fragment && !last_fragment; icmp code 0; icmp type 128 };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_DROP" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+#TODO Is nextheader frag correct to match on here? Should we support matching on any nexthdr?
+echo "flow6 { next header 44; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_DROP" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+#TODO Is nextheader frag correct to match on here? Should we support matching on any nexthdr?
+echo "flow6 { next header 58; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_PASS" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
diff --git a/xdp.c b/xdp.c

index 87b7eb5edae258cfbe695c21ac30ff4ae9c4a9a5..8623af44c1f0cdbb6b0591e7d4c6db148cf05739 100644 (file)
--- a/xdp.c
+++ b/xdp.c
@@ -18,7 +18,8 @@
  #define IP_PROTO_TCP 6
  #define IP_PROTO_UDP 17
  #define IP_PROTO_ICMP 1
  #define IP_PROTO_TCP 6
  #define IP_PROTO_UDP 17
  #define IP_PROTO_ICMP 1
-#define IP_PROTO_ICMPV6 58
+#define IP6_PROTO_ICMPV6 58
+#define IP6_PROTO_FRAG 44
  
  typedef __uint128_t uint128_t;
  
  
  typedef __uint128_t uint128_t;
  
@@ -43,6 +44,15 @@ struct ip6hdr {
         uint128_t       daddr;
  } __attribute__((packed));
  
         uint128_t       daddr;
  } __attribute__((packed));
  
+#define IP6_MF 1
+#define IP6_FRAGOFF 0xfff8
+struct ip6_fraghdr {
+       uint8_t nexthdr;
+       uint8_t _reserved;
+       uint16_t frag_off; // BE low 3 bits flags, last is "more frags"
+       uint32_t id;
+} __attribute__((packed));
+
  // Our own ethhdr with optional vlan tags
  struct ethhdr_vlan {
         unsigned char   h_dest[ETH_ALEN];       /* destination eth addr */
  // Our own ethhdr with optional vlan tags
  struct ethhdr_vlan {
         unsigned char   h_dest[ETH_ALEN];       /* destination eth addr */
@@ -161,6 +171,7 @@ int xdp_drop_prog(struct xdp_md *ctx)
         const struct udphdr *udp = NULL;
         const struct icmphdr *icmp = NULL;
         const struct icmp6hdr *icmpv6 = NULL;
         const struct udphdr *udp = NULL;
         const struct icmphdr *icmp = NULL;
         const struct icmp6hdr *icmpv6 = NULL;
+       const struct ip6_fraghdr *frag6 = NULL;
         const struct iphdr *ip = NULL;
         const struct ip6hdr *ip6 = NULL;
         const void *l4hdr = NULL;
         const struct iphdr *ip = NULL;
         const struct ip6hdr *ip6 = NULL;
         const void *l4hdr = NULL;
@@ -195,15 +206,27 @@ int xdp_drop_prog(struct xdp_md *ctx)
                 ip6 = (struct ip6hdr*) pktdata;
  
                 l4hdr = pktdata + 40;
                 ip6 = (struct ip6hdr*) pktdata;
  
                 l4hdr = pktdata + 40;
-               if (ip6->nexthdr == IP_PROTO_TCP) {
+
+               uint8_t v6nexthdr;
+               if (ip6->nexthdr == IP6_PROTO_FRAG) {
+                       if (l4hdr + sizeof(struct ip6_fraghdr) > data_end)
+                               return XDP_DROP;
+                       frag6 = (struct ip6_fraghdr*) l4hdr;
+                       l4hdr = l4hdr + sizeof(struct ip6_fraghdr);
+                       v6nexthdr = frag6->nexthdr;
+               } else {
+                       v6nexthdr = ip6->nexthdr;
+               }
+
+               if (v6nexthdr == IP_PROTO_TCP) {
                         if (l4hdr + sizeof(struct tcphdr) > data_end)
                                 return XDP_DROP;
                         tcp = (struct tcphdr*) l4hdr;
                         if (l4hdr + sizeof(struct tcphdr) > data_end)
                                 return XDP_DROP;
                         tcp = (struct tcphdr*) l4hdr;
-               } else if (ip6->nexthdr == IP_PROTO_UDP) {
+               } else if (v6nexthdr == IP_PROTO_UDP) {
                         if (l4hdr + sizeof(struct udphdr) > data_end)
                                 return XDP_DROP;
                         udp = (struct udphdr*) l4hdr;
                         if (l4hdr + sizeof(struct udphdr) > data_end)
                                 return XDP_DROP;
                         udp = (struct udphdr*) l4hdr;
-               } else if (ip6->nexthdr == IP_PROTO_ICMPV6) {
+               } else if (v6nexthdr == IP6_PROTO_ICMPV6) {
                         if (l4hdr + sizeof(struct icmp6hdr) > data_end)
                                 return XDP_DROP;
                         icmpv6 = (struct icmp6hdr*) l4hdr;
                         if (l4hdr + sizeof(struct icmp6hdr) > data_end)
                                 return XDP_DROP;
                         icmpv6 = (struct icmp6hdr*) l4hdr;
author	Matt Corallo <git@bluematt.me>
	Sat, 3 Apr 2021 20:41:41 +0000 (16:41 -0400)
committer	Matt Corallo <git@bluematt.me>
	Sat, 3 Apr 2021 22:11:48 +0000 (18:11 -0400)
genrules.py		patch \| blob \| history
test.sh		patch \| blob \| history
xdp.c		patch \| blob \| history