From 94ae7afe2f87074c7353e247275fe33f7f774bd1 Mon Sep 17 00:00:00 2001
From: Matt Corallo
Date: Sat, 3 Apr 2021 16:41:41 -0400
Subject: [PATCH] Support v6 fragment parsing
---
 genrules.py | 64 +++++++++++++---------
 test.sh | 154 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 xdp.c | 31 +++++++++--
 3 files changed, 220 insertions(+), 29 deletions(-)
diff --git a/genrules.py b/genrules.py
index 3f5d9e0..d372806 100755
--- a/genrules.py
+++ b/genrules.py
@@ -13,11 +13,6 @@ if len(sys.argv) > 2 and sys.argv[2].startswith("parse_ihl"):
 PARSE_IHL = True
 else:
 PARSE_IHL = False
-if len(sys.argv) > 3 and sys.argv[3].startswith("parse_exthdr"):
- PARSE_EXTHDR = True
-else:
- PARSE_EXTHDR = False
-
 class ASTAction(Enum):
 OR = 1,
@@ -106,24 +101,47 @@ def parse_numbers_expr(expr):
 expr = expr[2:]
 return ASTNode(ASTAction.EXPR, NumbersExpr(NumbersAction.EQ, expr))
-class FragExpr:
- def __init__(self, val):
- if val == "is_fragment":
- self.rule = "(ip->frag_off & BE16(IP_MF|IP_OFFSET)) != 0"
- elif val == "first_fragment":
- self.rule = "(ip->frag_off & BE16(IP_MF)) != 0 && (ip->frag_off & BE16(IP_OFFSET)) == 0"
- elif val == "dont_fragment":
- self.rule = "(ip->frag_off & BE16(IP_DF)) != 0"
- elif val == "last_fragment":
- self.rule = "(ip->frag_off & BE16(IP_MF)) == 0 && (ip->frag_off & BE16(IP_OFFSET)) != 0"
+class FragExpr(Enum):
+ IF = 1
+ FF = 2
+ DF = 3
+ LF = 4
+
+ def write(self, ipproto, _param2):
+ if ipproto == 4:
+ if self == FragExpr.IF:
+ return "(ip->frag_off & BE16(IP_MF|IP_OFFSET)) != 0"
+ elif self == FragExpr.FF:
+ return "((ip->frag_off & BE16(IP_MF)) != 0 && (ip->frag_off & BE16(IP_OFFSET)) == 0)"
+ elif self == FragExpr.DF:
+ return "(ip->frag_off & BE16(IP_DF)) != 0"
+ elif self == FragExpr.LF:
+ return "((ip->frag_off & BE16(IP_MF)) == 0 && (ip->frag_off & BE16(IP_OFFSET)) != 0)"
+ else:
+ assert False
 else:
- assert False
-
- def write(self, _param, _param2):
- return self.rule
+ if self == FragExpr.IF:
+ return "frag6 != NULL"
+ elif self == FragExpr.FF:
+ return "(frag6 != NULL && (frag6->frag_off & BE16(IP6_MF)) != 0 && (frag6->frag_off & BE16(IP6_FRAGOFF)) == 0)"
+ elif self == FragExpr.DF:
+ assert False # No such thing in v6
+ elif self == FragExpr.LF:
+ return "(frag6 != NULL && (frag6->frag_off & BE16(IP6_MF)) == 0 && (frag6->frag_off & BE16(IP6_FRAGOFF)) != 0)"
+ else:
+ assert False
 def parse_frag_expr(expr):
- return ASTNode(ASTAction.EXPR, FragExpr(expr))
+ if expr == "is_fragment":
+ return ASTNode(ASTAction.EXPR, FragExpr.IF)
+ elif expr == "first_fragment":
+ return ASTNode(ASTAction.EXPR, FragExpr.FF)
+ elif expr == "dont_fragment":
+ return ASTNode(ASTAction.EXPR, FragExpr.DF)
+ elif expr == "last_fragment":
+ return ASTNode(ASTAction.EXPR, FragExpr.LF)
+ else:
+ assert False
 class BitExpr:
 def __init__(self, val):
@@ -163,10 +181,8 @@ def ip_to_rule(proto, inip, ty, offset):
 break;"""
 def fragment_to_rule(ipproto, rules):
- if ipproto == 6:
- assert False # XXX: unimplemented
 ast = parse_ast(rules, parse_frag_expr)
- return "if (!( " + ast.write(()) + " )) break;"
+ return "if (!( " + ast.write(ipproto) + " )) break;"
 def len_to_rule(rules):
 ast = parse_ast(rules, parse_numbers_expr)
@@ -178,8 +194,6 @@ def proto_to_rule(ipproto, proto):
 if ipproto == 4:
 return "if (!( " + ast.write("ip->protocol") + " )) break;"
 else:
- if PARSE_EXTHDR:
- assert False # XXX: unimplemented
 return "if (!( " + ast.write("ip6->nexthdr") + " )) break;"
 def icmp_type_to_rule(proto, ty):
diff --git a/test.sh b/test.sh
index 03bc656..bbb38dd 100755
--- a/test.sh
+++ b/test.sh
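Review bot: `parse_frag_expr` and the v6 `DF` arm of `FragExpr.write` reject bad rule text with `assert False`, which gives the operator a bare AssertionError and is compiled out under `python -O`, where both functions would fall through and return None. Because this script turns rule text into packet-filter code, an unknown fragment keyword or `dont_fragment` inside a `flow6` block should stop generation with the offending token named, e.g. `raise ValueError("unknown fragment match: " + expr)` and `raise ValueError("dont_fragment has no IPv6 equivalent")`. The `IF` and `DF` strings are also returned without the outer parentheses this change adds to `FF` and `LF`; whether that matters depends on how `ASTNode.write` emits negation, which is outside the hunk, but wrapping all of them would make the generated C independent of it.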
@@ -146,4 +146,158 @@ echo "$TEST_PKT" >> rules.h
 echo "#define TEST_EXP XDP_PASS" >> rules.h
 clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+echo "flow6 { fragment is_fragment || first_fragment || last_fragment; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_PASS" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+TEST_PKT='#define TEST \
+"\x00\x17\x10\x95\xe8\x96\x00\x0d\xb9\x50\x11\x4c\x86\xdd\x60\x0a" \
+"\x18\xa7\x00\x54\x2c\x3e\x26\x20\x00\x6e\xa0\x07\x02\x33\x00\x00" \
+"\x00\x00\x00\x00\x00\x01\x20\x01\x04\x70\x00\x00\x05\x03\x00\x00" \
+"\x00\x00\x00\x00\x00\x02\x3a\x00\x04\xd0\xe7\x50\x85\x12\xc8\xc9" \
+"\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" \
+"\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9" \
+"\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9" \
+"\xfa\xfb\xfc\xfd\xfe\xff\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" \
+"\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13"'
+
+# Last frag ICMPv6 tests
+
+echo "flow6 { src 2620:6e:a007:233::1/128; dst 2001:470:0:503::2/128; fragment is_fragment && !first_fragment && last_fragment; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_DROP" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+echo "flow6 { src 2620:6e:a007:233::1/128; dst 2001:470:0:503::2/128; fragment !is_fragment; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_PASS" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+echo "flow6 { src 2620:6e:a007:233::1/128; dst 2001:470:0:503::2/128; fragment !is_fragment || first_fragment || !last_fragment; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_PASS" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+#TODO Is nextheader frag correct to match on here? Should we support matching on any nexthdr?
+echo "flow6 { next header 44; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_DROP" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+TEST_PKT='#define TEST \
+"\x00\x17\x10\x95\xe8\x96\x00\x0d\xb9\x50\x11\x4c\x86\xdd\x60\x0a" \
+"\x18\xa7\x04\xd8\x2c\x3e\x26\x20\x00\x6e\xa0\x07\x02\x33\x00\x00" \
+"\x00\x00\x00\x00\x00\x01\x20\x01\x04\x70\x00\x00\x05\x03\x00\x00" \
+"\x00\x00\x00\x00\x00\x02\x3a\x00\x00\x01\xe7\x50\x85\x12\x80\x00" \
+"\x31\x09\xa5\xfb\x00\x01\xb1\xaf\x68\x60\x00\x00\x00\x00\xb2\xf0" \
+"\x01\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" \
+"\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" \
+"\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39" \
+"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49" \
+"\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59" \
+"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69" \
+"\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79" \
+"\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" \
+"\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99" \
+"\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9" \
+"\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9" \
+"\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9" \
+"\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" \
+"\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9" \
+"\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9" \
+"\xfa\xfb\xfc\xfd\xfe\xff\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" \
+"\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" \
+"\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" \
+"\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39" \
+"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49" \
+"\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59" \
+"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69" \
+"\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79" \
+"\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" \
+"\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99" \
+"\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9" \
+"\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9" \
+"\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9" \
+"\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" \
+"\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9" \
+"\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9" \
+"\xfa\xfb\xfc\xfd\xfe\xff\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" \
+"\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" \
+"\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" \
+"\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39" \
+"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49" \
+"\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59" \
+"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69" \
+"\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79" \
+"\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" \
+"\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99" \
+"\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9" \
+"\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9" \
+"\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9" \
+"\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" \
+"\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9" \
+"\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9" \
+"\xfa\xfb\xfc\xfd\xfe\xff\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" \
+"\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" \
+"\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" \
+"\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39" \
+"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49" \
+"\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59" \
+"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69" \
+"\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79" \
+"\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" \
+"\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99" \
+"\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9" \
+"\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9" \
+"\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9" \
+"\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" \
+"\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9" \
+"\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9" \
+"\xfa\xfb\xfc\xfd\xfe\xff\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" \
+"\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" \
+"\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" \
+"\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39" \
+"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49" \
+"\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59" \
+"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69" \
+"\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79" \
+"\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" \
+"\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99" \
+"\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9" \
+"\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9" \
+"\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7"'
+# First frag ICMPv6 tests
+
+echo "flow6 { src 2620:6e:a007:233::1/128; dst 2001:470:0:503::2/128; fragment is_fragment && first_fragment && !last_fragment; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_DROP" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+echo "flow6 { src 2620:6e:a007:233::1/128; dst 2001:470:0:503::2/128; fragment !is_fragment; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_PASS" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+echo "flow6 { src 2620:6e:a007:233::1/128; dst 2001:470:0:503::2/128; fragment !is_fragment || !first_fragment || last_fragment; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_PASS" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+echo "flow6 { src 2620:6e:a007:233::1/128; dst 2001:470:0:503::2/128; fragment is_fragment && first_fragment && !last_fragment; icmp code 0; icmp type 128 };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_DROP" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+#TODO Is nextheader frag correct to match on here? Should we support matching on any nexthdr?
+echo "flow6 { next header 44; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_DROP" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
+
+#TODO Is nextheader frag correct to match on here? Should we support matching on any nexthdr?
+echo "flow6 { next header 58; };" | ./genrules.py
+echo "$TEST_PKT" >> rules.h
+echo "#define TEST_EXP XDP_PASS" >> rules.h
+clang -std=c99 -fsanitize=address -pedantic -Wall -Wextra -Wno-pointer-arith -Wno-unused-variable -O0 -g xdp.c -o xdp && ./xdp
diff --git a/xdp.c b/xdp.c
index 87b7eb5..8623af4 100644
--- a/xdp.c
+++ b/xdp.c
@@ -18,7 +18,8 @@
 #define IP_PROTO_TCP 6
 #define IP_PROTO_UDP 17
 #define IP_PROTO_ICMP 1
-#define IP_PROTO_ICMPV6 58
+#define IP6_PROTO_ICMPV6 58
+#define IP6_PROTO_FRAG 44
 typedef __uint128_t uint128_t;
@@ -43,6 +44,15 @@ struct ip6hdr {
 uint128_t daddr;
 } __attribute__((packed));
+#define IP6_MF 1
+#define IP6_FRAGOFF 0xfff8
+struct ip6_fraghdr {
+ uint8_t nexthdr;
+ uint8_t _reserved;
+ uint16_t frag_off; // BE low 3 bits flags, last is "more frags"
+ uint32_t id;
+} __attribute__((packed));
+
 // Our own ethhdr with optional vlan tags
 struct ethhdr_vlan {
 unsigned char h_dest[ETH_ALEN]; /* destination eth addr */
@@ -161,6 +171,7 @@ int xdp_drop_prog(struct xdp_md *ctx)
 const struct udphdr *udp = NULL;
 const struct icmphdr *icmp = NULL;
 const struct icmp6hdr *icmpv6 = NULL;
+ const struct ip6_fraghdr *frag6 = NULL;
 const struct iphdr *ip = NULL;
 const struct ip6hdr *ip6 = NULL;
 const void *l4hdr = NULL;
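Review bot: Both new packets are edge fragments (the first has offset 1232 with the more-fragments bit clear, the second offset 0 with it set), so the hunk has no middle fragment, for which `is_fragment && !first_fragment && !last_fragment` should be the matching rule. A case that feeds `fragment dont_fragment` in a `flow6` block to genrules.py and expects a non-zero exit is also missing, as is one that runs an `icmp type` rule against the last-fragment packet, whose bytes after the fragment header are payload rather than an ICMPv6 header. The `#TODO` comments on the `next header` cases would be easier to act on if they said which behaviour is intended for a fragmented packet: matching the fragment header or the upper-layer protocol.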
@@ -195,15 +206,27 @@ int xdp_drop_prog(struct xdp_md *ctx)
 ip6 = (struct ip6hdr*) pktdata;
 l4hdr = pktdata + 40;
- if (ip6->nexthdr == IP_PROTO_TCP) {
+
+ uint8_t v6nexthdr;
+ if (ip6->nexthdr == IP6_PROTO_FRAG) {
+ if (l4hdr + sizeof(struct ip6_fraghdr) > data_end)
+ return XDP_DROP;
+ frag6 = (struct ip6_fraghdr*) l4hdr;
+ l4hdr = l4hdr + sizeof(struct ip6_fraghdr);
+ v6nexthdr = frag6->nexthdr;
+ } else {
+ v6nexthdr = ip6->nexthdr;
+ }
+
+ if (v6nexthdr == IP_PROTO_TCP) {
 if (l4hdr + sizeof(struct tcphdr) > data_end)
 return XDP_DROP;
 tcp = (struct tcphdr*) l4hdr;
- } else if (ip6->nexthdr == IP_PROTO_UDP) {
+ } else if (v6nexthdr == IP_PROTO_UDP) {
 if (l4hdr + sizeof(struct udphdr) > data_end)
 return XDP_DROP;
 udp = (struct udphdr*) l4hdr;
- } else if (ip6->nexthdr == IP_PROTO_ICMPV6) {
+ } else if (v6nexthdr == IP6_PROTO_ICMPV6) {
 if (l4hdr + sizeof(struct icmp6hdr) > data_end)
 return XDP_DROP;
 icmpv6 = (struct icmp6hdr*) l4hdr;
-- 
2.30.2
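Review bot: The TCP/UDP/ICMPv6 chain runs on `l4hdr` even when `frag6` carries a non-zero offset, so for every fragment after the first `tcp`, `udp` or `icmpv6` points at payload bytes and port or ICMP type/code rules are evaluated against data that is not a transport header. Wrapping the chain in `if (frag6 == NULL || (frag6->frag_off & BE16(IP6_FRAGOFF)) == 0) { … }`, using the `BE16` macro the generated rules already rely on, leaves those pointers NULL for later fragments; how the generated rules treat a NULL transport pointer is not visible here, since xdp_drop_prog starts and ends outside the hunk. The branch also recognises a fragment header only when it directly follows the fixed IPv6 header, so a packet with another extension header in front of it is treated as unfragmented with no transport header parsed. A comment stating that limit, such as `/* only a fragment header in first position is parsed; other extension headers are not walked */`, would keep rule authors from assuming more coverage than there is.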