// SPDX-License-Identifier: GPL-2.0
/*
 * XDP selftest program: parses the Ethernet + IPv4/IPv6 headers of an
 * incoming frame, fills a struct bpf_fib_lookup tuple from them, asks the
 * bpf_xdp_flow_lookup() kfunc whether a matching flowtable entry exists and,
 * if so, bumps a single counter in the "stats" map. The packet itself is never
 * redirected or modified here; every path except a truncated Ethernet header
 * returns XDP_PASS.
 *
 * All header fields come straight from the wire and are untrusted, so each
 * pointer derived from ctx->data is compared against data_end before it is
 * dereferenced.
 */
/* NOTE(review): presumably keeps vmlinux.h from emitting its own kfunc
 * prototypes so the local bpf_xdp_flow_lookup() declaration below does not
 * clash with it - confirm against the vmlinux.h generator in use.
 */
#define BPF_NO_KFUNC_PROTOTYPES
#include <vmlinux.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>

/* Constants defined locally rather than taken from a header; values are in
 * host byte order and are converted with bpf_htons() at the point of use.
 */
#define ETH_P_IP	0x0800
#define ETH_P_IPV6	0x86dd
#define IP_MF		0x2000	/* "More Fragments" */
#define IP_OFFSET	0x1fff	/* "Fragment Offset" */
#define AF_INET		2
#define AF_INET6	10

/* Local declaration of the options struct handed to the kfunc. The
 * "___local" suffix follows the libbpf CO-RE flavor naming convention.
 * NOTE(review): 'error' is presumably written by the kfunc on failure; this
 * program never reads it.
 */
struct bpf_flowtable_opts___local {
	s32 error;
};

/* Kernel function resolved at load time (__ksym). The last argument is the
 * size of the options struct, as passed at the call site below.
 */
struct flow_offload_tuple_rhash *
bpf_xdp_flow_lookup(struct xdp_md *, struct bpf_fib_lookup *,
		    struct bpf_flowtable_opts___local *, u32) __ksym;

/* Single-slot array map: slot 0 counts successful flowtable lookups. */
struct {
	__uint(type, BPF_MAP_TYPE_ARRAY);
	__type(key, __u32);
	__type(value, __u32);
	__uint(max_entries, 1);
} stats SEC(".maps");

/*
 * Decide whether an IPv4 header is eligible for a flowtable lookup.
 *
 * Returns false for fragments (MF set or non-zero fragment offset), for
 * headers carrying IP options (ihl * 4 differs from sizeof(struct iphdr)),
 * and for packets whose TTL is 0 or 1; true otherwise.
 *
 * The caller must already have verified that the whole header lies below
 * data_end; no bounds check is done here. The version field is not examined.
 */
static bool xdp_flowtable_offload_check_iphdr(struct iphdr *iph)
{
	/* ip fragmented traffic */
	if (iph->frag_off & bpf_htons(IP_MF | IP_OFFSET))
		return false;

	/* ip options */
	if (iph->ihl * 4 != sizeof(*iph))
		return false;

	/* TTL of 0 or 1: not eligible for the lookup */
	if (iph->ttl <= 1)
		return false;

	return true;
}

/*
 * For TCP, check that a full struct tcphdr starting at 'ports' fits below
 * 'data_end' and that neither FIN nor RST is set; return false otherwise.
 * For any other 'proto' value nothing is inspected and true is returned.
 */
static bool xdp_flowtable_offload_check_tcp_state(void *ports, void *data_end,
						  u8 proto)
{
	if (proto == IPPROTO_TCP) {
		struct tcphdr *tcph = ports;

		/* The caller only bounds-checked the port pair; the flag bits
		 * live further into the TCP header, so re-check for the full
		 * header before touching them.
		 */
		if (tcph + 1 > data_end)
			return false;

		/* Connection is closing or being reset */
		if (tcph->fin || tcph->rst)
			return false;
	}

	return true;
}

/*
 * XDP entry point (multi-buffer capable section "xdp.frags").
 *
 * Returns XDP_DROP only when the frame is too short to hold an Ethernet
 * header; every other outcome, including a successful flowtable hit, is
 * XDP_PASS. A hit is recorded by atomically incrementing stats[0].
 */
SEC("xdp.frags")
int xdp_flowtable_do_lookup(struct xdp_md *ctx)
{
	void *data_end = (void *)(long)ctx->data_end;
	struct bpf_flowtable_opts___local opts = {};
	struct flow_offload_tuple_rhash *tuplehash;
	struct bpf_fib_lookup tuple = {
		.ifindex = ctx->ingress_ifindex,
	};
	void *data = (void *)(long)ctx->data;
	struct ethhdr *eth = data;
	struct flow_ports *ports;
	__u32 *val, key = 0;

	/* Ethernet header must be fully present before h_proto is read */
	if (eth + 1 > data_end)
		return XDP_DROP;

	switch (eth->h_proto) {
	case bpf_htons(ETH_P_IP): {
		struct iphdr *iph = data + sizeof(*eth);

		/* Assumes a 20-byte header; check_iphdr() below rejects any
		 * packet with options, so this offset is only used when it is
		 * right. This one bounds check covers both the IPv4 header and
		 * the port pair that follows it.
		 */
		ports = (struct flow_ports *)(iph + 1);
		if (ports + 1 > data_end)
			return XDP_PASS;

		/* sanity check on ip header */
		if (!xdp_flowtable_offload_check_iphdr(iph))
			return XDP_PASS;

		if (!xdp_flowtable_offload_check_tcp_state(ports, data_end,
							   iph->protocol))
			return XDP_PASS;

		/* Addresses and ports are copied as found in the packet, with
		 * no byte-order conversion; only tot_len is converted. The
		 * protocol is not restricted to TCP/UDP, so for other
		 * protocols the "ports" are simply the first bytes after the
		 * IP header.
		 */
		tuple.family		= AF_INET;
		tuple.tos		= iph->tos;
		tuple.l4_protocol	= iph->protocol;
		tuple.tot_len		= bpf_ntohs(iph->tot_len);
		tuple.ipv4_src		= iph->saddr;
		tuple.ipv4_dst		= iph->daddr;
		tuple.sport		= ports->source;
		tuple.dport		= ports->dest;
		break;
	}
	case bpf_htons(ETH_P_IPV6): {
		/* View the tuple's IPv6 address arrays as in6_addr so the
		 * addresses can be copied by struct assignment below.
		 */
		struct in6_addr *src = (struct in6_addr *)tuple.ipv6_src;
		struct in6_addr *dst = (struct in6_addr *)tuple.ipv6_dst;
		struct ipv6hdr *ip6h = data + sizeof(*eth);

		/* Extension headers are not walked: the port pair is read
		 * directly after the fixed IPv6 header and nexthdr is used
		 * as the L4 protocol. With extension headers present these
		 * bytes are not real ports; the access is still bounds-checked.
		 */
		ports = (struct flow_ports *)(ip6h + 1);
		if (ports + 1 > data_end)
			return XDP_PASS;

		/* Hop limit of 0 or 1: same rule as the IPv4 TTL check */
		if (ip6h->hop_limit <= 1)
			return XDP_PASS;

		if (!xdp_flowtable_offload_check_tcp_state(ports, data_end,
							   ip6h->nexthdr))
			return XDP_PASS;

		tuple.family		= AF_INET6;
		tuple.l4_protocol	= ip6h->nexthdr;
		/* payload_len excludes the fixed IPv6 header, unlike the IPv4
		 * tot_len used above
		 */
		tuple.tot_len		= bpf_ntohs(ip6h->payload_len);
		*src			= ip6h->saddr;
		*dst			= ip6h->daddr;
		tuple.sport		= ports->source;
		tuple.dport		= ports->dest;
		break;
	}
	default:
		/* Anything other than IPv4/IPv6 is passed up untouched */
		return XDP_PASS;
	}

	/* A NULL result is treated as "no matching flow"; opts.error is not
	 * inspected, so lookup errors and plain misses are indistinguishable
	 * here.
	 */
	tuplehash = bpf_xdp_flow_lookup(ctx, &tuple, &opts, sizeof(opts));
	if (!tuplehash)
		return XDP_PASS;

	/* bpf_map_lookup_elem() can return NULL, so the pointer is checked
	 * before the atomic increment of the hit counter.
	 */
	val = bpf_map_lookup_elem(&stats, &key);
	if (val)
		__sync_add_and_fetch(val, 1);

	return XDP_PASS;
}

char _license[] SEC("license") = "GPL";