Hi Daniel,

On Fri, Sep 4, 2020 at 11:14 PM Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote:
> [...]
>
> It's trivial to achieve with tc/BPF on the existing egress hook today. Probably
> takes less time than to write up this mail ...
>
> root@x:~/x# cat foo.c
>
> #include <linux/bpf.h>
> #include <linux/if_ether.h>
> #include <arpa/inet.h>
>
> #ifndef __section
> # define __section(NAME) \
>     __attribute__((section(NAME), used))
> #endif
>
> #define ETH_P_KUNBUSGW 0x419C
>
> #define PASS 0
> #define DROP 2
>
> int foo(struct __sk_buff *skb)
> {
>     void *data_end = (void *)(long)skb->data_end;
>     void *data = (void *)(long)skb->data;
>     struct ethhdr *eth = data;
>
>     if (data + sizeof(*eth) > data_end)
>         return DROP;
>
>     return eth->h_proto == htons(ETH_P_KUNBUSGW) ? PASS : DROP;
> }
>
> char __license[] __section("license") = "";
>
> root@x:~/x# clang -target bpf -Wall -O2 -c foo.c -o foo.o
> root@x:~/x# ip link add dev foo type dummy
> root@x:~/x# ip link set up dev foo
> root@x:~/x# tc qdisc add dev foo clsact
> root@x:~/x# tc filter add dev foo egress bpf da obj foo.o sec .text
>
> There we go, attached to the device on existing egress. Double checking it
> does what we want:
>
> root@x:~/x# cat foo.t
> {
>     0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
>     0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
>     0x41, 0x9c
> }
> root@x:~/x# trafgen -i foo.t -o foo -n 1 -q
> root@x:~/x# tcpdump -i foo
> [...]
> 22:43:42.981112 bb:bb:bb:bb:bb:bb (oui Unknown) > aa:aa:aa:aa:aa:aa (oui Unknown), ethertype Unknown (0x419c), length 14:
>
> root@x:~/x# cat bar.t
> {
>     0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
>     0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
>     0xee, 0xee
> }
> root@x:~/x# trafgen -i bar.t -o foo -n 1 -q
> root@x:~/x# tcpdump -i foo
> [... nothing/filtered ...]
>

Something like this seems more trivial to me:

table netdev mytable {
    chain mychain {
        type filter hook egress device "eth0" priority 100; policy drop;
        meta protocol != 0x419C accept
    }
}

Cheers.
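The verdict logic of the quoted tc/BPF program, modelled in user space so it can be exercised against the two frames from the mail (foo.t with EtherType 0x419c and bar.t with 0xeeee) plus a truncated frame that trips the bounds check. This is an added example, not code from the thread; `egress_verdict` and `verdict_for` are names chosen here, and `data`/`data_end` stand in for `skb->data`/`skb->data_end`.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_P_KUNBUSGW 0x419C
#define ETH_HLEN       14   /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define PASS 0
#define DROP 2

/* Same decision the BPF program foo() makes: pass only frames whose
 * EtherType is ETH_P_KUNBUSGW, drop everything else, and drop frames
 * too short to even carry an Ethernet header. */
static int egress_verdict(const uint8_t *data, const uint8_t *data_end)
{
    uint16_t h_proto;

    /* Bounds check before touching the header, as the verifier requires. */
    if (data + ETH_HLEN > data_end)
        return DROP;

    /* EtherType is bytes 12-13, stored in network byte order. */
    memcpy(&h_proto, data + 12, sizeof(h_proto));
    return h_proto == htons(ETH_P_KUNBUSGW) ? PASS : DROP;
}

/* Constructed frames: the same bytes as foo.t and bar.t in the mail. */
static const uint8_t frame_kunbus[ETH_HLEN] = {
    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
    0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
    0x41, 0x9c
};
static const uint8_t frame_other[ETH_HLEN] = {
    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
    0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
    0xee, 0xee
};

/* Convenience wrapper: len is the number of bytes actually present. */
static int verdict_for(const uint8_t *frame, size_t len)
{
    return egress_verdict(frame, frame + len);
}

int main(void)
{
    printf("0x419c frame: %s\n", verdict_for(frame_kunbus, ETH_HLEN) == PASS ? "PASS" : "DROP");
    printf("0xeeee frame: %s\n", verdict_for(frame_other, ETH_HLEN) == PASS ? "PASS" : "DROP");
    printf("13-byte frame: %s\n", verdict_for(frame_kunbus, 13) == PASS ? "PASS" : "DROP");
    return 0;
}
```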