lists.openwall.net: Open Source and information security mailing list archives
Date: Sat, 5 Sep 2020 13:18:37 +0200
From: Laura García Liébana <nevola@...il.com>
To: Daniel Borkmann <daniel@...earbox.net>
Cc: Lukas Wunner <lukas@...ner.de>, John Fastabend <john.fastabend@...il.com>, Pablo Neira Ayuso <pablo@...filter.org>, Jozsef Kadlecsik <kadlec@...filter.org>, Florian Westphal <fw@...len.de>, Netfilter Development Mailing list <netfilter-devel@...r.kernel.org>, coreteam@...filter.org, netdev@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>, Eric Dumazet <edumazet@...gle.com>, Thomas Graf <tgraf@...g.ch>, David Miller <davem@...emloft.net>
Subject: Re: [PATCH nf-next v3 3/3] netfilter: Introduce egress hook

Hi Daniel,

On Fri, Sep 4, 2020 at 11:14 PM Daniel Borkmann <daniel@...earbox.net> wrote:
> [...]
>
> It's trivial to achieve with tc/BPF on the existing egress hook today. Probably
> takes less time than to write up this mail ...
>
> root@x:~/x# cat foo.c
>
> #include <linux/bpf.h>
> #include <linux/if_ether.h>
> #include <arpa/inet.h>
>
> #ifndef __section
> # define __section(NAME) \
>     __attribute__((section(NAME), used))
> #endif
>
> #define ETH_P_KUNBUSGW 0x419C
>
> #define PASS 0
> #define DROP 2
>
> int foo(struct __sk_buff *skb)
> {
>     void *data_end = (void *)(long)skb->data_end;
>     void *data = (void *)(long)skb->data;
>     struct ethhdr *eth = data;
>
>     if (data + sizeof(*eth) > data_end)
>         return DROP;
>
>     return eth->h_proto == htons(ETH_P_KUNBUSGW) ? PASS : DROP;
> }
>
> char __license[] __section("license") = "";
>
> root@x:~/x# clang -target bpf -Wall -O2 -c foo.c -o foo.o
> root@x:~/x# ip link add dev foo type dummy
> root@x:~/x# ip link set up dev foo
> root@x:~/x# tc qdisc add dev foo clsact
> root@x:~/x# tc filter add dev foo egress bpf da obj foo.o sec .text
>
> There we go, attached to the device on existing egress. Double checking it
> does what we want:
>
> root@x:~/x# cat foo.t
> {
>   0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
>   0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
>   0x41, 0x9c
> }
> root@x:~/x# trafgen -i foo.t -o foo -n 1 -q
> root@x:~/x# tcpdump -i foo
> [...]
> 22:43:42.981112 bb:bb:bb:bb:bb:bb (oui Unknown) > aa:aa:aa:aa:aa:aa (oui Unknown), ethertype Unknown (0x419c), length 14:
>
> root@x:~/x# cat bar.t
> {
>   0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
>   0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
>   0xee, 0xee
> }
> root@x:~/x# trafgen -i bar.t -o foo -n 1 -q
> root@x:~/x# tcpdump -i foo
> [... nothing/filtered ...]

Something like this seems more trivial to me:

table netdev mytable {
    chain mychain {
        type filter hook egress device "eth0" priority 100; policy drop;
        meta protocol != 0x419C accept
    }
}

Cheers.
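The quoted tc/BPF program and the nftables netdev rule above make the same decision (only EtherType 0x419C leaves the device). As an added example, not code from either author or from the patch, here is that verdict logic in plain user-space C, run on the foo.t and bar.t frames from the mail plus a truncated frame, to show why the header bounds check has to come before the EtherType read. The names foo_verdict, eth_hdr and FRAME_* are this example's own.

```c
/* Added example, not from the thread: the verdict logic of the quoted tc/BPF
 * program in user-space C, run on the foo.t/bar.t frames without a kernel. */
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

#define ETH_P_KUNBUSGW 0x419C
#define PASS 0
#define DROP 2

/* Same layout as struct ethhdr from linux/if_ether.h (assumed name). */
struct eth_hdr {
    uint8_t  h_dest[6];
    uint8_t  h_source[6];
    uint16_t h_proto;            /* EtherType, network byte order */
} __attribute__((packed));

/* Mirrors foo(): bounds-check the header before touching it (the BPF
 * verifier rejects the program without that check), then compare EtherType.
 * foo_verdict is this example's name, not one from the mail. */
int foo_verdict(const uint8_t *data, size_t len)
{
    const uint8_t *data_end = data + len;
    const struct eth_hdr *eth = (const struct eth_hdr *)data;

    if (data + sizeof(*eth) > data_end)
        return DROP;             /* runt frame: no complete header */

    return eth->h_proto == htons(ETH_P_KUNBUSGW) ? PASS : DROP;
}

/* Constructed frames, byte-for-byte the foo.t and bar.t from the mail. */
static const uint8_t FRAME_FOO[14] = {
    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
    0x41, 0x9c };
static const uint8_t FRAME_BAR[14] = {
    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
    0xee, 0xee };

int main(void)
{
    printf("foo.t -> %d (PASS=0)\n", foo_verdict(FRAME_FOO, sizeof FRAME_FOO));
    printf("bar.t -> %d (DROP=2)\n", foo_verdict(FRAME_BAR, sizeof FRAME_BAR));
    printf("runt  -> %d (DROP=2)\n", foo_verdict(FRAME_FOO, 13));
    return 0;
}
```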