Fixing L4 offset for IP packets with Options field #41
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
evershalik
requested review from
jniesz,
sanfern,
jaysheth2 and
aka320
as code owners
aka320
reviewed
Apr 2, 2023
aka320
reviewed
Apr 2, 2023
aka320
reviewed
Apr 2, 2023
| struct iphdr *iph = (struct iphdr *)(data + sizeof(struct ethhdr)); | ||
| if (iph + 1 > data_end) | ||
| __u8 l4_offset = iph->ihl * 4; // ip header length |
There was a problem hiding this comment.
Endianness is handled in the definition of 'struct iphdr'. However please have a test-case to verify that the value for IHL is read correctly from the packet.
There was a problem hiding this comment.
What sort of check did you have in mind? I am not sure an additional one is necessary beyond what line 281 checks.
aka320
reviewed
Apr 2, 2023
aka320
requested changes
Apr 2, 2023
There was a problem hiding this comment.
-
The comments given are applicable for all the eBPF applications. Please fix in all files even though its not explicitly commented in that specific file.
-
Please include the tests results (different values of IHL including negative cases like invalid IHL value)
-
Add a Commit log message with a short description of RootCause (pointing to the source Issue) & Details of the Fix
|
|
|
Thank you for your feedback. |
|
Changes look good. Please update once testing is done. |
dthaler
reviewed
Apr 12, 2023
dthaler
previously requested changes
Apr 13, 2023
dthaler
reviewed
Apr 19, 2023
|
|
||
| /* Check if its valid ip packet */ |
There was a problem hiding this comment.
Suggested change
| /* Check if its valid ip packet */ | |
| /* Check if it's a valid IPv4 packet */ |
|
|
||
| /* Check if its valid ip packet */ |
There was a problem hiding this comment.
Suggested change
| /* Check if its valid ip packet */ | |
| /* Check if it's a valid IPv4 packet */ |
| return XDP_PASS; | ||
|
|
||
| /* Ignore other than TCP packets */ | ||
| if (iph->protocol != IPPROTO_TCP) | ||
| return XDP_PASS; | ||
|
|
||
| struct tcphdr *tcph = (struct tcphdr *)((unsigned char *)iph + l4_offset); | ||
| __u16 data_offset = tcph->doff * 4; // tcp header length | ||
|
|
||
| /* Check if its valid tcp packet */ |
There was a problem hiding this comment.
Suggested change
| /* Check if its valid tcp packet */ | |
| /* Check if it's a valid TCP packet */ |
dthaler
reviewed
Apr 20, 2023
| make defconfig | ||
|
|
||
| - name: Clone kernel function repository | ||
| uses: actions/checkout@v2 |
There was a problem hiding this comment.
Suggested change
| uses: actions/checkout@v2 | |
| uses: actions/checkout@b0e28b5ac45a892f91e7d036f8200cf5ed489415 |
use hash instead of version. I see some programs use version and others use hash, we should be consistent at always using hash.
.github/workflows/codeql.yml
Outdated
| @@ -0,0 +1,104 @@ | |||
| # Copyright Contributors to the L3AF Project. | |||
| # SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause) | |||
There was a problem hiding this comment.
is there a reason the codeql file needs to have GPL in the SPDX?
.github/workflows/codeql.yml
Outdated
|
|
||
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v2 |
There was a problem hiding this comment.
Suggested change
| uses: github/codeql-action/init@v2 | |
| uses: github/codeql-action/init@04df1262e6247151b5ac09cd2c303ac36ad3f62b |
.github/workflows/codeql.yml
Outdated
| make defconfig | ||
|
|
||
| - name: Clone eBPF-Package-Repository | ||
| uses: actions/checkout@v2 |
There was a problem hiding this comment.
Suggested change
| uses: actions/checkout@v2 | |
| uses: actions/checkout@b0e28b5ac45a892f91e7d036f8200cf5ed489415 |
buildscript.sh
Outdated
| @@ -0,0 +1,14 @@ | |||
| #!/usr/bin/env bash | |||
| # Copyright Contributors to the L3AF Project. | |||
| # SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause) | |||
There was a problem hiding this comment.
Any reason GPL is needed in the build script SPDX for all programs?
| } | ||
|
|
||
| if (allow_all_src_ports == true && allow_all_dst_ports == true) { | ||
| return bpf_clone_redirect(skb, *ifindex, 0); // __bpf_rx_skb |
There was a problem hiding this comment.
What is the comment on the end for? Avoid putting Linux-only things in comments where possible.
| __u8 data[4]; | ||
| }; | ||
|
|
||
| /* TODO: Describe what this PIN_GLOBAL_NS value 2 means??? |
There was a problem hiding this comment.
Can this TODO be done before approving the PR?
| int *ifany; | ||
| int iface_key = 1; | ||
|
|
||
| /* Lookup what ifindex to redirect packets to */ |
There was a problem hiding this comment.
Suggested change
| /* Lookup what ifindex to redirect packets to */ | |
| /* Look up what ifindex to redirect packets to */ |
Comment on lines
167
to
172
| l7_off = l4_off + sizeof(struct tcphdr); // L7 (e.g. HTTP) header offset | ||
| } else if (iph->protocol == IPPROTO_UDP) { | ||
| l7_off = l4_off + sizeof(struct udphdr); // L7 (e.g. HTTP) header offset | ||
| } else if (iph->protocol == IPPROTO_ICMP) { | ||
| l7_off = | ||
| l4_off + sizeof(struct icmphdr); // L7 (e.g. HTTP) header offset |
There was a problem hiding this comment.
Suggested change
| l7_off = l4_off + sizeof(struct tcphdr); // L7 (e.g. HTTP) header offset | |
| } else if (iph->protocol == IPPROTO_UDP) { | |
| l7_off = l4_off + sizeof(struct udphdr); // L7 (e.g. HTTP) header offset | |
| } else if (iph->protocol == IPPROTO_ICMP) { | |
| l7_off = | |
| l4_off + sizeof(struct icmphdr); // L7 (e.g. HTTP) header offset | |
| l7_off = l4_off + sizeof(struct tcphdr); // L7 (e.g., HTTP) header offset | |
| } else if (iph->protocol == IPPROTO_UDP) { | |
| l7_off = l4_off + sizeof(struct udphdr); // L7 (e.g., HTTP) header offset | |
| } else if (iph->protocol == IPPROTO_ICMP) { | |
| l7_off = | |
| l4_off + sizeof(struct icmphdr); // L7 (e.g., HTTP) header offset |
Comment on lines
196
to
197
| // 1th bit True: allow all/any source port | ||
| // 2th bit True: allow all/any destination port |
There was a problem hiding this comment.
Suggested change
| // 1th bit True: allow all/any source port | |
| // 2th bit True: allow all/any destination port | |
| // 1st bit True: allow all/any source port | |
| // 2nd bit True: allow all/any destination port |
|
Sorry for this. I have synced the forked repository by mistake due to which commits made by other people are also showing in this PR. What should I do now to revert this? |
Signed-off-by: Santhosh Fernandes <[email protected]> Signed-off-by: evershalik <[email protected]>
He's moved on to other things. Signed-off-by: evershalik <[email protected]>
Signed-off-by: Santhosh Fernandes <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: Santhosh Fernandes <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: Dave Thaler <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: Dave Thaler <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: Dave Thaler <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: Dave Thaler <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: Dave Thaler <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: Dave Thaler <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: Dave Thaler <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: Dave Thaler <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: Dave Thaler <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: evershalik <[email protected]>
* Adding Traffic Mirroring Signed-off-by: Jay Sheth <[email protected]> * Fixing Readme Signed-off-by: Jay Sheth <[email protected]> * Removing unnecessary comments and code Signed-off-by: Jay Sheth <[email protected]> * Removing unnecessary files Signed-off-by: Jay Sheth <[email protected]> * Minor Fixes Signed-off-by: [email protected] <[email protected]> --------- Signed-off-by: Jay Sheth <[email protected]> Signed-off-by: [email protected] <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: sferna1 <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: evershalik <[email protected]>
Signed-off-by: evershalik <[email protected]>
Signed-off-by: Santhosh Fernandes <[email protected]> Signed-off-by: sanfern <[email protected]> Signed-off-by: SHANKAR <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: Santhosh Fernandes <[email protected]> Signed-off-by: sferna1 <[email protected]> Signed-off-by: SHANKAR <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: sanfern <[email protected]> Signed-off-by: SHANKAR <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: Santhosh Fernandes <[email protected]> Signed-off-by: sanfern <[email protected]> Signed-off-by: SHANKAR <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: SHANKAR <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: SHANKAR <[email protected]> Signed-off-by: evershalik <[email protected]>
Signed-off-by: evershalik <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixed #30
Problem Statement:
The current implementation of the codebase does not handle IP and TCP packets with a header length greater than 20 bytes correctly. This issue is particularly problematic for packets containing options, which increase the header length beyond 20 bytes.
Approach:
To address this issue, we have taken the following approaches:
Firstly, I have modified the code to use the
l4_offsetvariable(IP Header Length) instead ofsizeof(iphdr struct)when adding to the iph pointer. This ensures that the code correctly traverses to the end of the IP header( or the start of the transport layer header), even in cases where the header length is greater than 20 bytes.Secondly, I have modified the code to use the
data_offsetvariable(TCP Header Length) instead ofsizeof(tcphdr struct)when adding to the tcph pointer. This ensures that the code correctly traverses to the end of the TCP header (or start of the payload), even in cases where the header length is greater than 20 bytes.By implementing these changes, I can ensure that IP and TCP packets with options are handled correctly, which improves the reliability and stability of the system.