
TCP flags filtering#92

Merged
qdeslandes merged 6 commits into
facebook:mainfrom
qdeslandes:filter_tcp_flags
Aug 22, 2024

Conversation

@qdeslandes qdeslandes (Contributor) commented Aug 22, 2024

Introduce support for TCP flags filtering in bpfilter:

  • Allow a specific operator to be specified in the bfcli rule (ip.saddr eq 192.168.1.1, ip.saddr not 192.168.1.1).
  • Add support for 2 new operators: any and all (see commit for details).
  • Add support for tcp.flags matcher: match a rule based on the packet's TCP flags.

Extra changes:

  • Add support for not operator in ip.proto: ip.proto not icmp.
  • Fix iphdr.protocol size: use 1 byte instead of 2 bytes. This change resolves a verifier complaint.

Until now, the user had no control over the matcher operator used in a
matcher: BF_MATCHER_EQ was used, unless `!` was supported, in which case
BF_MATCHER_NE was used.

New matchers (e.g. tcp.flags) will require more complex operators, and
relying on a prefix to the payload won't be sufficient. Hence, the
matcher operators are now matched similarly to the matcher type and the
payload.

The lexer defines the matchers allowed for a given matcher type, and the
parser forwards it to the matcher object.

Allow the following rule:

rule:
    ip.proto not icmp

to match every IPv4 packet with the protocol being anything but ICMP.

The generator code assumes the iphdr.protocol field is 2 bytes (uint16_t),
when it's actually 1 byte. This leads to BPF verification failures and
other instabilities.

Update every usage of iphdr.protocol to use 1 byte only.

Create a new matcher for TCP flags. It's only possible to test for
equality for now; other operators will be added later.

Add two new matcher operators intended to be used to match TCP flags (but
not limited to it):
- any: match any of the subset values
       tcp.flags any SYN,ACK -> matches SYN, SYN/ACK, ACK packets
- all: match all of the subset values
       tcp.flags all SYN,ACK -> matches SYN/ACK packets

Add bytecode generation for tcp.flags filtering with the 'not', 'any', and
'all' operators.
@qdeslandes qdeslandes marked this pull request as ready for review August 22, 2024 22:25
@qdeslandes qdeslandes merged commit b78ead2 into facebook:main Aug 22, 2024
@qdeslandes qdeslandes deleted the filter_tcp_flags branch August 22, 2024 22:30
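The operator semantics described in the commit messages above (eq/not on any matcher, any/all on tcp.flags) and the one-byte iphdr.protocol read, as an added example in plain C. This is not bpfilter's code and not part of the PR: bpfilter compiles its matchers to BPF bytecode, whereas this block evaluates the same predicates in userspace over a constructed packet so the four operators can be compared side by side. The enum names, the exact-set reading of `eq`, the non-empty-intersection reading of `any`, the superset reading of `all`, and the sample packet are all assumptions of this example, inferred from the examples given in the commits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits as laid out in byte 13 of the TCP header. */
enum tcp_flag {
    TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_PSH = 0x08,
    TCP_ACK = 0x10, TCP_URG = 0x20, TCP_ECE = 0x40, TCP_CWR = 0x80,
};

/* Hypothetical operator enum named after the bfcli keywords; the PR's own
 * BF_MATCHER_* constants for any/all are not shown on the page. */
enum flags_op { OP_EQ, OP_NOT, OP_ANY, OP_ALL };

/* Assumed semantics, derived from the examples in the commit messages:
 *   eq  : flags == payload (exact set)
 *   not : flags != payload
 *   any : at least one payload bit set   -> (flags & payload) != 0
 *   all : every payload bit set          -> (flags & payload) == payload
 * "all SYN,ACK" therefore also accepts SYN/ACK/PSH; "eq SYN,ACK" does not. */
bool tcp_flags_match(enum flags_op op, uint8_t flags, uint8_t payload)
{
    switch (op) {
    case OP_EQ:  return flags == payload;
    case OP_NOT: return flags != payload;
    case OP_ANY: return (flags & payload) != 0;
    case OP_ALL: return (flags & payload) == payload;
    }
    return false;
}

#define IPV4_PROTO_OFF 9   /* iphdr.protocol: one byte, followed by the 16-bit checksum */
#define TCP_FLAGS_OFF  13  /* flags byte inside the TCP header */
#define PROTO_TCP      6
#define PKT_LEN        40  /* 20-byte IPv4 header + 20-byte TCP header */

/* Read iphdr.protocol as a single byte and, for TCP, the flags byte.
 * Returns 0 and sets *flags_out on success, -1 if too short or not TCP.
 * Loading protocol as a uint16_t would fold in the high byte of the
 * checksum, so a comparison against 6 would almost never hold. */
int packet_tcp_flags(const uint8_t *pkt, size_t len, uint8_t *flags_out)
{
    if (len < 20)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20)
        return -1;
    if (pkt[IPV4_PROTO_OFF] != PROTO_TCP)
        return -1;
    *flags_out = pkt[ihl + TCP_FLAGS_OFF];
    return 0;
}

/* Build a constructed (not captured) IPv4+TCP packet with the given protocol
 * number and TCP flags; checksums are left bogus since nothing verifies them. */
void build_sample(uint8_t *buf, uint8_t proto, uint8_t flags)
{
    memset(buf, 0, PKT_LEN);
    buf[0] = 0x45;                  /* version 4, IHL 5 */
    buf[3] = PKT_LEN;               /* total length */
    buf[8] = 64;                    /* TTL */
    buf[9] = proto;
    buf[10] = 0xab; buf[11] = 0xcd; /* checksum bytes a 2-byte protocol read would swallow */
    uint8_t src[4] = {192, 168, 1, 1}, dst[4] = {10, 0, 0, 1};
    memcpy(buf + 12, src, 4);
    memcpy(buf + 16, dst, 4);
    buf[20 + 12] = 0x50;            /* TCP data offset 5 */
    buf[20 + 13] = flags;
}

/* Convenience: flags extracted from a constructed packet, or -1 if not TCP. */
int sample_flags(uint8_t proto, uint8_t flags)
{
    uint8_t pkt[PKT_LEN], out;
    build_sample(pkt, proto, flags);
    return packet_tcp_flags(pkt, sizeof pkt, &out) == 0 ? out : -1;
}

int main(void)
{
    const uint8_t synack = TCP_SYN | TCP_ACK;
    uint8_t probes[] = { TCP_SYN, TCP_ACK, synack, synack | TCP_PSH, TCP_FIN };
    for (size_t i = 0; i < sizeof probes; i++) {
        int f = sample_flags(PROTO_TCP, probes[i]);
        printf("flags=0x%02x any=%d all=%d eq=%d not=%d\n", f,
               tcp_flags_match(OP_ANY, (uint8_t)f, synack),
               tcp_flags_match(OP_ALL, (uint8_t)f, synack),
               tcp_flags_match(OP_EQ, (uint8_t)f, synack),
               tcp_flags_match(OP_NOT, (uint8_t)f, synack));
    }
    printf("icmp packet -> %d (no TCP flags to match)\n", sample_flags(1, synack));
    return 0;
}
```

The probe loop makes the difference between the operators visible: with payload SYN,ACK a bare SYN satisfies `any` but not `all`, SYN/ACK/PSH satisfies `all` but not `eq`, and a FIN-only segment satisfies only `not`. The ICMP packet is rejected before any flags comparison, which is the ordering a real rule with `ip.proto` and `tcp.flags` matchers has to preserve.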