optimize: also reject TCP to tproxy port
@ -1220,8 +1220,8 @@ int tproxy_lan_egress(struct __sk_buff *skb) {
ori_src.ip, false, true))) {
ori_src.ip, false, true))) {
return TC_ACT_SHOT;
return TC_ACT_SHOT;
}
}
if ((ret = rewrite_port(skb, l4proto, ihl, tuples.sport, ori_src.port,
if ((ret = rewrite_port(skb, l4proto, ihl, tuples.sport, ori_src.port, false,
false, true))) {
true))) {
return TC_ACT_SHOT;
return TC_ACT_SHOT;
}
}
disable_l4_checksum(skb, l4proto, ihl);
disable_l4_checksum(skb, l4proto, ihl);
@ -1328,8 +1328,8 @@ new_connection:
bpf_htonl((ethh.h_source[2] << 24) + (ethh.h_source[3] << 16) +
bpf_htonl((ethh.h_source[2] << 24) + (ethh.h_source[3] << 16) +
(ethh.h_source[4] << 8) + (ethh.h_source[5])),
(ethh.h_source[4] << 8) + (ethh.h_source[5])),
};
};
if ((ret = routing(flag, l4hdr, tuples.sip.u6_addr32,
if ((ret = routing(flag, l4hdr, tuples.sip.u6_addr32, tuples.dip.u6_addr32,
tuples.dip.u6_addr32, mac)) < 0) {
mac)) < 0) {
bpf_printk("shot routing: %d", ret);
bpf_printk("shot routing: %d", ret);
return TC_ACT_SHOT;
return TC_ACT_SHOT;
}
}
@ -1801,36 +1801,30 @@ int tproxy_wan_ingress(struct __sk_buff *skb) {
__u16 tproxy_typ = bpf_ntohs(*(__u16 *)ðh.h_source[4]);
__u16 tproxy_typ = bpf_ntohs(*(__u16 *)ðh.h_source[4]);
if (*(__u32 *)ðh.h_source[0] != bpf_htonl(0x02000203) || tproxy_typ > 1) {
if (*(__u32 *)ðh.h_source[0] != bpf_htonl(0x02000203) || tproxy_typ > 1) {
// Check for security. Reject packets that is UDP and sent to tproxy port.
// Check for security. Reject packets that is UDP and sent to tproxy port.
if (l4proto == IPPROTO_UDP) {
__be16 *tproxy_port = bpf_map_lookup_elem(¶m_map, &tproxy_port_key);
__be16 *tproxy_port = bpf_map_lookup_elem(¶m_map, &tproxy_port_key);
if (!tproxy_port) {
if (!tproxy_port) {
goto accept;
goto accept;
}
if (unlikely(*tproxy_port == tuples.dport)) {
struct bpf_sock_tuple tuple = {0};
__u32 tuple_size;
if (ipversion == 4) {
tuple.ipv4.daddr = tuples.dip.u6_addr32[3];
tuple.ipv4.dport = tuples.dport;
tuple_size = sizeof(tuple.ipv4);
} else {
__builtin_memcpy(tuple.ipv6.daddr, &tuples.dip, IPV6_BYTE_LENGTH);
tuple.ipv6.dport = tuples.dport;
tuple_size = sizeof(tuple.ipv6);
}
}
if (unlikely(*tproxy_port == tuples.dport)) {
struct bpf_sock_tuple tuple = {0};
__u32 tuple_size;
if (ipversion == 4) {
struct bpf_sock *sk =
tuple.ipv4.daddr = tuples.dip.u6_addr32[3];
bpf_sk_lookup_udp(skb, &tuple, tuple_size, BPF_F_CURRENT_NETNS, 0);
tuple.ipv4.saddr = tuples.sip.u6_addr32[3];
if (sk) {
tuple.ipv4.dport = tuples.dport;
// Scope is host.
tuple.ipv4.sport = tuples.sport;
bpf_sk_release(sk);
tuple_size = sizeof(tuple.ipv4);
return TC_ACT_SHOT;
} else {
__builtin_memcpy(tuple.ipv6.daddr, &tuples.dip, IPV6_BYTE_LENGTH);
__builtin_memcpy(tuple.ipv6.saddr, &tuples.sip, IPV6_BYTE_LENGTH);
tuple.ipv6.dport = tuples.dport;
tuple.ipv6.sport = tuples.sport;
tuple_size = sizeof(tuple.ipv6);
}
struct bpf_sock *sk =
bpf_sk_lookup_udp(skb, &tuple, tuple_size, BPF_F_CURRENT_NETNS, 0);
if (sk) {
// Scope is host.
bpf_sk_release(sk);
return TC_ACT_SHOT;
}
}
}
}
}
accept:
accept:
@ -1905,16 +1899,15 @@ int tproxy_wan_ingress(struct __sk_buff *skb) {
}
}
// Rewrite udp src ip
// Rewrite udp src ip
if ((ret =
if ((ret = rewrite_ip(skb, ipversion, IPPROTO_UDP, ihl,
rewrite_ip(skb, ipversion, IPPROTO_UDP, ihl,
tuples.sip.u6_addr32, ori_src.ip, false, true))) {
tuples.sip.u6_addr32, ori_src.ip, false, true))) {
bpf_printk("Shot IP: %d", ret);
bpf_printk("Shot IP: %d", ret);
return TC_ACT_SHOT;
return TC_ACT_SHOT;
}
}
// Rewrite udp src port
// Rewrite udp src port
if ((ret = rewrite_port(skb, IPPROTO_UDP, ihl, tuples.sport,
if ((ret = rewrite_port(skb, IPPROTO_UDP, ihl, tuples.sport, ori_src.port,
ori_src.port, false, true))) {
false, true))) {
bpf_printk("Shot Port: %d", ret);
bpf_printk("Shot Port: %d", ret);
return TC_ACT_SHOT;
return TC_ACT_SHOT;
}
}
@ -1956,8 +1949,8 @@ int tproxy_wan_ingress(struct __sk_buff *skb) {
}
}
// Rewrite dst port.
// Rewrite dst port.
if ((ret = rewrite_port(skb, l4proto, ihl, tuples.dport, *tproxy_port,
if ((ret = rewrite_port(skb, l4proto, ihl, tuples.dport, *tproxy_port, true,
true, true))) {
true))) {
bpf_printk("Shot Port: %d", ret);
bpf_printk("Shot Port: %d", ret);
return TC_ACT_SHOT;
return TC_ACT_SHOT;
}
}
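Review bot: Reading the second column of the 1801 hunk as the new side, the `if (l4proto == IPPROTO_UDP)` guard is gone but the reject decision for a TCP packet to the tproxy port is still taken from `bpf_sk_lookup_udp`, so a TCP segment is dropped only while a UDP socket is bound to that port and would pass if only a TCP listener were present. If both protocols are meant to be rejected on the same terms, pick the lookup by protocol: `struct bpf_sock *sk = l4proto == IPPROTO_TCP ? bpf_sk_lookup_tcp(skb, &tuple, tuple_size, BPF_F_CURRENT_NETNS, 0) : bpf_sk_lookup_udp(skb, &tuple, tuple_size, BPF_F_CURRENT_NETNS, 0);`. The retained line `// Check for security. Reject packets that is UDP and sent to tproxy port.` no longer matches the code; `// Check for security. Reject any WAN packet (UDP or TCP) sent to the tproxy port.` would. Dropping saddr/sport from the tuple presumably turns this into a listener-only match rather than a match on an established flow; a one-line comment saying so would keep the next reader from re-adding them. tproxy_wan_ingress begins and ends outside this hunk, and the other four hunks are reflow-only.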