From fc4f6540be1b1eccceae19800a85af5c0cae8bf9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?=
Date: Fri, 22 Jan 2021 22:19:45 -0800
Subject: [PATCH] bpf tether offload - do not offload TCP SYN/FIN/RST packets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We want connection establishment/shutdown to flow through the kernel code path so connection tracking state is at least somewhat correct.
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski
Change-Id: Iee97baa65750188f3436937b16c9b320f0495a5a
---
 Tethering/bpf_progs/offload.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/Tethering/bpf_progs/offload.c b/Tethering/bpf_progs/offload.c
index cce94ee5d8..852de1e3da 100644
--- a/Tethering/bpf_progs/offload.c
+++ b/Tethering/bpf_progs/offload.c
@@ -66,6 +66,18 @@ static inline __always_inline int do_forward(struct __sk_buff* skb, const bool i
 // Let the kernel's stack handle these cases and generate appropriate ICMP errors.
 if (ip6->hop_limit <= 1) return TC_ACT_OK;
+ // If hardware offload is running and programming flows based on conntrack entries,
+ // try not to interfere with it.
+ if (ip6->nexthdr == IPPROTO_TCP) {
+ struct tcphdr* tcph = (void*)(ip6 + 1);
+ // Make sure we can get at the tcp header
+ if (data + l2_header_size + sizeof(*ip6) + sizeof(*tcph) > data_end) return TC_ACT_OK;
+ // Do not offload TCP packets with any one of the SYN/FIN/RST flags
+ if (tcph->syn || tcph->fin || tcph->rst) return TC_ACT_OK;
+ }
+
 // Protect against forwarding packets sourced from ::1 or fe80::/64 or other weirdness.
 __be32 src32 = ip6->saddr.s6_addr32[0];
 if (src32 != htonl(0x0064ff9b) && // 64:ff9b:/32 incl. XLAT464 WKP
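Review bot: The SYN/FIN/RST test in the added block runs only when `ip6->nexthdr == IPPROTO_TCP`, so a TCP segment that sits behind any IPv6 extension header is never inspected here. Unless code outside this hunk already hands such packets to the kernel, their connection setup and teardown would still bypass conntrack, which is the state the commit message wants to keep correct. If that limit is intended, state it next to the check, e.g. `// Only TCP directly after the fixed IPv6 header is inspected; packets carrying extension headers are not matched here.`; otherwise consider returning `TC_ACT_OK` for next-header values the program does not parse. The early `return TC_ACT_OK` when the TCP header is not within `data_end` fails in the safe direction and is worth keeping as is. do_forward starts and continues outside the hunk, so the surrounding handling is not visible from here.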