1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
|
/* SPDX-License-Identifier: GPL-2.0 */
#include <linux/bpf.h>
#include <linux/in.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>
// The parsing helper functions from the packet01 lesson have moved here
#include "common/parsing_helpers.h"
#include "common/rewrite_helpers.h"
/* Defines xdp_stats_map */
#include "common/xdp_stats_kern_user.h"
#include "common/xdp_stats_kern.h"
#ifndef memcpy
#define memcpy(dest, src, n) __builtin_memcpy((dest), (src), (n))
#endif
struct {
__uint(type, BPF_MAP_TYPE_DEVMAP);
__type(key, int);
__type(value, int);
__uint(max_entries, 256);
} tx_port SEC(".maps");
struct {
__uint(type, BPF_MAP_TYPE_HASH);
__type(key, ETH_ALEN);
__type(value, ETH_ALEN);
__uint(max_entries, 1);
} redirect_params SEC(".maps");
static __always_inline __u16 csum_fold_helper(__u32 csum)
{
return ~((csum & 0xffff) + (csum >> 16));
}
/*
* The icmp_checksum_diff function takes pointers to old and new structures and
* the old checksum and returns the new checksum. It uses the bpf_csum_diff
* helper to compute the checksum difference. Note that the sizes passed to the
* bpf_csum_diff helper should be multiples of 4, as it operates on 32-bit
* words.
*/
static __always_inline __u16 icmp_checksum_diff(
__u16 seed,
struct icmphdr_common *icmphdr_new,
struct icmphdr_common *icmphdr_old)
{
__u32 csum, size = sizeof(struct icmphdr_common);
csum = bpf_csum_diff((__be32 *)icmphdr_old, size, (__be32 *)icmphdr_new, size, seed);
return csum_fold_helper(csum);
}
/* Solution to packet03/assignment-1 */
SEC("xdp_icmp_echo")
int xdp_icmp_echo_func(struct xdp_md *ctx)
{
void *data_end = (void *)(long)ctx->data_end;
void *data = (void *)(long)ctx->data;
struct hdr_cursor nh;
struct ethhdr *eth;
int eth_type;
int ip_type;
int icmp_type;
struct iphdr *iphdr;
struct ipv6hdr *ipv6hdr;
__u16 echo_reply, old_csum;
struct icmphdr_common *icmphdr;
struct icmphdr_common icmphdr_old;
__u32 action = XDP_PASS;
/* These keep track of the next header type and iterator pointer */
nh.pos = data;
/* Parse Ethernet and IP/IPv6 headers */
eth_type = parse_ethhdr(&nh, data_end, ð);
if (eth_type == bpf_htons(ETH_P_IP)) {
ip_type = parse_iphdr(&nh, data_end, &iphdr);
if (ip_type != IPPROTO_ICMP)
goto out;
} else if (eth_type == bpf_htons(ETH_P_IPV6)) {
ip_type = parse_ip6hdr(&nh, data_end, &ipv6hdr);
if (ip_type != IPPROTO_ICMPV6)
goto out;
} else {
goto out;
}
/*
* We are using a special parser here which returns a stucture
* containing the "protocol-independent" part of an ICMP or ICMPv6
* header. For purposes of this Assignment we are not interested in
* the rest of the structure.
*/
icmp_type = parse_icmphdr_common(&nh, data_end, &icmphdr);
if (eth_type == bpf_htons(ETH_P_IP) && icmp_type == ICMP_ECHO) {
/* Swap IP source and destination */
swap_src_dst_ipv4(iphdr);
echo_reply = ICMP_ECHOREPLY;
} else if (eth_type == bpf_htons(ETH_P_IPV6)
&& icmp_type == ICMPV6_ECHO_REQUEST) {
/* Swap IPv6 source and destination */
swap_src_dst_ipv6(ipv6hdr);
echo_reply = ICMPV6_ECHO_REPLY;
} else {
goto out;
}
/* Swap Ethernet source and destination */
swap_src_dst_mac(eth);
/* Patch the packet and update the checksum.*/
old_csum = icmphdr->cksum;
icmphdr->cksum = 0;
icmphdr_old = *icmphdr;
icmphdr->type = echo_reply;
icmphdr->cksum = icmp_checksum_diff(~old_csum, icmphdr, &icmphdr_old);
/* Another, less generic, but a bit more efficient way to update the
* checksum is listed below. As only one 16-bit word changed, the sum
* can be patched using this formula: sum' = ~(~sum + ~m0 + m1), where
* sum' is a new sum, sum is an old sum, m0 and m1 are the old and new
* 16-bit words, correspondingly. In the formula above the + operation
* is defined as the following function:
*
* static __always_inline __u16 csum16_add(__u16 csum, __u16 addend)
* {
* csum += addend;
* return csum + (csum < addend);
* }
*
* So an alternative code to update the checksum might look like this:
*
* __u16 m0 = * (__u16 *) icmphdr;
* icmphdr->type = echo_reply;
* __u16 m1 = * (__u16 *) icmphdr;
* icmphdr->checksum = ~(csum16_add(csum16_add(~icmphdr->checksum, ~m0), m1));
*/
action = XDP_TX;
out:
return xdp_stats_record_action(ctx, action);
}
/* Solution to packet03/assignment-2 */
SEC("xdp_redirect")
int xdp_redirect_func(struct xdp_md *ctx)
{
void *data_end = (void *)(long)ctx->data_end;
void *data = (void *)(long)ctx->data;
struct hdr_cursor nh;
struct ethhdr *eth;
int eth_type;
int action = XDP_PASS;
unsigned char dst[ETH_ALEN] = { /* TODO: put your values here */ };
unsigned ifindex = 0/* TODO: put your values here */;
/* These keep track of the next header type and iterator pointer */
nh.pos = data;
/* Parse Ethernet and IP/IPv6 headers */
eth_type = parse_ethhdr(&nh, data_end, ð);
if (eth_type == -1)
goto out;
/* Set a proper destination address */
memcpy(eth->h_dest, dst, ETH_ALEN);
action = bpf_redirect(ifindex, 0);
out:
return xdp_stats_record_action(ctx, action);
}
/* Solution to packet03/assignment-3 */
SEC("xdp_redirect_map")
int xdp_redirect_map_func(struct xdp_md *ctx)
{
void *data_end = (void *)(long)ctx->data_end;
void *data = (void *)(long)ctx->data;
struct hdr_cursor nh;
struct ethhdr *eth;
int eth_type;
int action = XDP_PASS;
unsigned char *dst;
/* These keep track of the next header type and iterator pointer */
nh.pos = data;
/* Parse Ethernet and IP/IPv6 headers */
eth_type = parse_ethhdr(&nh, data_end, ð);
if (eth_type == -1)
goto out;
/* Do we know where to redirect this packet? */
dst = bpf_map_lookup_elem(&redirect_params, eth->h_source);
if (!dst)
goto out;
/* Set a proper destination address */
memcpy(eth->h_dest, dst, ETH_ALEN);
action = bpf_redirect_map(&tx_port, 0, 0);
out:
return xdp_stats_record_action(ctx, action);
}
#ifndef AF_INET
#define AF_INET 2
#endif
#ifndef AF_INET6
#define AF_INET6 10
#endif
#define IPV6_FLOWINFO_MASK bpf_htonl(0x0FFFFFFF)
/* from include/net/ip.h */
static __always_inline int ip_decrease_ttl(struct iphdr *iph)
{
__u32 check = iph->check;
check += bpf_htons(0x0100);
iph->check = (__u16)(check + (check >= 0xFFFF));
return --iph->ttl;
}
/* Solution to packet03/assignment-4 */
/* xdp_router is the name of the xdp program */
SEC("xdp_router")
int xdp_router_func(struct xdp_md *ctx)
{
/* this is the packet context*/
void *data_end = (void *)(long)ctx->data_end;
void *data = (void *)(long)ctx->data;
struct bpf_fib_lookup fib_params = {};
struct ethhdr *eth = data;
struct ipv6hdr *ip6h;
struct iphdr *iph;
__u16 h_proto;
__u64 nh_off;
int rc;
/* default action is to pass */
int action = XDP_PASS;
nh_off = sizeof(*eth);
if (data + nh_off > data_end) {
action = XDP_DROP;
goto out;
}
/* determine if this is IP4 or IPv6 by looking at the Ethernet protocol field */
h_proto = eth->h_proto;
if (h_proto == bpf_htons(ETH_P_IP)) {
/* IPv4 part of the code */
iph = data + nh_off;
if (iph + 1 > data_end) {
action = XDP_DROP;
goto out;
}
/* as a real router, we need to check the TTL to prevent never ending loops*/
if (iph->ttl <= 1)
goto out;
/* populate the fib_params fields to prepare for the lookup */
fib_params.family = AF_INET;
fib_params.tos = iph->tos;
fib_params.l4_protocol = iph->protocol;
fib_params.sport = 0;
fib_params.dport = 0;
fib_params.tot_len = bpf_ntohs(iph->tot_len);
fib_params.ipv4_src = iph->saddr;
fib_params.ipv4_dst = iph->daddr;
} else if (h_proto == bpf_htons(ETH_P_IPV6)) {
/* IPv6 part of the code */
struct in6_addr *src = (struct in6_addr *) fib_params.ipv6_src;
struct in6_addr *dst = (struct in6_addr *) fib_params.ipv6_dst;
ip6h = data + nh_off;
if (ip6h + 1 > data_end) {
action = XDP_DROP;
goto out;
}
/* as a real router, we need to check the TTL to prevent never ending loops*/
if (ip6h->hop_limit <= 1)
goto out;
/* populate the fib_params fields to prepare for the lookup */
fib_params.family = AF_INET6;
fib_params.flowinfo = *(__be32 *) ip6h & IPV6_FLOWINFO_MASK;
fib_params.l4_protocol = ip6h->nexthdr;
fib_params.sport = 0;
fib_params.dport = 0;
fib_params.tot_len = bpf_ntohs(ip6h->payload_len);
*src = ip6h->saddr;
*dst = ip6h->daddr;
} else {
goto out;
}
fib_params.ifindex = ctx->ingress_ifindex;
/* this is where the FIB lookup happens. If the lookup is successful */
/* it will populate the fib_params.ifindex with the egress interface index */
rc = bpf_fib_lookup(ctx, &fib_params, sizeof(fib_params), 0);
switch (rc) {
case BPF_FIB_LKUP_RET_SUCCESS: /* lookup successful */
/* we are a router, so we need to decrease the ttl */
if (h_proto == bpf_htons(ETH_P_IP))
ip_decrease_ttl(iph);
else if (h_proto == bpf_htons(ETH_P_IPV6))
ip6h->hop_limit--;
/* set the correct new source and destionation mac addresses */
/* can be found in fib_params.dmac and fib_params.smac */
memcpy(eth->h_dest, fib_params.dmac, ETH_ALEN);
memcpy(eth->h_source, fib_params.smac, ETH_ALEN);
/* and done, now we set the action to bpf_redirect_map with fib_params.ifindex which is the egress port as paramater */
action = bpf_redirect_map(&tx_port, fib_params.ifindex, 0);
break;
case BPF_FIB_LKUP_RET_BLACKHOLE: /* dest is blackholed; can be dropped */
case BPF_FIB_LKUP_RET_UNREACHABLE: /* dest is unreachable; can be dropped */
case BPF_FIB_LKUP_RET_PROHIBIT: /* dest not allowed; can be dropped */
action = XDP_DROP;
break;
case BPF_FIB_LKUP_RET_NOT_FWDED: /* packet is not forwarded */
case BPF_FIB_LKUP_RET_FWD_DISABLED: /* fwding is not enabled on ingress */
case BPF_FIB_LKUP_RET_UNSUPP_LWT: /* fwd requires encapsulation */
case BPF_FIB_LKUP_RET_NO_NEIGH: /* no neighbor entry for nh */
case BPF_FIB_LKUP_RET_FRAG_NEEDED: /* fragmentation required to fwd */
/* PASS */
break;
}
out:
/* and done, update stats and return action */
return xdp_stats_record_action(ctx, action);
}
SEC("xdp_pass")
int xdp_pass_func(struct xdp_md *ctx)
{
return xdp_stats_record_action(ctx, XDP_PASS);
}
char _license[] SEC("license") = "GPL";
|