feat(bpf): implement allow_dns program #43
Open
leodido wants to merge 5 commits into feat/allow-port from
allow_dns program
fntlnz (Collaborator) reviewed Apr 30, 2026
almost the same comments as the other ones
| } | ||
|
|
||
| struct iphdr *ip_header = data + l3_offset; | ||
| const int l4_offset = l3_offset + sizeof(*ip_header); |
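Review bot: `l4_offset = l3_offset + sizeof(*ip_header)` assumes a 20-byte IPv4 header with no options, so for a packet carrying options the port fields are read from the wrong offset. Derive the L4 offset from the IHL field (`ip_header->ihl * 4`), reject IHL < 5, and bounds-check the whole variable-length header against data_end before dereferencing it, returning TC_ACT_SHOT on any failure; the later "Use IHL field" commit in this PR describes exactly that change, and it should be folded into this program.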
Collaborator
not sure this is right in this pr as well
| return TC_ACT_OK; | ||
| } | ||
|
|
||
| if (ip_is_fragment(skb, l3_offset)) |
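Review bot: the `ip_is_fragment` branch should fail closed rather than share the `return TC_ACT_OK` path visible just above it: a non-first fragment carries no UDP/TCP header, so there is no port to check and passing it means the resolver restriction cannot be enforced on that packet. Return TC_ACT_SHOT for fragments with a nonzero offset (as the later "Drop subsequent fragments" commit in this PR does); the first fragment still carries its L4 header and can go through the normal port and address check.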
Drops DNS packets (UDP/TCP port 53) not destined for the input resolver IP address. Non-DNS traffic passes through unaffected. Intended for agent quarantine: restrict DNS resolution to a controlled resolver without affecting other traffic.
Co-authored-by: Ona <no-reply@ona.com>
CLI functional: permits DNS to approved resolver, blocks DNS to other resolvers, does not block non-DNS traffic. CLI flags: missing input, invalid IP. CNI functional: allow_dns via JSON config. CNI flags: missing input rejected. 7 new tests (50 total).
Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Ona <no-reply@ona.com>
…ry checks
- Use IHL field for dynamic IP header length instead of fixed sizeof(iphdr)
- Validate IHL >= 5 and bounds-check the full IP header
- Drop subsequent fragments (no L4 headers to verify)
- Fail-closed (TC_ACT_SHOT) on all boundary check failures
- Document passthroughs: non-IPv4, non-TCP/UDP, and non-DNS traffic passes through
Co-authored-by: Ona <no-reply@ona.com>
The allow_dns CNI test uses python3 for a TCP socket listener on port 53. The Arch Linux container image does not include python by default, causing the test to fail with 'python3: command not found'.
Co-authored-by: Ona <no-reply@ona.com>
Description
Drops DNS packets (UDP/TCP port 53) not destined for the input resolver IP address. Non-DNS traffic passes through unaffected.
Intended for agent quarantine: restrict DNS resolution to a controlled resolver without affecting other traffic. The agent's resolv.conf should point to the approved resolver; this program enforces that no DNS escapes to unauthorized resolvers.

Depends on #42 (allow_port) → #41 (allow_ip).

Commits
- feat(bpf): implement allow_dns program — BPF program, api.lua registration, input_parse.h wiring
- test(bpf): add allow_dns tests — 7 new tests (50 total)
- docs: add allow_dns to built-in programs — README.txt, docs/README.md

How to test
xmake clean -a
xmake f --generate-vmlinux=y
xmake
sudo XMAKE_ROOT=y xmake run test
All 50 tests pass (43 from PR #42 + 7 new).

Design notes
allow_port or block_port in a chain
ip input field type as allow_ip and block_ip
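The resolver restriction described in this PR, as an added example that is not the project's BPF code: the allow_dns verdict logic rewritten as plain user-space C over a raw Ethernet frame, applying the IHL, bounds-check and fragment rules from the commit messages so they can be unit-tested without loading a BPF program. The `classify` helper, the zeroed constructed frame layout and the resolver address 10.0.0.53 are assumptions made here.

```c
/* Added example, not the project's own code: allow_dns verdict logic as
 * plain user-space C over a raw Ethernet frame. Verdict values mirror
 * TC_ACT_OK (0) and TC_ACT_SHOT (2); resolver_ip is in host byte order. */
#include <stddef.h>
#include <stdint.h>

enum { VERDICT_OK = 0, VERDICT_SHOT = 2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Only the destination port is checked, matching "not destined for the
 * input resolver" (egress queries). Every parse failure fails closed. */
int allow_dns_verdict(const uint8_t *frame, size_t len, uint32_t resolver_ip) {
    if (len < 14) return VERDICT_SHOT;                  /* truncated Ethernet header */
    if (rd16(frame + 12) != 0x0800) return VERDICT_OK;  /* non-IPv4 passes through */
    const uint8_t *ip = frame + 14;
    if (len < 14 + 20) return VERDICT_SHOT;             /* fixed IP header not readable */
    unsigned ihl = ip[0] & 0x0f;
    if (ihl < 5) return VERDICT_SHOT;                   /* invalid IHL */
    size_t l4 = 14 + ihl * 4;                           /* IHL, not sizeof(iphdr): options */
    if (len < l4) return VERDICT_SHOT;                  /* full header incl. options */
    uint8_t proto = ip[9];
    if (proto != 6 && proto != 17) return VERDICT_OK;   /* non-TCP/UDP passes through */
    if (rd16(ip + 6) & 0x1fff) return VERDICT_SHOT;     /* later fragment: no L4 header */
    if (len < l4 + 4) return VERDICT_SHOT;              /* need both port fields */
    if (rd16(frame + l4 + 2) != 53) return VERDICT_OK;  /* non-DNS passes through */
    return rd32(ip + 16) == resolver_ip ? VERDICT_OK : VERDICT_SHOT;
}

/* Constructed test frame (assumption): zeroed Ethernet + IPv4 (IHL words) +
 * 4 L4 bytes, with only the fields the verdict reads filled in, then classified. */
int classify(unsigned ihl, uint8_t proto, uint16_t frag, uint32_t daddr,
             uint16_t dport, uint32_t resolver_ip) {
    uint8_t f[14 + 60 + 4] = {0};
    uint8_t *ip = f + 14;
    f[12] = 0x08; f[13] = 0x00;                         /* EtherType IPv4 */
    ip[0] = (uint8_t)(0x40 | (ihl & 0x0f));             /* version 4, IHL */
    ip[6] = (uint8_t)(frag >> 8); ip[7] = (uint8_t)frag; /* flags + fragment offset */
    ip[9] = proto;
    ip[16] = (uint8_t)(daddr >> 24); ip[17] = (uint8_t)(daddr >> 16);
    ip[18] = (uint8_t)(daddr >> 8);  ip[19] = (uint8_t)daddr;
    size_t l4 = 14 + (ihl < 5 ? 5 : ihl) * 4;
    f[l4 + 2] = (uint8_t)(dport >> 8); f[l4 + 3] = (uint8_t)dport;
    return allow_dns_verdict(f, l4 + 4, resolver_ip);
}
```

A first fragment (MF set, offset 0) still carries its L4 header and is checked normally; only fragments with a nonzero offset are dropped.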