feat(bpf): implement allow_proto L3 protocol gatekeeper #53
Open
leodido wants to merge 7 commits into feat/ethertype-vlan-names from
L3 IP protocol allowlist program. Drops IPv4 packets whose IP protocol is not in the allowed set. Non-IPv4 traffic passes through (L2 filtering is allow_ethertype's job). Rodata layout: __u8 allowed[MAX_MULTI_VALUES] + __u8 num_allowed + __u32 slot. Same pattern as allow_ethertype but with __u8 values for IP protocol numbers. No fragment handling needed — the protocol field is in the fixed 20-byte IP header, always readable regardless of fragmentation. Co-authored-by: Ona <no-reply@ona.com>
Add case program_allow_proto in parse_input() calling the existing
parse_protos() helper. Add to program_requires_input(). Add sctp (132)
to g_proto_names[] as the 4th symbolic protocol name.
Add input_fields entry in api.lua:
allow_proto = { field = "protos", multi = true }.
Co-authored-by: Ona <no-reply@ona.com>
Add case program_allow_proto in load_chain_program(). Passes the protos struct (values[] + count) to set_chain_rodata(). Add to program_supports_chaining(). Co-authored-by: Ona <no-reply@ona.com>
Flag tests (11): missing input, unknown name, invalid decimal, out of range (256), duplicate, cross-representation duplicate (tcp+6), trailing/leading +, consecutive ++, too many values, sctp+132 dup. Integration tests (4): standalone tcp+udp+icmp allows ping, standalone tcp+udp blocks ping (ICMP not in set), decimal input 6+17+1, chain allow_ethertype+allow_proto blocks ICMP at L3. CNI test (1): allow_proto with tcp+udp+icmp via CNI fixture. Fix missing trailing newline in cni.bats. Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Ona <no-reply@ona.com>
…0 test Add missing #include "allow_proto.skel.h" in chain.h. Without it, the chain loader compiles only because of accidental include ordering in traffico.c. Split parse_protos error into two distinct messages: "unknown protocol name (use a number 0-255)" for non-numeric tokens and "protocol number out of range (0-255)" for values > 255. Previously both cases used the ambiguous "invalid protocol number". Add test verifying protocol 0 (HOPOPT) is accepted by the parser, documenting the intentional difference from EtherType 0x0000 which is rejected. Co-authored-by: Ona <no-reply@ona.com>
Reject whitespace in multi-value input tokens. Both parse_ethertypes and parse_protos now call token_has_whitespace() before processing each token. Prevents strtoul from silently accepting inputs like "tcp+ 6" via CNI JSON where the CLI argument parser would not split on spaces. Remove stale "(future)" annotations from ethertypes and protos union fields in api.h.in and chain.h — both programs are implemented. Add chain integration test verifying TCP traffic passes through allow_ethertype:ipv4+arp,allow_proto:tcp+udp (allow path). The existing chain test only covered the block path (ICMP dropped). Co-authored-by: Ona <no-reply@ona.com>
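The parse_protos() validation rules the commits above describe (symbolic or decimal tokens, '+' delimiter edge cases, whitespace rejection, the two distinct error messages, cross-representation duplicates, protocol 0 accepted), as an added userspace model in C. This is not the project's parser: MAX_MULTI_VALUES, the token buffer size and every error string other than the two quoted in the commit message are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_MULTI_VALUES 16 /* assumed cap; the project's own value may differ */
struct protos { uint8_t values[MAX_MULTI_VALUES]; uint8_t count; };
static const struct { const char *name; uint8_t num; } g_proto_names[] = {
    { "tcp", 6 }, { "udp", 17 }, { "icmp", 1 }, { "sctp", 132 }, /* sctp is the 4th name */
};
static int token_has_whitespace(const char *tok) {
    for (; *tok; tok++) if (isspace((unsigned char)*tok)) return 1;
    return 0;
}
/* Resolve one token to 0-255. Returns NULL on success, else an error message. */
static const char *parse_one(const char *tok, uint8_t *out) {
    if (*tok == '\0') return "empty token (leading, trailing or consecutive '+')";
    if (token_has_whitespace(tok)) return "whitespace in token"; /* e.g. "tcp+ 6" via CNI JSON */
    for (size_t i = 0; i < sizeof g_proto_names / sizeof g_proto_names[0]; i++)
        if (strcmp(tok, g_proto_names[i].name) == 0) { *out = g_proto_names[i].num; return NULL; }
    char *end; errno = 0;
    unsigned long v = strtoul(tok, &end, 10);
    if (!isdigit((unsigned char)*tok) || *end != '\0' || errno)
        return "unknown protocol name (use a number 0-255)";  /* non-numeric token */
    if (v > 255) return "protocol number out of range (0-255)"; /* e.g. 256 */
    *out = (uint8_t)v; /* 0 (HOPOPT) is accepted, unlike EtherType 0x0000 */
    return NULL;
}
/* Parse a '+'-delimited list such as "tcp+udp+1". Returns NULL on success, else the error. */
const char *parse_protos(const char *input, struct protos *p) {
    if (!input || *input == '\0') return "missing input";
    p->count = 0;
    for (const char *s = input;;) {
        const char *sep = strchr(s, '+');           /* manual split so "++" is not collapsed */
        size_t n = sep ? (size_t)(sep - s) : strlen(s);
        char tok[32];
        if (n >= sizeof tok) return "token too long";
        memcpy(tok, s, n); tok[n] = '\0';
        uint8_t v; const char *err = parse_one(tok, &v);
        if (err) return err;
        for (int i = 0; i < p->count; i++)           /* value-level check catches tcp+6, sctp+132 */
            if (p->values[i] == v) return "duplicate protocol";
        if (p->count >= MAX_MULTI_VALUES) return "too many values";
        p->values[p->count++] = v;
        if (!sep) return NULL;
        s = sep + 1;
    }
}
```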
L3 IP protocol allowlist program. Drops IPv4 packets whose IP protocol is not in the allowed set. Non-IPv4 traffic passes through (L2 filtering is allow_ethertype's job). Accepts a +-delimited list of symbolic names (tcp, udp, icmp, sctp) or decimal numbers.

Second multi-value input program, following the pattern established by allow_ethertype in PR #51.

Changes

- BPF program (bpf/allow_proto.bpf.c): reads ip_header->protocol, linear scans the allowed[MAX_MULTI_VALUES] array. Match: tail-call next. No match: TC_ACT_SHOT. Non-IPv4 passthrough (TC_ACT_OK). Fail-closed on truncated headers and invalid IHL.
- Parser wiring: case program_allow_proto in parse_input() calling the existing parse_protos() helper. Added to program_requires_input(). Added sctp (132) to g_proto_names[]. input_fields entry in api.lua: allow_proto = { field = "protos", multi = true }.
- Chain loader: case program_allow_proto in load_chain_program(). Passes the protos struct (values + count) to set_chain_rodata(). Added to program_supports_chaining().
- Tests: 11 flag validation tests (missing input, unknown name, invalid decimal, out of range, duplicates, delimiter edge cases, too many values, sctp cross-repr). 4 integration tests (standalone allow, standalone block, decimal input, chain with allow_ethertype). 1 CNI test with fixture.
- Docs: README.txt and docs/README.md with chain ordering notes.

Design decisions

- allow_ipv4, allow_port, allow_dns. The chain ordering bypass where L3+ passthrough short-circuits downstream L2 filters is a chain-model issue, not specific to this program.
- No fragment handling needed — the protocol field is in the fixed 20-byte IP header, always readable regardless of fragmentation.
- allow_ethertype, before allow_port (L2 → L3 → L4).

Stacked on

- vlan and qinq symbolic names for allow_ethertype #52 (feat/ethertype-vlan-names) — vlan/qinq symbolic names
- allow_ethertype L2 gatekeeper #51 (feat/allow-ethertype) — L2 gatekeeper
- (feat/multi-value-rodata) — multi-value input infrastructure
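The verdict logic the description above gives for bpf/allow_proto.bpf.c (non-IPv4 passthrough, fail-closed on truncated headers and invalid IHL, bounded linear scan of the rodata allowlist), as an added userspace C model rather than the project's BPF program. MAX_MULTI_VALUES, the struct name, and the frame builder are assumptions; the verdict values mirror TC_ACT_OK (0) and TC_ACT_SHOT (2).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_MULTI_VALUES 16 /* assumed cap; the project's own value may differ */
#define ETH_P_IP 0x0800
#define ETH_HLEN 14
#define IPV4_MIN_HLEN 20
/* Same numeric values as TC_ACT_OK / TC_ACT_SHOT in linux/pkt_cls.h */
enum verdict { VERDICT_OK = 0, VERDICT_SHOT = 2 };
/* Mirrors the rodata layout the PR describes: allowed[] + num_allowed (slot omitted) */
struct proto_set { uint8_t allowed[MAX_MULTI_VALUES]; uint8_t num_allowed; };
static int proto_allowed(const struct proto_set *set, uint8_t proto) {
    /* Linear scan with a constant upper bound, the shape a BPF verifier can prove terminates */
    for (int i = 0; i < MAX_MULTI_VALUES && i < set->num_allowed; i++)
        if (set->allowed[i] == proto) return 1;
    return 0;
}
/* Decide the verdict for one Ethernet frame of `len` bytes. */
enum verdict allow_proto_verdict(const struct proto_set *set, const uint8_t *pkt, size_t len) {
    if (len < ETH_HLEN) return VERDICT_SHOT;                   /* fail closed: no Ethernet header */
    uint16_t ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);
    if (ethertype != ETH_P_IP) return VERDICT_OK;              /* non-IPv4: allow_ethertype's job */
    if (len < ETH_HLEN + IPV4_MIN_HLEN) return VERDICT_SHOT;   /* truncated fixed IPv4 header */
    const uint8_t *ip = pkt + ETH_HLEN;
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5) return VERDICT_SHOT; /* bad version or IHL < 5 words */
    uint8_t proto = ip[9]; /* fixed-header field: present in every fragment, no reassembly needed */
    return proto_allowed(set, proto) ? VERDICT_OK : VERDICT_SHOT;
}
/* Constructed 64-byte test frame: Ethernet + IPv4 header with the given fields, rest zeroed. */
size_t build_frame(uint8_t *buf, uint16_t ethertype, uint8_t proto, uint8_t ihl) {
    memset(buf, 0, 64);
    buf[12] = (uint8_t)(ethertype >> 8); buf[13] = (uint8_t)ethertype;
    buf[ETH_HLEN] = (uint8_t)(0x40 | (ihl & 0x0f)); /* version 4, caller-chosen IHL */
    buf[ETH_HLEN + 9] = proto;
    return 64;
}
```

A VLAN-tagged frame (EtherType 0x8100) is treated here as non-IPv4 and passes, which is why the description orders allow_ethertype before allow_proto in a chain.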