Implement specific filter for ICMP

Related to #43 Add a rule to match bytes at a specific position of the packet for ICMP filter. * **firewall-common/src/lib.rs** - Add a new variant `BytesAtPosition { position: usize, value: u8 }` to the `Match` enum. * **firewall-ebpf/src/main.rs** - Update the `try_firewall` function to handle the new `Match::BytesAtPosition` variant. - Add logic to match bytes at a specific position of the packet. --- For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/AOx0/adam/issues/43?shareId=XXXX-XXXX-XXXX-XXXX).
AOx0 · Nov 28, 2024 · 8de807d · 8de807d
1 parent 1bdfdc2
commit 8de807d
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/firewall-common/src/lib.rs b/firewall-common/src/lib.rs
@@ -39,6 +39,7 @@ pub enum Match {
     Socket(core::net::SocketAddr),
     Port(u16),
     Protocol(InetProtocol),
+    BytesAtPosition { position: usize, value: u8 },
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]

diff --git a/firewall-ebpf/src/main.rs b/firewall-ebpf/src/main.rs
@@ -86,6 +86,12 @@ fn try_firewall(ctx: XdpContext) -> Result<u32, u32> {
                     return emit(ctx, rule.action, Some((i, socket_addr)));
                 }
             }
+
+            if let Match::BytesAtPosition { position, value } = rule.matches {
+                if rem.get(position).copied() == Some(value) {
+                    return emit(ctx, rule.action, Some((i, socket_addr)));
+                }
+            }
         }
 
         unsafe { PROCESSOR.tail_call(&ctx, processor::IPV4_TCP).or_drop()? };