From 8de807d856bf393af7528a926212c60a0b35cd27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Enrique=20Ulises=20B=C3=A1ez=20G=C3=B3mez=20Tagle?= <89673617+enriquegomeztagle@users.noreply.github.com>
Date: Wed, 27 Nov 2024 16:31:43 -0600
Subject: [PATCH] Implement specific filter for ICMP

Related to #43

Add a rule to match bytes at a specific position of the packet for ICMP filter.

* **firewall-common/src/lib.rs**
- Add a new variant `BytesAtPosition { position: usize, value: u8 }` to the `Match` enum.

* **firewall-ebpf/src/main.rs**
- Update the `try_firewall` function to handle the new `Match::BytesAtPosition` variant.
- Add logic to match bytes at a specific position of the packet.

---

For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/AOx0/adam/issues/43?shareId=XXXX-XXXX-XXXX-XXXX).
---
 firewall-common/src/lib.rs | 1 +
 firewall-ebpf/src/main.rs | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/firewall-common/src/lib.rs b/firewall-common/src/lib.rs
index ccb3453..4d1d27e 100644
--- a/firewall-common/src/lib.rs
+++ b/firewall-common/src/lib.rs
@@ -39,6 +39,7 @@ pub enum Match {
 Socket(core::net::SocketAddr),
 Port(u16),
 Protocol(InetProtocol),
+ BytesAtPosition { position: usize, value: u8 },
 }

 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
diff --git a/firewall-ebpf/src/main.rs b/firewall-ebpf/src/main.rs
index 9d7de57..ce55d26 100644
--- a/firewall-ebpf/src/main.rs
+++ b/firewall-ebpf/src/main.rs
@@ -86,6 +86,12 @@ fn try_firewall(ctx: XdpContext) -> Result {
 return emit(ctx, rule.action, Some((i, socket_addr)));
 }
 }
+
+ if let Match::BytesAtPosition { position, value } = rule.matches {
+ if rem.get(position).copied() == Some(value) {
+ return emit(ctx, rule.action, Some((i, socket_addr)));
+ }
+ }
 }

 unsafe { PROCESSOR.tail_call(&ctx, processor::IPV4_TCP).or_drop()? };
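Review bot: The `position: usize` field of the new `Match::BytesAtPosition` variant is pointer-width and has no documentation saying what the offset is measured from. If `Match` is shared between the eBPF program and the userspace loader (the crate name suggests this, but no map definition is visible here), a fixed-width field keeps the layout identical on both sides and bounds the range: `BytesAtPosition { position: u16, value: u8 },`, with the lookup then indexing by `usize::from(position)`. A doc comment on the variant should state the base of the offset and that exactly one byte is compared, for example `/// Matches when the byte at offset position of the inspected payload equals value; out-of-range offsets never match.` The enum's declaration begins outside the hunk.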
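Review bot: The added `BytesAtPosition` branch in the rule loop is not tied to any protocol, so every packet that reaches this loop with `value` at `position` in `rem` triggers `rule.action`, although the commit describes the rule as an ICMP filter. When the action is a pass or allow, one sender-controlled byte is a weak criterion, so the byte test should be combined with a check that the packet is ICMP (the parsed protocol is presumably available at this point, but it is not visible in the hunk). `rem` is defined outside the hunk, so a comment such as `// position is an offset into rem; packets shorter than position never match this rule` would record the base of the offset and the fall-through on short packets. try_firewall's body begins and ends outside the hunk.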