ebpf tethering offload - only offload some src ips.
We don't want things like src ip ::, ::1, fe80::/64 being blindly
forwarded, since we're trying to behave like an ipv6 router.
Test: atest
Bug: 150808346
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Original-Change: https://android-review.googlesource.com/1321095
Merged-In: I43da7829caa7fc831bd17ada5750dc06b276804d
Change-Id: I43da7829caa7fc831bd17ada5750dc06b276804d
diff --git a/bpf_progs/offload.c b/bpf_progs/offload.c
index 9bcfdcd..f3334b4 100644
--- a/bpf_progs/offload.c
+++ b/bpf_progs/offload.c
@@ -59,6 +59,12 @@
// Let the kernel's stack handle these cases and generate appropriate ICMP errors.
if (ip6->hop_limit <= 1) return TC_ACT_OK;
+ // Protect against forwarding packets sourced from ::1 or fe80::/64 or other weirdness.
+ __be32 src32 = ip6->saddr.s6_addr32[0];
+ if (src32 != htonl(0x0064ff9b) && // 64:ff9b:/32 incl. XLAT464 WKP
+ (src32 & htonl(0xe0000000)) != htonl(0x20000000)) // 2000::/3 Global Unicast
+ return TC_ACT_OK;
+
TetherIngressKey k = {
.iif = skb->ifindex,
.neigh6 = ip6->daddr,
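Review bot: The first comparison in the added source filter looks only at `s6_addr32[0]`, so it accepts every source in 64:ff9b::/32, whereas the NAT64 well-known prefix is the narrower 64:ff9b::/96 (RFC 6052). The inline comment also writes the prefix as `64:ff9b:/32`, which is not valid notation. If the wider match is deliberate, the comment should say so, for example `// 64:ff9b::/32 - superset of the NAT64 WKP 64:ff9b::/96; only the first 32 bits are compared`. The two-line condition would also be safer to maintain with braces around `return TC_ACT_OK;`. The enclosing function starts and ends outside this hunk.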
diff --git a/tests/netd_test.cpp b/tests/netd_test.cpp
index 77ff112..dd25f96 100644
--- a/tests/netd_test.cpp
+++ b/tests/netd_test.cpp
@@ -251,9 +251,9 @@
uint64_t limit = ~0uLL;
ASSERT_OK(bpfLimitMap.writeValue(k, limit, BPF_NOEXIST));
- // minimal 'acceptable' 40-byte hoplimit 255 IPv6 packet
+ // minimal 'acceptable' 40-byte hoplimit 255 IPv6 packet, src ip 2000::
uint8_t pkt[mtu] = {
- 0x60, 0, 0, 0, 0, 40, 0, 255,
+ 0x60, 0, 0, 0, 0, 40, 0, 255, 0x20,
};
// Iterate over all packet sizes from minimal ipv6 packet to mtu.
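Review bot: Only the accept path is exercised here: the source now starts with `0x20` so the packet still passes the new filter, but nothing visible in this hunk sends a packet sourced from `::1`, `fe80::` or `::` and checks that it is not offloaded. A negative case next to this one would pin the filter this commit adds, for example a copy of `pkt` whose source begins `0xfe, 0x80`, asserting that the program leaves it to the stack. A source beginning `0x00, 0x64, 0xff, 0x9b` would cover the other accepted branch. The test body continues outside the hunk, so such cases may already exist further down.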