ebpf tethering offload - only offload some src ips.

We don't want things like src ip ::, ::1, fe80::/64 being blindly
forwarded, since we're trying to behave like an ipv6 router.

Test: atest
Bug: 150808346
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Original-Change: https://android-review.googlesource.com/1321095
Merged-In: I43da7829caa7fc831bd17ada5750dc06b276804d
Change-Id: I43da7829caa7fc831bd17ada5750dc06b276804d
diff --git a/bpf_progs/offload.c b/bpf_progs/offload.c
index 9bcfdcd..f3334b4 100644
--- a/bpf_progs/offload.c
+++ b/bpf_progs/offload.c
@@ -59,6 +59,12 @@
     // Let the kernel's stack handle these cases and generate appropriate ICMP errors.
     if (ip6->hop_limit <= 1) return TC_ACT_OK;
 
+    // Protect against forwarding packets sourced from ::1 or fe80::/64 or other weirdness.
+    __be32 src32 = ip6->saddr.s6_addr32[0];
+    if (src32 != htonl(0x0064ff9b) &&                        // 64:ff9b:/32 incl. XLAT464 WKP
+        (src32 & htonl(0xe0000000)) != htonl(0x20000000))    // 2000::/3 Global Unicast
+        return TC_ACT_OK;
+
     TetherIngressKey k = {
             .iif = skb->ifindex,
             .neigh6 = ip6->daddr,
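Review bot: The first arm of the added source filter compares only `s6_addr32[0]`, so it accepts the whole of 64:ff9b::/32 rather than just the NAT64 well-known prefix 64:ff9b::/96, and its trailing comment writes the prefix as `64:ff9b:/32`, which is not valid notation. If the wider match is intended, the comment should say so, e.g. `// 64:ff9b::/32, superset of the NAT64 WKP 64:ff9b::/96`; if only the WKP should be offloaded, the test would also have to require `s6_addr32[1]` and `s6_addr32[2]` of the source to be zero. The lead comment reads like a deny-list, but the check is an allow-list whose misses are handed back to the kernel stack with `TC_ACT_OK` rather than dropped, so I would reword it to something like `// Only offload sources in 2000::/3 or 64:ff9b::/32; everything else (::, ::1, fe80::/64, ...) goes to the kernel stack.` and put braces around the `return` under the two-line condition. The enclosing function starts and ends outside the hunk.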