* [PATCH] selftests/bpf: remove xdp_synproxy IP_DF check
@ 2024-10-25 3:19 Vincent Li
2024-10-29 19:30 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: Vincent Li @ 2024-10-25 3:19 UTC (permalink / raw)
To: bpf; +Cc: Alexei Starovoitov, Martin KaFai Lau, Vincent Li
In real world production websites, the IP_DF flag
is not always set for each packet from these websites.
the IP_DF flag check breaks Internet connection to
these websites for home based firewall like BPFire
when XDP synproxy program is attached to firewall
Internet facing side interface. see [0]
[0] https://github.com/vincentmli/BPFire/issues/59
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
---
tools/testing/selftests/bpf/progs/xdp_synproxy_kern.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tools/testing/selftests/bpf/progs/xdp_synproxy_kern.c b/tools/testing/selftests/bpf/progs/xdp_synproxy_kern.c
index f8f5dc9f72b8..62b8e29ced9f 100644
--- a/tools/testing/selftests/bpf/progs/xdp_synproxy_kern.c
+++ b/tools/testing/selftests/bpf/progs/xdp_synproxy_kern.c
@@ -21,7 +21,6 @@
#define tcp_flag_word(tp) (((union tcp_word_hdr *)(tp))->words[3])
-#define IP_DF 0x4000
#define IP_MF 0x2000
#define IP_OFFSET 0x1fff
@@ -442,7 +441,7 @@ static __always_inline int tcp_lookup(void *ctx, struct header_pointers *hdr, bo
/* TCP doesn't normally use fragments, and XDP can't reassemble
* them.
*/
- if ((hdr->ipv4->frag_off & bpf_htons(IP_DF | IP_MF | IP_OFFSET)) != bpf_htons(IP_DF))
+ if ((hdr->ipv4->frag_off & bpf_htons(IP_MF | IP_OFFSET)) != 0)
return XDP_DROP;
tup.ipv4.saddr = hdr->ipv4->saddr;
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] selftests/bpf: remove xdp_synproxy IP_DF check
2024-10-25 3:19 [PATCH] selftests/bpf: remove xdp_synproxy IP_DF check Vincent Li
@ 2024-10-29 19:30 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2024-10-29 19:30 UTC (permalink / raw)
To: Vincent Li; +Cc: bpf, ast, martin.lau
Hello:
This patch was applied to bpf/bpf-next.git (net)
by Martin KaFai Lau <martin.lau@kernel.org>:
On Fri, 25 Oct 2024 03:19:52 +0000 you wrote:
> In real world production websites, the IP_DF flag
> is not always set for each packet from these websites.
> the IP_DF flag check breaks Internet connection to
> these websites for home based firewall like BPFire
> when XDP synproxy program is attached to firewall
> Internet facing side interface. see [0]
>
> [...]
Here is the summary with links:
- selftests/bpf: remove xdp_synproxy IP_DF check
https://git.kernel.org/bpf/bpf-next/c/0ab7cd1f1864
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-10-29 19:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-10-25 3:19 [PATCH] selftests/bpf: remove xdp_synproxy IP_DF check Vincent Li
2024-10-29 19:30 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox