[strongSwan-dev] farp plugin bpf filter

Martin Willi martin at strongswan.org
Tue Jun 1 10:13:42 CEST 2010


Hi Sven,

> Maybe this behaviour comes from some settings on the ipsec gateway
> system (this is btw. a brand new Ubuntu 10.04 LTS)?

I'm running the same on my testing boxes, but use a custom kernel based
on 2.6.34.

> +    /* Make sure this is an ARP packet... */
> +    BPF_STMT (BPF_LD + BPF_H + BPF_ABS, 12),
> +    BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, ETHERTYPE_ARP, 0, 3),

> +    arp_request_filter_code[1].jf = 0; /* skip the IP packet type check */

This actually disables the packet type check above...

> +    /* Make sure this is an ARP REPLY... */
> +    BPF_STMT (BPF_LD + BPF_H + BPF_ABS, 20),
> +    BPF_JUMP (BPF_JMP + BPF_JEQ + BPF_K, ARPOP_REQUEST, 0, 1),
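
Review bot: the comment on the opcode test reads "Make sure this is an ARP REPLY", but the BPF_JUMP below it compares against ARPOP_REQUEST. The comment should say REQUEST so that it matches what the filter actually accepts.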

> +    arp_request_filter_code[2].k -= ETH_HLEN;

... and reduces the offset of the Opcode field. Makes sense, as Linux
does not return the Ethernet header, only the ARP header. 

This will actually result in the same test as ours:

> -    BPF_STMT(BPF_LD+BPF_H+BPF_ABS, offsetof(arp_t, opcode)),
> -    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARPOP_REQUEST, 0, 3),


After applying your patch, there is not much left of our packet filter.

It would help if we knew which statement is actually the problem. You
can replace each test by a NOP using the patch below, and then re-enable
them one by one to find out which one is causing trouble.

For a reference of BPF, have a look at:
   http://www.pcausa.com/support/bpfhelp.htm

Best regards
Martin


--- a/src/libcharon/plugins/farp/farp_spoofer.c
+++ b/src/libcharon/plugins/farp/farp_spoofer.c
@@ -148,13 +148,13 @@ farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener)
     private_farp_spoofer_t *this;
     struct sock_filter arp_request_filter_code[] = {
         BPF_STMT(BPF_LD+BPF_H+BPF_ABS, offsetof(arp_t, protocol_type)),
-        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETH_P_IP, 0, 9),
+        BPF_JUMP(BPF_JMP+BPF_JA, 0, 0, 0),
         BPF_STMT(BPF_LD+BPF_B+BPF_ABS, offsetof(arp_t, hardware_size)),
-        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 6, 0, 7),
+        BPF_JUMP(BPF_JMP+BPF_JA, 0, 0, 0),
         BPF_STMT(BPF_LD+BPF_B+BPF_ABS, offsetof(arp_t, protocol_size)),
-        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 4, 0, 4),
+        BPF_JUMP(BPF_JMP+BPF_JA, 0, 0, 0),
         BPF_STMT(BPF_LD+BPF_H+BPF_ABS, offsetof(arp_t, opcode)),
-        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARPOP_REQUEST, 0, 3),
+        BPF_JUMP(BPF_JMP+BPF_JA, 0, 0, 0),
         BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0),
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 28, 0, 1),
         BPF_STMT(BPF_RET+BPF_A, 0),
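
Review bot: the length test near the end of the hunk, BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 28, 0, 1), stays a live comparison while the four tests above it become BPF_JA no-ops, so this bisect cannot show whether the length check is the one dropping packets. Replace it with the same BPF_JA line for the first run and re-enable it along with the others. With protocol type, address sizes and opcode unchecked, the only condition left on a packet is its length, so this should stay a local debugging change and not be committed.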






