eBPF: Filter out ppp-session & GTP-U for non tracking match

While restarting GTP-Guard, remote peer, GTP & PPP as well, are still tracking session. While restarting its generate unknown lookup which was punt to userland. We just need to protect userland from being flooded during restart, so we are just filtering out data-plane from unknown session.
acassen · Nov 23, 2024 · c8473b1 · c8473b1
1 parent d6b4254
commit c8473b1
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/src/bpf/gtp_route.c b/src/bpf/gtp_route.c
@@ -545,9 +545,12 @@ gtp_route_ppp_decap(struct parse_pkt *pkt)
 	__builtin_memcpy(ppp_k.hw, ethh->h_dest, ETH_ALEN);
 	ppp_k.session_id = bpf_ntohs(pppoeh->session);
 
+	/* If no session is matching then we drop to prevent against
+	 * userland overflow while restarting. Only PPP-LCP are punt
+	 * to the userland. */
 	rt_rule = bpf_map_lookup_elem(&ppp_ingress, &ppp_k);
 	if (!rt_rule)
-		return XDP_PASS;
+		return XDP_DROP;
 	gtp_route_stats_update(rt_rule, payload_len);
 
 	/* Phase 0 : Got it ! perform GTP-U encapsulation, prepare headroom */
@@ -748,9 +751,12 @@ gtp_route_traffic_selector(struct parse_pkt *pkt)
 	rt_key.id = gtph->teid;
 	rt_key.addr = iph->daddr;
 
+	/* If no session is matching then we drop to prevent against
+	 * userland overflow while restarting. Only GTP-U bound to an
+	 * existing session are kept into account. */
 	rule = bpf_map_lookup_elem(&teid_egress, &rt_key);
 	if (!rule)
-		return XDP_PASS;
+		return XDP_DROP;
 
 	/* remote GTP-U udp port learning */
 	if (rule->flags & GTP_RT_FL_UDP_LEARNING && rule->gtp_udp_port == 0)

diff --git a/src/gtp_pppoe_proto.c b/src/gtp_pppoe_proto.c
@@ -577,8 +577,14 @@ pppoe_dispatch_disc_pkt(gtp_pppoe_t *pppoe, pkt_t *pkt)
 	 * session init */
 	if (s && s->pppoe->bundle &&
 	    __test_bit(PPPOE_FL_IGNORE_INGRESS_PPP_BRD_BIT, &s->pppoe->bundle->flags) &&
-	    (s->pppoe->ifindex != pppoe->ifindex))
+	    (s->pppoe->ifindex != pppoe->ifindex)) {
+		PPPDEBUG(("%s: pppoe brd filtering..."
+			  " s->pppoe->ifindex(%d)!=pppoe->ifindex(%d)"
+			  " for %.2x:%.2x:%.2x:%.2x:%.2x:%.2x session = 0x%.4x",
+			  pppoe->ifname, s->pppoe->ifindex, pppoe->ifindex,
+			  ETHER_BYTES(eh->ether_dhost), session));
 		return;
+	}
 
 	switch (code) {
 	case PPPOE_CODE_PADI:
@@ -720,8 +726,14 @@ pppoe_dispatch_session_pkt(gtp_pppoe_t *pppoe, pkt_t *pkt)
 	 * session init */
 	if (sp->pppoe->bundle &&
 	    __test_bit(PPPOE_FL_IGNORE_INGRESS_PPP_BRD_BIT, &sp->pppoe->bundle->flags) &&
-	    (sp->pppoe->ifindex != pppoe->ifindex))
+	    (sp->pppoe->ifindex != pppoe->ifindex)) {
+		PPPDEBUG(("%s: pppoe brd filtering..."
+			  " sp->pppoe->ifindex(%d)!=pppoe->ifindex(%d)"
+			  " for %.2x:%.2x:%.2x:%.2x:%.2x:%.2x session = 0x%.4x",
+			  pppoe->ifname, sp->pppoe->ifindex, pppoe->ifindex,
+			  ETHER_BYTES(eh->ether_dhost), session));
 		return;
+	}
 
 	sppp_input(sp->s_ppp, pkt);
 }