Working on a project using AF_XDP for both monitoring and filtering purposes.
I have the code below on the eBPF side, and a userspace part written in Go. In the userspace program, I want to manipulate or modify a packet at the Ethernet/IPv4/TCP layers and then send it to the kernel. This way, for example, I can block it. I found that when I split the packet into Ethernet, IPv4, and TCP layers in user space, set TCP.rst = true, recalculated the checksum, and modified the packet, it worked, but it was not actually stable. I could send a TCP connection reset this way. However, this approach only applies to TCP.
eBPF Packet Analysis and Blocking Implementation
I want to experiment with the scenario where TCP.rst = false and then block it. That way, I can block all protocols, including UDP for example, in user space by writing the packet to the socket.
```c
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

/* xdp_stats_map and xsks_map are defined elsewhere in the program
 * (their definitions are not shown in this post). */

SEC("xdp_sock")
int xdp_sock_prog(struct xdp_md *ctx) {
    int index = ctx->rx_queue_index;
    // L2
    __u32 *pkt_count;

    /* Per-queue packet counter */
    pkt_count = bpf_map_lookup_elem(&xdp_stats_map, &index);
    if (pkt_count) {
        /* We pass every other packet */
        if ((*pkt_count)++ & 1)
            return XDP_PASS;
    }
    /* A set entry here means that the corresponding queue_id
     * has an active AF_XDP socket bound to it. */
    if (bpf_map_lookup_elem(&xsks_map, &index)) {
        return bpf_redirect_map(&xsks_map, index, 0);
    }
    return XDP_PASS;
}
```
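The userspace step described in the post (split the frame into Ethernet/IPv4/TCP, set RST, recalculate the checksum), as an added Go example that is not the poster's code. The names `SetRST`, `inetSum` and `errNotTCP` are hypothetical, the frame in `main` is constructed, and untagged Ethernet is assumed; UDP, fragments and truncated frames are rejected instead of rewritten.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

var errNotTCP = fmt.Errorf("not an unfragmented IPv4/TCP frame")

// inetSum finishes an RFC 1071 one's-complement checksum over data, seeded with sum.
func inetSum(sum uint32, data []byte) uint16 {
	for i := 0; i+1 < len(data); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(data[i:]))
	}
	if len(data)%2 == 1 {
		sum += uint32(data[len(data)-1]) << 8 // pad the odd trailing byte
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// SetRST sets RST in place on an untagged Ethernet/IPv4/TCP frame and rewrites the TCP checksum.
func SetRST(frame []byte) error {
	if len(frame) < 34 || binary.BigEndian.Uint16(frame[12:]) != 0x0800 {
		return errNotTCP // too short, VLAN-tagged, IPv6, ARP, ...
	}
	ip := frame[14:]
	ihl, total := int(ip[0]&0x0f)*4, int(binary.BigEndian.Uint16(ip[2:]))
	frag := binary.BigEndian.Uint16(ip[6:]) & 0x3fff // MF bit + fragment offset
	if ip[0]>>4 != 4 || ihl < 20 || ip[9] != 6 || frag != 0 || total < ihl+20 || total > len(ip) {
		return errNotTCP // UDP (protocol 17) ends up here
	}
	tcp := ip[ihl:total]
	tcp[13] |= 0x04             // flags byte: RST
	tcp[16], tcp[17] = 0, 0     // checksum field counts as zero while summing
	sum := uint32(6 + len(tcp)) // pseudo-header: protocol number + TCP length
	for i := 12; i < 20; i += 2 { // pseudo-header: source and destination address
		sum += uint32(binary.BigEndian.Uint16(ip[i:]))
	}
	binary.BigEndian.PutUint16(tcp[16:], inetSum(sum, tcp))
	return nil
}

func main() {
	f := make([]byte, 54) // constructed frame: Ethernet + IPv4 + TCP headers, zero addresses
	f[12], f[14], f[17], f[23] = 0x08, 0x45, 40, 6 // EtherType IPv4, version/IHL, total length, TCP
	fmt.Println(SetRST(f), f[47]&0x04 != 0) // <nil> true
}
```

Only TCP bytes change, so the IPv4 header checksum stays valid; the rewrite is in place on the received buffer.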