bpf: Drop bad QUIC packet

Drop a QUIC packet if it is shorter than the minimum valid QUIC packet, or
if it comes from one of the remote ports known to belong to a UDP service
that can be abused for UDP reflection attacks.
Tatsuhiro Tsujikawa
2024-03-31 18:39:15 +09:00
parent 5483edded8
commit e8c45f4bfd


@@ -484,6 +484,32 @@ int select_reuseport(struct sk_reuseport_md *reuse_md) {
__u8 qpktbuf[6 + MAX_DCIDLEN]; __u8 qpktbuf[6 + MAX_DCIDLEN];
struct AES_ctx *aes_ctx; struct AES_ctx *aes_ctx;
__u8 *worker_id; __u8 *worker_id;
__u16 remote_port;
__u8 *data = reuse_md->data;
/* Packets less than 22 bytes never be a valid QUIC packet. */
if (reuse_md->len < sizeof(struct udphdr) + 22) {
return SK_DROP;
}
if (reuse_md->data + sizeof(struct udphdr) > reuse_md->data_end) {
return SK_DROP;
}
remote_port = (data[0] << 8) + data[1];
switch (remote_port) {
case 1900:
case 5353:
case 11211:
case 20800:
case 27015:
return SK_DROP;
default:
if (remote_port < 1024) {
return SK_DROP;
}
}
if (bpf_skb_load_bytes(reuse_md, sizeof(struct udphdr), qpktbuf, if (bpf_skb_load_bytes(reuse_md, sizeof(struct udphdr), qpktbuf,
sizeof(qpktbuf)) != 0) { sizeof(qpktbuf)) != 0) {