add bpf filter to icmp sockets

Author: Arian8j2

Cargo.lock

@@ -10,3 +10,4 @@ socket2 = { version = "0.5.5", features = ["all"] }
 mio = { version = "1.0.2", features = ["net", "os-poll"] }
 parking_lot = "0.12.3"
 smoltcp = { version = "0.12.0", default-features = false, features = ["proto-ipv4", "proto-ipv6"] }
+libc = "0.2.158"

forwarder/Cargo.toml

@@ -35,8 +35,8 @@ pub fn run(listen_uri: Uri, remote_uri: Uri, passphrase: Option<String>) -> anyh
     let socket = Arc::new(socket);
     log::info!("listen on '{listen_addr}'");
 
-    let poll = poll::new(remote_uri.protocol, remote_uri.addr.is_ipv6())
-        .with_context(|| "couldn't create poll")?;
+    let poll =
+        poll::new(remote_uri.protocol, remote_uri.addr).with_context(|| "couldn't create poll")?;
     let registry = poll
         .get_registry()
         .with_context(|| "couldn't create poll registry")?;

forwarder/src/lib.rs

@@ -5,7 +5,7 @@ use crate::{
 };
 use icmp::IcmpPoll;
 use parking_lot::RwLock;
-use std::sync::Arc;
+use std::{net::SocketAddr, sync::Arc};
 use udp::UdpPoll;
 
 type OnPeerRecvCallback = dyn Fn(&Peer, &mut [u8]);
@@ -34,9 +34,9 @@ pub trait Registry: Send + Sync {
 mod icmp;
 mod udp;
 
-pub fn new(protocol: Protocol, is_ipv6: bool) -> anyhow::Result<Box<dyn Poll>> {
+pub fn new(protocol: Protocol, remote_addr: SocketAddr) -> anyhow::Result<Box<dyn Poll>> {
     Ok(match protocol {
         Protocol::Udp => Box::new(UdpPoll::new()?),
-        Protocol::Icmp => Box::new(IcmpPoll { is_ipv6 }),
+        Protocol::Icmp => Box::new(IcmpPoll { remote_addr }),
     })
 }

forwarder/src/poll.rs

@@ -7,11 +7,11 @@ use crate::{
     MAX_PACKET_SIZE,
 };
 use parking_lot::RwLock;
-use std::sync::Arc;
+use std::{net::SocketAddr, sync::Arc};
 
 #[derive(Debug)]
 pub struct IcmpPoll {
-    pub is_ipv6: bool,
+    pub remote_addr: SocketAddr,
 }
 
 impl Poll for IcmpPoll {
@@ -24,17 +24,27 @@ impl Poll for IcmpPoll {
         peers: Arc<RwLock<PeerManager>>,
         on_peer_recv: Box<dyn Fn(&Peer, &mut [u8])>,
     ) -> anyhow::Result<()> {
-        let listen_addr = crate::peer::create_any_addr(self.is_ipv6);
+        let is_ipv6 = self.remote_addr.is_ipv6();
+        let listen_addr = crate::peer::create_any_addr(is_ipv6);
         let socket: socket2::Socket = IcmpSocket::inner_bind(listen_addr)?;
+
+        #[cfg(target_os = "linux")]
+        {
+            let filter =
+                crate::socket::icmp::create_bfp_seq_filter(is_ipv6, self.remote_addr.port());
+            if let Err(error) = socket.attach_filter(&filter) {
+                log::warn!("couldn't attach bpf filter: {error:?}");
+            }
+        }
+
         let mut buffer = [0u8; MAX_PACKET_SIZE];
-        let header_offset = header_offset(self.is_ipv6);
+        let header_offset = header_offset(is_ipv6);
 
         loop {
             let Ok(size) = socket.recv(cast_maybe_uninit(&mut buffer)) else {
                 continue;
             };
-            let Some(icmp_packet) =
-                parse_icmp_packet(&buffer[header_offset..size], self.is_ipv6, true)
+            let Some(icmp_packet) = parse_icmp_packet(&buffer[header_offset..size], is_ipv6, true)
             else {
                 continue;
             };

forwarder/src/poll/icmp.rs

@@ -4,7 +4,7 @@ use socket2::{Domain, Protocol, Type};
 use std::{
     io,
     mem::MaybeUninit,
-    net::{IpAddr, Ipv6Addr, SocketAddr},
+    net::{IpAddr, Ipv6Addr, SocketAddr, UdpSocket},
     slice,
 };
 
@@ -18,20 +18,27 @@ pub struct IcmpSocket {
     /// actual underlying icmp socket
     socket: socket2::Socket,
     /// udp socket that is kept alive for avoiding duplicate port
-    _udp_socket: std::net::UdpSocket,
-    /// address of udp socket same as `udp_socket.local_addr()`
-    udp_socket_addr: SocketAddr,
+    _udp_socket: UdpSocket,
+    addr: SocketAddr,
 }
 
 impl IcmpSocket {
     pub fn bind(addr: &SocketAddr) -> io::Result<Self> {
-        let udp_socket = std::net::UdpSocket::bind(addr)?;
+        let udp_socket = UdpSocket::bind(addr)?;
         let udp_socket_addr = udp_socket.local_addr()?;
         let socket = IcmpSocket::inner_bind(*addr)?;
 
+        #[cfg(target_os = "linux")]
+        {
+            let filter = create_bfp_seq_filter(udp_socket_addr.is_ipv6(), udp_socket_addr.port());
+            if let Err(error) = socket.attach_filter(&filter) {
+                log::warn!("couldn't attach bpf filter: {error:?}");
+            }
+        }
+
         Ok(IcmpSocket {
             _udp_socket: udp_socket,
-            udp_socket_addr,
+            addr: udp_socket_addr,
             socket,
         })
     }
@@ -50,30 +57,29 @@ impl IcmpSocket {
 impl SocketTrait for IcmpSocket {
     fn send_to(&self, buffer: &mut [u8], to: &SocketAddr) -> io::Result<usize> {
         let buffer_with_header = unsafe { slice_sub(buffer, ICMP_HEADER_LEN) };
-        craft_icmp_packet(buffer_with_header, &self.udp_socket_addr, to, true);
+        craft_icmp_packet(buffer_with_header, &self.addr, to, true);
         let mut to_addr = *to;
         // in linux `send_to` on icmpv6 socket requires destination port to be zero
         to_addr.set_port(0);
         self.socket.send_to(buffer_with_header, &to_addr.into())
     }
 
     fn recv_from(&self, buffer: &mut [u8]) -> io::Result<(usize, SocketAddr)> {
-        let local_addr = self.udp_socket_addr;
-        loop {
-            let icmp_header_offset = header_offset(local_addr.is_ipv6());
+        let is_ipv6 = self.addr.is_ipv6();
+        let icmp_header_offset = header_offset(is_ipv6);
+        // aligning in a way that the icmp payload gets written into buffer
+        let payload_offset = icmp_header_offset + ICMP_HEADER_LEN;
 
-            // aligning in a way that the icmp payload gets written into buffer
-            let payload_offset = icmp_header_offset + ICMP_HEADER_LEN;
+        loop {
             let buffer_with_header = unsafe { slice_sub(buffer, payload_offset) };
-
             let (size, from_addr) = self
                 .socket
                 .recv_from(cast_maybe_uninit(buffer_with_header))?;
             let icmp_packet = &mut buffer_with_header[icmp_header_offset..size];
-            let Some(packet) = parse_icmp_packet(icmp_packet, local_addr.is_ipv6(), false) else {
+            let Some(packet) = parse_icmp_packet(icmp_packet, is_ipv6, false) else {
                 continue;
             };
-            if packet.dst_port != local_addr.port() {
+            if packet.dst_port != self.addr.port() {
                 continue;
             }
             // doesn't panic because from_addr is either ipv6 or ipv4
@@ -85,13 +91,16 @@ impl SocketTrait for IcmpSocket {
     }
 
     fn local_addr(&self) -> io::Result<SocketAddr> {
-        Ok(self.udp_socket_addr)
+        Ok(self.addr)
     }
 }
 
 #[derive(Debug)]
 pub struct NonBlockingIcmpSocket {
-    icmp_socket: IcmpSocket,
+    socket: socket2::Socket,
+    /// udp socket that is kept alive for avoiding duplicate port
+    _udp_socket: UdpSocket,
+    addr: SocketAddr,
     // we need to have a copy of connected addr because we
     // need it to craft packet, in ipv6 we need addr + port and
     // in ipv4 we need port
@@ -100,11 +109,15 @@ pub struct NonBlockingIcmpSocket {
 
 impl NonBlockingIcmpSocket {
     pub fn bind(addr: &SocketAddr) -> io::Result<Self> {
-        let icmp_socket = IcmpSocket::bind(addr)?;
-        icmp_socket.socket.set_nonblocking(true)?;
+        let udp_socket = UdpSocket::bind(addr)?;
+        let addr = udp_socket.local_addr()?;
+        let socket = IcmpSocket::inner_bind(addr)?;
+        socket.set_nonblocking(true)?;
         Ok(Self {
-            icmp_socket,
+            socket,
             connected_addr: None,
+            _udp_socket: udp_socket,
+            addr,
         })
     }
 }
@@ -116,26 +129,21 @@ impl NonBlockingSocketTrait for NonBlockingIcmpSocket {
             .ok_or_else(|| Into::<io::Error>::into(io::ErrorKind::NotConnected))?;
         // it's safe because the main buffer has reserved bytes
         let buffer_with_header = unsafe { slice_sub(buffer, ICMP_HEADER_LEN) };
-        craft_icmp_packet(
-            buffer_with_header,
-            &self.icmp_socket.udp_socket_addr,
-            &dst_addr,
-            false,
-        );
-        self.icmp_socket.socket.send(buffer_with_header)
+        craft_icmp_packet(buffer_with_header, &self.addr, &dst_addr, false);
+        self.socket.send(buffer_with_header)
     }
 
     fn connect(&mut self, addr: &SocketAddr) -> io::Result<()> {
         self.connected_addr = Some(*addr);
         let mut addr = *addr;
         // in linux icmpv6 socket requires destination port to be zero
         addr.set_port(0);
-        self.icmp_socket.socket.connect(&addr.into())?;
+        self.socket.connect(&addr.into())?;
         Ok(())
     }
 
     fn local_addr(&self) -> io::Result<SocketAddr> {
-        self.icmp_socket.local_addr()
+        Ok(self.addr)
     }
 }
 
@@ -241,3 +249,19 @@ fn as_ipv6(ip: &IpAddr) -> &Ipv6Addr {
         _ => panic!(),
     }
 }
+
+// bpf filter is really useful when having multiple forwarder instances
+// on same kernel, by default all icmp sockets receives all packets and then
+// we in user mode filter them but with this the packets get filtered on kernel
+#[cfg(target_os = "linux")]
+pub fn create_bfp_seq_filter(is_ipv6: bool, value: u16) -> [libc::sock_filter; 4] {
+    let icmp_header_offset = header_offset(is_ipv6);
+    let offset = icmp_header_offset + 6;
+    [
+        (0x28, 0, 0, offset as u32), // ldh [offset]
+        (0x15, 0, 1, value as u32),  // jne val, drop
+        (0x06, 0, 0, 0xffffffff),    // ret #-1
+        (0x06, 0, 0, 0000000000),    // drop: ret #0
+    ]
+    .map(|(code, jt, jf, k)| libc::sock_filter { code, jt, jf, k })
+}