gamemann / XDP-Firewall

A firewall that utilizes the Linux kernel's XDP hook. The XDP hook allows for very fast network processing on Linux systems. This is great for dropping malicious traffic from a (D)DoS attack. IPv6 is supported with this firewall! I hope this helps network engineers/programmers interested in utilizing XDP!
https://deaconn.net/
MIT License
545 stars 92 forks

Improve the TCP flags checking process #40

Open D4nnyLee opened 1 year ago

D4nnyLee commented 1 year ago

Hello, I noticed that while filtering the packets, the filter checks all TCP flags one after another.

I think we can make use of the tcp_flag_word() macro and TCP_FLAG_* defined in <linux/tcp.h> to simplify the process of checking flags.

gamemann commented 1 year ago

Hey! Thank you for the information on tcp_flag_word(). This is the first time I'm seeing the function.

I'm unsure if using this would simplify the checking flags process, though. Initially, I thought using bitwise operations instead of logical could increase performance, but most modern compilers optimize both operations so that they should have similar performance. We'd still have to use multiple operations when checking against the flags from what I've seen.

I haven't dug too deeply into this function. If you have any examples of how it could simplify the process, please let me know!

D4nnyLee commented 1 year ago

I tried to make a commit for this.

The checking process will become:

if ((tcp_flag_word(tcph) & filter->tcpopts.enabled_flags) != filter->tcpopts.expected_flags)
{
    continue;
}

Flags that the filter wants to check will set the corresponding bits in enabled_flags and expected_flags.
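The mask-pair check described in the comment above, worked through as an added, stand-alone example (this is not code from the XDP-Firewall project or from the issue author). It does not include `<linux/tcp.h>`; instead it defines portable stand-ins for `tcp_flag_word()` and the `TCP_FLAG_*` constants so it builds anywhere, and it adds a load-time validity check that a practitioner would want: a rule whose `expected_flags` has bits outside `enabled_flags` can never match, so it is rejected rather than silently dropping nothing. The rule-building helper (`rule_set_flag`), the `tcp_flag_rule` struct and the sample headers are constructed for this example and are assumptions, not the project's own API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-ins for the kernel's TCP_FLAG_* constants (<linux/tcp.h>).
 * The kernel defines each as a big-endian 32-bit word covering TCP header
 * bytes 12..15 (data offset, reserved bits, flags, window); here they are the
 * host-order value of that same word, so the bit positions match byte for byte. */
#define TCP_FLAG_CWR 0x00800000u
#define TCP_FLAG_ECE 0x00400000u
#define TCP_FLAG_URG 0x00200000u
#define TCP_FLAG_ACK 0x00100000u
#define TCP_FLAG_PSH 0x00080000u
#define TCP_FLAG_RST 0x00040000u
#define TCP_FLAG_SYN 0x00020000u
#define TCP_FLAG_FIN 0x00010000u
#define TCP_FLAG_ALL (TCP_FLAG_CWR | TCP_FLAG_ECE | TCP_FLAG_URG | TCP_FLAG_ACK | \
                      TCP_FLAG_PSH | TCP_FLAG_RST | TCP_FLAG_SYN | TCP_FLAG_FIN)

#define TCP_HDR_LEN 20

/* Stand-in for tcp_flag_word(): the 32-bit word that starts at header byte 12. */
static uint32_t tcp_flag_word_of(const uint8_t hdr[TCP_HDR_LEN])
{
    return ((uint32_t)hdr[12] << 24) | ((uint32_t)hdr[13] << 16) |
           ((uint32_t)hdr[14] << 8) | (uint32_t)hdr[15];
}

/* Mask pair from the issue (hypothetical struct, not the project's): enabled_flags
 * marks which flag bits the rule cares about, expected_flags the value they must have. */
struct tcp_flag_rule {
    uint32_t enabled_flags;
    uint32_t expected_flags;
};

/* Per-flag rule state: must be set, must be clear, or not checked at all. */
enum flag_state { FLAG_ANY = 0, FLAG_SET = 1, FLAG_CLEAR = 2 };

static void rule_set_flag(struct tcp_flag_rule *r, uint32_t flag, enum flag_state st)
{
    if (st == FLAG_ANY) {
        r->enabled_flags &= ~flag;
        r->expected_flags &= ~flag;
        return;
    }
    r->enabled_flags |= flag;
    if (st == FLAG_SET)
        r->expected_flags |= flag;
    else
        r->expected_flags &= ~flag;
}

/* Validity check for rule load time: only real flag bits may be enabled, and
 * every expected bit must also be enabled, otherwise the rule can never match. */
static bool rule_is_valid(const struct tcp_flag_rule *r)
{
    return (r->enabled_flags & ~TCP_FLAG_ALL) == 0 &&
           (r->expected_flags & ~r->enabled_flags) == 0;
}

/* The single-comparison check proposed in the issue, in place of one test per flag. */
static bool rule_matches(const struct tcp_flag_rule *r, const uint8_t hdr[TCP_HDR_LEN])
{
    return (tcp_flag_word_of(hdr) & r->enabled_flags) == r->expected_flags;
}

/* Constructed minimal TCP header: data offset 5 (no options), given flags byte, window 65535. */
static void make_tcp_header(uint8_t hdr[TCP_HDR_LEN], uint8_t flags_byte)
{
    memset(hdr, 0, TCP_HDR_LEN);
    hdr[12] = 0x50;        /* data offset 5 words, reserved bits zero */
    hdr[13] = flags_byte;  /* CWR ECE URG ACK PSH RST SYN FIN */
    hdr[14] = 0xff;
    hdr[15] = 0xff;
}

/* Flags-byte values for the constructed sample segments. */
#define FLAGS_SYN     0x02
#define FLAGS_SYN_ACK 0x12
#define FLAGS_ACK     0x10
#define FLAGS_NONE    0x00
#define FLAGS_XMAS    0x29  /* FIN | PSH | URG */

static uint32_t flag_word_for(uint8_t flags_byte)
{
    uint8_t hdr[TCP_HDR_LEN];
    make_tcp_header(hdr, flags_byte);
    return tcp_flag_word_of(hdr);
}

/* Rule "SYN set, ACK clear, everything else ignored"; returns 1 when the segment matches. */
static int matches_syn_only_rule(uint8_t flags_byte)
{
    struct tcp_flag_rule r = { 0, 0 };
    uint8_t hdr[TCP_HDR_LEN];
    rule_set_flag(&r, TCP_FLAG_SYN, FLAG_SET);
    rule_set_flag(&r, TCP_FLAG_ACK, FLAG_CLEAR);
    make_tcp_header(hdr, flags_byte);
    return rule_is_valid(&r) && rule_matches(&r, hdr);
}

/* A rule expecting ACK while only enabling SYN is rejected; returns 1 when rejected. */
static int stray_expected_bits_rejected(void)
{
    struct tcp_flag_rule bad = { TCP_FLAG_SYN, TCP_FLAG_ACK };
    return !rule_is_valid(&bad);
}

int main(void)
{
    const uint8_t samples[] = { FLAGS_SYN, FLAGS_SYN_ACK, FLAGS_ACK, FLAGS_NONE, FLAGS_XMAS };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("flags byte 0x%02x -> flag word 0x%08x, SYN-only rule %s\n",
               samples[i], flag_word_for(samples[i]),
               matches_syn_only_rule(samples[i]) ? "matches" : "no match");
    printf("rule with stray expected bits rejected: %d\n", stray_expected_bits_rejected());
    return 0;
}
```

Because the window field shares the word, a rule must mask with `enabled_flags` before comparing; the validity check matters because a mismatched `expected_flags` fails silently rather than erroring.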

gamemann commented 1 year ago

Thank you for making that commit! I'm going to look further into this when I have more time.

Was the firewall and new TCP flag check method working under the commit/fork you made? If so, feel free to create a pull request so you'll get credit for this change :smile: