xdp-project / xdp-tutorial

XDP tutorial

Can AF XDP modify tcp payload in user-space #377

Closed xd121614 closed 7 months ago

xd121614 commented 7 months ago

I use AF XDP to redirect traffic to a user-space program successfully, and the user-space program just prints and forwards the packet. Is it possible to do some complex action, such as drop or modify the TCP payload (pkt len may be changed)? Then AF XDP technology could be used in the application-layer-firewall or db-firewall field.

tohojo commented 7 months ago

xd121614 @.***> writes:

> I use AF XDP to redirect traffic to a user-space program successfully, and the user-space program just prints and forwards the packet. Is it possible to do some complex action, such as drop or modify the TCP payload? Then AF XDP technology could be used in the application-layer-firewall or db-firewall field.

Erm, yes, you have the full payload of the packet available, so you can do whatever you want with it :)

xd121614 commented 7 months ago

What I know is that it's easy to drop (don't put the pkt in the tx queue), but hard to modify the TCP payload when the modified pkt len > raw pkt len. Is there some open-source example for modifying and forwarding a new pkt with a different len?

tohojo commented 7 months ago

xd121614 @.***> writes:

> What I know is that it's easy to drop (don't put the pkt in the tx queue), but hard to modify the TCP payload when the modified pkt len > raw pkt len.

Ah, right, if by "modify the TCP payload" you mean "build a full-fledged TCP middlebox" then yeah, you're going to have to do some more work than just modifying the packet contents.

> Is there some open-source example for modifying and forwarding a new pkt with a different len?

No idea. TCP middleboxes fall squarely into the "don't do that" category for me personally, so I have no interest in helping with this, sorry.

xd121614 commented 7 months ago

Not exactly full-fledged. Just modify the pkt and put it in tx. What confuses me is how to adjust the tx xdp_desc:

```c
struct xdp_desc {
	__u64 addr;
	__u32 len;
	__u32 options;
};
```

When the pkt len changes, addr and len also need to change.
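An added example, not part of the thread and not code from xdp-tutorial, of the descriptor question above: the TCP payload is rewritten in place in the UMEM frame, the IPv4 length and both checksums are recomputed, and only `len` changes while `addr` stays put as long as the packet still fits in its chunk. Keeping TCP sequence and acknowledgement numbers consistent after a length change is not handled here. Assumptions: aligned-chunk UMEM, an untagged Ethernet/IPv4/TCP frame already validated by the caller, and the hypothetical names `struct desc`, `csum` and `set_payload`.

```c
#include <stdint.h>
#include <string.h>

/* Same layout as struct xdp_desc in <linux/if_xdp.h>; redefined to build without kernel headers. */
struct desc { uint64_t addr; uint32_t len; uint32_t options; };

/* Internet checksum (RFC 1071) over len bytes, starting from the seed in sum. */
static uint16_t csum(const uint8_t *p, size_t len, uint32_t sum)
{
	for (; len > 1; p += 2, len -= 2)
		sum += (uint32_t)(p[0] << 8 | p[1]);
	if (len)
		sum += (uint32_t)p[0] << 8;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Replace the TCP payload of the frame at d->addr with n bytes from data. Returns 0, or
 * -1 if the headers are malformed or the new packet would cross the end of its chunk. */
int set_payload(uint8_t *umem, uint32_t chunk, struct desc *d,
		const void *data, uint16_t n)
{
	uint8_t *pkt = umem + d->addr, *ip = pkt + 14, *tcp;
	uint32_t ihl, thl, hdrs, tot, seed, i;
	uint16_t c;
	if (d->len < 54) return -1;
	ihl = (ip[0] & 0x0f) * 4u;
	if (ihl < 20 || 14 + ihl + 20 > d->len) return -1;
	tcp = ip + ihl;
	thl = (tcp[12] >> 4) * 4u;
	hdrs = 14 + ihl + thl;
	tot = ihl + thl + n;               /* new IPv4 total length */
	if (thl < 20 || hdrs > d->len || tot > 0xffff ||
	    d->addr % chunk + 14 + tot > chunk) return -1;
	memcpy(pkt + hdrs, data, n);
	ip[2] = tot >> 8; ip[3] = tot & 0xff;
	ip[10] = ip[11] = 0;
	c = csum(ip, ihl, 0);
	ip[10] = c >> 8; ip[11] = c & 0xff;
	/* TCP pseudo-header: source, destination, protocol 6, TCP length. */
	for (seed = 6 + thl + n, i = 12; i < 20; i += 2)
		seed += (uint32_t)(ip[i] << 8 | ip[i + 1]);
	tcp[16] = tcp[17] = 0;
	c = csum(tcp, thl + n, seed);
	tcp[16] = c >> 8; tcp[17] = c & 0xff;
	d->len = 14 + tot; /* addr stays: the packet starts at the same offset */
	return 0;
}
```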