bpf: drop packets not redirected from wan/lan

skb->mark will be reset when going across netns (skb_scrub_packet), so this commit sets a special value in cb[0] which can survive bpf_redirect and netns crossing. This solves issues like: level=warning msg="No AddrPort presented: reading map: key [[::ffff:0.0.0.0]:68, 17, 255.255.255.255:67]: lookup: key does not exist"
daeuniverse · Feb 29, 2024 · a1a4012 · a1a4012
1 parent 7c924d1
commit a1a4012
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/control/kern/tproxy.c b/control/kern/tproxy.c
@@ -902,6 +902,7 @@ redirect_to_control_plane(struct __sk_buff *skb, __u32 link_h_len,
   __builtin_memcpy(redirect_entry.dmac, ethh->h_dest, sizeof(ethh->h_dest));
   bpf_map_update_elem(&redirect_track, &redirect_tuple, &redirect_entry, BPF_ANY);
 
+  skb->cb[0] = TPROXY_MARK;
   return bpf_redirect(PARAM.dae0_ifindex, 0);
 }
 
@@ -1382,6 +1383,11 @@ int tproxy_dae0peer_ingress(struct __sk_buff *skb) {
   __u8 ihl;
   __u8 l4proto;
   __u32 link_h_len = 14;
+
+  if (skb->cb[0] != TPROXY_MARK) {
+    return TC_ACT_SHOT;
+  }
+
   int ret = parse_transport(skb, link_h_len, &ethh, &iph, &ipv6h, &icmp6h,
                             &tcph, &udph, &ihl, &l4proto);
   if (ret) {