ingress-node-firewall.db
{
  "gitRepoUrl": "https://github.com/openshift/ingress-node-firewall.git",
  "commitId": "7bf8d11f60420be51488fca94d9469ecb4bd855c",
  "humanFuncDescription": [
    {
      "filePath": "bpf/ingress_node_firewall_kernel.c",
      "funcName": "ip_extract_l4info",
      "startLine": 95,
      "endLine": 174,
      "description": "This function takes in an xdp_md *ctx, a pointer to u8 *proto, a pointer to u16 *dstPort, a pointer to u8 *icmpType, a pointer to u8 *icmpCode and a u8 flag is_v4. Based on the packet: if the packet protocol is TCP/UDP/SCTP it parses the packet protocol and dstPort and stores the values through the pointers proto and dstPort; if the packet protocol is ICMP it dereferences icmpType and icmpCode and stores the packet's icmpType and icmpCode, along with setting the protocol to ICMP. If it is able to successfully parse the information it returns 0, else -1.",
      "author": "Theophilus A. Benson",
      "authorEmail": "theophilus@cmu.edu",
      "date": "05-Apr-2023"
    },
    {
      "filePath": "bpf/ingress_node_firewall_kernel.c",
      "funcName": "ipv4_firewall_lookup",
      "startLine": 189,
      "endLine": 259,
      "description": "This function takes in an xdp_md *ctx and a u32 as ifID. It first calls ip_extract_l4info to extract the protocol type, dst port, icmp type and icmp code from the packet. The function dereferences the source address from the ip header of the packet. It next forms a struct lpm_ip_key_st key with prefixlen fixed at 64 (size of ipv4 address + size of ifId), ip_data byte array as the srcAddr represented as bytes and ingress_interface as the ifId. It performs a lookup on the map ingress_node_firewall_table_map using the constructed key to retrieve the firewall rules to be applied to this packet. The map returns a struct rulesVal_st *rulesVal which is an array of struct ruleType_st. If the map lookup returns null it will return the UNDEF action, else it will perform a lookup on all the rules in the array one by one. Any rule in the array which has id set to INVALID_RULE_ID is skipped, and for any valid rule the firewall rule is applied like this: if the rule contains no protocol info then a blanket action, which is programmed in the rule, is applied to all packets; else if the protocol in the rule matches the packet protocol, then for TCP/UDP/SCTP packets, if the rule contains dst port start but not end then the dst port of the packet is matched against the dst port start, else if dst port start and dst port end are both set then the packet dst port is checked to be in the range [dst port start: end]. For ICMP packets the rule checks if the icmp code and icmp type of the packet match those present in the rule. For any match, the rule's action is applied to the packet and the function returns. If a particular rule does not match according to the above algorithm then the next rule is tried, and so on. If there is no match then action UNDEF is returned.",
      "author": "Theophilus A. Benson",
      "authorEmail": "theophilus@cmu.edu",
      "date": "05-Apr-2023"
    },
    {
      "filePath": "bpf/ingress_node_firewall_kernel.c",
      "funcName": "ipv6_firewall_lookup",
      "startLine": 274,
      "endLine": 337,
      "description": "This function takes in an xdp_md *ctx and a u32 as ifID. It first calls ip_extract_l4info to extract the protocol type, dst port, icmp type and icmp code from the packet. The function dereferences the source address from the ip header of the packet. It next forms a struct lpm_ip_key_st key with prefixlen fixed at 160 (size of ipv6 address + size of ifId), ip_data byte array as the srcAddr represented as bytes and ingress_interface as the ifId. It performs a lookup on the map ingress_node_firewall_table_map using the constructed key to retrieve the firewall rules to be applied to this packet. The map returns a struct rulesVal_st *rulesVal which is an array of struct ruleType_st. If the map lookup returns null it will return the UNDEF action, else it will perform a lookup on all the rules in the array one by one. Any rule in the array which has id set to INVALID_RULE_ID is skipped, and for any valid rule the firewall rule is applied like this: if the rule contains no protocol info then a blanket action, which is programmed in the rule, is applied to all packets; else if the protocol in the rule matches the packet protocol, then for TCP/UDP/SCTP packets, if the rule contains dst port start but not end then the dst port of the packet is matched against the dst port start, else if dst port start and dst port end are both set then the packet dst port is checked to be in the range [dst port start: end]. For ICMP packets the rule checks if the icmp code and icmp type of the packet match those present in the rule. For any match, the rule's action is applied to the packet and the function returns. If a particular rule does not match according to the above algorithm then the next rule is tried, and so on. If there is no match then action UNDEF is returned.",
      "author": "Theophilus A. Benson",
      "authorEmail": "theophilus@cmu.edu",
      "date": "05-Apr-2023"
    },
    {
      "filePath": "bpf/ingress_node_firewall_kernel.c",
      "funcName": "generate_event_and_update_statistics",
      "startLine": 354,
      "endLine": 393,
      "description": "This function takes in a packet as xdp_md *ctx, packet_length, action, ruleId, a generateEvent flag and the interface id as ifId. It looks up the map ingress_node_firewall_statistics_map with ruleId as the key; the map returns a struct ruleStatistics_st *statistics. If it is not null then, based on action, either the allow or the deny statistic is updated, with the packet counter in the statistic incremented by 1 and the size counter in the statistic incremented by packet_len. If it returns null then an initial statistic with values set to zero is stored in the map against the same ruleId as the key. Next, if the generateEvent flag was set in the arguments, it will send a perf event to userspace by calling the bpf_perf_event_output helper function on the ingress_node_firewall_events_map events map. The passed event is of the form struct event_hdr_st and contains the information about ruleId, action, packet_len and ifId. This function returns nothing and has a void return type.",
      "author": "Theophilus A. Benson",
      "authorEmail": "theophilus@cmu.edu",
      "date": "05-Apr-2023"
    },
    {
      "filePath": "bpf/ingress_node_firewall_kernel.c",
      "funcName": "ingress_node_firewall_main",
      "startLine": 405,
      "endLine": 450,
      "description": "This function takes in a packet as struct xdp_md *ctx. It first checks if the packet is well formed; if not, it returns XDP_DROP. Then it checks if the packet is an ipv4 or ipv6 packet and calls the respective firewall lookup function ipv4_firewall_lookup/ipv6_firewall_lookup with ctx and ifId, which is the packet ingress interface. Both functions return a firewall rule and the action to be applied to the packet; this function then records the action and rule for this packet by calling the generate_event_and_update_statistics function, and returns XDP_DROP to drop the packet if the action is DENY, else XDP_PASS to allow the packet if the action is ALLOW or undefined.",
      "author": "Theophilus A. Benson",
      "authorEmail": "theophilus@cmu.edu",
      "date": "05-Apr-2023"
    },
    {
      "filePath": "bpf/ingress_node_firewall_kernel.c",
      "funcName": "ingress_node_firewall_process",
      "startLine": 453,
      "endLine": 455,
      "description": "This is a wrapper function which attaches itself at the XDP hook point, calls the function ingress_node_firewall_main and returns its result.",
      "author": "Theophilus A. Benson",
      "authorEmail": "theophilus@cmu.edu",
      "date": "05-Apr-2023"
    },
    {
      "filePath": "bpf/headers/bpf_helpers.h",
      "funcName": "bpf_tail_call_static",
      "startLine": 135,
      "endLine": 160,
      "description": "This function performs a static tail call to another function.",
      "author": "Theophilus A. Benson",
      "authorEmail": "theophilus@cmu.edu",
      "date": "05-Apr-2023"
    }
  ]
}