
I'm looking for a way to process packets in a Linux server in a particular fashion - I need to run some custom logic on every packet, then (possibly) take some actions on the packets and let the kernel route them as it wants. My specific use cases are:

  1. Catch IGMP packets (that are being passed inside a Linux bridge on my host) and validate their inner fields (multicast group and checksum) against some list of allowed values I have. If no match is found, drop the packet.
  2. When receiving an IPv6 packet (that's being routed via my Linux machine), compare the source address against some dictionary of "suspicious" addresses. If it matches, open the packet (up to and including the HTTP headers) and run some tests to make sure it's valid (e.g. verify port numbers, content length, header structure).
  3. Upon capturing a TCP segment, check the number of flags enabled in it, and if the number is greater than 5, send a copy of the packet to another destination (let's say, an IDS appliance) and forward the packet normally.

I've looked at some Linux utilities and tools such as tc, XDP, DPDK and other FD.io solutions (VPP), but could not find an easy way to work with those technologies in a simple fashion in order to achieve what I want. It's preferable if my validations and actions could run in a modern, flexible environment and language (not asking for Python or Java here, but bash would be preferable to some kernel-like C code).

What is the common way to implement such actions in a Linux machine? Any best practice or technology which allows all of the mentioned modifications and features in a programmatic way?

Cheers.

FitzChivalry
  • Updating after some private messages - iptables/nftables produce some basic manipulation tools, but they are far from enough for what I've asked. They allow basic actions only and not deep manipulations and script execution. – FitzChivalry Dec 22 '19 at 20:39

1 Answer

Using XDP INGRESS would be an ideal candidate for the IGMP and TCP scenarios. But for IPv6, since you have more checks and bounds, I'm not sure how it will translate. The disadvantage here is that there is no specific user application, hence it cannot make use of user zero-copy mode, and eBPF processes packet by packet in the sandboxed JIT. Packet mirroring for the IDS will be difficult too.

DPDK with TAP or KNI can indeed be a way to go, as you can batch and amortize the cost. But this involves user-space interception.

Here are my suggestions:

  1. If you have hw ack or Flow Director, then bifurcate the interesting traffic to a custom port or queue.
  2. Use DPDK on the custom port and inspect. If there is a match, mirror for the IDS and then inject into the kernel via TAP or KNI.

Or

  1. If there are no hw filters, try user-space eBPF to filter IGMP, IPv6 and TCP content from incoming traffic.
  2. The user-space application then runs the filter and mirror logic, then injects back into the kernel.
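The two checks that the question's use cases 1 and 3 describe, and that the answer says fit XDP, reduce to small header-parsing functions. Below is an added example (not code from the asker or the answerer) in plain C, written the way an XDP program would do it, with explicit length checks before every field read; the IGMP and TCP headers it runs on are constructed sample bytes, and the allow-list is an assumed single group.

```c
/* Added example: header checks for use cases 1 and 3, in plain C so they can
 * be unit-tested outside the kernel. Sample packets below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/* RFC 1071 one's-complement checksum; over a message that carries its own
 * checksum field this returns 0 when the checksum is valid. */
static uint16_t inet_csum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (len & 1)
        sum += (uint32_t)data[len - 1] << 8;   /* pad odd trailing byte */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);   /* fold carries */
    return (uint16_t)~sum;
}

/* Use case 1: an IGMP message (the bytes after the IPv4 header) is allowed
 * only if its checksum verifies and its group address is on the allow-list.
 * Group addresses are compared in network byte order. */
int igmp_allowed(const uint8_t *igmp, size_t len,
                 const uint32_t *allowed, size_t n_allowed)
{
    if (len < 8) return 0;                    /* IGMPv1/v2 header is 8 bytes */
    if (inet_csum(igmp, len) != 0) return 0;  /* corrupted or forged checksum */
    uint32_t group;
    memcpy(&group, igmp + 4, sizeof group);   /* bytes 4..7: group address */
    for (size_t i = 0; i < n_allowed; i++)
        if (group == allowed[i]) return 1;
    return 0;
}

/* Use case 3: number of TCP flag bits set (CWR ECE URG ACK PSH RST SYN FIN).
 * Returns -1 if the buffer cannot hold the 20-byte fixed TCP header. */
int tcp_flag_count(const uint8_t *tcp, size_t len)
{
    if (len < 20) return -1;
    uint8_t flags = tcp[13];                  /* low 8 bits of the flags field */
    int n = 0;
    for (; flags; flags &= (uint8_t)(flags - 1)) n++;   /* popcount */
    return n;
}

/* Constructed samples: IGMPv2 reports for 239.1.1.1 and 239.2.2.2 with valid
 * checksums, and a 20-byte TCP header with six flags set (0x3f). */
static const uint8_t IGMP_OK[8]  = {0x16,0x64,0xf9,0x98,0xef,0x01,0x01,0x01};
static const uint8_t IGMP_BAD[8] = {0x16,0x64,0xf8,0x96,0xef,0x02,0x02,0x02};
static const uint8_t TCP_6FLAGS[20] = {0,80,0xc0,0,0,0,0,1,0,0,0,0,0x50,0x3f,0xff,0xff,0,0,0,0};
```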