From: Vincent Li <vincent.mc.li@gmail.com>
To: xdp-newbies@vger.kernel.org
Subject: XDP syncookie not compatible with layer 2 Linux bridge middle box setup
Date: Fri, 25 Aug 2023 17:30:35 -0700
Message-ID: <CAK3+h2w6E1YXBHPX9wTqqoJo2B68akCmxb7C2rk-rAhJQptbCw@mail.gmail.com>

Hi,

I have been experimenting with
https://elixir.bootlin.com/linux/latest/source/tools/testing/selftests/bpf/progs/xdp_synproxy_kern.c
with suricata in AF_PACKET IPS inline bridge mode. My intention is to
attach the XDP syncookie program to the same network interface that
suricata inline mode runs on, so the XDP syncookie could do SYN flood
protection. The packet path is like:

client <-->xdp syncookie<-->suricata AF_PACKET bridge<-->server

What I found out is:

1. client sends SYN
2. XDP syncookie responds with SYN+ACK (with cookie), returns XDP_TX
3. client sends good ACK, XDP syncookie returns XDP_PASS, ACK goes to AF_PACKET bridge

The ACK from client is verified by XDP syncookie program and passed
on (XDP_PASS) to suricata AF_PACKET and bridged to server, but the
initial SYN from client is not passed on to suricata's AF_PACKET and
not bridged to server, so server sends RST to the ACK.

My understanding is that XDP syncookie uses netfilter connection
tracking; if the packet is destined to the host, it works fine.
But in a layer 2 middle box bridge scenario, the AF_PACKET bridge by
suricata or Linux bridge does not know about the initial SYN (XDP
syncookie returns XDP_TX). I am wondering if there is any solution to
get this to work.

If I run a firewall based on netfilter/iptables as a middle box, XDP
syncookie attached to the firewall network interface works to protect
the server, so my assumption is since XDP syncookie uses netfilter
connection tracking, layer 2 bridge has no visibility to the
connection tracking and initial SYN.

Thanks!
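The packet path described in the mail, as an added simulation that is not code from the original post and not the kernel's xdp_synproxy_kern.c. It models three pieces: an XDP-style syncookie filter (a simplified HMAC cookie with an 8-bit time slot is an assumption of this example, not the kernel's cookie layout), a server listener that answers a bare ACK for an unknown 4-tuple with RST, and two middle box variants. The layer 2 bridge variant forwards the validated ACK untouched, so the server never saw a SYN and resets. The "SYNPROXY-style" variant is a simplified model of what a netfilter host does after the cookie checks out, namely originating the handshake towards the server itself, which is why the firewall middle box case in the mail works; the state names and addresses are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed secret for the demo; a real implementation uses a random, rotating key.
SECRET = b"constructed-demo-secret"

XDP_TX, XDP_PASS, XDP_DROP = "XDP_TX", "XDP_PASS", "XDP_DROP"


@dataclass(frozen=True)
class Seg:
    """A TCP segment reduced to the fields the simulation needs."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str  # "S", "SA", "A" or "R"


def _cookie(src, dst, sport, dport, client_isn, ts):
    """24-bit MAC over the 4-tuple and client ISN, plus an 8-bit time slot (simplified layout)."""
    msg = f"{src}|{dst}|{sport}|{dport}|{client_isn}|{ts}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return (int.from_bytes(mac[:3], "big") << 8) | (ts & 0xFF)


def make_cookie(syn, now):
    return _cookie(syn.src, syn.dst, syn.sport, syn.dport, syn.seq, (now // 60) & 0xFF)


def check_cookie(ack, now):
    """The client's ACK carries cookie+1 in ack and client_isn+1 in seq."""
    c = (ack.ack - 1) & 0xFFFFFFFF
    ts = c & 0xFF
    if ((now // 60) - ts) & 0xFF > 1:  # accept only the current and previous time slot
        return False
    expected = _cookie(ack.src, ack.dst, ack.sport, ack.dport, (ack.seq - 1) & 0xFFFFFFFF, ts)
    return hmac.compare_digest(c.to_bytes(4, "big"), expected.to_bytes(4, "big"))


def xdp_syncookie(seg, now):
    """Mimic the XDP program's decisions: returns (action, segment to emit or None)."""
    if seg.flags == "S":
        c = make_cookie(seg, now)
        synack = Seg(seg.dst, seg.src, seg.dport, seg.sport,
                     seq=c, ack=(seg.seq + 1) & 0xFFFFFFFF, flags="SA")
        return XDP_TX, synack  # answered on the ingress interface; nothing upstream sees the SYN
    if seg.flags == "A":
        return (XDP_PASS, None) if check_cookie(seg, now) else (XDP_DROP, None)
    return XDP_PASS, None


class Server:
    """Listener state machine: a bare ACK for an unknown 4-tuple is answered with RST."""
    def __init__(self):
        self.syn_recv = set()
        self.established = set()

    def receive(self, seg):
        key = (seg.src, seg.sport)
        if seg.flags == "S":
            self.syn_recv.add(key)
            return "SA"
        if seg.flags == "A" and key in self.syn_recv:
            self.syn_recv.discard(key)
            self.established.add(key)
            return None
        return "R"


CLIENT, SERVER, NOW = "10.0.0.2", "10.0.0.10", 1_700_000_000  # constructed values


def handshake_front(now=NOW):
    """Client side of the exchange against the XDP syncookie program."""
    syn = Seg(CLIENT, SERVER, 40000, 80, seq=1000, ack=0, flags="S")
    act1, synack = xdp_syncookie(syn, now)
    ack = Seg(CLIENT, SERVER, 40000, 80, seq=1001, ack=(synack.seq + 1) & 0xFFFFFFFF, flags="A")
    act2, _ = xdp_syncookie(ack, now)
    return act1, act2, syn, ack


def run_bridge_path(now=NOW):
    """Layer 2 bridge middle box: the validated ACK is forwarded to the server as-is."""
    act1, act2, _, ack = handshake_front(now)
    server = Server()
    return act1, act2, server.receive(ack)  # server never saw the SYN, so it answers RST


def run_synproxy_path(now=NOW):
    """Netfilter-host middle box (simplified): after the cookie checks out, the middle box
    originates the SYN to the server on the client's behalf and completes the handshake."""
    act1, act2, syn, ack = handshake_front(now)
    server = Server()
    if server.receive(syn) == "SA":
        server.receive(ack)
    state = "established" if (CLIENT, 40000) in server.established else "reset"
    return act1, act2, state


def run_bad_cookie(now=NOW):
    """An ACK whose cookie does not verify is dropped in XDP and never reaches the bridge."""
    forged = Seg(CLIENT, SERVER, 40001, 80, seq=1, ack=12345, flags="A")
    return xdp_syncookie(forged, now)[0]


if __name__ == "__main__":
    print("bridge   :", run_bridge_path())
    print("synproxy :", run_synproxy_path())
    print("bad cookie:", run_bad_cookie())
```

The bridge path returns `("XDP_TX", "XDP_PASS", "R")`: the XDP_TX reply keeps the SYN off the bridge entirely, and the bridged ACK arrives at a listener with no SYN-RECV state for that 4-tuple. The synproxy path differs only in that something on the middle box re-creates the SYN towards the server after the cookie is validated, which is the piece a pure layer 2 forwarder has no hook to perform.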
