We need to extend the current filtration rules to cover filtration abilities according to RFC 8955 and 8956
RFC 8955 4.2.2.1 Destination Prefix
Add netmasks to the destination filter
4.2.2.10 Packet Length
Introduce ip_anomaly_filter, similar to TCP anomlay:
ip4_pkt_len <op> <uint>
ip6_pkt_len <op> <uint>
e.g.
<op> can be ==, !=, <, >, <=, =>. This must be an optimized code, not a simple if/switch on the operator type. Ideally, if we can insert a eBPF opcode right into the binary code. Or we can move this into a separate eBPF subprogram and compile on per-configuration basis. This could be a Tempesta Language (TL) section.
RFC 8955 4.2.2.8 & RFC 8956 3.5 ICMPv4 and ICMPv6 Code
Add ICMPv4 and ICMPv6 code to the ICMP filter
RFC 8955 4.2.2.12 & RFC 8956 3.6 Fragment
At the moment we prohibit any IP fragments, but it's not reliable for broader (ISP) cases. IP Anomaly Filter should be replaced with
ip6_frag <IsF,FF,LF,0>
ip4_frag <DF,IsF,FF,LF,0>
, which allows only specified values (RFC 8955 4.2.2.12 and RFC 8956 3.6). Note that DF is ignored for IPv6.
We need to extend the current filtration rules to cover filtration abilities according to RFC 8955 and 8956
RFC 8955 4.2.2.1 Destination Prefix
Add netmasks to the destination filter
4.2.2.10 Packet Length
Introduce
ip_anomaly_filter, similar to TCP anomlay:e.g.
<op>can be==,!=,<,>,<=,=>. This must be an optimized code, not a simple if/switch on the operator type. Ideally, if we can insert a eBPF opcode right into the binary code. Or we can move this into a separate eBPF subprogram and compile on per-configuration basis. This could be a Tempesta Language (TL) section.RFC 8955 4.2.2.8 & RFC 8956 3.5 ICMPv4 and ICMPv6 Code
Add ICMPv4 and ICMPv6 code to the ICMP filter
RFC 8955 4.2.2.12 & RFC 8956 3.6 Fragment
At the moment we prohibit any IP fragments, but it's not reliable for broader (ISP) cases. IP Anomaly Filter should be replaced with
, which allows only specified values (RFC 8955 4.2.2.12 and RFC 8956 3.6). Note that
DFis ignored for IPv6.