ip4: packet filtering (RFC-1122) and experimental vip/loopback

Author: alfreb

api/net/ip4/addr.hpp

@@ -316,6 +316,23 @@ struct Addr {
   std::string to_string() const
   { return str(); }
 
+  /**
+   * RFC-1122 / IANA IP4 address space defines 127.* as loopback
+   **/
+  bool is_loopback() const noexcept
+  { return part(3) == 127; }
+
+  /**
+   * Determine if an address is a-priori illegal as source address in *all* cases.
+   *
+   * @note: The class E range 240/4 for "future use" is not illegal here
+   * @note: RFC-1122 prohibits 0.0.0.0 as source, but with exceptions
+   */
+  bool is_illegal_src() const noexcept {
+    return (part(3) >= 224 and part(3) < 240) // Multicast
+      or (part(0) == 255); // Limited and directed broadcast
+  }
+
   /* Data member */
   uint32_t whole;
 } __attribute__((packed)); //< struct Addr

api/net/ip4/ip4.hpp

@@ -30,12 +30,23 @@ namespace net {
   /** IP4 layer */
   class IP4 {
   public:
+
+    enum class Drop_reason
+    { None, Bad_source, Bad_destination, Wrong_version, Wrong_checksum,
+        Unknown_proto, TTL0 };
+
+    enum class Direction
+    { Upstream, Downstream };
+
+
     using Stack = Inet<IP4>;
     using addr = ip4::Addr;
     using header = ip4::Header;
     using IP_packet = PacketIP4;
     using IP_packet_ptr = std::unique_ptr<IP_packet>;
     using downstream_arp = delegate<void(Packet_ptr, IP4::addr)>;
+    using Packet_filter = delegate<IP_packet_ptr(IP_packet_ptr)>;
+    using drop_handler = delegate<void(IP_packet_ptr, Direction, Drop_reason)>;
 
     /** Initialize. Sets a dummy linklayer out. */
     explicit IP4(Stack&) noexcept;
@@ -69,14 +80,25 @@ namespace net {
     void set_tcp_handler(upstream s)
     { tcp_handler_ = s; }
 
+    /** Set packet dropped handler */
+    void set_drop_handler(drop_handler s)
+    { drop_handler_ = s; }
+
     /** Set handler for packets not addressed to this interface (upstream) */
     void set_packet_forwarding(Stack::Forward_delg fwd)
     { forward_packet_ = fwd; }
 
     /** Set linklayer out (downstream) */
     void set_linklayer_out(downstream_arp s)
-    { linklayer_out_ = s; };
+    { linklayer_out_ = s; }
 
+    /** Assign function to determine which upstream packets gets filtered */
+    void set_upstream_filter(Packet_filter f)
+    { upstream_filter_ = f; }
+
+    /** Assign function to determine which downstream packets gets filtered */
+    void set_downstream_filter(Packet_filter f)
+    { downstream_filter_ = f; }
 
     //
     // Delegate getters
@@ -120,6 +142,7 @@ namespace net {
       return stack_.ip_addr();
     }
 
+
     /**
      * Stats getters
      **/
@@ -132,6 +155,15 @@ namespace net {
     uint64_t get_packets_dropped()
     { return packets_dropped_; }
 
+    /**  Default upstream packet filter */
+    IP_packet_ptr filter_upstream(IP_packet_ptr packet);
+
+    /**  Default downstream packet filter */
+    IP_packet_ptr filter_downstream(IP_packet_ptr packet);
+
+
+
+
   private:
     /** Stats */
     uint64_t& packets_rx_;
@@ -151,9 +183,19 @@ namespace net {
     /** Packet forwarding  */
     Stack::Forward_delg forward_packet_;
 
-  }; //< class IP4
+    /** Packet filters */
+    Packet_filter upstream_filter_;
+    Packet_filter downstream_filter_;
 
 
+    /** All dropped packets go here */
+    drop_handler drop_handler_;
+
+    /** Drop a packet, calling drop handler if set */
+    IP_packet_ptr drop(IP_packet_ptr ptr, Direction direction, Drop_reason reason);
+
+  }; //< class IP4
+
 } //< namespace net
 
 #endif

api/net/ip4/packet_ip4.hpp

@@ -39,7 +39,10 @@ namespace net {
 
     /** Get IP protocol version field. Must be 4 (RFC 1122) */
     uint8_t ip_version() const noexcept
-    { return ip_header().version_ihl & 0x0f; }
+    { return (ip_header().version_ihl >> 4) & 0xf; }
+
+    bool is_ipv4() const noexcept
+    { return (ip_header().version_ihl & 0xf0) == 0x40; }
 
     /** Get IP header length field as-is. */
     uint8_t ip_ihl() const noexcept
@@ -71,7 +74,7 @@ namespace net {
 
     /** Get Fragment offset field */
     uint16_t ip_frag_offs() const noexcept
-    { return ntohs(ip_header().frag_off_flags) | 0xe; }
+    { return ntohs(ip_header().frag_off_flags) & 0xe; }
 
     /** Get Time-To-Live field */
     uint8_t ip_ttl() const noexcept
@@ -104,6 +107,9 @@ namespace net {
     uint16_t ip_capacity() const noexcept
     { return capacity() - ip_header_length(); }
 
+    /** Compute IP header checksum on header as-is */
+    uint16_t compute_checksum() noexcept
+    { return net::checksum(&ip_header(), ip_header_length()); };
 
 
     //
@@ -208,6 +214,8 @@ namespace net {
       hdr.frag_off_flags = 0;
       hdr.ttl            = DEFAULT_TTL;
       hdr.protocol       = static_cast<uint8_t>(proto);
+      hdr.check          = 0;
+      hdr.tot_len        = 0x1400; // Big-endian 20
       increment_data_end(sizeof(IP4::header));
     }
 
@@ -219,7 +227,6 @@ namespace net {
       return {ip_data_ptr(), ip_data_length()};
     }
 
-
   protected:
 
     /** Get pointer to IP data */

src/net/ip4/ip4.cpp

@@ -15,8 +15,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-// #define DEBUG // Allow debugging
-// #define DEBUG2 // Allow debug lvl 2
+#define DEBUG // Allow debugging
+#define DEBUG2 // Allow debug lvl 2
 
 #include <net/ip4/ip4.hpp>
 #include <net/ip4/packet_ip4.hpp>
@@ -32,33 +32,90 @@ namespace net {
   packets_rx_       {Statman::get().create(Stat::UINT64, inet.ifname() + ".ip4.packets_rx").get_uint64()},
   packets_tx_       {Statman::get().create(Stat::UINT64, inet.ifname() + ".ip4.packets_tx").get_uint64()},
   packets_dropped_  {Statman::get().create(Stat::UINT32, inet.ifname() + ".ip4.packets_dropped").get_uint32()},
-  stack_            {inet}
+  stack_            {inet},
+  upstream_filter_  {this, &IP4::filter_upstream},
+  downstream_filter_{this, &IP4::filter_downstream}
  { }
 
+
+  IP4::IP_packet_ptr IP4::drop(IP_packet_ptr ptr, Direction direction, Drop_reason reason) {
+      packets_dropped_++;
+
+      if(drop_handler_)
+        drop_handler_(std::move(ptr), direction, reason);
+
+      return nullptr;
+    }
+
+
+  IP4::IP_packet_ptr IP4::filter_upstream(IP4::IP_packet_ptr packet)
+  {
+
+    IP4::Direction up = IP4::Direction::Upstream;
+
+    // RFC-1122 3.2.1.1, Silently discard Version != 4
+    if (UNLIKELY(not packet->is_ipv4()))
+      return drop(std::move(packet), up, Drop_reason::Wrong_version);
+
+    // RFC-1122 3.2.1.2, Verify IP checksum, silently discard bad dgram
+    if (UNLIKELY(packet->compute_checksum() != 0))
+      return drop(std::move(packet), up, Drop_reason::Wrong_checksum);
+
+    // RFC-1122 3.2.1.3, Silently discard datagram with bad src addr
+    if (UNLIKELY(packet->ip_src().is_illegal_src()))
+      return drop(std::move(packet), up, Drop_reason::Bad_source);
+
+
+    return packet;
+
+  };
+
+
+  IP4::IP_packet_ptr IP4::filter_downstream(IP4::IP_packet_ptr packet)
+  {
+
+    // RFC-1122 3.2.1.7, MUST NOT send packet with TTL of 0
+    if (packet->ip_ttl() == 0)
+      return drop(std::move(packet), Direction::Downstream, Drop_reason::TTL0);
+
+    // RFC-1122 3.2.1.7, MUST NOT send packet addressed to 127.*
+    if (packet->ip_dst().part(0) == 127)
+      drop(std::move(packet), Direction::Downstream, Drop_reason::Bad_destination);
+
+    return packet;
+  }
+
+
   void IP4::receive(Packet_ptr pckt)
   {
     // Cast to IP4 Packet
     auto packet = static_unique_ptr_cast<net::PacketIP4>(std::move(pckt));
 
-    // Stat increment packets received
-    packets_rx_++;
-
-    debug2("\t Source IP: %s Dest.IP: %s Type: 0x%x\n",
+    debug("<IP4> received packet \n");
+    debug2("\t* Source IP: %s Dest.IP: %s Type: 0x%x\n",
            packet->ip_src().str().c_str(),
            packet->ip_dst().str().c_str(),
            packet->ip_protocol());
 
-    // Drop if my ip address doesn't match destination ip address or broadcast
+
+    // Stat increment packets received
+    packets_rx_++;
+
+    packet = upstream_filter_(std::move(packet));
+    if (UNLIKELY(packet == nullptr)) return;
+
+    // Drop / forward if my ip address doesn't match dest. or broadcast
     if (UNLIKELY(packet->ip_dst() != local_ip()
-            and (packet->ip_dst() | stack_.netmask()) != ADDR_BCAST
-            and local_ip() != ADDR_ANY)) {
+                 and (packet->ip_dst() | stack_.netmask()) != ADDR_BCAST
+                 and local_ip() != ADDR_ANY
+                 and not stack_.is_loopback(packet->ip_dst()))) {
 
       if (forward_packet_) {
         forward_packet_(stack_, std::move(packet));
         debug("Packet forwarded \n");
       } else {
         debug("Packet dropped \n");
-        packets_dropped_++;
+        drop(std::move(packet), Direction::Upstream, Drop_reason::Bad_destination);
       }
 
       return;
@@ -79,6 +136,7 @@ namespace net {
       break;
     default:
       debug("\t Type: UNKNOWN %hhu\n", packet->ip_protocol());
+      drop(std::move(packet), Direction::Upstream, Drop_reason::Unknown_proto);
       break;
     }
   }
@@ -97,8 +155,15 @@ namespace net {
   {
     auto ip4_pckt = static_unique_ptr_cast<PacketIP4>(std::move(pckt));
 
+    // Send loopback packets right back
+    if (UNLIKELY(stack_.is_loopback(ip4_pckt->ip_dst()))) {
+      debug("<IP4> Destination address is loopback \n");
+      IP4::receive(std::move(ip4_pckt));
+      return;
+    }
+
     addr next_hop;
-    // Keep IP when broadcasting to all
+
     if (ip4_pckt->ip_dst() != IP4::ADDR_BCAST)
     {
       // Create local and target subnets
@@ -114,11 +179,15 @@ namespace net {
           stack_.ip_addr().str().c_str(),
           stack_.gateway().str().c_str(),
           next_hop.str().c_str());
-    }
-    else {
+
+    } else {
       next_hop = IP4::ADDR_BCAST;
     }
 
+    // Filter illegal egress packets
+    ip4_pckt = upstream_filter_(std::move(ip4_pckt));
+    if (ip4_pckt == nullptr) return;
+
     // Stat increment packets transmitted
     packets_tx_++;