xdp-filter in deny policy, denies all packets in native mode #222

DivyanshuSaxena opened this issue Aug 25, 2022 · 3 comments
DivyanshuSaxena commented Aug 25, 2022

I am a beginner with XDP, and I was trying to run xdp-filter to deny all packets destined to port 8080. I'm using it as follows:

$ sudo ./xdp-filter load -m native -p deny eno1d1
$ sudo ./xdp-filter port -m dst -p tcp -s 8080
Filtered ports:
                                           Mode             Hit counter
  8080                                     dst,tcp          0

From another machine, I send out packets using nping:

$ sudo nping -c 1 --tcp -p 8080 10.10.1.1

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2022-08-24 21:38 MDT
SENT (0.0323s) TCP 10.10.1.2:58302 > 10.10.1.1:8080 S ttl=64 id=21309 iplen=40  seq=4286983008 win=1480

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 1 (40B) | Rcvd: 0 (0B) | Lost: 1 (100.00%)
Nping done: 1 IP address pinged in 1.06 seconds
$ sudo nping -c 1 --tcp -p 8081 10.10.1.1

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2022-08-24 21:39 MDT
SENT (0.0397s) TCP 10.10.1.2:48477 > 10.10.1.1:8081 S ttl=64 id=40611 iplen=40  seq=3410690624 win=1480

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 1 (40B) | Rcvd: 0 (0B) | Lost: 1 (100.00%)
Nping done: 1 IP address pinged in 1.07 seconds

The expected output (which works if I use the generic mode) is:

$ sudo nping -c 1 --tcp -p 8081 10.10.1.1

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2022-08-24 21:19 MDT
SENT (0.0595s) TCP 10.10.1.2:17666 > 10.10.1.1:8081 S ttl=64 id=61030 iplen=40  seq=2678198273 win=1480
RCVD (0.0598s) TCP 10.10.1.1:8081 > 10.10.1.2:17666 RA ttl=64 id=0 iplen=40  seq=0 win=0

Max rtt: 0.198ms | Min rtt: 0.198ms | Avg rtt: 0.198ms
Raw packets sent: 1 (40B) | Rcvd: 1 (46B) | Lost: 0 (0.00%)
Nping done: 1 IP address pinged in 1.09 seconds
$ sudo nping -c 1 --tcp -p 8080 10.10.1.1

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2022-08-24 21:21 MDT
SENT (0.0369s) TCP 10.10.1.2:6221 > 10.10.1.1:8080 S ttl=64 id=28160 iplen=40  seq=277663282 win=1480

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 1 (40B) | Rcvd: 0 (0B) | Lost: 1 (100.00%)
Nping done: 1 IP address pinged in 1.07 seconds

Edit: I am using a machine with a Mellanox driver, so native mode should be supported.

$ ethtool -i eno1d1
driver: mlx4_en
version: 4.0-0
firmware-version: 2.36.7000
expansion-rom-version:
bus-info: 0000:09:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: yes
tohojo commented Aug 25, 2022 via email

@DivyanshuSaxena (Author) commented:

> The 'policy' is what happens to packets that are not matched by any rules. So if you want to only drop packets with port 8080, you should use -p allow and then add the port. This is explained in the man page.

I thought that the reverse rules would apply to the matched packets. So if I understand correctly, all packets that match any rules are automatically dropped, right?

> Hmm, it shouldn't work differently in generic mode; could you please post the output of 'xdp-filter status' after running that test?

So, when you mentioned it, I re-ran the test and found a strange behavior. If I load a filter in allow mode, then unload and re-load it in deny mode, it actually lets matching packets pass through (the behavior that I mentioned as "expected behavior" in my earlier comment). However, if I unload and reload it again in deny mode, then it denies matching packets (which should be the correct behavior?)

$ sudo ./xdp-filter unload eno1d1
$ sudo ./xdp-filter load -m skb eno1d1
$ sudo ./xdp-filter port -m dst -p tcp 8080
$
$ sudo ./xdp-filter unload eno1d1
$ sudo ./xdp-filter load -m skb -p deny eno1d1
$ sudo ./xdp-filter port -m dst -p tcp 8080
$ sudo ./xdp-filter status
CURRENT XDP-FILTER STATUS:

Aggregate per-action statistics:
  XDP_ABORTED                                   0 pkts           0 KiB
  XDP_DROP                                      0 pkts           0 KiB
  XDP_PASS                                      1 pkts           0 KiB

Loaded on interfaces:
                                           Enabled features
xdpfilt_dny_all
  eno1d1 (skb mode)                        tcp,udp,ipv6,ipv4,ethernet,deny

Filtered ports:
                                           Mode             Hit counter
  8080                                     dst,tcp          1

Filtered IP addresses:
                                           Mode             Hit counter

Filtered MAC addresses:
                                           Mode             Hit counter

$ sudo ./xdp-filter unload eno1d1
$ sudo ./xdp-filter load -m skb -p deny eno1d1
$ sudo ./xdp-filter port -m dst -p tcp 8080
$ sudo ./xdp-filter status
CURRENT XDP-FILTER STATUS:

Aggregate per-action statistics:
  XDP_ABORTED                                   0 pkts           0 KiB
  XDP_DROP                                      3 pkts           0 KiB
  XDP_PASS                                      1 pkts           0 KiB

Loaded on interfaces:
                                           Enabled features
xdpfilt_dny_all
  eno1d1 (skb mode)                        tcp,udp,ipv6,ipv4,ethernet,deny

Filtered ports:
                                           Mode             Hit counter
  8080                                     dst,tcp          1

Filtered IP addresses:
                                           Mode             Hit counter

Filtered MAC addresses:
                                           Mode             Hit counter

Could it be somehow that the maps are not getting cleaned up during unload?
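The policy semantics quoted above (the policy is the verdict for packets that match no rule; a matching packet gets the opposite verdict) are easy to get backwards, as the opening post did. The following is an added toy model written for this page, not xdp-filter's own code: the class and function names (`XdpFilterModel`, `PortRule`, `deny_only_port`) are mine, the real program does its matching with BPF map lookups rather than a Python loop, and the two packets are constructed to mirror the nping SYNs to ports 8080 and 8081 in the thread.

```python
"""Toy model of xdp-filter's policy/rule semantics (added example, not the
project's own code).  The policy is the action applied to packets that match
NO rule; a packet that matches a rule gets the opposite action.  All names
below are assumptions for illustration, not xdp-filter identifiers."""
from __future__ import annotations

from dataclasses import dataclass

XDP_PASS = "XDP_PASS"
XDP_DROP = "XDP_DROP"
OPPOSITE = {XDP_PASS: XDP_DROP, XDP_DROP: XDP_PASS}
# `load -p allow` (the default) passes unmatched packets; `load -p deny` drops them.
POLICY_ACTION = {"allow": XDP_PASS, "deny": XDP_DROP}


@dataclass
class Packet:
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass
class PortRule:
    port: int
    modes: frozenset   # subset of {"src", "dst"}, like `port -m src,dst`
    protos: frozenset  # subset of {"tcp", "udp"}, like `port -p tcp,udp`
    hits: int = 0      # the "Hit counter" column of `xdp-filter status`

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto not in self.protos:
            return False
        return ("dst" in self.modes and pkt.dst_port == self.port) or (
            "src" in self.modes and pkt.src_port == self.port)


class XdpFilterModel:
    """One loaded instance: a policy, a list of port rules, per-action stats."""

    def __init__(self, policy: str):
        if policy not in POLICY_ACTION:
            raise ValueError("policy must be 'allow' or 'deny'")
        self.policy = policy
        self.rules: list[PortRule] = []
        self.stats = {XDP_PASS: 0, XDP_DROP: 0}

    def add_port(self, port: int, modes=("dst",), protos=("tcp", "udp")) -> None:
        """Equivalent of `xdp-filter port -m <modes> -p <protos> <port>`."""
        self.rules.append(PortRule(port, frozenset(modes), frozenset(protos)))

    def verdict(self, pkt: Packet) -> str:
        default = POLICY_ACTION[self.policy]
        action = default
        for rule in self.rules:
            if rule.matches(pkt):
                rule.hits += 1
                action = OPPOSITE[default]  # matched -> opposite of the policy
                break
        self.stats[action] += 1
        return action


def deny_only_port(policy: str, target: int = 8080) -> dict:
    """Load with `policy`, add `port -m dst -p tcp <target>`, then send the two
    SYNs from the thread (constructed packets: dst 8080 and dst 8081)."""
    f = XdpFilterModel(policy)
    f.add_port(target, modes=("dst",), protos=("tcp",))
    syn_8080 = Packet("tcp", 58302, 8080)  # mirrors the first nping above
    syn_8081 = Packet("tcp", 48477, 8081)  # mirrors the second nping above
    return {
        "8080": f.verdict(syn_8080),
        "8081": f.verdict(syn_8081),
        "hits": f.rules[0].hits,
        "stats": dict(f.stats),
    }


if __name__ == "__main__":
    for policy in ("allow", "deny"):
        print(f"-p {policy}: {deny_only_port(policy)}")
```

With `-p allow` the 8080 SYN is dropped and the 8081 SYN passes, which is what the opening post wanted; with `-p deny` the rule becomes an allow-list entry, so 8080 passes (hit counter 1, one XDP_PASS, matching the status output above) and everything else is dropped.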

tohojo commented Sep 29, 2022 via email
