clat: just return max uint32 from AF_PACKET cbpf filter

kernel's net/packet/af_packet.c packet_rcv() does (paraphrased):
  unsigned int snaplen = skb->len;
  unsigned int res = run_filter(skb, sk, snaplen);
  if (!res) goto drop_n_restore;
  if (snaplen > res) snaplen = res;
which makes it clear that cbpf filter returning 0 means drop,
while any other unsigned int (ie. u32) value means capture that
many bytes - but no more than packet length.
Might as well just use the maximum u32 as the snaplen,
since it will be truncated to skb->len as needed.
Of course additionally IPv6 packets can have a payload size of 65535
(which does not include the IPv6 header itself, and assumes we
don't bother with IPv6 jumbograms, which we can't translate to IPv4
anyways), so the L3 mtu should actually be 65535 + 40.
Except that is also too large to translate to ipv4,
so instead the max L3 mtu should be 65535 - 20 + 40 + 8
(which is the max IPv4 packet size - sizeof ipv4 header + sizeof
ipv6 header + sizeof ipv6 fragmentation extension header).
Since the cBPF currently deals with L3 packets it should return
an L3 length (ie. not including L2 headers), but this will change
when we switch to using L2 af_packet sockets (this change will
mean we will not need to change this code at that point in time).
Furthermore, this should have always returned MAXMTU, and not
PACKETLEN, as it does not care about the tun_pi extra header
(which is added later).
ie. this *should* have always been:
  #define MAXMTU (0xFFFF + 28)
  BPF_STMT(BPF_RET | BPF_K, MAXMTU)
but:
  BPF_STMT(BPF_RET | BPF_K, 0xFFFFFFFFu)
is even simpler.
Bug: 259872525
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I2cc4960f0092720b5ee196e8716f07826bd7f362
diff --git a/service/native/libs/libclat/clatutils.cpp b/service/native/libs/libclat/clatutils.cpp
index be86612..64e5b91 100644
--- a/service/native/libs/libclat/clatutils.cpp
+++ b/service/native/libs/libclat/clatutils.cpp
@@ -29,10 +29,6 @@
#include "checksum.h"
}
-// Sync from external/android-clat/clatd.h
-#define MAXMTU 65536
-#define PACKETLEN (MAXMTU + sizeof(struct tun_pi))
-
// Sync from system/netd/include/netid_client.h.
#define MARK_UNSET 0u
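Review bot: The removed block was marked "Sync from external/android-clat/clatd.h", and the commit message argues that MAXMTU should have been 0xFFFF + 28 rather than the 65536 deleted here. Dropping the local copy is fine if nothing else in clatutils.cpp references MAXMTU or PACKETLEN, but the description should say whether the definition in clatd.h is being corrected separately, since this patch only removes the mirror and leaves the value it was synced from out of scope.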
@@ -235,7 +231,7 @@
// Compare it against the first four bytes of our IPv6 address, in host byte order (BPF loads
// are always in host byte order). If it matches, continue with next instruction (JMP 0). If it
// doesn't match, jump ahead to statement that returns 0 (ignore packet). Repeat for the other
- // three words of the IPv6 address, and if they all match, return PACKETLEN (accept packet).
+ // three words of the IPv6 address, and if they all match, return full packet (accept packet).
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, 24),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, htonl(ipv6[0]), 0, 7),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, 28),
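Review bot: The updated comment line ("return full packet (accept packet)") no longer says what value the filter returns or why that is safe. The reasoning lives only in the commit message, so a reader of the source will not know the kernel clamps the result to skb->len. Suggest wording along the lines of "return max u32 as snaplen (accept packet; packet_rcv() truncates it to skb->len)" so the next person does not replace the constant with a computed length again.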
@@ -244,7 +240,7 @@
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, htonl(ipv6[2]), 0, 3),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, 36),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, htonl(ipv6[3]), 0, 1),
- BPF_STMT(BPF_RET | BPF_K, PACKETLEN),
+ BPF_STMT(BPF_RET | BPF_K, 0xFFFFFFFF),
BPF_STMT(BPF_RET | BPF_K, 0),
};
// clang-format on
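Review bot: The new return statement uses 0xFFFFFFFF while the commit message shows 0xFFFFFFFFu. The value is the same, but the file already writes unsigned constants with the suffix (MARK_UNSET 0u), so add the u for consistency, or use a named constant so the intent (unbounded snaplen) is visible at the call site. The jump offsets in the preceding BPF_JUMP lines stay correct because the accept instruction is replaced one for one, which is worth keeping in mind if this return is ever split into more than one instruction.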