Merge "allow ingress TCP FINs in doze mode"
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index d98fa5f..ce3315b 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -300,7 +300,8 @@
bpf_packet_trace_ringbuf_submit(pkt);
}
-static __always_inline inline bool skip_owner_match(struct __sk_buff* skb, const unsigned kver) {
+static __always_inline inline bool skip_owner_match(struct __sk_buff* skb, bool egress,
+ const unsigned kver) {
uint32_t flag = 0;
if (skb->protocol == htons(ETH_P_IP)) {
uint8_t proto;
@@ -330,7 +331,8 @@
} else {
return false;
}
- return flag & TCP_FLAG_RST; // false on read failure
+ // Always allow RST's, and additionally allow ingress FINs
+ return flag & (TCP_FLAG_RST | (egress ? 0 : TCP_FLAG_FIN)); // false on read failure
}
static __always_inline inline BpfConfig getConfig(uint32_t configKey) {
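Review bot: The new return expression lets through any inbound segment with the FIN bit set, and the added comment says what is allowed but not why or how far the exemption reaches. In the third hunk the caller returns PASS on `skip_owner_match(skb, egress, kver)` before `getConfig(UID_RULES_CONFIGURATION_KEY)` is read, so the bypass appears to sit ahead of every UID rule evaluated after that point, not only doze mode as the commit title suggests. A FIN segment can also carry payload, so if only connection teardown is meant to pass, that assumption should be stated or checked against the segment length. I would extend the comment to something like `// Ingress FINs skip every UID rule below, not only doze; note a FIN segment may still carry payload.` and add the author's rationale for the exemption. The body of skip_owner_match starts outside this hunk, so how `flag` is populated is not visible here.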
@@ -352,7 +354,7 @@
bool egress, const unsigned kver) {
if (is_system_uid(uid)) return PASS;
- if (skip_owner_match(skb, kver)) return PASS;
+ if (skip_owner_match(skb, egress, kver)) return PASS;
BpfConfig enabledRules = getConfig(UID_RULES_CONFIGURATION_KEY);