Codecov Report
@@ Coverage Diff @@
## master #178 +/- ##
===========================================
+ Coverage 22.87% 33.36% +10.48%
===========================================
Files 66 66
Lines 7876 7876
===========================================
+ Hits 1802 2628 +826
+ Misses 5861 4928 -933
- Partials 213 320 +107
Pull Request Test Coverage Report for Build 2128
💛 - Coveralls
Waiting on @rgulewich's changes before this will be merged / pass.
vpc/bpf/filter.c
Outdated
@@ -36,8 +36,10 @@ int classifier_egress_filter(struct __sk_buff *skb) { | |||
|
|||
if (eth->h_proto == __constant_htons(ETH_P_IP) && iph->daddr == __constant_htonl(METADATA_SERVICE_IP)) | |||
return TC_ACT_SHOT; | |||
|
|||
/* See the explanation behind this in allocation_network_linux.go */ |
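Review bot: the comment added on the new line defers the rationale for the drop to allocation_network_linux.go, a cross-file reference that goes stale as files move (the review comment right below already reports that file is gone); state the reason inline instead, e.g. `/* Drop egress IPv4 packets addressed to METADATA_SERVICE_IP so containers cannot reach the real metadata service */`. While at it, the inline comment should also record that the match is keyed on `eth->h_proto == ETH_P_IP` and `iph->daddr` only, so the rule is explicitly IPv4-only and everything else falls through to the existing return.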
that file does not exist anymore
if err != nil { | ||
return err | ||
} | ||
|
||
return setupIFB(ctx, vpc.EgressIFB, "classifier_egress") | ||
return setupIFB(ctx, vpc.EgressIFB, "classifier_egress", unix.ETH_P_ALL) |
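Review bot: attaching the classifier with `unix.ETH_P_ALL` instead of the previous protocol means the classifier_egress program now receives every frame on the egress IFB, so its own `h_proto == ETH_P_IP` check is the only thing keeping non-IPv4 frames from being parsed as IPv4; a short comment at this call site recording that non-IPv4 frames are intentionally passed through with TC_ACT_OK (as the discussion settles on) would save the next reader the same question. Also confirm the new `setupIFB` parameter is applied consistently at any other call site the diff does not show, since the signature change is not visible here.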
it seems that for !unix.ETH_P_ALL, the bpf filter is a noop and will always do TC_ACT_OK, or are you relying on it to validate the L2 and L3 header lengths and formats?
That should never happen (we should never get non-ethernet traffic on the interface veth that goes into the ifb).
my bad, I meant !unix.ETH_P_IP
Yes, except for the block rule, it passes through all IP traffic. The amount of non-IP traffic we receive should be minimal, but it is on my long-term TODO list (there's a JIRA for it), to make this capture and classify all container traffic, not just IPv4 traffic.
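The behaviour settled on in this thread (non-IPv4 frames pass untouched, IPv4 to the metadata service IP is dropped, all other IPv4 passes) is easy to lose track of when reading a tc/BPF program. The following is an added example, not code from this PR or from the project: a user-space C model of the same egress classifier logic that parses an Ethernet frame from a plain byte buffer and returns the kernel's tc verdict values. It assumes METADATA_SERVICE_IP is the well-known 169.254.169.254 link-local address (the PR does not show the constant's value), and it bounds-checks each header before reading it, which is what the BPF verifier would demand via data_end checks in the real program.

```c
/*
 * Added example (not the project's code): user-space model of an egress
 * classifier that drops IPv4 packets addressed to the metadata service IP
 * and passes everything else, including non-IPv4 frames, with TC_ACT_OK.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TC_ACT_OK   0   /* kernel tc verdict: let the packet continue */
#define TC_ACT_SHOT 2   /* kernel tc verdict: drop the packet */

#define ETH_P_IP  0x0800
#define ETH_P_ARP 0x0806
#define ETH_HLEN  14
#define IP_HLEN   20    /* minimal IPv4 header, IHL 5 */

/* Assumed value for the constant used in the PR's filter.c (169.254.169.254). */
#define METADATA_SERVICE_IP 0xA9FEA9FEu

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify one frame. Every read is preceded by a length check, mirroring
 * the data/data_end checks the BPF verifier requires in the tc program. */
int classify_egress(const uint8_t *data, size_t len)
{
    if (len < ETH_HLEN)
        return TC_ACT_OK;                  /* too short for an Ethernet header */
    if (be16(data + 12) != ETH_P_IP)
        return TC_ACT_OK;                  /* non-IPv4: the block rule is a no-op */
    if (len < ETH_HLEN + IP_HLEN)
        return TC_ACT_OK;                  /* truncated IPv4 header: never read past it */
    const uint8_t *iph = data + ETH_HLEN;
    if ((iph[0] >> 4) != 4)
        return TC_ACT_OK;                  /* version field disagrees with ethertype */
    uint32_t daddr = be32(iph + 16);       /* IPv4 destination address */
    return daddr == METADATA_SERVICE_IP ? TC_ACT_SHOT : TC_ACT_OK;
}

/* Build a constructed minimal frame: zero MACs, given ethertype, and an
 * IPv4 header whose destination is daddr. Returns the frame length. */
static size_t build_frame(uint8_t *buf, uint16_t proto, uint32_t daddr)
{
    memset(buf, 0, ETH_HLEN + IP_HLEN);
    buf[12] = (uint8_t)(proto >> 8);
    buf[13] = (uint8_t)(proto & 0xff);
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                          /* version 4, IHL 5 */
    ip[3] = IP_HLEN;                       /* total length 20 */
    ip[9] = 6;                             /* protocol TCP */
    ip[16] = (uint8_t)(daddr >> 24);
    ip[17] = (uint8_t)(daddr >> 16);
    ip[18] = (uint8_t)(daddr >> 8);
    ip[19] = (uint8_t)daddr;
    return ETH_HLEN + IP_HLEN;
}

/* Verdict for a constructed frame; cut > 0 truncates the frame to cut bytes
 * so the short-frame path can be exercised. */
int verdict_for(uint16_t proto, uint32_t daddr, size_t cut)
{
    uint8_t frame[ETH_HLEN + IP_HLEN];
    size_t len = build_frame(frame, proto, daddr);
    if (cut > 0 && cut < len)
        len = cut;
    return classify_egress(frame, len);
}

int main(void)
{
    printf("IPv4 -> metadata IP : %d (2 = SHOT)\n", verdict_for(ETH_P_IP, METADATA_SERVICE_IP, 0));
    printf("IPv4 -> 10.0.0.1    : %d (0 = OK)\n",   verdict_for(ETH_P_IP, 0x0A000001u, 0));
    printf("ARP frame           : %d (0 = OK)\n",   verdict_for(ETH_P_ARP, METADATA_SERVICE_IP, 0));
    printf("truncated IPv4      : %d (0 = OK)\n",   verdict_for(ETH_P_IP, METADATA_SERVICE_IP, 20));
    return 0;
}
```

The truncated-frame case is the one worth keeping in mind when the real program is attached at ETH_P_ALL: once the classifier sees every frame, the length checks are what keep a malformed or short frame from being misparsed, and the verifier will reject the program if they are missing.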
Description of the Change
This fixes a potential bypass allowing users to get to the real AWS metadata service.