ignore PSH in TCP filtering

take `payload > 10` into account, instead.
ring0networks · Jan 9, 2025 · 56b7b4e · 56b7b4e
1 parent 64d9e3c
commit 56b7b4e
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/filter.c b/filter.c
@@ -1,12 +1,14 @@
 /*
-* SPDX-FileCopyrightText: (c) 2024 Ring Zero Desenvolvimento de Software LTDA
+* SPDX-FileCopyrightText: (c) 2024-2025 Ring Zero Desenvolvimento de Software LTDA
 * SPDX-License-Identifier: GPL-2.0-only
 */
 
 #include "vmlinux.h"
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_endian.h>
 
+#define SNI_MIN 10
+
 #define ETH_ALEN 6
 
 #define memcpy __builtin_memcpy
@@ -65,14 +67,15 @@ int filter(struct xdp_md *ctx)
 	if (tcp + 1 > (struct tcphdr *)data_end)
 		goto allow;
 
-	__u16 dport = bpf_ntohs(tcp->dest);
-	if ((dport != 80 && dport != 443) || !tcp->psh)
-		goto allow;
-
 	void *payload = (void *)tcp + (tcp->doff * 4);
 	if (payload > data_end)
 		goto allow;
 
+	__u16 dport = bpf_ntohs(tcp->dest);
+	ptrdiff_t payload_len = data_end - payload;
+	if ((dport != 80 && dport != 443) || payload_len < SNI_MIN)
+		goto allow;
+
 	arg.offset = (__u16)(payload - data);
 	arg.saddr = ip->saddr;
 	arg.daddr = ip->daddr;