xdp-synproxy: drop IP_DF check

When XDP synproxy receives tcp packet that does not have IP DF flag set, tcp packet is dropped. Not all website has IP DF set for each tcp packet, do drop IP_DF check. fix: vincentmli/BPFire#59 Signed-off-by: Vincent Li <[email protected]>
vincentmli · Nov 11, 2024 · 2a7e3ef · 2a7e3ef
1 parent 37024e2
commit 2a7e3ef
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/xdp-synproxy/xdp_synproxy.bpf.c b/xdp-synproxy/xdp_synproxy.bpf.c
@@ -26,7 +26,6 @@
 
 #define tcp_flag_word(tp) (((union tcp_word_hdr *)(tp))->words[3])
 
-#define IP_DF 0x4000
 #define IP_MF 0x2000
 #define IP_OFFSET 0x1fff
 
@@ -443,7 +442,7 @@ static __always_inline int tcp_lookup(void *ctx, struct header_pointers *hdr, bo
 		/* TCP doesn't normally use fragments, and XDP can't reassemble
 		 * them.
 		 */
-		if ((hdr->ipv4->frag_off & bpf_htons(IP_DF | IP_MF | IP_OFFSET)) != bpf_htons(IP_DF))
+		if ((hdr->ipv4->frag_off & bpf_htons(IP_MF | IP_OFFSET)) != 0)
 			return XDP_DROP;
 
 		tup.ipv4.saddr = hdr->ipv4->saddr;