使用 BPF 应答 ARP 请求

$ ip netns add ns1$ ip link add ns1-veth type veth peer name ns1-eth0$ ip link set ns1-eth0 netns ns1$ ip netns exec ns1 ip addr add 10.0.1.1/24 dev ns1-eth0$ ip netns exec ns1 ip link set dev ns1-eth0 up$ ip link set ns1-veth up

$ ip netns exec ns1 ping -I ns1-eth0 -c 1 -w 1 10.0.2.1PING 10.0.2.1 (10.0.2.1) from 10.0.1.1 ns1-eth0: 56(84) bytes of data.
--- 10.0.2.1 ping statistics ---1 packets transmitted, 0 received, 100% packet loss, time 0ms
$ ip netns exec ns1 arp -i ns1-eth0Address                  HWtype  HWaddress           Flags Mask            Iface10.0.2.1                         (incomplete)                              ns1-eth0

struct ethhdr {  unsigned char h_dest[6];  unsigned char h_source[6];  __be16 h_proto;};

struct arphdr {  __be16 ar_hrd;  __be16 ar_pro;  unsigned char ar_hln;  unsigned char ar_pln;  __be16 ar_op;};

struct arpdata {  __u8 sha[6];  __u32 sip;  __u8 tha[6];  __u32 tip;} __attribute__((packed));

#include <vmlinux.h>#include <bpf/bpf_endian.h>#include <bpf/bpf_helpers.h>#include <bpf/bpf_tracing.h>
#define TC_ACT_OK  0
#define ETH_P_ARP  0x0806    /* Address Resolution packet  */
#define  ARPOP_REQUEST  1    /* ARP request      */#define  ARPOP_REPLY  2    /* ARP reply      */
union macaddr {  struct {    __u32 p1;    __u16 p2;  };  __u8 addr[6];};
struct arpdata {  __u8 sha[6];  __u32 sip;  __u8 tha[6];  __u32 tip;} __attribute__((packed));
void swap_macaddr(union macaddr *saddr, union macaddr *daddr){  __u32 p1;  __u16 p2;
  p1 = saddr->p1;  p2 = saddr->p2;  saddr->p1 = daddr->p1;  saddr->p2 = daddr->p2;  daddr->p1 = p1;  daddr->p2 = p2;}
SEC("tc")int tc_ingress_ns1(struct __sk_buff *ctx){  void *data_end = (void *)(__u64)ctx->data_end;  void *data = (void *)(__u64)ctx->data;  struct ethhdr *ethhdr;  struct arphdr *arphdr;  struct arpdata *arpdata;  union macaddr *daddr, *saddr;  __u32 ip;
  ethhdr = data;  if ((void *)(ethhdr + 1) > data_end)    return TC_ACT_OK;
  if (ethhdr->h_proto != bpf_ntohs(ETH_P_ARP))    return TC_ACT_OK;
  arphdr = (struct arphdr *)(ethhdr + 1);  if ((void *)(arphdr + 1) > data_end)    return TC_ACT_OK;
  arpdata = (struct arpdata *)(arphdr + 1);  if ((void *)(arpdata + 1) > data_end)    return TC_ACT_OK;
  if (arphdr->ar_op != bpf_htons(ARPOP_REQUEST))    return TC_ACT_OK;
  /*   * construct APR response, we will always return 12:34:56:78:9a:bc   */  daddr = (union macaddr *)ethhdr->h_dest;  daddr->addr[0] = 0x12;  daddr->addr[1] = 0x34;  daddr->addr[2] = 0x56;  daddr->addr[3] = 0x78;  daddr->addr[4] = 0x9a;  daddr->addr[5] = 0xbc;
  /* update ethernet header */  saddr = (union macaddr *)ethhdr->h_source;  swap_macaddr(saddr, daddr);
  /* update ARP header */  arphdr->ar_op = bpf_htons(ARPOP_REPLY);
  /* update ARP payload */  ip = arpdata->sip;  arpdata->sip = arpdata->tip;  arpdata->tip = ip;
  __builtin_memcpy(arpdata->sha, ethhdr->h_source, sizeof(ethhdr->h_source));  __builtin_memcpy(arpdata->tha, ethhdr->h_dest, sizeof(ethhdr->h_dest));
  return bpf_redirect(ctx->ingress_ifindex, 0);}
char __license[] SEC("license") = "GPL";

ip netns exec ns1 ping -I ns1-eth0 -c 1 -w 1 10.0.2.1PING 10.0.2.1 (10.0.2.1) from 10.0.1.1 ns1-eth0: 56(84) bytes of data.
--- 10.0.2.1 ping statistics ---1 packets transmitted, 0 received, 100% packet loss, time 0ms
$ ip netns exec ns1 arp -i ns1-eth0Address                  HWtype  HWaddress           Flags Mask            Iface10.0.2.1                 ether   12:34:56:78:9a:bc   C                     ns1-eth0