Support for wildcard address masks
Add wildcard mask support for (primarily IPv6) address filtering to enable partial address matching. AFAIK, there are no open-source BPF implementations that currently support IPv6 wildcard masks.
Typical use case: encode some metadata (e.g. k8s cluster/namespace ID) in specific IPv6 prefix bits and perform filtering based on these values regardless of the base prefix.
Example:
Cluster A: 2001:db8:00a0::/48 (cluster ID a in bits 32-35)
Filter: Match all traffic from cluster A name regardless of base prefix
Hi @pasteley,
Do you mean you would like to specify which bits to use for address comparison? Reusing your example, only compare bits 32 to 35 of an IPv6 address to a reference value, ignoring everything before bit 32 and after bit 35?
But exactly the opposite scenario is also valid: match specific network prefix and suffix, skip middle segments.
Better example, matching address 2001:db8:1111:2222:5678:9abc:dead:beef:

```
Scenario 1: Match specific encoded bits (skip prefix)
Address: 2001:db8:1111:2222:5678:9abc:def0:1234
Mask:    0000:0000:00f0:0000:0000:0000:0000:0000
         ---- ---- ^^^^ ---- ---- ---- ---- ----
Pattern: 0000:0000:0010:0000:0000:0000:0000:0000
Result:  Match only if bits 32-35 = 0001 (cluster ID)
```

```
Scenario 2: Match /64 prefix except middle segment
Address: 2001:db8:1111:2222:5678:9abc:def0:1234
Mask:    ffff:ffff:0000:ffff:0000:0000:0000:0000
         ^^^^ ^^^^ ---- ^^^^ ---- ---- ---- ----
Pattern: 2001:db8:0000:2222:0000:0000:0000:0000
Result:  Match network + subnet ID, ignore metadata in 3rd segment
```
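Added example, not code from this thread or from the project: the `(addr & mask) == pattern` test that both scenarios rely on, in stand-alone C over `inet_pton`, plus a load-time check that rejects a pattern with bits set outside its mask, since such a rule can never match. Struct and function names are my own; the non-thread addresses are constructed.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>

/* A wildcard rule: an address matches when (addr & mask) == pattern.
 * Unlike a CIDR prefix, mask bits may be set anywhere in the 128 bits. */
struct wildcard_rule {
    uint8_t mask[16];
    uint8_t pattern[16];
};

/* Parse mask and pattern from IPv6 text. Rejects a pattern that has a bit
 * set outside the mask: such a rule can never match, which is exactly the
 * kind of silent user error a rule format should catch at load time. */
static bool wildcard_rule_parse(const char *mask_s, const char *pattern_s,
                                struct wildcard_rule *r)
{
    if (inet_pton(AF_INET6, mask_s, r->mask) != 1) return false;
    if (inet_pton(AF_INET6, pattern_s, r->pattern) != 1) return false;
    for (int i = 0; i < 16; i++)
        if (r->pattern[i] & ~r->mask[i]) return false;
    return true;
}

/* Byte-wise masked compare over all 16 bytes; there is no prefix-length
 * short-cut because the significant bits may sit mid-address. */
static bool wildcard_match(const struct wildcard_rule *r, const char *addr_s)
{
    uint8_t addr[16];
    if (inet_pton(AF_INET6, addr_s, addr) != 1) return false;
    for (int i = 0; i < 16; i++)
        if ((addr[i] & r->mask[i]) != r->pattern[i]) return false;
    return true;
}

int main(void)
{
    struct wildcard_rule r;
    /* Scenario 2 from the thread: /64 prefix, ignoring the third segment. */
    if (!wildcard_rule_parse("ffff:ffff:0000:ffff::", "2001:db8:0000:2222::", &r))
        return 1;
    printf("%d\n", wildcard_match(&r, "2001:db8:1111:2222:5678:9abc:def0:1234")); /* 1 */
    printf("%d\n", wildcard_match(&r, "2001:db8:1111:3333::1"));                  /* 0 */
    return 0;
}
```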
Thanks for the clear example. I have nothing against it; do you have any examples of tools that support it? The only concern on my end would be to find a good way to implement it in the current rule definition format, so it's not confusing for end users.