feat: session timeout after 60s by default

rhargreaves · rhargreaves · commit 7e8c0d09a613 · 2025-08-31T22:09:00.000+01:00
diff --git a/src/cli_args.cpp b/src/cli_args.cpp
@@ -33,6 +33,9 @@ std::optional<cli_args> parse_args(int argc, char** argv)
     app.add_option("-t,--timeout", args.timeout, "Sequence timeout in milliseconds")
         ->default_val(5000);
 
+    app.add_option("-s,--session-timeout", args.session_timeout, "Session timeout in milliseconds")
+        ->default_val(60000);
+
     try {
         app.parse(argc, argv);
     } catch (const CLI::ParseError& e) {
diff --git a/src/cli_args.hpp b/src/cli_args.hpp
@@ -9,6 +9,7 @@ struct cli_args {
     std::uint16_t target_port;
     std::vector<std::uint16_t> sequence;
     std::uint64_t timeout;
+    std::uint64_t session_timeout;
 };
 
 std::optional<cli_args> parse_args(int argc, char** argv);
diff --git a/src/knock.bpf.c b/src/knock.bpf.c
@@ -65,7 +65,7 @@ static __always_inline int handle_udp_knock(
     return XDP_PASS;
 }
 
-static __always_inline int handle_tcp(u32 source_ip, u16 port, u16 target_port)
+static __always_inline int handle_tcp(u32 source_ip, u16 port, u16 target_port, u64 session_timeout)
 {
     if (port != target_port) {
         return XDP_PASS;
@@ -81,6 +81,13 @@ static __always_inline int handle_tcp(u32 source_ip, u16 port, u16 target_port)
     }
 
     if (state->sequence_complete) {
+
+        const __u64 current_time = bpf_ktime_get_ns();
+        if (current_time - state->last_packet_time > MS_TO_NS(session_timeout)) {
+            log_info("session timed out");
+            return XDP_DROP;
+        }
+
         log_info("allowing packet because sequence is complete");
         return XDP_PASS;
     }
@@ -105,7 +112,7 @@ int knock(struct xdp_md* ctx)
     case IPPROTO_UDP:
         return handle_udp_knock(source_ip, port, &config->seq);
     case IPPROTO_TCP:
-        return handle_tcp(source_ip, port, config->target_port);
+        return handle_tcp(source_ip, port, config->target_port, config->session_timeout);
     }
 
     return XDP_PASS;
diff --git a/src/knock.h b/src/knock.h
@@ -22,4 +22,5 @@ struct ip_state {
 struct knock_config {
     __u16 target_port;
     struct port_sequence seq;
+    __u64 session_timeout;
 };
diff --git a/src/main.cpp b/src/main.cpp
@@ -30,7 +30,8 @@ static void print_config(const struct knock_config& config)
         std::cout << port << ' ';
     }
     std::cout << '\n';
-    std::cout << "timeout: " << config.seq.timeout_ms << " ms\n";
+    std::cout << "sequence timeout: " << config.seq.timeout_ms << " ms\n";
+    std::cout << "session timeout: " << config.session_timeout << " ms\n";
 }
 
 static void set_memory_limit()
@@ -59,6 +60,7 @@ static void parse_config(const cli_args& args, struct knock_config& config)
     for (size_t i = 0; i < args.sequence.size(); i++) {
         config.seq.ports[i] = static_cast<__u16>(args.sequence[i]);
     }
+    config.session_timeout = static_cast<__u64>(args.session_timeout);
 }
 
 int main(int argc, char** argv)
diff --git a/test/test_knock.py b/test/test_knock.py
@@ -121,7 +121,11 @@ def test_port_filtered_when_wrong_code_udp_packet_sent():
     assert port_filtered(DST_IP, DEFAULT_TARGET_PORT)
 
 
-@pytest.mark.parametrize("loader", [{"extra_args": ["-t", "500"]}], indirect=True)
+@pytest.mark.parametrize(
+    "loader",
+    [{"extra_args": ["-t", "500"]}, {"extra_args": ["--timeout", "500"]}],
+    indirect=True,
+)
 def test_port_filtered_when_wrong_code_udp_packet_sent_with_timeout(loader):
     send_udp_packet(DST_IP, DEFAULT_KNOCK_SEQUENCE[0])
     assert wait_for_trace("info: code 1 passed")
@@ -132,3 +136,23 @@ def test_port_filtered_when_wrong_code_udp_packet_sent_with_timeout(loader):
     assert wait_for_trace("info: sequence timeout")
 
     assert port_filtered(DST_IP, DEFAULT_TARGET_PORT)
+
+
+@pytest.mark.parametrize(
+    "loader",
+    [
+        {"knock_sequence": [111], "extra_args": ["-s", "500"]},
+        {"knock_sequence": [111], "extra_args": ["--session-timeout", "500"]},
+    ],
+    indirect=True,
+)
+def test_port_filtered_when_wrong_code_udp_packet_sent_with_session_timeout(loader):
+    config, _ = loader
+    send_udp_packet(DST_IP, config["knock_sequence"][0])
+    assert wait_for_trace("info: code 1 passed")
+    assert wait_for_trace("info: sequence complete")
+
+    assert port_closed(DST_IP, DEFAULT_TARGET_PORT)
+    time.sleep(1)
+    assert port_filtered(DST_IP, DEFAULT_TARGET_PORT)
+    assert wait_for_trace("info: session timed out")

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ static __always_inline int handle_udp_knock(`
`65`	`65`	`return XDP_PASS;`
`66`	`66`	`}`
`67`	`67`
`68`		`-static __always_inline int handle_tcp(u32 source_ip, u16 port, u16 target_port)`
	`68`	`+static __always_inline int handle_tcp(u32 source_ip, u16 port, u16 target_port, u64 session_timeout)`
`69`	`69`	`{`
`70`	`70`	`if (port != target_port) {`
`71`	`71`	`return XDP_PASS;`
`@@ -81,6 +81,13 @@ static __always_inline int handle_tcp(u32 source_ip, u16 port, u16 target_port)`
`81`	`81`	`}`
`82`	`82`
`83`	`83`	`if (state->sequence_complete) {`
	`84`	`+`
	`85`	`+ const __u64 current_time = bpf_ktime_get_ns();`
	`86`	`+ if (current_time - state->last_packet_time > MS_TO_NS(session_timeout)) {`
	`87`	`+ log_info("session timed out");`
	`88`	`+ return XDP_DROP;`
	`89`	`+ }`
	`90`	`+`
`84`	`91`	`log_info("allowing packet because sequence is complete");`
`85`	`92`	`return XDP_PASS;`
`86`	`93`	`}`
`@@ -105,7 +112,7 @@ int knock(struct xdp_md* ctx)`
`105`	`112`	`case IPPROTO_UDP:`
`106`	`113`	`return handle_udp_knock(source_ip, port, &config->seq);`
`107`	`114`	`case IPPROTO_TCP:`
`108`		`- return handle_tcp(source_ip, port, config->target_port);`
	`115`	`+ return handle_tcp(source_ip, port, config->target_port, config->session_timeout);`
`109`	`116`	`}`
`110`	`117`
`111`	`118`	`return XDP_PASS;`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,8 @@ static void print_config(const struct knock_config& config)`
`30`	`30`	`std::cout << port << ' ';`
`31`	`31`	`}`
`32`	`32`	`std::cout << '\n';`
`33`		`- std::cout << "timeout: " << config.seq.timeout_ms << " ms\n";`
	`33`	`+ std::cout << "sequence timeout: " << config.seq.timeout_ms << " ms\n";`
	`34`	`+ std::cout << "session timeout: " << config.session_timeout << " ms\n";`
`34`	`35`	`}`
`35`	`36`
`36`	`37`	`static void set_memory_limit()`
`@@ -59,6 +60,7 @@ static void parse_config(const cli_args& args, struct knock_config& config)`
`59`	`60`	`for (size_t i = 0; i < args.sequence.size(); i++) {`
`60`	`61`	`config.seq.ports[i] = static_cast<__u16>(args.sequence[i]);`
`61`	`62`	`}`
	`63`	`+ config.session_timeout = static_cast<__u64>(args.session_timeout);`
`62`	`64`	`}`
`63`	`65`
`64`	`66`	`int main(int argc, char** argv)`