This is the eBPF code which I am using to filter the packets.
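    #include <linux/bpf.h>        // struct xdp_md, XDP_PASS, XDP_DROP
    #include <linux/if_ether.h>   // struct ethhdr, ETH_P_IP
    #include <linux/ip.h>         // struct iphdr
    #include <arpa/inet.h>        // htons, IPPROTO_ICMP
    #include <bpf/bpf_helpers.h>  // SEC

    SEC("xdp")
    int icmp_timestamp(struct xdp_md *xdp) {
        void *data_end = (void *)(long)xdp->data_end;
        void *data = (void *)(long)xdp->data;

        // Bounds-check the Ethernet header before reading it
        if (data + sizeof(struct ethhdr) <= data_end) {
            struct ethhdr *eth = data;
            // Only IPv4 frames with a complete IP header get past this test
            if (eth->h_proto == htons(ETH_P_IP) &&
                data + sizeof(struct ethhdr) + sizeof(struct iphdr) <= data_end) {
                struct iphdr *ip = data + sizeof(struct ethhdr);
                if (ip->protocol == IPPROTO_ICMP) {
                    // Do some processing for ICMP packets
                    // Allow the packet to pass
                    return XDP_PASS;
                }
            }
        }
        // Every other frame (non-IPv4 EtherTypes and non-ICMP IP) is dropped
        return XDP_DROP;
    }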
Each time I ping, only a certain number of packets go through, and then it shows that the destination host is unreachable.
    len=46 ip=10.0.2.6 ttl=63 id=29041 icmp_seq=2 rtt=8.5 ms
    len=46 ip=10.0.2.6 ttl=63 id=29172 icmp_seq=3 rtt=7.1 ms
    len=46 ip=10.0.2.6 ttl=63 id=29276 icmp_seq=4 rtt=5.8 ms
    len=46 ip=10.0.2.6 ttl=63 id=29496 icmp_seq=5 rtt=8.9 ms
    len=46 ip=10.0.2.6 ttl=63 id=29567 icmp_seq=6 rtt=4.6 ms
    len=46 ip=10.0.2.6 ttl=63 id=29721 icmp_seq=7 rtt=7.2 ms
    len=46 ip=10.0.2.6 ttl=63 id=29728 icmp_seq=8 rtt=10.1 ms
    From 10.0.2.5 icmp_seq=10 Destination Host Unreachable
    From 10.0.2.5 icmp_seq=11 Destination Host Unreachable
    From 10.0.2.5 icmp_seq=12 Destination Host Unreachable
    From 10.0.2.5 icmp_seq=13 Destination Host Unreachable
    From 10.0.2.5 icmp_seq=14 Destination Host Unreachable
    From 10.0.2.5 icmp_seq=15 Destination Host Unreachable
    10.0.2.6 hping statistic...
    15 packets transmitted, 9 packets received, 40% packet loss
    round-trip min/avg/max = 2.9/7.1/10.1 ms
You are only allowing ICMP traffic, but there are a number of protocols which you likely use without knowing it and which you shouldn't block. ARP (Address Resolution Protocol) is one of these; it does IP-to-MAC address conversion on your L2 network. If you stop responding to ARP queries of your L2 peers, then they will stop sending traffic after their cache entry runs out.
I suspect the above is the case, although not conclusively.
You should also think about NTP, DHCP and DNS, depending on whether you use these or not. If you don't know, I would recommend running a packet capture with tcpdump or Wireshark for a while to see what you do and don't use.
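Added example (not code from the question or the answer): the same ICMP filter with an explicit pass rule for ARP, so L2 peers can keep resolving the host's MAC address. The names `filter_frame` and `icmp_and_arp` are chosen for this sketch, and the verdict logic sits in a plain helper so it can also be compiled and exercised on the host against constructed frames.

```c
#include <linux/bpf.h>       /* struct xdp_md, XDP_PASS, XDP_DROP */
#include <linux/if_ether.h>  /* struct ethhdr, ETH_P_IP, ETH_P_ARP */
#include <linux/in.h>        /* IPPROTO_ICMP */
#include <linux/ip.h>        /* struct iphdr */
#include <asm/byteorder.h>   /* __constant_htons */

/* Verdict for one frame: pass ARP and ICMP over IPv4, drop the rest.
 * filter_frame is a name chosen for this example. */
static inline int filter_frame(void *data, void *data_end)
{
    struct ethhdr *eth = data;
    struct iphdr *ip;

    if ((void *)(eth + 1) > data_end)
        return XDP_DROP;              /* truncated Ethernet header */

    /* ARP requests and replies keep the peers' IP-to-MAC cache
     * entries for this host from expiring. */
    if (eth->h_proto == __constant_htons(ETH_P_ARP))
        return XDP_PASS;

    if (eth->h_proto != __constant_htons(ETH_P_IP))
        return XDP_DROP;              /* IPv6, VLAN-tagged, anything else */

    ip = (struct iphdr *)(eth + 1);
    if ((void *)(ip + 1) > data_end)
        return XDP_DROP;              /* truncated IPv4 header */

    return ip->protocol == IPPROTO_ICMP ? XDP_PASS : XDP_DROP;
}

#ifdef __bpf__  /* set by clang when targeting BPF; skipped in a host build */
#include <bpf/bpf_helpers.h>

SEC("xdp")
int icmp_and_arp(struct xdp_md *xdp)
{
    return filter_frame((void *)(long)xdp->data,
                        (void *)(long)xdp->data_end);
}

char LICENSE[] SEC("license") = "GPL";
#endif
```

Any other protocol the host depends on, such as the NTP, DHCP and DNS traffic the answer mentions, would need its own pass rule in the same style.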