Mimic currently doesn't filter out incoming UDP packets whose tuple is in the whitelist but instead passes them directly to the next step. To align the behaviour with what a probe of an unopened port sees, Mimic could do either of the following in XDP:
- Drop the UDP packets and only expect TCP
- Return ICMP Port Unreachable (the default behaviour of Linux)
For outbound packets, since Mimic operates without the interference of Linux firewall rules, there is no perfect option (other than setting up another firewall in Mimic's traffic path), but a service dependency at startup can at least ensure no UDP packets leak during startup. This could only be done at the documentation level, though.
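As an added illustration (not Mimic's own code), a plain C routine that mirrors the first inbound option above: it parses an Ethernet/IPv4 frame, drops UDP aimed at a whitelisted tuple and passes everything else on; the whitelist entry, verdict constants and frame builder are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Verdict values chosen to mirror XDP_PASS/XDP_DROP; not taken from linux/bpf.h. */
enum { VERDICT_PASS = 2, VERDICT_DROP = 1 };
#define PROTO_TCP 6
#define PROTO_UDP 17

/* Hypothetical whitelist entry: (IPv4 destination, destination port), host order. */
struct tuple { uint32_t daddr; uint16_t dport; };
static const struct tuple whitelist[] = {
    { 0xC0A80001u, 8443 },  /* 192.168.0.1:8443, constructed sample tuple */
};

static int in_whitelist(uint32_t daddr, uint16_t dport) {
    for (size_t i = 0; i < sizeof whitelist / sizeof whitelist[0]; i++)
        if (whitelist[i].daddr == daddr && whitelist[i].dport == dport) return 1;
    return 0;
}

/* Classify an inbound Ethernet/IPv4 frame the way the proposed XDP step would:
 * TCP to a whitelisted tuple passes on to Mimic's next stage; UDP to the same
 * tuple is dropped (option 1 above), so a UDP probe of that port sees nothing;
 * everything else is left to the kernel stack, which answers closed ports itself. */
int inbound_verdict(const uint8_t *pkt, size_t len) {
    if (len < 14 + 20 || pkt[12] != 0x08 || pkt[13] != 0x00) return VERDICT_PASS;
    const uint8_t *ip = pkt + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;            /* IPv4 header length */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 4) return VERDICT_PASS;
    uint32_t daddr = ((uint32_t)ip[16] << 24) | ((uint32_t)ip[17] << 16) |
                     ((uint32_t)ip[18] << 8) | (uint32_t)ip[19];
    const uint8_t *l4 = ip + ihl;                        /* TCP and UDP share port layout */
    uint16_t dport = (uint16_t)(((uint16_t)l4[2] << 8) | l4[3]);
    if (!in_whitelist(daddr, dport)) return VERDICT_PASS;
    if (ip[9] == PROTO_UDP) return VERDICT_DROP;
    return VERDICT_PASS;                                 /* TCP (or anything else) */
}

/* Build a minimal 14-byte Ethernet + 20-byte IPv4 + 8-byte L4 frame (constructed sample). */
size_t build_frame(uint8_t *buf, uint8_t proto, uint32_t daddr, uint16_t dport) {
    memset(buf, 0, 42);
    buf[12] = 0x08; buf[13] = 0x00;                      /* EtherType IPv4 */
    buf[14] = 0x45; buf[14 + 9] = proto;                 /* v4, IHL 5, protocol */
    buf[30] = (uint8_t)(daddr >> 24); buf[31] = (uint8_t)(daddr >> 16);
    buf[32] = (uint8_t)(daddr >> 8);  buf[33] = (uint8_t)daddr;
    buf[36] = (uint8_t)(dport >> 8);  buf[37] = (uint8_t)(dport & 0xff);
    return 42;
}

/* Convenience wrapper: classify a freshly built frame. */
int verdict_for(uint8_t proto, uint32_t daddr, uint16_t dport) {
    uint8_t buf[64];
    return inbound_verdict(buf, build_frame(buf, proto, daddr, dport));
}
```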
Todos