diff --git a/firewall/interception/ebpf/bpf_bpfeb.go b/firewall/interception/ebpf/bpf_bpfeb.go index 32c45c38..f7fe5544 100644 --- a/firewall/interception/ebpf/bpf_bpfeb.go +++ b/firewall/interception/ebpf/bpf_bpfeb.go @@ -67,8 +67,8 @@ type bpfSpecs struct { type bpfProgramSpecs struct { TcpV4Connect *ebpf.ProgramSpec `ebpf:"tcp_v4_connect"` TcpV6Connect *ebpf.ProgramSpec `ebpf:"tcp_v6_connect"` - UdpSendmsg *ebpf.ProgramSpec `ebpf:"udp_sendmsg"` - Udpv6Sendmsg *ebpf.ProgramSpec `ebpf:"udpv6_sendmsg"` + UdpV4Connect *ebpf.ProgramSpec `ebpf:"udp_v4_connect"` + UdpV6Connect *ebpf.ProgramSpec `ebpf:"udp_v6_connect"` } // bpfMapSpecs contains maps before they are loaded into the kernel. @@ -112,16 +112,16 @@ func (m *bpfMaps) Close() error { type bpfPrograms struct { TcpV4Connect *ebpf.Program `ebpf:"tcp_v4_connect"` TcpV6Connect *ebpf.Program `ebpf:"tcp_v6_connect"` - UdpSendmsg *ebpf.Program `ebpf:"udp_sendmsg"` - Udpv6Sendmsg *ebpf.Program `ebpf:"udpv6_sendmsg"` + UdpV4Connect *ebpf.Program `ebpf:"udp_v4_connect"` + UdpV6Connect *ebpf.Program `ebpf:"udp_v6_connect"` } func (p *bpfPrograms) Close() error { return _BpfClose( p.TcpV4Connect, p.TcpV6Connect, - p.UdpSendmsg, - p.Udpv6Sendmsg, + p.UdpV4Connect, + p.UdpV6Connect, ) } diff --git a/firewall/interception/ebpf/bpf_bpfel.go b/firewall/interception/ebpf/bpf_bpfel.go index 59acb8d2..9b0acf67 100644 --- a/firewall/interception/ebpf/bpf_bpfel.go +++ b/firewall/interception/ebpf/bpf_bpfel.go @@ -67,8 +67,8 @@ type bpfSpecs struct { type bpfProgramSpecs struct { TcpV4Connect *ebpf.ProgramSpec `ebpf:"tcp_v4_connect"` TcpV6Connect *ebpf.ProgramSpec `ebpf:"tcp_v6_connect"` - UdpSendmsg *ebpf.ProgramSpec `ebpf:"udp_sendmsg"` - Udpv6Sendmsg *ebpf.ProgramSpec `ebpf:"udpv6_sendmsg"` + UdpV4Connect *ebpf.ProgramSpec `ebpf:"udp_v4_connect"` + UdpV6Connect *ebpf.ProgramSpec `ebpf:"udp_v6_connect"` } // bpfMapSpecs contains maps before they are loaded into the kernel. 
@@ -112,16 +112,16 @@ func (m *bpfMaps) Close() error { type bpfPrograms struct { TcpV4Connect *ebpf.Program `ebpf:"tcp_v4_connect"` TcpV6Connect *ebpf.Program `ebpf:"tcp_v6_connect"` - UdpSendmsg *ebpf.Program `ebpf:"udp_sendmsg"` - Udpv6Sendmsg *ebpf.Program `ebpf:"udpv6_sendmsg"` + UdpV4Connect *ebpf.Program `ebpf:"udp_v4_connect"` + UdpV6Connect *ebpf.Program `ebpf:"udp_v6_connect"` } func (p *bpfPrograms) Close() error { return _BpfClose( p.TcpV4Connect, p.TcpV6Connect, - p.UdpSendmsg, - p.Udpv6Sendmsg, + p.UdpV4Connect, + p.UdpV6Connect, ) }
diff --git a/firewall/interception/ebpf/program/monitor.c b/firewall/interception/ebpf/program/monitor.c
index 8b74e3c4..341aaa8c 100644
--- a/firewall/interception/ebpf/program/monitor.c
+++ b/firewall/interception/ebpf/program/monitor.c
@@ -57,8 +57,8 @@ int BPF_PROG(tcp_v4_connect, struct sock *sk) {
 tcp_info->pid = __builtin_bswap32((u32)bpf_get_current_pid_tgid());
 // Set src and dist ports
- tcp_info->dport = sk->__sk_common.skc_dport;
 tcp_info->sport = sk->__sk_common.skc_num;
+ tcp_info->dport = sk->__sk_common.skc_dport;
 // Set src and dist IPs
 tcp_info->saddr[0] = __builtin_bswap32(sk->__sk_common.skc_rcv_saddr);
@@ -101,8 +101,8 @@ int BPF_PROG(tcp_v6_connect, struct sock *sk) {
 tcp_info->pid = __builtin_bswap32((u32)bpf_get_current_pid_tgid());
 // Set src and dist ports
- tcp_info->dport = sk->__sk_common.skc_dport;
 tcp_info->sport = sk->__sk_common.skc_num;
+ tcp_info->dport = sk->__sk_common.skc_dport;
 // Set src and dist IPs
 for(int i = 0; i < 4; i++) {
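Review bot: The two port fields set in the tcp_v4_connect hunk (-57) come from kernel fields with different byte order, and nothing on these lines says so: `skc_num` is held in host byte order while `skc_dport` is network byte order, and neither is swapped the way `pid` and the addresses are. The decoder is not part of this hunk, so whether it compensates cannot be confirmed from here. A comment under `// Set src and dist ports`, such as `// sport: skc_num is host order; dport: skc_dport is network order (__be16)`, would make the contract explicit for whoever maintains the Go reader. The same pair of assignments appears in the tcp_v6_connect hunk at -101 and in both UDP programs. The function body starts and ends outside the hunk.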
@@ -123,10 +123,10 @@ int BPF_PROG(tcp_v6_connect, struct sock *sk) {
 return 0;
 };
-// Fentry(function enter) of udp_sendmsg will be executed before equivalent kernel function is called.
-// [this-function] -> udp_sendmsg
-SEC("fentry/udp_sendmsg")
-int BPF_PROG(udp_sendmsg, struct sock *sk) {
+// Fexit(function exit) of udp_v4_connect will be executed after the ip4_datagram_connect kernel function is called.
+// ip4_datagram_connect -> udp_v4_connect
+SEC("fexit/ip4_datagram_connect")
+int BPF_PROG(udp_v4_connect, struct sock *sk) {
 // Ignore everything else then IPv4
 if (sk->__sk_common.skc_family != AF_INET) {
 return 0;
@@ -143,8 +143,8 @@ int BPF_PROG(udp_sendmsg, struct sock *sk) {
 udp_info->pid = __builtin_bswap32((u32)bpf_get_current_pid_tgid());
 // Set src and dist ports
- udp_info->dport = sk->__sk_common.skc_dport;
 udp_info->sport = sk->__sk_common.skc_num;
+ udp_info->dport = sk->__sk_common.skc_dport;
 // Set src and dist IPs
 udp_info->saddr[0] = __builtin_bswap32(sk->__sk_common.skc_rcv_saddr);
@@ -161,10 +161,10 @@ int BPF_PROG(udp_sendmsg, struct sock *sk) {
 return 0;
 }
-// Fentry(function enter) of udpv6_sendmsg will be executed before equivalent kernel function is called.
-// [this-function] -> udpv6_sendmsg
-SEC("fentry/udpv6_sendmsg")
-int BPF_PROG(udpv6_sendmsg, struct sock *sk) {
+// Fentry(function enter) of udp_v6_connect will be executed after the ip6_datagram_connect kernel function is called.
+// ip6_datagram_connect -> udp_v6_connect
+SEC("fexit/ip6_datagram_connect")
+int BPF_PROG(udp_v6_connect, struct sock *sk) {
 // Ignore everything else then IPv6
 if (sk->__sk_common.skc_family != AF_INET6) {
 return 0;
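Review bot: Moving the IPv4 UDP probe from `fentry/udp_sendmsg` to `fexit/ip4_datagram_connect` means datagrams sent with sendto()/sendmsg() on a socket that was never connect()ed no longer reach this program, so those flows produce no event. If the firewall relies on these events to attribute UDP traffic to a PID, unconnected senders would have to be resolved by some other path that this diff does not show. That is worth confirming and stating in the header comment, e.g. `// Only connected UDP sockets are reported; unconnected sendto() traffic is not seen here.` The udp_v6_connect hunk at -161 has the same property. The body of udp_v4_connect continues outside the hunk.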
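Review bot: Because udp_v6_connect (hunk -161) is attached at function exit, it also runs when ip6_datagram_connect returned an error, and the visible lines never look at the return value, so a failed connect() can presumably emit an event built from whatever the socket held. An fexit BPF_PROG receives the traced function's arguments followed by its return value; assuming the kernel signature is (sk, uaddr, addr_len), the program could declare them plus `int ret` and start with `if (ret != 0) return 0;`. udp_v4_connect in the hunk at -123 needs the same guard. The new comment also still reads `Fentry(function enter)` although the section is `fexit/ip6_datagram_connect`; it should say `Fexit(function exit)`. The function body continues outside the hunk.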
@@ -187,8 +187,8 @@ int BPF_PROG(udpv6_sendmsg, struct sock *sk) {
 udp_info->pid = __builtin_bswap32((u32)bpf_get_current_pid_tgid());
 // Set src and dist ports
- udp_info->dport = sk->__sk_common.skc_dport;
 udp_info->sport = sk->__sk_common.skc_num;
+ udp_info->dport = sk->__sk_common.skc_dport;
 // Set src and dist IPs
 for(int i = 0; i < 4; i++) {
diff --git a/firewall/interception/ebpf/worker.go b/firewall/interception/ebpf/worker.go
index c9de3c2e..b1798315 100644
--- a/firewall/interception/ebpf/worker.go
+++ b/firewall/interception/ebpf/worker.go
@@ -33,31 +33,40 @@ func StartEBPFWorker(ch chan packet.Packet) {
 defer objs.Close()
 // Create a link to the tcp_v4_connect program.
- linkv4, err := link.AttachTracing(link.TracingOptions{
+ linkTCPIPv4, err := link.AttachTracing(link.TracingOptions{
 Program: objs.bpfPrograms.TcpV4Connect,
 })
 if err != nil {
 log.Errorf("ebpf: failed to attach to tcp_v4_connect: %s ", err)
 }
- defer linkv4.Close()
+ defer linkTCPIPv4.Close()
 // Create a link to the tcp_v6_connect program.
- linkv6, err := link.AttachTracing(link.TracingOptions{
+ linkTCPIPv6, err := link.AttachTracing(link.TracingOptions{
 Program: objs.bpfPrograms.TcpV6Connect,
 })
 if err != nil {
 log.Errorf("ebpf: failed to attach to tcp_v6_connect: %s ", err)
 }
- defer linkv6.Close()
- // Create a link to the tcp_v6_connect program.
- linkudp, err := link.AttachTracing(link.TracingOptions{
- Program: objs.bpfPrograms.UdpSendmsg,
+ defer linkTCPIPv6.Close()
+ // Create a link to the udp_v4_connect program.
+ linkUDPV4, err := link.AttachTracing(link.TracingOptions{
+ Program: objs.bpfPrograms.UdpV4Connect,
 })
 if err != nil {
- log.Errorf("ebpf: failed to attach to udp_sendmsg: %s ", err)
+ log.Errorf("ebpf: failed to attach to udp_v4_connect: %s ", err)
 }
- defer linkudp.Close()
+ defer linkUDPV4.Close()
+
+ // Create a link to the udp_v6_connect program.
+ linkUDPV6, err := link.AttachTracing(link.TracingOptions{
+ Program: objs.bpfPrograms.UdpV6Connect,
+ })
+ if err != nil {
+ log.Errorf("ebpf: failed to attach to udp_v6_connect: %s ", err)
+ }
+ defer linkUDPV6.Close()
 rd, err := ringbuf.NewReader(objs.bpfMaps.Events)
 if err != nil {
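Review bot: The new `defer linkUDPV4.Close()` and `defer linkUDPV6.Close()` run even when `link.AttachTracing` failed, because the error branch only logs; the returned link is then presumably nil and the deferred call would panic instead of leaving the worker running without that probe. Attach can fail at runtime, for example if the traced function is not available on the running kernel, so this path is reachable. Either return after logging, or register the close only on success, e.g. `if err == nil { defer linkUDPV6.Close() }`. The two TCP links earlier in the hunk follow the same pattern, and StartEBPFWorker begins and ends outside the hunk.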
@@ -103,7 +112,7 @@ func StartEBPFWorker(ch chan packet.Packet) {
 Dst: arrayToIP(event.Daddr, packet.IPVersion(event.IpVersion)),
 PID: event.Pid,
 }
- log.Debugf("ebpf: PID: %d conn: %s:%d -> %s:%d %s %s", info.PID, info.LocalIP(), info.LocalPort(), info.RemoteIP(), info.LocalPort(), info.Version.String(), info.Protocol.String())
+ log.Debugf("ebpf: PID: %d conn: %s:%d -> %s:%d %s %s", info.PID, info.LocalIP(), info.LocalPort(), info.RemoteIP(), info.RemotePort(), info.Version.String(), info.Protocol.String())
 p := &infoPacket{}
 p.SetPacketInfo(info)