From cb242e2948e06c445d1d9670d8ae5a79decb9017 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Sun, 1 Sep 2024 20:12:05 +0000 Subject: [PATCH 1/7] added fix to incorrect waitpid exit check in zfw.c and zfw_tunnel_wrapper.c --- src/zfw.c | 26 +++++--------------------- src/zfw_tunnel_wrapper.c | 10 +++++----- 2 files changed, 10 insertions(+), 26 deletions(-) diff --git a/src/zfw.c b/src/zfw.c index ded555a..b90cb4b 100644 --- a/src/zfw.c +++ b/src/zfw.c @@ -560,22 +560,11 @@ void set_tc(char *action) else { int status = 0; - if (waitpid(pid, &status, 0) > 0) + if(!(waitpid(pid, &status, 0) < 0)) { - if (WIFEXITED(status) && !WEXITSTATUS(status)) + if(!(WIFEXITED(status) && !WEXITSTATUS(status))) { - printf("tc parent %s : %s\n", action, tc_interface); - } - else - { - if (!strcmp("add", action)) - { - printf("tc parent already exists : %s\n", tc_interface); - } - else - { - printf("tc parent does not exist : %s\n", tc_interface); - } + printf("could not set tc parent %s : %s\n", action, tc_interface); } } } @@ -626,18 +615,13 @@ void set_tc_filter(char *action) else { int status = 0; - if (!(waitpid(pid, &status, 0) > 0)) + if(!(waitpid(pid, &status, 0) < 0)) { - if (WIFEXITED(status) && !WEXITSTATUS(status)) + if(!(WIFEXITED(status) && !WEXITSTATUS(status))) { printf("tc %s filter not set : %s\n", direction_string, tc_interface); } } - if (status) - { - printf("tc %s filter action/%d not set : %s\n", direction_string, x, tc_interface); - close_maps(1); - } } } } diff --git a/src/zfw_tunnel_wrapper.c b/src/zfw_tunnel_wrapper.c index e8c89bb..4355a8d 100644 --- a/src/zfw_tunnel_wrapper.c +++ b/src/zfw_tunnel_wrapper.c @@ -843,7 +843,7 @@ void bind_route(struct in_addr *address, unsigned short mask) printf("execv error: unknown error binding route"); }else{ int status =0; - if(!(waitpid(pid, &status, 0) > 0)){ + if(!(waitpid(pid, &status, 0) < 0)){ if(WIFEXITED(status) && !WEXITSTATUS(status)){ printf("bound %s to dev lo\n", cidr_block); } @@ -870,7 +870,7 @@ void unbind_route_loopback(struct in_addr *address, unsigned short mask) printf("execv error: unknown error unbinding route"); }else{ int status =0; - if(!(waitpid(pid, &status, 0) > 0)){ + if(!(waitpid(pid, &status, 0) < 0)){ if(WIFEXITED(status) && !WEXITSTATUS(status)){ printf("unbound %s from dev lo\n", cidr_block); } @@ -897,7 +897,7 @@ void unbind_route(struct in_addr *address, unsigned short mask, char *dev) printf("execv error: unknown error unbinding route"); }else{ int status =0; - if(!(waitpid(pid, &status, 0) > 0)){ + if(!(waitpid(pid, &status, 0) < 0)){ if(WIFEXITED(status) && !WEXITSTATUS(status)){ printf("unbound %s from dev %s\n", cidr_block, dev); } @@ -1025,7 +1025,7 @@ void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *proto printf("execv error: unknown error binding\n"); }else{ int status =0; - if(!(waitpid(pid, &status, 0) > 0)){ + if(!(waitpid(pid, &status, 0) < 0)){ if(WIFEXITED(status) && !WEXITSTATUS(status)){ printf("zfw %s action for : %s set\n", action, ip); } @@ -1043,7 +1043,7 @@ bool check_diag(){ printf("execv error: unknown error binding\n"); }else{ int status =0; - if(!(waitpid(pid, &status, 0) > 0)){ + if(!(waitpid(pid, &status, 0) < 0)){ if(WIFEXITED(status) && !WEXITSTATUS(status)){ printf("Diag Interface Listed!\n"); return false; From 65fa13b9b692c791286daf8fb03cecacff4a8ddc Mon Sep 17 00:00:00 2001 From: r-caamano Date: Mon, 2 Sep 2024 15:16:06 +0000 Subject: [PATCH 2/7] Updated CHANGELOG, README and version #s --- CHANGELOG.md | 6 ++++++ README.md | 2 +- src/zfw.c | 2 +- src/zfw_monitor.c | 2 +- 4 files changed, 9 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5ed7296..6b1d15b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- +### +# [0.8.16] - 2024-09-02 +- Fixed incorrect waitpid success/failure conditional checks in zfw.c and zfw_tunnel_wrapper.c. This did not cause an operational issue but would not + report correctly in case system call failures. +- Updated README with latest ```zfw -Q``` printout. + ### # [0.8.15] - 2024-08-26 - Refactored all startup scripts to default InternalInterfaces to have outbound tracking enabled diff --git a/README.md b/README.md index fe63b9a..5989b8d 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ This function requires that both ingress and egress TC filters are enabled on ou static PAT. Note: When running on later kernels i.e. 6+ some older network hardware may not work with ebpf Dynamic PAT. ### Explicit Deny Rules -This feature adds the ability to enter explicit deny rules by appending ```-d, --disable to the -I, --insert rule``` to both ingress and egress rules. Rule precedence is based on longest match prefix. If the prefix is the same then the precedence follows the order entry of the rules, which when listed will go from top to bottom for ports with in the same prefix e.g. +This feature adds the ability to enter explicit deny rules by appending ```-d, --disable``` to the ```-I, --insert rule``` to either ingress or egress rules. Rule precedence is based on longest match prefix. If the prefix is the same then the precedence follows the order entry of the rules, which when listed will go from top to bottom for ports with in the same prefix e.g. If you wanted to allow all tcp 443 traffic outbound except to 10.1.0.0/16 you would enter the following egress rules: diff --git a/src/zfw.c b/src/zfw.c index b90cb4b..32deec3 100644 --- a/src/zfw.c +++ b/src/zfw.c @@ -246,7 +246,7 @@ char *direction_string; char *masq_interface; char check_alt[IF_NAMESIZE]; -const char *argp_program_version = "0.8.15"; +const char *argp_program_version = "0.8.16"; struct ring_buffer *ring_buffer; __u32 if_list[MAX_IF_LIST_ENTRIES]; diff --git a/src/zfw_monitor.c b/src/zfw_monitor.c index 9d9806d..3f3b629 100644 --- a/src/zfw_monitor.c +++ b/src/zfw_monitor.c @@ -85,7 +85,7 @@ char check_alt[IF_NAMESIZE]; char doc[] = "zfw_monitor -- ebpf firewall monitor tool"; const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map"; const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map"; -const char *argp_program_version = "0.8.15"; +const char *argp_program_version = "0.8.16"; union bpf_attr rb_map; int rb_fd = -1; From 276cf2c7e771df58cd8cf70b2c26b7a1853fc9f4 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Mon, 2 Sep 2024 15:16:51 +0000 Subject: [PATCH 3/7] Updated CHANGELOG, README and version #s --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5989b8d..b23436b 100644 --- a/README.md +++ b/README.md @@ -745,7 +745,6 @@ Example: Remove all tc-ebpf on router sudo zfw --disable-ebpf ``` ``` -tc parent del : ens33 removing /sys/fs/bpf/tc/globals/zt_tproxy_map removing /sys/fs/bpf/tc/globals/diag_map removing /sys/fs/bpf/tc/globals/ifindex_ip_map @@ -780,6 +779,9 @@ removing /sys/fs/bpf/tc//globals/egress_matched_map removing /sys/fs/bpf/tc/globals/udp_ingress_map removing /sys/fs/bpf/tc/globals/tcp_ingress_map removing /sys/fs/bpf/tc/globals/masquerade_map +removing /sys/fs/bpf/tc/globals/icmp_masquerade_map +removing /sys/fs/bpf/tc/globals/icmp_echo_map +removing /sys/fs/bpf/tc/globals/masquerade_reverse_map ``` From 8c97b871c1bb0523fa6c393eaa92bc2115745abb Mon Sep 17 00:00:00 2001 From: r-caamano Date: Thu, 5 Sep 2024 02:08:38 +0000 Subject: [PATCH 4/7] Reverting to static PAT for udp DNS --- CHANGELOG.md | 2 ++ src/zfw_tc_ingress.c | 32 ++++++++++--------- src/zfw_tc_outbound_track.c | 62 +++++++++++++++++++++---------------- 3 files changed, 55 insertions(+), 41 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b1d15b..2539c69 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,8 @@ All notable changes to this project will be documented in this file. The format - Fixed incorrect waitpid success/failure conditional checks in zfw.c and zfw_tunnel_wrapper.c. This did not cause an operational issue but would not report correctly in case system call failures. - Updated README with latest ```zfw -Q``` printout. +- Reverting to static PAT masquerade for DNS due to random udp checksum calculation failures that seem to only affect DNS. Will re-add back when a solution + is found. ### # [0.8.15] - 2024-08-26 diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c index 97af5a4..b368bc9 100644 --- a/src/zfw_tc_ingress.c +++ b/src/zfw_tc_ingress.c @@ -2138,22 +2138,26 @@ int bpf_sk_splice(struct __sk_buff *skb){ if ((unsigned long)(udph + 1) > (unsigned long)skb->data_end){ return TC_ACT_SHOT; } - udph->dest = mv->o_sport; - bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), mk.sport , mv->o_sport, flags | 2); - iph = (struct iphdr *)(skb->data + sizeof(*eth)); - if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){ - return TC_ACT_SHOT; - } - tuple = (struct bpf_sock_tuple *)(void*)(long)&iph->saddr; - if(!tuple){ - return TC_ACT_SHOT; - } - tuple_len = sizeof(tuple->ipv4); - if ((unsigned long)tuple + tuple_len > (unsigned long)skb->data_end){ - return TC_ACT_SHOT; + if(udph->dest != mv->o_sport){ + udph->dest = mv->o_sport; + bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), mk.sport , mv->o_sport, flags | 2); + iph = (struct iphdr *)(skb->data + sizeof(*eth)); + if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){ + return TC_ACT_SHOT; + } + tuple = (struct bpf_sock_tuple *)(void*)(long)&iph->saddr; + if(!tuple){ + return TC_ACT_SHOT; + } + tuple_len = sizeof(tuple->ipv4); + if ((unsigned long)tuple + tuple_len > (unsigned long)skb->data_end){ + return TC_ACT_SHOT; + } } }else{ - udph->dest = mv->o_sport; + if(udph->dest != mv->o_sport){ + udph->dest = mv->o_sport; + } } } } diff --git a/src/zfw_tc_outbound_track.c b/src/zfw_tc_outbound_track.c index 226e6ff..4ac2a98 100644 --- a/src/zfw_tc_outbound_track.c +++ b/src/zfw_tc_outbound_track.c @@ -2573,20 +2573,24 @@ int bpf_sk_splice6(struct __sk_buff *skb){ revk.protocol = IPPROTO_UDP; revk.ifindex = skb->ifindex; __u16 rand_source_port = 0; - struct masq_value *revv = get_reverse_masquerade(revk); - if(revv){ - rand_source_port = revv->o_sport; - } - else{ - rand_source_port = bpf_htons(1024 + bpf_get_prandom_u32() % (65535 -1023)); - struct masq_value rev_new_val = {0}; - rev_new_val.o_sport = rand_source_port; - rev_new_val.__in46_u_origin.ip = 0; - insert_reverse_masquerade(rev_new_val,revk); - if(local_diag->verbose){ - event.tracking_code = REVERSE_MASQUERADE_ENTRY_ADDED; - send_event(&event); + if(tuple->ipv4.dport != bpf_ntohs(53)){ + struct masq_value *revv = get_reverse_masquerade(revk); + if(revv){ + rand_source_port = revv->o_sport; } + else{ + rand_source_port = bpf_htons(1024 + bpf_get_prandom_u32() % (65535 -1023)); + struct masq_value rev_new_val = {0}; + rev_new_val.o_sport = rand_source_port; + rev_new_val.__in46_u_origin.ip = 0; + insert_reverse_masquerade(rev_new_val,revk); + if(local_diag->verbose){ + event.tracking_code = REVERSE_MASQUERADE_ENTRY_ADDED; + send_event(&event); + } + } + }else{ + rand_source_port = tuple->ipv4.sport; } __u32 l3_sum = bpf_csum_diff((__u32 *)&tuple->ipv4.saddr, sizeof(tuple->ipv4.saddr), (__u32 *)&local_ip4->ipaddr[0], sizeof(local_ip4->ipaddr[0]), 0); struct masq_value mv = {0}; @@ -2647,22 +2651,26 @@ int bpf_sk_splice6(struct __sk_buff *skb){ if ((unsigned long)(udph + 1) > (unsigned long)skb->data_end){ return TC_ACT_SHOT; } - udph->source = rand_source_port; - bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), mv.o_sport , rand_source_port, flags | 2); - iph = (struct iphdr *)(skb->data + sizeof(*eth)); - if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){ - return TC_ACT_SHOT; - } - tuple = (struct bpf_sock_tuple *)(void*)(long)&iph->saddr; - if(!tuple){ - return TC_ACT_SHOT; + if(rand_source_port != udph->source){ + udph->source = rand_source_port; + bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), mv.o_sport , rand_source_port, flags | 2); + iph = (struct iphdr *)(skb->data + sizeof(*eth)); + if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){ + return TC_ACT_SHOT; + } + tuple = (struct bpf_sock_tuple *)(void*)(long)&iph->saddr; + if(!tuple){ + return TC_ACT_SHOT; + } + tuple_len = sizeof(tuple->ipv4); + if ((unsigned long)tuple + tuple_len > (unsigned long)skb->data_end){ + return TC_ACT_SHOT; + } } - tuple_len = sizeof(tuple->ipv4); - if ((unsigned long)tuple + tuple_len > (unsigned long)skb->data_end){ - return TC_ACT_SHOT; - } }else{ - udph->source = rand_source_port; + if(rand_source_port != udph->source){ + udph->source = rand_source_port; + } } } struct udp_state *ustate = get_udp(udp_state_key); From 8f81a04536f363b70a117f4660af55dba3892bea Mon Sep 17 00:00:00 2001 From: r-caamano Date: Thu, 5 Sep 2024 02:29:11 +0000 Subject: [PATCH 5/7] refactored dns PAT bypass --- src/zfw_tc_outbound_track.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/zfw_tc_outbound_track.c b/src/zfw_tc_outbound_track.c index 4ac2a98..3f33df7 100644 --- a/src/zfw_tc_outbound_track.c +++ b/src/zfw_tc_outbound_track.c @@ -2573,13 +2573,18 @@ int bpf_sk_splice6(struct __sk_buff *skb){ revk.protocol = IPPROTO_UDP; revk.ifindex = skb->ifindex; __u16 rand_source_port = 0; - if(tuple->ipv4.dport != bpf_ntohs(53)){ + struct masq_value *revv = get_reverse_masquerade(revk); if(revv){ rand_source_port = revv->o_sport; } else{ - rand_source_port = bpf_htons(1024 + bpf_get_prandom_u32() % (65535 -1023)); + if(tuple->ipv4.dport != bpf_ntohs(53)){ + rand_source_port = bpf_htons(1024 + bpf_get_prandom_u32() % (65535 -1023)); + } + else{ + rand_source_port = tuple->ipv4.sport; + } struct masq_value rev_new_val = {0}; rev_new_val.o_sport = rand_source_port; rev_new_val.__in46_u_origin.ip = 0; @@ -2589,9 +2594,7 @@ int bpf_sk_splice6(struct __sk_buff *skb){ send_event(&event); } } - }else{ - rand_source_port = tuple->ipv4.sport; - } + __u32 l3_sum = bpf_csum_diff((__u32 *)&tuple->ipv4.saddr, sizeof(tuple->ipv4.saddr), (__u32 *)&local_ip4->ipaddr[0], sizeof(local_ip4->ipaddr[0]), 0); struct masq_value mv = {0}; struct masq_key mk = {0}; From cc54233c228ead9fbd13932f3693a69c85689316 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Thu, 5 Sep 2024 17:32:11 +0000 Subject: [PATCH 6/7] Removed reversion of DNS to static PAT and made changes to both udp and tcp csum calculations on both ingress and egress --- CHANGELOG.md | 2 -- src/zfw_tc_ingress.c | 36 +++++++++---------- src/zfw_tc_outbound_track.c | 71 ++++++++++++++++--------------------- 3 files changed, 46 insertions(+), 63 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2539c69..6b1d15b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,8 +8,6 @@ All notable changes to this project will be documented in this file. The format - Fixed incorrect waitpid success/failure conditional checks in zfw.c and zfw_tunnel_wrapper.c. This did not cause an operational issue but would not report correctly in case system call failures. - Updated README with latest ```zfw -Q``` printout. -- Reverting to static PAT masquerade for DNS due to random udp checksum calculation failures that seem to only affect DNS. Will re-add back when a solution - is found. ### # [0.8.15] - 2024-08-26 diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c index b368bc9..87a5307 100644 --- a/src/zfw_tc_ingress.c +++ b/src/zfw_tc_ingress.c @@ -1897,7 +1897,7 @@ int bpf_sk_splice(struct __sk_buff *skb){ } /*Calculate l4 Checksum*/ int flags = BPF_F_PSEUDO_HDR; - bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct tcphdr, check), local_ip4->ipaddr[0] ,mv->__in46_u_origin.ip, flags | 4); + bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct tcphdr, check), 0, l3_sum, flags); iph = (struct iphdr *)(skb->data + sizeof(*eth)); if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){ return TC_ACT_SHOT; @@ -2121,7 +2121,7 @@ int bpf_sk_splice(struct __sk_buff *skb){ /*Calculate l4 Checksum*/ if(udph->check != 0){ int flags = BPF_F_PSEUDO_HDR; - bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check),local_ip4->ipaddr[0], iph->daddr, flags | 4); + bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), 0, l3_sum, flags); iph = (struct iphdr *)(skb->data + sizeof(*eth)); if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){ return TC_ACT_SHOT; @@ -2138,26 +2138,22 @@ int bpf_sk_splice(struct __sk_buff *skb){ if ((unsigned long)(udph + 1) > (unsigned long)skb->data_end){ return TC_ACT_SHOT; } - if(udph->dest != mv->o_sport){ - udph->dest = mv->o_sport; - bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), mk.sport , mv->o_sport, flags | 2); - iph = (struct iphdr *)(skb->data + sizeof(*eth)); - if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){ - return TC_ACT_SHOT; - } - tuple = (struct bpf_sock_tuple *)(void*)(long)&iph->saddr; - if(!tuple){ - return TC_ACT_SHOT; - } - tuple_len = sizeof(tuple->ipv4); - if ((unsigned long)tuple + tuple_len > (unsigned long)skb->data_end){ - return TC_ACT_SHOT; - } + udph->dest = mv->o_sport; + bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), mk.sport , mv->o_sport, flags | 2); + iph = (struct iphdr *)(skb->data + sizeof(*eth)); + if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){ + return TC_ACT_SHOT; } - }else{ - if(udph->dest != mv->o_sport){ - udph->dest = mv->o_sport; + tuple = (struct bpf_sock_tuple *)(void*)(long)&iph->saddr; + if(!tuple){ + return TC_ACT_SHOT; } + tuple_len = sizeof(tuple->ipv4); + if ((unsigned long)tuple + tuple_len > (unsigned long)skb->data_end){ + return TC_ACT_SHOT; + } + }else{ + udph->dest = mv->o_sport; } } } diff --git a/src/zfw_tc_outbound_track.c b/src/zfw_tc_outbound_track.c index 3f33df7..8c58084 100644 --- a/src/zfw_tc_outbound_track.c +++ b/src/zfw_tc_outbound_track.c @@ -2374,7 +2374,7 @@ int bpf_sk_splice6(struct __sk_buff *skb){ } /*Calculate l4 Checksum*/ int flags = BPF_F_PSEUDO_HDR; - bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct tcphdr, check), mv.__in46_u_origin.ip ,local_ip4->ipaddr[0], flags | 4); + bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct tcphdr, check), 0, l3_sum, flags); iph = (struct iphdr *)(skb->data + sizeof(*eth)); if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){ return TC_ACT_SHOT; @@ -2573,28 +2573,21 @@ int bpf_sk_splice6(struct __sk_buff *skb){ revk.protocol = IPPROTO_UDP; revk.ifindex = skb->ifindex; __u16 rand_source_port = 0; - - struct masq_value *revv = get_reverse_masquerade(revk); - if(revv){ - rand_source_port = revv->o_sport; - } - else{ - if(tuple->ipv4.dport != bpf_ntohs(53)){ - rand_source_port = bpf_htons(1024 + bpf_get_prandom_u32() % (65535 -1023)); - } - else{ - rand_source_port = tuple->ipv4.sport; - } - struct masq_value rev_new_val = {0}; - rev_new_val.o_sport = rand_source_port; - rev_new_val.__in46_u_origin.ip = 0; - insert_reverse_masquerade(rev_new_val,revk); - if(local_diag->verbose){ - event.tracking_code = REVERSE_MASQUERADE_ENTRY_ADDED; - send_event(&event); - } + struct masq_value *revv = get_reverse_masquerade(revk); + if(revv){ + rand_source_port = revv->o_sport; + } + else{ + rand_source_port = bpf_htons(1024 + bpf_get_prandom_u32() % (65535 -1023)); + struct masq_value rev_new_val = {0}; + rev_new_val.o_sport = rand_source_port; + rev_new_val.__in46_u_origin.ip = 0; + insert_reverse_masquerade(rev_new_val,revk); + if(local_diag->verbose){ + event.tracking_code = REVERSE_MASQUERADE_ENTRY_ADDED; + send_event(&event); } - + } __u32 l3_sum = bpf_csum_diff((__u32 *)&tuple->ipv4.saddr, sizeof(tuple->ipv4.saddr), (__u32 *)&local_ip4->ipaddr[0], sizeof(local_ip4->ipaddr[0]), 0); struct masq_value mv = {0}; struct masq_key mk = {0}; @@ -2637,7 +2630,7 @@ int bpf_sk_splice6(struct __sk_buff *skb){ /*Calculate l4 Checksum if checksum not equal to zero*/ if(udph->check != 0){ int flags = BPF_F_PSEUDO_HDR; - bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), mv.__in46_u_origin.ip, iph->saddr, flags | 4); + bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), 0, l3_sum, flags); iph = (struct iphdr *)(skb->data + sizeof(*eth)); if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){ return TC_ACT_SHOT; @@ -2654,26 +2647,22 @@ int bpf_sk_splice6(struct __sk_buff *skb){ if ((unsigned long)(udph + 1) > (unsigned long)skb->data_end){ return TC_ACT_SHOT; } - if(rand_source_port != udph->source){ - udph->source = rand_source_port; - bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), mv.o_sport , rand_source_port, flags | 2); - iph = (struct iphdr *)(skb->data + sizeof(*eth)); - if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){ - return TC_ACT_SHOT; - } - tuple = (struct bpf_sock_tuple *)(void*)(long)&iph->saddr; - if(!tuple){ - return TC_ACT_SHOT; - } - tuple_len = sizeof(tuple->ipv4); - if ((unsigned long)tuple + tuple_len > (unsigned long)skb->data_end){ - return TC_ACT_SHOT; - } + udph->source = rand_source_port; + bpf_l4_csum_replace(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + offsetof(struct udphdr, check), mv.o_sport , rand_source_port, flags | 2); + iph = (struct iphdr *)(skb->data + sizeof(*eth)); + if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){ + return TC_ACT_SHOT; } - }else{ - if(rand_source_port != udph->source){ - udph->source = rand_source_port; + tuple = (struct bpf_sock_tuple *)(void*)(long)&iph->saddr; + if(!tuple){ + return TC_ACT_SHOT; } + tuple_len = sizeof(tuple->ipv4); + if ((unsigned long)tuple + tuple_len > (unsigned long)skb->data_end){ + return TC_ACT_SHOT; + } + }else{ + udph->source = rand_source_port; } } struct udp_state *ustate = get_udp(udp_state_key); From 4364a5e9ea317162872b8b1ccbde2f6da5b5ee21 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Thu, 5 Sep 2024 19:28:43 +0000 Subject: [PATCH 7/7] refactored csum calc for both tcp and udp --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b1d15b..12f9b54 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ All notable changes to this project will be documented in this file. The format # [0.8.16] - 2024-09-02 - Fixed incorrect waitpid success/failure conditional checks in zfw.c and zfw_tunnel_wrapper.c. This did not cause an operational issue but would not report correctly in case system call failures. +- Refactored csum calc for both ipv4 tcp / udp. - Updated README with latest ```zfw -Q``` printout. ###