Added logging for IPv4 Masquerade, updated CHANGELOG
r-caamano committed Aug 28, 2024
1 parent 3b6b8c3 commit 79147e6
Showing 5 changed files with 171 additions and 20 deletions.
4 changes: 3 additions & 1 deletion CHANGELOG.md
Expand Up @@ -6,7 +6,9 @@ All notable changes to this project will be documented in this file. The format
###
# [0.8.15] - 2024-08-26
- Refactored all startup scripts to default InternalInterfaces to have outbound tracking enabled
- Refactored masquerade to use dynamic PAT vs static PAT
- Refactored IPv4 masquerade to use dynamic PAT vs static PAT and added RB logging
- Fixed issue where if IPv4 udp checksum was 0 masquerade erroneously attempted to recalculate the checksum



###
36 changes: 36 additions & 0 deletions src/zfw.c
Expand Up @@ -93,6 +93,10 @@
#define CLIENT_INITIATED_ICMP_ECHO 29
#define IP6_HEADER_TOO_BIG 30
#define IPV6_TUPLE_TOO_BIG 31
#define REVERSE_MASQUERADE_ENTRY_REMOVED 32
#define MASQUERADE_ENTRY_REMOVED 33
#define REVERSE_MASQUERADE_ENTRY_ADDED 34
#define MASQUERADE_ENTRY_ADDED 35

bool ddos = false;
bool add = false;
Expand Down Expand Up @@ -3110,6 +3114,22 @@ static int process_events(void *ctx, void *data, size_t len)
{
state = "MATCHED_DROP_FILTER";
}
else if (code == REVERSE_MASQUERADE_ENTRY_ADDED)
{
state = "REVERSE_MASQUERADE_ENTRY_ADDED";
}
else if (code == REVERSE_MASQUERADE_ENTRY_REMOVED)
{
state = "REVERSE_MASQUERADE_ENTRY_REMOVED";
}
else if (code == MASQUERADE_ENTRY_ADDED)
{
state = "MASQUERADE_ENTRY_ADDED";
}
else if (code == MASQUERADE_ENTRY_REMOVED)
{
state = "MASQUERADE_ENTRY_REMOVED";
}

if (state)
{
Expand Down Expand Up @@ -3448,6 +3468,22 @@ static int process_events(void *ctx, void *data, size_t len)
{
state = "MATCHED_DROP_FILTER";
}
else if (code == REVERSE_MASQUERADE_ENTRY_ADDED)
{
state = "REVERSE_MASQUERADE_ENTRY_ADDED";
}
else if (code == REVERSE_MASQUERADE_ENTRY_REMOVED)
{
state = "REVERSE_MASQUERADE_ENTRY_REMOVED";
}
else if (code == MASQUERADE_ENTRY_ADDED)
{
state = "MASQUERADE_ENTRY_ADDED";
}
else if (code == MASQUERADE_ENTRY_REMOVED)
{
state = "MASQUERADE_ENTRY_REMOVED";
}


if (state)
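Review bot: The four new `else if (code == …)` arms in both hunks of process_events repeat a code-to-string mapping that now exists twice in this file and twice more in src/zfw_monitor.c, and the matching `#define` list is pasted into five files (src/zfw_tc_ingress.c carries only 32 and 33), so every future tracking code has to be added in four if-chains and five define lists that nothing keeps in step. A single `static const char *const tracking_code_name[]` indexed by code with a bounds check, or one helper with a `switch`, would make the mapping a one-line change, and the codes belong in one header shared by the userspace tools and the BPF programs so the numbering cannot drift between them. process_events starts and ends outside both hunks.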
36 changes: 36 additions & 0 deletions src/zfw_monitor.c
Expand Up @@ -70,6 +70,10 @@
#define CLIENT_INITIATED_ICMP_ECHO 29
#define IP6_HEADER_TOO_BIG 30
#define IPV6_TUPLE_TOO_BIG 31
#define REVERSE_MASQUERADE_ENTRY_REMOVED 32
#define MASQUERADE_ENTRY_REMOVED 33
#define REVERSE_MASQUERADE_ENTRY_ADDED 34
#define MASQUERADE_ENTRY_ADDED 35

bool logging = false;
bool monitor = false;
Expand Down Expand Up @@ -510,6 +514,22 @@ static int process_events(void *ctx, void *data, size_t len)
{
state = "MATCHED_DROP_FILTER";
}
else if (code == REVERSE_MASQUERADE_ENTRY_ADDED)
{
state = "REVERSE_MASQUERADE_ENTRY_ADDED";
}
else if (code == REVERSE_MASQUERADE_ENTRY_REMOVED)
{
state = "REVERSE_MASQUERADE_ENTRY_REMOVED";
}
else if (code == MASQUERADE_ENTRY_ADDED)
{
state = "MASQUERADE_ENTRY_ADDED";
}
else if (code == MASQUERADE_ENTRY_REMOVED)
{
state = "MASQUERADE_ENTRY_REMOVED";
}

if (state)
{
Expand Down Expand Up @@ -848,6 +868,22 @@ static int process_events(void *ctx, void *data, size_t len)
{
state = "MATCHED_DROP_FILTER";
}
else if (code == REVERSE_MASQUERADE_ENTRY_ADDED)
{
state = "REVERSE_MASQUERADE_ENTRY_ADDED";
}
else if (code == REVERSE_MASQUERADE_ENTRY_REMOVED)
{
state = "REVERSE_MASQUERADE_ENTRY_REMOVED";
}
else if (code == MASQUERADE_ENTRY_ADDED)
{
state = "MASQUERADE_ENTRY_ADDED";
}
else if (code == MASQUERADE_ENTRY_REMOVED)
{
state = "MASQUERADE_ENTRY_REMOVED";
}


if (state)
51 changes: 38 additions & 13 deletions src/zfw_tc_ingress.c
Expand Up @@ -78,6 +78,8 @@
#define ICMP_MATCHED_ACTIVE_STATE 28
#define IP6_HEADER_TOO_BIG 30
#define IPV6_TUPLE_TOO_BIG 31
#define REVERSE_MASQUERADE_ENTRY_REMOVED 32
#define MASQUERADE_ENTRY_REMOVED 33
#ifndef memcpy
#define memcpy(dest, src, n) __builtin_memcpy((dest), (src), (n))
#endif
Expand Down Expand Up @@ -1964,11 +1966,11 @@ int bpf_sk_splice(struct __sk_buff *skb){
else if(tcph->rst){
if(local_diag->masquerade){
struct masq_reverse_key rk = {0};
rk.dport = tcp_state_key.sport;
rk.sport = tcp_state_key.dport;
rk.dport = tcp_state_key.dport;
rk.sport = tcp_state_key.sport;
rk.ifindex = event.ifindex;
rk.__in46_u_dest.ip = tcp_state_key.__in46_u_src.ip;
rk.__in46_u_src.ip = tcp_state_key.__in46_u_dst.ip;
rk.__in46_u_dest.ip = tcp_state_key.__in46_u_dst.ip;
rk.__in46_u_src.ip = tcp_state_key.__in46_u_src.ip;
rk.protocol = IPPROTO_TCP;
struct masq_value *rv = get_reverse_masquerade(rk);
if(rv){
Expand All @@ -1979,8 +1981,16 @@ int bpf_sk_splice(struct __sk_buff *skb){
mk.ifindex = event.ifindex;
mk.protocol = IPPROTO_TCP;
del_masq(mk);
if(local_diag->verbose){
event.tracking_code = MASQUERADE_ENTRY_REMOVED;
send_event(&event);
}
}
del_reverse_masq(rk);
if(local_diag->verbose){
event.tracking_code = REVERSE_MASQUERADE_ENTRY_REMOVED;
send_event(&event);
}
}
del_tcp(tcp_state_key);
tstate = get_tcp(tcp_state_key);
Expand All @@ -1996,11 +2006,11 @@ int bpf_sk_splice(struct __sk_buff *skb){
if((tstate->est) && (tstate->sfin == 1) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){
if(local_diag->masquerade){
struct masq_reverse_key rk = {0};
rk.dport = tcp_state_key.sport;
rk.sport = tcp_state_key.dport;
rk.dport = tcp_state_key.dport;
rk.sport = tcp_state_key.sport;
rk.ifindex = event.ifindex;
rk.__in46_u_dest.ip = tcp_state_key.__in46_u_src.ip;
rk.__in46_u_src.ip = tcp_state_key.__in46_u_dst.ip;
rk.__in46_u_dest.ip = tcp_state_key.__in46_u_dst.ip;
rk.__in46_u_src.ip = tcp_state_key.__in46_u_src.ip;
rk.protocol = IPPROTO_TCP;
struct masq_value *rv = get_reverse_masquerade(rk);
if(rv){
Expand All @@ -2011,8 +2021,16 @@ int bpf_sk_splice(struct __sk_buff *skb){
mk.ifindex = event.ifindex;
mk.protocol = IPPROTO_TCP;
del_masq(mk);
if(local_diag->verbose){
event.tracking_code = MASQUERADE_ENTRY_REMOVED;
send_event(&event);
}
}
del_reverse_masq(rk);
if(local_diag->verbose){
event.tracking_code = REVERSE_MASQUERADE_ENTRY_REMOVED;
send_event(&event);
}
}
del_tcp(tcp_state_key);
tstate = get_tcp(tcp_state_key);
Expand All @@ -2022,7 +2040,6 @@ int bpf_sk_splice(struct __sk_buff *skb){
send_event(&event);
}
}

}
else if((tstate->est) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){
tstate->sfack = 1;
Expand Down Expand Up @@ -2159,11 +2176,11 @@ int bpf_sk_splice(struct __sk_buff *skb){
return TC_ACT_SHOT;
}
struct masq_reverse_key rk = {0};
rk.dport = udp_state_key.sport;
rk.sport = udp_state_key.dport;
rk.dport = udp_state_key.dport;
rk.sport = udp_state_key.sport;
rk.ifindex = event.ifindex;
rk.__in46_u_dest.ip = udp_state_key.__in46_u_src.ip;
rk.__in46_u_src.ip = udp_state_key.__in46_u_dst.ip;
rk.__in46_u_dest.ip = udp_state_key.__in46_u_dst.ip;
rk.__in46_u_src.ip = udp_state_key.__in46_u_src.ip;
rk.protocol = IPPROTO_UDP;
struct masq_value *rv = get_reverse_masquerade(rk);
if(rv){
Expand All @@ -2174,8 +2191,16 @@ int bpf_sk_splice(struct __sk_buff *skb){
mk.ifindex = event.ifindex;
mk.protocol = IPPROTO_UDP;
del_masq(mk);
if(local_diag->verbose){
event.tracking_code = MASQUERADE_ENTRY_REMOVED;
send_event(&event);
}
}
del_reverse_masq(rk);
if(local_diag->verbose){
event.tracking_code = REVERSE_MASQUERADE_ENTRY_REMOVED;
send_event(&event);
}
}
del_udp(udp_state_key);
ustate = get_udp(udp_state_key);
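Review bot: The new verbose blocks emit MASQUERADE_ENTRY_REMOVED and REVERSE_MASQUERADE_ENTRY_REMOVED unconditionally after `del_masq(mk)` and `del_reverse_masq(rk)`, yet those wrappers — at least as defined in src/zfw_tc_outbound_track.c, and presumably the same here — are void and discard the bpf_map_delete_elem result, so a lookup miss is logged as a removal and the NAT audit trail can show teardown that never happened. Returning the map call's result from the helpers lets the event be gated on success, e.g. `if(del_masq(mk) == 0 && local_diag->verbose){`. The same block is now repeated nearly verbatim in the TCP rst, TCP fin/ack and UDP paths; a small `static inline` teardown helper taking the reverse key and the event pointer would keep the three copies from diverging again. bpf_sk_splice starts and ends outside every hunk here.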
64 changes: 58 additions & 6 deletions src/zfw_tc_outbound_track.c
Expand Up @@ -63,6 +63,10 @@
#define CLIENT_INITIATED_ICMP_ECHO 29
#define IP6_HEADER_TOO_BIG 30
#define IPV6_TUPLE_TOO_BIG 31
#define REVERSE_MASQUERADE_ENTRY_REMOVED 32
#define MASQUERADE_ENTRY_REMOVED 33
#define REVERSE_MASQUERADE_ENTRY_ADDED 34
#define MASQUERADE_ENTRY_ADDED 35
#define memcpy(dest, src, n) __builtin_memcpy((dest), (src), (n))

struct bpf_event{
Expand Down Expand Up @@ -543,6 +547,12 @@ static inline void insert_masquerade(struct masq_value mv, struct masq_key key){
bpf_map_update_elem(&masquerade_map, &key, &mv,0);
}

static inline struct masq_value *get_masquerade(struct masq_key key){
struct masq_value *mv;
mv = bpf_map_lookup_elem(&masquerade_map, &key);
return mv;
}

/*Remove entry from masq state table*/
static inline void del_masq(struct masq_key key){
bpf_map_delete_elem(&masquerade_map, &key);
Expand Down Expand Up @@ -2318,18 +2328,31 @@ int bpf_sk_splice6(struct __sk_buff *skb){
rev_new_val.o_sport = rand_source_port;
rev_new_val.__in46_u_origin.ip = 0;
insert_reverse_masquerade(rev_new_val,revk);
if(local_diag->verbose){
event.tracking_code = REVERSE_MASQUERADE_ENTRY_ADDED;
send_event(&event);
}
}
__u32 l3_sum = bpf_csum_diff((__u32 *)&tuple->ipv4.saddr, sizeof(tuple->ipv4.saddr), (__u32 *)&local_ip4->ipaddr[0], sizeof(local_ip4->ipaddr[0]), 0);
struct masq_value mv = {0};
mv.__in46_u_origin.ip = tuple->ipv4.saddr;
mv.o_sport = tuple->ipv4.sport;
struct masq_key mk = {0};
mk.__in46_u_dest.ip = tuple->ipv4.daddr;
mk.dport = tuple->ipv4.dport;
mk.sport = rand_source_port;
mk.ifindex = skb->ifindex;
mk.protocol = IPPROTO_TCP;
insert_masquerade(mv, mk);
struct masq_value *mvptr = get_masquerade(mk);
if(!mvptr){
mv.__in46_u_origin.ip = tuple->ipv4.saddr;
mv.o_sport = tuple->ipv4.sport;
insert_masquerade(mv, mk);
if(local_diag->verbose){
event.tracking_code = MASQUERADE_ENTRY_ADDED;
send_event(&event);
}
}else{
mv = *mvptr;
}
iph->saddr = local_ip4->ipaddr[0];
/*Calculate l3 Checksum*/
bpf_l3_csum_replace(skb, sizeof(struct ethhdr) + offsetof(struct iphdr, check), 0, l3_sum, 0);
Expand Down Expand Up @@ -2433,13 +2456,21 @@ int bpf_sk_splice6(struct __sk_buff *skb){
rk.__in46_u_src.ip = tcp_state_key.__in46_u_src.ip;
rk.protocol = IPPROTO_TCP;
del_reverse_masq(rk);
if(local_diag->verbose){
event.tracking_code = REVERSE_MASQUERADE_ENTRY_REMOVED;
send_event(&event);
}
struct masq_key mk = {0};
mk.dport = tcph->dest;
mk.sport = tcph->source;
mk.__in46_u_dest.ip = iph->daddr;
mk.ifindex = event.ifindex;
mk.protocol = IPPROTO_TCP;
del_masq(mk);
if(local_diag->verbose){
event.tracking_code = MASQUERADE_ENTRY_REMOVED;
send_event(&event);
}
}
del_tcp(tcp_state_key);
tstate = get_tcp(tcp_state_key);
Expand Down Expand Up @@ -2473,13 +2504,21 @@ int bpf_sk_splice6(struct __sk_buff *skb){
rk.__in46_u_src.ip = tcp_state_key.__in46_u_src.ip;
rk.protocol = IPPROTO_TCP;
del_reverse_masq(rk);
if(local_diag->verbose){
event.tracking_code = REVERSE_MASQUERADE_ENTRY_REMOVED;
send_event(&event);
}
struct masq_key mk = {0};
mk.dport = tcph->dest;
mk.sport = tcph->source;
mk.__in46_u_dest.ip = iph->daddr;
mk.ifindex = event.ifindex;
mk.protocol = IPPROTO_TCP;
del_masq(mk);
if(local_diag->verbose){
event.tracking_code = MASQUERADE_ENTRY_REMOVED;
send_event(&event);
}
}
del_tcp(tcp_state_key);
tstate = get_tcp(tcp_state_key);
Expand Down Expand Up @@ -2544,18 +2583,31 @@ int bpf_sk_splice6(struct __sk_buff *skb){
rev_new_val.o_sport = rand_source_port;
rev_new_val.__in46_u_origin.ip = 0;
insert_reverse_masquerade(rev_new_val,revk);
if(local_diag->verbose){
event.tracking_code = REVERSE_MASQUERADE_ENTRY_ADDED;
send_event(&event);
}
}
__u32 l3_sum = bpf_csum_diff((__u32 *)&tuple->ipv4.saddr, sizeof(tuple->ipv4.saddr), (__u32 *)&local_ip4->ipaddr[0], sizeof(local_ip4->ipaddr[0]), 0);
struct masq_value mv = {0};
mv.__in46_u_origin.ip = tuple->ipv4.saddr;
mv.o_sport = tuple->ipv4.sport;
struct masq_key mk = {0};
mk.__in46_u_dest.ip = tuple->ipv4.daddr;
mk.dport = tuple->ipv4.dport;
mk.sport = rand_source_port;
mk.ifindex = skb->ifindex;
mk.protocol = IPPROTO_UDP;
insert_masquerade(mv, mk);
struct masq_value *mvptr = get_masquerade(mk);
if(!mvptr){
mv.__in46_u_origin.ip = tuple->ipv4.saddr;
mv.o_sport = tuple->ipv4.sport;
insert_masquerade(mv, mk);
if(local_diag->verbose){
event.tracking_code = MASQUERADE_ENTRY_ADDED;
send_event(&event);
}
}else{
mv = *mvptr;
}
iph->saddr = local_ip4->ipaddr[0];
/*Calculate l3 Checksum*/
bpf_l3_csum_replace(skb, sizeof(struct ethhdr) + offsetof(struct iphdr, check), 0, l3_sum, 0);
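Review bot: In the new lookup-before-insert at `struct masq_value *mvptr = get_masquerade(mk);` (same in the TCP and UDP hunks) an existing entry is adopted with `mv = *mvptr` without checking that it belongs to this flow; because `mk.sport` is `rand_source_port`, a hit can be a collision with another client's live mapping, in which case this flow's own origin address and port are never recorded and it is silently stitched onto the other mapping. Comparing the stored origin first, `}else if((mvptr->__in46_u_origin.ip != tuple->ipv4.saddr) || (mvptr->o_sport != tuple->ipv4.sport)){`, and on mismatch choosing a different port (or dropping and emitting an event) would avoid the cross-flow reuse; only a matching entry should fall through to `mv = *mvptr`. The new `get_masquerade` helper also lacks the one-line comment its neighbours carry; `/*Lookup entry in masq state table, NULL if absent*/` would match. bpf_sk_splice6 starts and ends outside these hunks.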
