diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 56fc63d..f3e57cb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,9 +2,9 @@ name: release
 on:
- pull_request:
- types: [closed]
-
+ push:
+ branches:
+ - main
 env:
 APP_NAME: 'zfw'
 MAINTAINER: 'Robert Caamano'
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3ade16..eac5467 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ---
+# [0.6.1] - 2024-05-14
+
+###
+
+- Added support for ziti service id tracking. Will need to update ziti-router via pr.
+- Fixed issue where passthrough rules would not generate log data when in verbose mode.
+- Fixed release workflow where if a non merged pull request was closed it would trigger a release
+ build action.
+
 # [0.5.18] - 2024-05-08
 ###
diff --git a/README.md b/README.md
index c5274b2..3f89b1d 100644
--- a/README.md
+++ b/README.md
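Review bot: With `push` on `branches: - main` the release job now runs for every commit that reaches main, including direct pushes and reverts, not only for merged pull requests, which is a wider trigger than the old `pull_request`/`closed` one was meant to be. A comment on the trigger such as `# release on every push to main; pull_request/closed also fired for PRs closed without merging` would record why it changed. Whether each run actually publishes artifacts depends on the rest of the workflow, which is outside this hunk.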
@@ -111,10 +111,10 @@ If running:
 ```
 Assuming you are using the default address range for ziti-edge-tunnel should see output like:
-target proto origin destination mapping: interface list
--------- ----- ----------------- ------------------ ------------------------------------------------------- -----------------
-TUNMODE tcp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
-TUNMODE udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
+service id proto origin destination mapping: interface list
+---------------------- ----- --------------- ------------------ --------------------------------------------------------- ----------------
+0000000000000000000000 tcp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
+0000000000000000000000 udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
 ```
 Verify running: (zfw-router)
@@ -125,8 +125,8 @@ If running:
 ```
 Assuming no services configured yet:
-target proto origin destination mapping: interface list
--------- ----- ----------------- ------------------ ------------------------------------------------------- -----------------
+service id proto origin destination mapping: interface list
+---------------------- ----- --------------- ------------------ --------------------------------------------------------- ----------------
 Rule Count: 0
 prefix_tuple_count: 0 / 100000
@@ -367,19 +367,19 @@ Example: List all rules in Firewall
 sudo zfw -L
 ```
 ```
-target proto origin destination mapping: interface list
------- ----- --------------- ------------------ --------------------------------------------------------- ----------------
-TPROXY tcp 0.0.0.0/0 10.0.0.16/28 dpts=22:22 TPROXY redirect 127.0.0.1:33381 [ens33,lo]
-TPROXY tcp 0.0.0.0/0 10.0.0.16/28 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 []
-TPROXY udp 0.0.0.0/0 172.20.1.0/24 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 []
-TPROXY tcp 0.0.0.0/0 172.16.1.0/24 dpts=22:22 TPROXY redirect 127.0.0.1:33381 []
-TPROXY tcp 0.0.0.0/0 172.16.1.0/24 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 []
-PASSTHRU udp 0.0.0.0/0 192.168.3.0/24 dpts=5:7 PASSTHRU to 192.168.3.0/24 []
-PASSTHRU udp 10.1.1.1/32 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 []
-PASSTHRU tcp 10.230.40.1/32 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
-TPROXY udp 0.0.0.0/0 192.168.0.3/32 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 []
-PASSTHRU tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
-TUNMODE udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
+service id proto origin destination mapping: interface list
+---------------------- ----- --------------- ------------------ --------------------------------------------------------- ----------------
+5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 10.0.0.16/28 dpts=22:22 TPROXY redirect 127.0.0.1:33381 [ens33,lo]
+5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 10.0.0.16/28 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 []
+0000000000000000000000 udp 0.0.0.0/0 172.20.1.0/24 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 []
+5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 172.16.1.0/24 dpts=22:22 TPROXY redirect 127.0.0.1:33381 []
+5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 172.16.1.0/24 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 []
+0000000000000000000000 udp 0.0.0.0/0 192.168.3.0/24 dpts=5:7 PASSTHRU to 192.168.3.0/24 []
+0000000000000000000000 udp 10.1.1.1/32 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 []
+0000000000000000000000 tcp 10.230.40.1/32 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
+FO2vmfHGG5GLvmfHGG5GLU udp 0.0.0.0/0 192.168.0.3/32 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 []
+0000000000000000000000 tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
+FO2vmfHGG5GLvmfHGG5GLU udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 []
 ```
 - Example: List rules in firewall for a given prefix and protocol. If source specific you must include the o
@@ -389,9 +389,9 @@ TUNMODE udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535
 sudo zfw -L -c 192.168.100.100 -m 32 -p udp
 ```
 ```
-target proto origin destination mapping: interface list
------- ----- -------- ------------------ --------------------------------------------------------- ------------------
-PASSTHRU udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 []
+service id proto origin destination mapping: interface list
+---------- ----- -------- ------------------ --------------------------------------------------------- ------------------
+0000000000000000000000 udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 []
 ```
 - Example: List rules in firewall for a given prefix
@@ -400,10 +400,10 @@ Usage: zfw -L -c -m -p
 sudo zfw -L -c 192.168.100.100 -m 32
 ```
 ```
-target proto origin destination mapping: interface list
------- ----- -------- ------------------ --------------------------------------------------------- -------------------
-PASSTHRU udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 []
-PASSTHRU tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
+service id proto origin destination mapping: interface list
+---------- ----- -------- ------------------ --------------------------------------------------------- ------------------
+0000000000000000000000 udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 []
+0000000000000000000000 tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 []
 ```
 - Example: List all interface settings
diff --git a/src/zfw.c b/src/zfw.c
index 7e07e69..1ee309d 100644
--- a/src/zfw.c
+++ b/src/zfw.c
@@ -100,6 +100,7 @@ bool interface = false;
 bool disable = false;
 bool all_interface = false;
 bool ssh_disable = false;
+bool service = false;
 bool tc = false;
 bool tcfilter = false;
 bool direction = false;
@@ -165,10 +166,11 @@ char *vrrp_interface;
 char *ddos_interface;
 char *monitor_interface;
 char *tc_interface;
+char *service_string;
 char *log_file_name;
 char *object_file;
 char *direction_string;
-const char *argp_program_version = "0.5.18";
+const char *argp_program_version = "0.6.1";
 struct ring_buffer *ring_buffer;
 __u32 if_list[MAX_IF_LIST_ENTRIES];
@@ -250,6 +252,7 @@ struct tproxy_port_mapping
 __u16 high_port;
 __u16 tproxy_port;
 __u32 if_list[MAX_IF_LIST_ENTRIES];
+ char service_id[23];
 };
 struct tproxy_tuple
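Review bot: `char service_id[23];` is added to `struct tproxy_port_mapping`, which later hunks hand to the kernel inside a BPF map value (`map.value = (uint64_t)rule` in map_insert), so its size and offset must match the copy of the struct in zfw_tc_ingress.c byte for byte, and the bare `23` is now written in both files and implied by the `> 22` check in parse_opt. One constant visible to both files, e.g. `#define SERVICE_ID_LEN 23` with `char service_id[SERVICE_ID_LEN];`, keeps the three in step. A comment on the field, `/* NUL-terminated ziti service id (max 22 chars); map_insert stores a 22-character zero string when -s is absent */`, would also help, since nothing else in the struct says what the bytes are.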
@@ -668,14 +671,14 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co
 bool entry_exists = false;
 if (tun_mode && ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) == 65535)
 {
- printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", "TUNMODE", proto, scidr_block, dcidr_block,
+ printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
 dpts, o_tunif.ifname);
 entry_exists = true;
 *rule_count += 1;
 }
 else if (ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) > 0)
 {
- printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", "TPROXY", proto, scidr_block, dcidr_block,
+ printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
 dpts, ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port));
 entry_exists = true;
 *rule_count += 1;
@@ -709,7 +712,7 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co
 {
 if (ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) == 0)
 {
- printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", "PASSTHRU", proto, scidr_block, dcidr_block,
+ printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
 dpts, "PASSTHRU", dcidr_block);
 char interfaces[IF_NAMESIZE * MAX_IF_LIST_ENTRIES + 8] = "";
 for (int i = 0; i < MAX_IF_LIST_ENTRIES; i++)
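Review bot: Each rewritten `printf` now formats `service_id` read straight out of a map value with `%-11s`, so the read stops only at whatever NUL the producer stored; `%-22.22s` bounds it to the 23-byte field for an entry written by another producer or a pinned map that predates the field, and also matches the `%-22s` header width map_list now prints. The same pattern is in all five calls across this hunk and the next print_rule hunk. print_rule starts before this hunk and continues past it.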
@@ -742,17 +745,17 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co
 {
 if (tun_mode && ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) == 65535)
 {
- printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", "TUNMODE", proto, scidr_block, dcidr_block,
+ printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
 dpts, o_tunif.ifname);
 }
 else if (ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) > 0)
 {
- printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", "TPROXY", proto, scidr_block, dcidr_block,
+ printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
 dpts, ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port));
 }
 else
 {
- printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", "PASSTHRU", proto, scidr_block, dcidr_block,
+ printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block,
 dpts, "PASSTHRU", dcidr_block);
 }
 char interfaces[IF_NAMESIZE * MAX_IF_LIST_ENTRIES + 8] = "";
@@ -1682,8 +1685,8 @@ bool interface_map()
 uint32_t ip_index_count = 0;
 uint32_t all_index_count = 0;
 uint32_t addr_array[MAX_ADDRESSES];
- struct interface ip_index_array[MAX_IF_ENTRIES];
- struct interface all_index_array[MAX_IF_ENTRIES];
+ struct interface ip_index_array[MAX_IF_ENTRIES] = {0};
+ struct interface all_index_array[MAX_IF_ENTRIES] = {0};
 char *cur_name;
 uint32_t cur_idx;
 uint8_t addr_count = 0;
@@ -2258,11 +2261,19 @@ void map_insert()
 route_insert = interface_map();
 }
 union bpf_attr map;
- struct tproxy_key key = {dcidr.s_addr, scidr.s_addr, dplen, splen, protocol, 0};
+ memset(&map, 0, sizeof(map));
+ struct tproxy_key *key = (struct tproxy_key *)malloc(sizeof(struct tproxy_key));
+ memset(key,0 ,sizeof(struct tproxy_key));
+ key->dst_ip = dcidr.s_addr;
+ key->src_ip = scidr.s_addr;
+ key->dprefix_len = dplen;
+ key->sprefix_len = splen;
+ key->protocol = protocol;
+ key->pad = 0;
+ struct tproxy_tuple *rule = (struct tproxy_tuple *)malloc(sizeof(struct tproxy_tuple));
+ memset(rule, 0, sizeof(struct tproxy_tuple));
 struct tproxy_tuple *orule = (struct tproxy_tuple *)malloc(sizeof(struct tproxy_tuple));
 memset(orule, 0, sizeof(struct tproxy_tuple));
- /* open BPF zt_tproxy_map map */
- memset(&map, 0, sizeof(map));
 /* set path name with location of map in filesystem */
 map.pathname = (uint64_t)tproxy_map_path;
 map.bpf_fd = 0;
@@ -2272,15 +2283,18 @@ void map_insert()
 if (fd == -1)
 {
 printf("BPF_OBJ_GET: %s \n", strerror(errno));
+ free(key);
 free(orule);
 close_maps(1);
 }
 map.map_fd = fd;
- map.key = (uint64_t)&key;
+ map.key = (uint64_t)key;
 map.value = (uint64_t)orule;
 /* make system call to lookup prefix/mask in map */
 int lookup = syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &map, sizeof(map));
- unsigned short index = htons(low_port);
+ unsigned short *index = (unsigned short *)malloc(sizeof(unsigned short));
+ memset(index, 0, sizeof(unsigned short));
+ *index = htons(low_port);
 /* pupulate a struct for a port mapping */
 struct tproxy_port_mapping *port_mapping = (struct tproxy_port_mapping *)malloc(sizeof(struct tproxy_port_mapping));
 memset(port_mapping, 0, sizeof(struct tproxy_port_mapping));
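Review bot: The new `malloc` results — `key` and `rule` here, `index` in the second hunk, and `key`/`orule` in the map_delete hunk further down — are passed to `memset` without a NULL check, so an allocation failure dereferences NULL instead of reaching an error path. `calloc(1, sizeof *key)` replaces each malloc+memset pair and the check can reuse the existing exit, e.g. `struct tproxy_key *key = calloc(1, sizeof *key); if (!key) { perror("calloc"); close_maps(1); }`. `key->pad = 0;` is redundant after the memset. `index` is a single `unsigned short`; keeping it on the stack as before would remove the five `free(index)` calls the later hunks add. map_insert starts before this hunk.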
@@ -2294,8 +2308,19 @@ void map_insert()
 port_mapping->if_list[x] = if_list[x];
 }
 }
+ /*if(service){
+ sprintf(port_mapping->service_id, "%s", service_string);
+ }else{
+ sprintf(port_mapping->service_id, "%s", "0000000000000000000000");
+ }*/
+ char *sid = "0000000000000000000000";
+ if(service){
+ memcpy(port_mapping->service_id, service_string, strlen(service_string) + 1);
+ }else{
+ memcpy(port_mapping->service_id, sid, strlen(sid) + 1);
+ }
 /*
- * Check result of lookup if not 0 then create a new entery
+ * Check result of lookup if not 0 then create a new entry
 * else edit an existing entry
 */
 if (protocol == IPPROTO_UDP)
@@ -2309,6 +2334,8 @@ void map_insert()
 else
 {
 printf("Unsupported Protocol\n");
+ free(key);
+ free(index);
 free(port_mapping);
 free(orule);
 close(fd);
@@ -2317,15 +2344,16 @@ void map_insert()
 if (lookup)
 {
 /* create a new tproxy prefix entry and add port range to it */
- struct tproxy_tuple rule = {
- 1,
- {index},
- {}};
- memcpy((void *)&rule.port_mapping[index], (void *)port_mapping, sizeof(struct tproxy_port_mapping));
- map.value = (uint64_t)&rule;
- if (!rule.port_mapping[index].low_port)
+ rule->index_len = 1;
+ rule->index_table[0] = *index;
+ memcpy((void *)&rule->port_mapping[*index], (void *)port_mapping, sizeof(struct tproxy_port_mapping));
+ map.value = (uint64_t)rule;
+ if (!rule->port_mapping[*index].low_port)
 {
 printf("memcpy failed");
+ free(rule);
+ free(key);
+ free(index);
 free(port_mapping);
 free(orule);
 close(fd);
@@ -2344,6 +2372,9 @@ void map_insert()
 if (count_fd == -1)
 {
 printf("BPF_OBJ_GET: %s \n", strerror(errno));
+ free(rule);
+ free(key);
+ free(index);
 free(port_mapping);
 free(orule);
 close(fd);
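Review bot: The `memcpy` into `port_mapping->service_id` copies `strlen(service_string) + 1` bytes and stays inside the 23-byte field only because of the `> 22` check in parse_opt, a different function; `snprintf(port_mapping->service_id, sizeof port_mapping->service_id, "%s", service ? service_string : sid);` makes the bound local and replaces the if/else. The commented-out `sprintf` block above it is dead text and should be removed rather than kept. `sid` could be `static const char *const sid = "0000000000000000000000";`, and the same literal is repeated in zfw_tunnel_wrapper.c's run(), where one shared name would stop the two from drifting.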
@@ -2376,26 +2407,32 @@ void map_insert()
 {
 /* modify existing prefix entry and add or modify existing port mapping entry */
 printf("lookup success\n");
- add_index(index, port_mapping, orule);
- if (!(orule->port_mapping[index].low_port == index))
+ add_index(*index, port_mapping, orule);
+ if (!(orule->port_mapping[*index].low_port == *index))
 {
 printf("Insert failed\n");
+ free(key);
+ free(index);
 free(port_mapping);
 free(orule);
 close(fd);
 close_maps(1);
 }
 }
+ free(index);
 map.flags = BPF_ANY;
 int result = syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &map, sizeof(map));
 if (result)
 {
 printf("MAP_UPDATE_ELEM: %s \n", strerror(errno));
+ free(key);
 free(port_mapping);
 free(orule);
 close(fd);
 close_maps(1);
 }
+ free(rule);
+ free(key);
 free(port_mapping);
 free(orule);
 close(fd);
@@ -2502,10 +2539,17 @@ void map_delete()
 route_delete = interface_map();
 }
 union bpf_attr map;
- struct tproxy_key key = {dcidr.s_addr, scidr.s_addr, dplen, splen, protocol, 0};
- struct tproxy_tuple orule;
- // Open BPF zt_tproxy_map map
 memset(&map, 0, sizeof(map));
+ struct tproxy_key *key = (struct tproxy_key *)malloc(sizeof(struct tproxy_key));
+ memset(key,0 ,sizeof(struct tproxy_key));
+ key->dst_ip = dcidr.s_addr;
+ key->src_ip = scidr.s_addr;
+ key->dprefix_len = dplen;
+ key->sprefix_len = splen;
+ key->protocol = protocol;
+ key->pad = 0;
+ struct tproxy_tuple *orule = (struct tproxy_tuple *)malloc(sizeof(struct tproxy_tuple));
+ memset(orule, 0, sizeof(struct tproxy_tuple));
 map.pathname = (uint64_t)tproxy_map_path;
 map.bpf_fd = 0;
 map.file_flags = 0;
@@ -2516,13 +2560,15 @@ void map_delete()
 close_maps(1);
 }
 map.map_fd = fd;
- map.key = (uint64_t)&key;
- map.value = (uint64_t)&orule;
+ map.key = (uint64_t)key;
+ map.value = (uint64_t)orule;
 int lookup = syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &map, sizeof(map));
 unsigned short index = htons(low_port);
 if (lookup)
 {
 printf("MAP_DELETE_ELEM: %s\n", strerror(errno));
+ free(key);
+ free(orule);
 close_maps(1);
 }
 else
@@ -2539,28 +2585,36 @@ void map_delete()
 else
 {
 printf("Unsupported Protocol\n");
+ close(fd);
+ free(orule);
+ free(key);
 close_maps(1);
 }
- remove_index(index, &orule);
- if (orule.index_len == 0)
+ remove_index(index, orule);
+ if (orule->index_len == 0)
 {
 memset(&map, 0, sizeof(map));
 map.pathname = (uint64_t)tproxy_map_path;
 map.bpf_fd = 0;
- int fd = syscall(__NR_bpf, BPF_OBJ_GET, &map, sizeof(map));
- if (fd == -1)
+ int end_fd = syscall(__NR_bpf, BPF_OBJ_GET, &map, sizeof(map));
+ if (end_fd == -1)
 {
 printf("BPF_OBJ_GET: %s\n", strerror(errno));
+ free(key);
+ free(orule);
 close_maps(1);
 }
 // delete element with specified key
- map.map_fd = fd;
- map.key = (uint64_t)&key;
+ map.map_fd = end_fd;
+ map.key = (uint64_t)key;
 int result = syscall(__NR_bpf, BPF_MAP_DELETE_ELEM, &map, sizeof(map));
 if (result)
 {
 printf("MAP_DELETE_ELEM: %s\n", strerror(errno));
+ close(end_fd);
 close(fd);
+ free(orule);
+ free(key);
 close_maps(1);
 }
 else
@@ -2576,6 +2630,10 @@ void map_delete()
 if (count_fd == -1)
 {
 printf("BPF_OBJ_GET: %s \n", strerror(errno));
+ free(key);
+ close(end_fd);
+ close(fd);
+ free(orule);
 close_maps(1);
 }
 uint32_t count_key = 0;
@@ -2600,10 +2658,14 @@ void map_delete()
 {
 unbind_prefix(&dcidr, dplen);
 }
+ close(end_fd);
+ close(fd);
+ free(orule);
+ free(key);
 close_maps(0);
 }
 }
- map.value = (uint64_t)&orule;
+ map.value = (uint64_t)orule;
 map.flags = BPF_ANY;
 /*Flush Map changes to system -- Needed when removing an entry that is not the last range associated
 *with a prefix/protocol pair*/
@@ -2612,9 +2674,12 @@ void map_delete()
 {
 printf("MAP_UPDATE_ELEM: %s \n", strerror(errno));
 close(fd);
+ free(orule);
 close_maps(1);
 }
 }
+ free(orule);
+ free(key);
 close(fd);
 }
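Review bot: `end_fd` is a second `BPF_OBJ_GET` on `tproxy_map_path` while `fd`, opened on the same path earlier in map_delete, is still open; renaming it fixes the shadowing of `fd` in the old code, but the extra open appears unnecessary, since `map.map_fd = fd;` before the `BPF_MAP_DELETE_ELEM` call would let the delete use the descriptor already held and drop the open, its error branch and the paired `close(end_fd)` lines. If the second open is intentional, a comment on `end_fd` saying why would save the next reader the same question. map_delete starts before this hunk.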
@@ -2704,8 +2769,8 @@ void map_list()
 map.key = (uint64_t)&key;
 map.value = (uint64_t)&orule;
 int lookup = 0;
- printf("%-8s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "target", "proto", "origin", "destination", "mapping:", " interface list");
- printf("--------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
+ printf("%-22s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "service id", "proto", "origin", "destination", "mapping:", " interface list");
+ printf("----------------------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
 int rule_count = 0;
 if (prot)
 {
@@ -2732,8 +2797,8 @@ void map_list()
 printf("Rule Count: %d\n", rule_count);
 if (x == 0)
 {
- printf("%-8s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "target", "proto", "origin", "destination", "mapping:", " interface list");
- printf("--------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
+ printf("%-22s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "service id", "proto", "origin", "destination", "mapping:", " interface list");
+ printf("----------------------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
 }
 }
 }
@@ -2907,7 +2972,6 @@ void map_list_all()
 struct tproxy_key *key = &init_key;
 struct tproxy_key current_key;
 struct tproxy_tuple orule;
- // Open BPF zt_tproxy_map map
 memset(&map, 0, sizeof(map));
 map.pathname = (uint64_t)tproxy_map_path;
 map.bpf_fd = 0;
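Review bot: The two header `printf` calls are now repeated verbatim three times — twice in map_list in this hunk and once in map_list_all in the next — so the `%-22s` width and the 22-dash rule have to be kept in sync by hand with the field size. A `static void print_rule_header(void)` holding both calls and invoked from the three sites removes the duplication. A comment on it, `/* first column is sizeof service_id - 1 wide */`, would explain where the 22 comes from.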
@@ -2923,8 +2987,8 @@ void map_list_all()
 map.value = (uint64_t)&orule;
 int lookup = 0;
 int ret = 0;
- printf("%-8s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "target", "proto", "origin", "destination", "mapping:", " interface list");
- printf("--------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
+ printf("%-22s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "service id", "proto", "origin", "destination", "mapping:", " interface list");
+ printf("----------------------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n");
 int rule_count = 0;
 while (true)
 {
@@ -2980,6 +3044,7 @@ static struct argp_option options[] = {
 {"oprefix-len", 'n', "", 0, "Set origin prefix length (1-32) ", 0},
 {"ocidr-block", 'o', "", 0, "Set origin ip prefix i.e. 192.168.1.0 ", 0},
 {"protocol", 'p', "", 0, "Set protocol (tcp or udp) ", 0},
+ {"service-id", 's', "", 0, "set ziti service id", 0},
 {"route", 'r', NULL, 0, "Add or Delete static ip/prefix for intercept dest to lo interface ", 0},
 {"tproxy-port", 't', "", 0, "Set high-port value (0-65535)> ", 0},
 {"verbose", 'v', "", 0, "Enable verbose tracing on interface", 0},
@@ -3295,6 +3360,20 @@ static error_t parse_opt(int key, char *arg, struct argp_state *state)
 case 'r':
 route = true;
 break;
+ case 's':
+ if (!strlen(arg))
+ {
+ fprintf(stderr, "service id required as arg to -s, --service-id: %s\n", arg);
+ fprintf(stderr, "%s --help for more info\n", program_name);
+ exit(1);
+ }
+ if(strlen(arg) > 22){
+ printf("Invalid service ID: ID too long\n");
+ exit(1);
+ }
+ service = true;
+ service_string = arg;
+ break;
 case 't':
 tproxy_port = port2s(arg);
 tpt = true;
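Review bot: The two validation errors in `case 's'` go to different streams: the empty-argument check writes to stderr with a `--help` hint, while the length check uses `printf` to stdout with no hint, so a caller that captures only one stream sees only one of the two failure modes. `fprintf(stderr, "Invalid service ID: ID too long (max 22 characters)\n");` makes them consistent. The `22` repeats the `service_id[23]` field size from the struct; deriving both from one constant keeps them together. Nothing limits the id to the alphanumeric form the README examples show, and it is later printed with `%s` in print_rule, so a cheap character check here would keep control characters out of the listing output.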
@@ -3559,6 +3638,10 @@ int main(int argc, char **argv)
 signal(SIGTERM, INThandler);
 argp_parse(&argp, argc, argv, 0, 0, 0);
+ if(service && (!add && !delete)){
+ usage("-s, --service-id requires -I, --insert or -D, --delete");
+ }
+
 if (tcfilter && !object && !disable)
 {
 usage("-X, --set-tc-filter requires -O, --object-file for add operation");
diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
index 63ebc23..e7a48ba 100644
--- a/src/zfw_tc_ingress.c
+++ b/src/zfw_tc_ingress.c
@@ -71,7 +71,8 @@ struct tproxy_port_mapping {
 __u16 low_port;
 __u16 high_port;
 __u16 tproxy_port;
- __u32 if_list[MAX_IF_LIST_ENTRIES];
+ __u32 if_list[MAX_IF_LIST_ENTRIES];
+ char service_id[23];
 };
 struct tproxy_tuple {
@@ -118,7 +119,6 @@ struct bpf_event{
 __u8 tracking_code;
 unsigned char source[6];
 unsigned char dest[6];
-
 };
 /*Key to tcp_map*/
@@ -1468,6 +1468,11 @@ int bpf_sk_splice5(struct __sk_buff *skb){
 if(!tuple){
 return TC_ACT_SHOT;
 }
+ /* determine length of tuple */
+ tuple_len = sizeof(tuple->ipv4);
+ if ((unsigned long)tuple + tuple_len > (unsigned long)skb->data_end){
+ return TC_ACT_SHOT;
+ }
 unsigned long long tstamp = bpf_ktime_get_ns();
 struct bpf_event event = {
@@ -1487,11 +1492,6 @@ int bpf_sk_splice5(struct __sk_buff *skb){
 {}
 };
- /* determine length of tuple */
- tuple_len = sizeof(tuple->ipv4);
- if ((unsigned long)tuple + tuple_len > (unsigned long)skb->data_end){
- return TC_ACT_SHOT;
- }
 struct tproxy_key key;
 /*look up attached interface IP address*/
 struct ifindex_ip4 *local_ip4 = get_local_ip4(skb->ingress_ifindex);
@@ -1534,10 +1534,10 @@ int bpf_sk_splice5(struct __sk_buff *skb){
 sockcheck.ipv4.dport = tproxy->port_mapping[port_key].tproxy_port;
 if(!local_diag->per_interface){
 if(tproxy->port_mapping[port_key].tproxy_port == 0){
- return TC_ACT_OK;
 if(local_diag->verbose){
 send_event(&event);
 }
+ return TC_ACT_OK;
 }
 if(!local_diag->tun_mode){
 sk = get_sk(key, skb, sockcheck);
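Review bot: The new check in main allows `-s` together with `-D`, but none of the map_delete hunks in this diff reads `service` or `service_string`, so on a delete the id is accepted and, as far as this diff shows, ignored. That is consistent with the wrapper, whose zfw_update passes `-s` for whatever `action` it is given, so a comment here would record the intent: `/* -s is accepted with -D so the wrapper can pass it unconditionally; map_delete keys on prefix/ports/proto only */`. main continues past this hunk.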
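Review bot: `char service_id[23]` on the BPF side is not read by any hunk in this diff; it is there so the map value layout matches the userspace struct, and growing the value also changes the map's value_size, so a map pinned by an earlier build presumably no longer matches this program. A comment on the field, `/* opaque to the datapath: ziti service id kept for map layout parity with zfw.c */`, would state that, and the same `23` appears in zfw.c and as `> 22` in parse_opt, where one shared constant would avoid drift. The other ingress hunks here move the `tuple_len` bound check ahead of the event setup and put `return TC_ACT_OK` after the verbose `send_event`, which reads correctly and matches the CHANGELOG entry for passthrough logging.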
@@ -1586,10 +1586,10 @@ int bpf_sk_splice5(struct __sk_buff *skb){
 for(int x = 0; x < MAX_IF_LIST_ENTRIES; x++){
 if(tproxy->port_mapping[port_key].if_list[x] == skb->ifindex){
 if(tproxy->port_mapping[port_key].tproxy_port == 0){
- return TC_ACT_OK;
 if(local_diag->verbose){
 send_event(&event);
 }
+ return TC_ACT_OK;
 }
 if(!local_diag->tun_mode){
 sk = get_sk(key, skb, sockcheck);
diff --git a/src/zfw_tunnel_wrapper.c b/src/zfw_tunnel_wrapper.c
index d802266..18797a6 100644
--- a/src/zfw_tunnel_wrapper.c
+++ b/src/zfw_tunnel_wrapper.c
@@ -58,7 +58,7 @@ typedef unsigned char byte;
 void close_maps(int code);
 void open_transp_map();
 void open_tun_map();
-void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *protocol, char *action);
+void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *protocol, char *service_id, char *action);
 void unbind_route_loopback(struct in_addr *address, unsigned short mask);
 void INThandler(int sig);
 void map_delete_key(char *service_id);
@@ -358,7 +358,7 @@ void string2Byte(char* string, byte* bytes)
 }
 }
-void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *protocol, char *action){
+void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *protocol, char *service_id, char *action){
 if (access("/usr/sbin/zfw", F_OK) != 0)
 {
 printf("ebpf not running: Cannot find /usr/sbin/zfw\n");
@@ -366,8 +366,8 @@ void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *proto
 }
 pid_t pid;
 //("%s, %s\n", action ,rules_temp->parmList[3]);
- char *const parmList[15] = {"/usr/sbin/zfw", action, "-c", ip, "-m", mask, "-l", lowport, "-h", highport, "-t", "65535", "-p", protocol, NULL};
+ char *const parmList[17] = {"/usr/sbin/zfw", action, "-c", ip, "-m", mask, "-l", lowport, "-h", highport, "-t", "65535", "-p", protocol, "-s", service_id, NULL};
 if ((pid = fork()) == -1){
 perror("fork error: can't spawn bind");
 }else if (pid == 0) {
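Review bot: `service_id` goes into `parmList` unconditionally, so a NULL argument would terminate the argv right after `"-s"` and the child would presumably see `-s` with no value; every caller in this diff passes a string, but nothing states the requirement. A contract comment on zfw_update, `/* service_id: non-NULL, NUL-terminated, at most 22 chars (zfw -s rejects longer ids and exits 1) */`, or substituting the zero id when NULL with `service_id ? service_id : "0000000000000000000000"`, closes that gap. zfw_update continues past this hunk.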
@@ -491,6 +491,9 @@ int process_bind(json_object *jobj, char *action)
 }
 int process_dial(json_object *jobj, char *action){
+ struct json_object *service_id_obj = json_object_object_get(jobj, "Id");
+ char service_id[strlen(json_object_get_string(service_id_obj)) + 1];
+ sprintf(service_id, "%s", json_object_get_string(service_id_obj));
 struct json_object *addresses_obj = json_object_object_get(jobj, "Addresses");
 if(addresses_obj)
 {
@@ -587,7 +590,7 @@ int process_dial(json_object *jobj, char *action){
 }
 }
 }
- zfw_update(ip, mask, lowport, highport, protocol, action);
+ zfw_update(ip, mask, lowport, highport, protocol, service_id, action);
 }
 }
 }
@@ -745,8 +748,8 @@ int run(){
 if((sizeof(o_tunif.cidr) > 0) && (sizeof(o_tunif.mask) >0)){
 sprintf(tunip_string, "%s" , o_tunif.cidr);
 sprintf(tunip_mask_string, "%s", o_tunif.mask);
- zfw_update(tunip_string, tunip_mask_string, "1", "65535", "tcp", "-I");
- zfw_update(tunip_string, tunip_mask_string, "1", "65535", "udp", "-I");
+ zfw_update(tunip_string, tunip_mask_string, "1", "65535", "tcp", "0000000000000000000000", "-I");
+ zfw_update(tunip_string, tunip_mask_string, "1", "65535", "udp", "0000000000000000000000", "-I");
 tun_ifname = o_tunif.ifname;
 }
 }
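Review bot: `service_id` is a VLA whose size comes from `strlen(json_object_get_string(service_id_obj))`, where `service_id_obj` is whatever the incoming JSON carries under `"Id"`: if the key is absent `json_object_object_get` returns NULL and the `strlen` dereferences a NULL string, and an oversized value grows the stack by its full length before zfw's 22-character limit in the child process ever applies. A fixed 23-byte buffer with an explicit presence and length check, shown below, removes both; a missing id could alternatively fall back to the zero id run() uses, if a rule without an id is preferable to no rule. Which status to return on the early exit depends on the rest of process_dial, which is outside this hunk.
```c
int process_dial(json_object *jobj, char *action){
    struct json_object *service_id_obj = json_object_object_get(jobj, "Id");
    const char *sid = service_id_obj ? json_object_get_string(service_id_obj) : NULL;
    char service_id[23]; /* same size as tproxy_port_mapping.service_id in zfw.c */
    if (!sid || strlen(sid) >= sizeof service_id) {
        printf("process_dial: service Id missing or longer than 22 chars, skipping\n");
        return 0; /* NOTE(review): match the status process_dial's other early exits use */
    }
    snprintf(service_id, sizeof service_id, "%s", sid);
    /* … unchanged: Addresses handling and the zfw_update() call … */
```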