From 2c2c6210e685894d6a6d7c33936e1a8a2472a12c Mon Sep 17 00:00:00 2001 From: r-caamano Date: Thu, 9 May 2024 14:56:45 +0000 Subject: [PATCH 01/15] initial work on service id tracking --- src/zfw.c | 44 +++++++++++++++++++++++++++++++++++++------- src/zfw_tc_ingress.c | 3 ++- 2 files changed, 39 insertions(+), 8 deletions(-) diff --git a/src/zfw.c b/src/zfw.c index 7e07e69..a821e26 100644 --- a/src/zfw.c +++ b/src/zfw.c @@ -100,6 +100,7 @@ bool interface = false; bool disable = false; bool all_interface = false; bool ssh_disable = false; +bool service = false; bool tc = false; bool tcfilter = false; bool direction = false; @@ -165,6 +166,7 @@ char *vrrp_interface; char *ddos_interface; char *monitor_interface; char *tc_interface; +char *service_string; char *log_file_name; char *object_file; char *direction_string; @@ -250,6 +252,7 @@ struct tproxy_port_mapping __u16 high_port; __u16 tproxy_port; __u32 if_list[MAX_IF_LIST_ENTRIES]; + char service_id[23]; }; struct tproxy_tuple @@ -2280,7 +2283,9 @@ void map_insert() map.value = (uint64_t)orule; /* make system call to lookup prefix/mask in map */ int lookup = syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &map, sizeof(map)); - unsigned short index = htons(low_port); + unsigned short *index = (unsigned short *)malloc(sizeof(unsigned short)); + memset(index, 0, sizeof(unsigned short)); + *index = htons(low_port); /* pupulate a struct for a port mapping */ struct tproxy_port_mapping *port_mapping = (struct tproxy_port_mapping *)malloc(sizeof(struct tproxy_port_mapping)); memset(port_mapping, 0, sizeof(struct tproxy_port_mapping)); 
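Review bot: In the map_insert hunk at `@@ -2280`, the pointer returned by `malloc(sizeof(unsigned short))` is handed to `memset` and dereferenced with no NULL check, and `port_mapping` two lines below is treated the same way. A two-byte scalar gains nothing from the heap; the removed `unsigned short index = htons(low_port);` already did the job, and keeping it on the stack also removes the `free(index)` that every error path on the following lines now has to remember. If the allocation stays, guard it: `if (!index || !port_mapping) { printf("malloc: %s\n", strerror(errno)); free(orule); close(fd); close_maps(1); }`. map_insert starts and ends outside this hunk.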
@@ -2294,8 +2299,13 @@ void map_insert() port_mapping->if_list[x] = if_list[x]; } } + if(service){ + sprintf(port_mapping->service_id, "%s", service_string); + }else{ + sprintf(port_mapping->service_id, "%s", "ID NOT SET"); + } /* - * Check result of lookup if not 0 then create a new entery + * Check result of lookup if not 0 then create a new entry * else edit an existing entry */ if (protocol == IPPROTO_UDP) @@ -2309,6 +2319,7 @@ void map_insert() else { printf("Unsupported Protocol\n"); + free(index); free(port_mapping); free(orule); close(fd); @@ -2319,13 +2330,14 @@ void map_insert() /* create a new tproxy prefix entry and add port range to it */ struct tproxy_tuple rule = { 1, - {index}, + {*index}, {}}; - memcpy((void *)&rule.port_mapping[index], (void *)port_mapping, sizeof(struct tproxy_port_mapping)); + memcpy((void *)&rule.port_mapping[*index], (void *)port_mapping, sizeof(struct tproxy_port_mapping)); map.value = (uint64_t)&rule; - if (!rule.port_mapping[index].low_port) + if (!rule.port_mapping[*index].low_port) { printf("memcpy failed"); + free(index); free(port_mapping); free(orule); close(fd); @@ -2344,6 +2356,7 @@ void map_insert() if (count_fd == -1) { printf("BPF_OBJ_GET: %s \n", strerror(errno)); + free(index); free(port_mapping); free(orule); close(fd); @@ -2376,16 +2389,18 @@ void map_insert() { /* modify existing prefix entry and add or modify existing port mapping entry */ printf("lookup success\n"); - add_index(index, port_mapping, orule); - if (!(orule->port_mapping[index].low_port == index)) + add_index(*index, port_mapping, orule); + if (!(orule->port_mapping[*index].low_port == *index)) { printf("Insert failed\n"); + free(index); free(port_mapping); free(orule); close(fd); close_maps(1); } } + free(index); map.flags = BPF_ANY; int result = syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &map, sizeof(map)); if (result) 
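Review bot: `sprintf(port_mapping->service_id, "%s", service_string)` in the hunk at `@@ -2294` writes into the 23-byte `service_id` field declared in this patch, while the `-s` parser added by the same patch accepts arguments of up to 31 characters, so a 24–31 character id plus its terminator overruns the heap object (the field is the struct's last member). Size the copy by the destination rather than by the parser: `snprintf(port_mapping->service_id, sizeof port_mapping->service_id, "%s", service_string);`, and the same for the `"ID NOT SET"` default. Patch 02 later widens the field to 32 so the two numbers happen to agree, and patch 03 moves them to 29 and 28 by hand again; one shared `SERVICE_ID_LEN` used by the struct, the parser and the copies removes the drift. map_insert continues outside this hunk.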
@@ -2980,6 +2995,7 @@ static struct argp_option options[] = { {"oprefix-len", 'n', "", 0, "Set origin prefix length (1-32) ", 0}, {"ocidr-block", 'o', "", 0, "Set origin ip prefix i.e. 192.168.1.0 ", 0}, {"protocol", 'p', "", 0, "Set protocol (tcp or udp) ", 0}, + {"service-id", 's', "", 0, "set ziti service id", 0}, {"route", 'r', NULL, 0, "Add or Delete static ip/prefix for intercept dest to lo interface ", 0}, {"tproxy-port", 't', "", 0, "Set high-port value (0-65535)> ", 0}, {"verbose", 'v', "", 0, "Enable verbose tracing on interface", 0}, @@ -3295,6 +3311,20 @@ static error_t parse_opt(int key, char *arg, struct argp_state *state) case 'r': route = true; break; + case 's': + if (!strlen(arg)) + { + fprintf(stderr, "service id required as arg to -s, --service-id: %s\n", arg); + fprintf(stderr, "%s --help for more info\n", program_name); + exit(1); + } + if(strlen(arg) > 31){ + printf("Invalid service ID: ID too long\n"); + exit(1); + } + service = true; + service_string = arg; + break; case 't': tproxy_port = port2s(arg); tpt = true; diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c index 63ebc23..b90277a 100644 --- a/src/zfw_tc_ingress.c +++ b/src/zfw_tc_ingress.c @@ -71,7 +71,8 @@ struct tproxy_port_mapping { __u16 low_port; __u16 high_port; __u16 tproxy_port; - __u32 if_list[MAX_IF_LIST_ENTRIES]; + __u32 if_list[MAX_IF_LIST_ENTRIES]; + char service_id[23]; }; struct tproxy_tuple { From 40e90597a33c91629b882107822fad88b4082889 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Thu, 9 May 2024 20:40:27 +0000 Subject: [PATCH 02/15] Adding support for ziti service id tracking added new field to struct tproxy_port_mapping and modified userspace as needed to support the new field --- CHANGELOG.md | 7 +++ src/zfw.c | 128 +++++++++++++++++++++++++++++-------------- src/zfw_tc_ingress.c | 2 +- 3 files changed, 96 insertions(+), 41 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b3ade16..a2291db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
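Review bot: The new `case 's'` in the parse_opt hunk reports the empty-argument error on stderr but the length error on stdout via `printf("Invalid service ID: ID too long\n")`; use `fprintf(stderr, "Invalid service ID: ID too long\n");` so both diagnostics land in the same stream. The literal `31` is a second copy of the struct field size and will not follow it when the field changes; `if (strlen(arg) >= sizeof(((struct tproxy_port_mapping *)0)->service_id))` keeps the check bound to the field it protects. parse_opt starts and ends outside this hunk.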
@@ -3,6 +3,13 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- +# [0.6.0] - 2024-05-09 + +### + +- Added support for ziti service id tracking. Will need to update ziti-router and zfw_tunnel_wrapper to add service id + when a rule is inserted. + # [0.5.18] - 2024-05-08 ### diff --git a/src/zfw.c b/src/zfw.c index a821e26..cf42f08 100644 --- a/src/zfw.c +++ b/src/zfw.c @@ -170,7 +170,7 @@ char *service_string; char *log_file_name; char *object_file; char *direction_string; -const char *argp_program_version = "0.5.18"; +const char *argp_program_version = "0.6.0"; struct ring_buffer *ring_buffer; __u32 if_list[MAX_IF_LIST_ENTRIES]; @@ -252,7 +252,7 @@ struct tproxy_port_mapping __u16 high_port; __u16 tproxy_port; __u32 if_list[MAX_IF_LIST_ENTRIES]; - char service_id[23]; + char service_id[32]; }; struct tproxy_tuple 
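Review bot: Widening `service_id` from 23 to 32 in the `tproxy_port_mapping` hunk changes the value size of the pinned tproxy map for the second time in two commits, and the 0.6.0 CHANGELOG entry in this same patch says nothing about it; presumably a loader will not reuse a pinned map whose value size no longer matches, so the entry should state that the maps have to be re-created on upgrade. The matching change is made in `src/zfw_tc_ingress.c` in this patch, so the two copies agree for now, but they remain two independently edited definitions of the same layout.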
@@ -671,14 +671,14 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co bool entry_exists = false; if (tun_mode && ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) == 65535) { - printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", "TUNMODE", proto, scidr_block, dcidr_block, + printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block, dpts, o_tunif.ifname); entry_exists = true; *rule_count += 1; } else if (ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) > 0) { - printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", "TPROXY", proto, scidr_block, dcidr_block, + printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block, dpts, ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port)); entry_exists = true; *rule_count += 1; @@ -712,7 +712,7 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co { if (ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) == 0) { - printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", "PASSTHRU", proto, scidr_block, dcidr_block, + printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block, dpts, "PASSTHRU", dcidr_block); char interfaces[IF_NAMESIZE * MAX_IF_LIST_ENTRIES + 8] = ""; for (int i = 0; i < MAX_IF_LIST_ENTRIES; i++) 
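Review bot: The row formats in the print_rule hunks at `@@ -671` and `@@ -712` (and the three at `@@ -745` on the next line) print `service_id` with `%-11s`, while the column headers introduced in map_list and map_list_all use `%-22s` over a 22-dash underline, so any service id longer than 11 characters pushes every following column out from under its header. Change the row width to `%-22s` to match. Replacing the `"TUNMODE"`/`"TPROXY"`/`"PASSTHRU"` literal with the service id also removes the rule type from the first column; the trailing text still carries it, which matters only for anyone parsing the listing. print_rule starts outside the hunk.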
@@ -745,17 +745,17 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co { if (tun_mode && ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) == 65535) { - printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", "TUNMODE", proto, scidr_block, dcidr_block, + printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block, dpts, o_tunif.ifname); } else if (ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port) > 0) { - printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", "TPROXY", proto, scidr_block, dcidr_block, + printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block, dpts, ntohs(tuple->port_mapping[tuple->index_table[x]].tproxy_port)); } else { - printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", "PASSTHRU", proto, scidr_block, dcidr_block, + printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", tuple->port_mapping[tuple->index_table[x]].service_id, proto, scidr_block, dcidr_block, dpts, "PASSTHRU", dcidr_block); } char interfaces[IF_NAMESIZE * MAX_IF_LIST_ENTRIES + 8] = ""; @@ -1685,8 +1685,8 @@ bool interface_map() uint32_t ip_index_count = 0; uint32_t all_index_count = 0; uint32_t addr_array[MAX_ADDRESSES]; - struct interface ip_index_array[MAX_IF_ENTRIES]; - struct interface all_index_array[MAX_IF_ENTRIES]; + struct interface ip_index_array[MAX_IF_ENTRIES] = {0}; + struct interface all_index_array[MAX_IF_ENTRIES] = {0}; char *cur_name; uint32_t cur_idx; uint8_t addr_count = 0; 
@@ -2261,11 +2261,19 @@ void map_insert() route_insert = interface_map(); } union bpf_attr map; - struct tproxy_key key = {dcidr.s_addr, scidr.s_addr, dplen, splen, protocol, 0}; + memset(&map, 0, sizeof(map)); + struct tproxy_key *key = (struct tproxy_key *)malloc(sizeof(struct tproxy_key)); + memset(key,0 ,sizeof(struct tproxy_key)); + key->dst_ip = dcidr.s_addr; + key->src_ip = scidr.s_addr; + key->dprefix_len = dplen; + key->sprefix_len = splen; + key->protocol = protocol; + key->pad = 0; + struct tproxy_tuple *rule = (struct tproxy_tuple *)malloc(sizeof(struct tproxy_tuple)); + memset(rule, 0, sizeof(struct tproxy_tuple)); struct tproxy_tuple *orule = (struct tproxy_tuple *)malloc(sizeof(struct tproxy_tuple)); memset(orule, 0, sizeof(struct tproxy_tuple)); - /* open BPF zt_tproxy_map map */ - memset(&map, 0, sizeof(map)); /* set path name with location of map in filesystem */ map.pathname = (uint64_t)tproxy_map_path; map.bpf_fd = 0; @@ -2275,11 +2283,12 @@ void map_insert() if (fd == -1) { printf("BPF_OBJ_GET: %s \n", strerror(errno)); + free(key); free(orule); close_maps(1); } map.map_fd = fd; - map.key = (uint64_t)&key; + map.key = (uint64_t)key; map.value = (uint64_t)orule; /* make system call to lookup prefix/mask in map */ int lookup = syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &map, sizeof(map)); @@ -2302,7 +2311,7 @@ void map_insert() if(service){ sprintf(port_mapping->service_id, "%s", service_string); }else{ - sprintf(port_mapping->service_id, "%s", "ID NOT SET"); + sprintf(port_mapping->service_id, "%s", "0000000000000000000000"); } /* * Check result of lookup if not 0 then create a new entry @@ -2319,6 +2328,7 @@ void map_insert() else { printf("Unsupported Protocol\n"); + free(key); free(index); free(port_mapping); free(orule); 
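Review bot: In the map_insert hunk at `@@ -2261`, `key` and `rule` come from unchecked `malloc` calls and are passed straight to `memset`, the same pattern already present for `orule` and `port_mapping`. `struct tproxy_key` is a handful of bytes that was a stack variable before this change and gains only cleanup paths from the heap; moving `rule` to the heap is defensible if `struct tproxy_tuple` has become too large for the stack (its `port_mapping` array is indexed by `htons(low_port)` and has just grown by the new field), but that reasoning belongs in a comment. Either way, guard the allocations: `if (!key || !rule || !orule) { printf("malloc: %s\n", strerror(errno)); close_maps(1); }`. map_insert continues outside this hunk.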
@@ -2328,15 +2338,15 @@ void map_insert() if (lookup) { /* create a new tproxy prefix entry and add port range to it */ - struct tproxy_tuple rule = { - 1, - {*index}, - {}}; - memcpy((void *)&rule.port_mapping[*index], (void *)port_mapping, sizeof(struct tproxy_port_mapping)); - map.value = (uint64_t)&rule; - if (!rule.port_mapping[*index].low_port) + rule->index_len = 1; + rule->index_table[0] = *index; + memcpy((void *)&rule->port_mapping[*index], (void *)port_mapping, sizeof(struct tproxy_port_mapping)); + map.value = (uint64_t)rule; + if (!rule->port_mapping[*index].low_port) { printf("memcpy failed"); + free(rule); + free(key); free(index); free(port_mapping); free(orule); @@ -2356,6 +2366,8 @@ void map_insert() if (count_fd == -1) { printf("BPF_OBJ_GET: %s \n", strerror(errno)); + free(rule); + free(key); free(index); free(port_mapping); free(orule); @@ -2393,6 +2405,7 @@ void map_insert() if (!(orule->port_mapping[*index].low_port == *index)) { printf("Insert failed\n"); + free(key); free(index); free(port_mapping); free(orule); @@ -2406,11 +2419,14 @@ void map_insert() if (result) { printf("MAP_UPDATE_ELEM: %s \n", strerror(errno)); + free(key); free(port_mapping); free(orule); close(fd); close_maps(1); } + free(rule); + free(key); free(port_mapping); free(orule); close(fd); 
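Review bot: The error paths in the map_insert hunks at `@@ -2393` and `@@ -2406` free `key`, `port_mapping` and `orule` but never `rule`, while the paths at `@@ -2328` and `@@ -2356` free a different subset again; if `close_maps(1)` terminates the process this is only inconsistency, but if it ever returns these are genuine leaks. A single `cleanup:` label that frees all five pointers and closes `fd`, reached by `goto cleanup` with a return code set, would replace the six hand-maintained free lists here and the similar ones in map_delete on the following lines.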
@@ -2517,10 +2533,17 @@ void map_delete() route_delete = interface_map(); } union bpf_attr map; - struct tproxy_key key = {dcidr.s_addr, scidr.s_addr, dplen, splen, protocol, 0}; - struct tproxy_tuple orule; - // Open BPF zt_tproxy_map map memset(&map, 0, sizeof(map)); + struct tproxy_key *key = (struct tproxy_key *)malloc(sizeof(struct tproxy_key)); + memset(key,0 ,sizeof(struct tproxy_key)); + key->dst_ip = dcidr.s_addr; + key->src_ip = scidr.s_addr; + key->dprefix_len = dplen; + key->sprefix_len = splen; + key->protocol = protocol; + key->pad = 0; + struct tproxy_tuple *orule = (struct tproxy_tuple *)malloc(sizeof(struct tproxy_tuple)); + memset(orule, 0, sizeof(struct tproxy_tuple)); map.pathname = (uint64_t)tproxy_map_path; map.bpf_fd = 0; map.file_flags = 0; @@ -2531,13 +2554,15 @@ void map_delete() close_maps(1); } map.map_fd = fd; - map.key = (uint64_t)&key; - map.value = (uint64_t)&orule; + map.key = (uint64_t)key; + map.value = (uint64_t)orule; int lookup = syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &map, sizeof(map)); unsigned short index = htons(low_port); if (lookup) { printf("MAP_DELETE_ELEM: %s\n", strerror(errno)); + free(key); + free(orule); close_maps(1); } else 
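Review bot: In the map_delete hunk at `@@ -2531`, the `BPF_OBJ_GET` failure branch just above the hunk (visible only as the context `close_maps(1); }`) still exits without freeing the newly heap-allocated `key` and `orule`, and the lookup-failure branch inside the hunk frees them but does not `close(fd)`. As in map_insert, `key` was a small stack struct before this patch and does not need `malloc`; if it stays on the heap, check the allocation before the `memset(key,0 ,sizeof(struct tproxy_key))`. map_delete continues outside the hunk.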
@@ -2554,28 +2579,36 @@ void map_delete() else { printf("Unsupported Protocol\n"); + close(fd); + free(orule); + free(key); close_maps(1); } - remove_index(index, &orule); - if (orule.index_len == 0) + remove_index(index, orule); + if (orule->index_len == 0) { memset(&map, 0, sizeof(map)); map.pathname = (uint64_t)tproxy_map_path; map.bpf_fd = 0; - int fd = syscall(__NR_bpf, BPF_OBJ_GET, &map, sizeof(map)); - if (fd == -1) + int end_fd = syscall(__NR_bpf, BPF_OBJ_GET, &map, sizeof(map)); + if (end_fd == -1) { printf("BPF_OBJ_GET: %s\n", strerror(errno)); + free(key); + free(orule); close_maps(1); } // delete element with specified key - map.map_fd = fd; - map.key = (uint64_t)&key; + map.map_fd = end_fd; + map.key = (uint64_t)key; int result = syscall(__NR_bpf, BPF_MAP_DELETE_ELEM, &map, sizeof(map)); if (result) { printf("MAP_DELETE_ELEM: %s\n", strerror(errno)); + close(end_fd); close(fd); + free(orule); + free(key); close_maps(1); } else @@ -2591,6 +2624,10 @@ void map_delete() if (count_fd == -1) { printf("BPF_OBJ_GET: %s \n", strerror(errno)); + free(key); + close(end_fd); + close(fd); + free(orule); close_maps(1); } uint32_t count_key = 0; @@ -2615,10 +2652,14 @@ void map_delete() { unbind_prefix(&dcidr, dplen); } + close(end_fd); + close(fd); + free(orule); + free(key); close_maps(0); } } - map.value = (uint64_t)&orule; + map.value = (uint64_t)orule; map.flags = BPF_ANY; /*Flush Map changes to system -- Needed when removing an entry that is not the last range associated *with a prefix/protocol pair*/ @@ -2627,9 +2668,12 @@ void map_delete() { printf("MAP_UPDATE_ELEM: %s \n", strerror(errno)); close(fd); + free(orule); close_maps(1); } } + free(orule); + free(key); close(fd); } 
@@ -2719,8 +2763,8 @@ void map_list() map.key = (uint64_t)&key; map.value = (uint64_t)&orule; int lookup = 0; - printf("%-8s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "target", "proto", "origin", "destination", "mapping:", " interface list"); - printf("--------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n"); + printf("%-22s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "service id", "proto", "origin", "destination", "mapping:", " interface list"); + printf("----------------------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n"); int rule_count = 0; if (prot) { @@ -2747,8 +2791,8 @@ void map_list() printf("Rule Count: %d\n", rule_count); if (x == 0) { - printf("%-8s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "target", "proto", "origin", "destination", "mapping:", " interface list"); - printf("--------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n"); + printf("%-22s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "service id", "proto", "origin", "destination", "mapping:", " interface list"); + printf("----------------------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n"); } } } 
@@ -2938,8 +2982,8 @@ void map_list_all() map.value = (uint64_t)&orule; int lookup = 0; int ret = 0; - printf("%-8s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "target", "proto", "origin", "destination", "mapping:", " interface list"); - printf("--------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n"); + printf("%-22s\t%-3s\t%-20s\t%-32s%-24s\t\t\t\t%-32s\n", "service id", "proto", "origin", "destination", "mapping:", " interface list"); + printf("----------------------\t-----\t-----------------\t------------------\t\t-------------------------------------------------------\t-----------------\n"); int rule_count = 0; while (true) { @@ -3589,6 +3633,10 @@ int main(int argc, char **argv) signal(SIGTERM, INThandler); argp_parse(&argp, argc, argv, 0, 0, 0); + if(service && !add){ + usage("-s, --service-id requires -I, --insert"); + } + if (tcfilter && !object && !disable) { usage("-X, --set-tc-filter requires -O, --object-file for add operation"); diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c index b90277a..0fb1abf 100644 --- a/src/zfw_tc_ingress.c +++ b/src/zfw_tc_ingress.c @@ -72,7 +72,7 @@ struct tproxy_port_mapping { __u16 high_port; __u16 tproxy_port; __u32 if_list[MAX_IF_LIST_ENTRIES]; - char service_id[23]; + char service_id[32]; }; struct tproxy_tuple { From cb70cb3ab87a9a944a30b9afdf8c52ababa2273e Mon Sep 17 00:00:00 2001 From: r-caamano Date: Mon, 13 May 2024 01:12:35 +0000 Subject: [PATCH 03/15] Initial dev to add service_id to logging --- CHANGELOG.md | 1 + src/zfw.c | 45 ++++++++-------- src/zfw_tc_ingress.c | 105 ++++++++++++++++++++++-------------- src/zfw_tc_outbound_track.c | 2 + src/zfw_tunnel_wrapper.c | 17 +++--- src/zfw_xdp_tun_ingress.c | 66 ++++++++++++++--------- 6 files changed, 140 insertions(+), 96 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a2291db..524494a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file. The format - Added support for ziti service id tracking. Will need to update ziti-router and zfw_tunnel_wrapper to add service id when a rule is inserted. +- Fixed issue where passthrough rules would not generate log data when in verbose mode. # [0.5.18] - 2024-05-08 diff --git a/src/zfw.c b/src/zfw.c index cf42f08..3c9a8bd 100644 --- a/src/zfw.c +++ b/src/zfw.c @@ -230,6 +230,7 @@ struct bpf_event __u8 tracking_code; unsigned char source[6]; unsigned char dest[6]; + char service_id[29]; }; struct diag_ip4 @@ -252,7 +253,7 @@ struct tproxy_port_mapping __u16 high_port; __u16 tproxy_port; __u32 if_list[MAX_IF_LIST_ENTRIES]; - char service_id[32]; + char service_id[29]; }; struct tproxy_tuple @@ -1904,13 +1905,14 @@ static int process_events(void *ctx, void *data, size_t len) char *ts = get_ts(evt->tstamp); char message[250]; int res = 0; + char *service_id = evt->service_id; if (((ifname && monitor_interface && !strcmp(monitor_interface, ifname)) || all_interface) && ts) { if (evt->error_code) { if (evt->error_code == IP_HEADER_TOO_BIG) { - sprintf(message, "%s : %s : %s : IP Header Too Big\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %-22s : %s : %s : IP Header Too Big\n", ts, service_id, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); @@ -1922,7 +1924,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == NO_IP_OPTIONS_ALLOWED) { - sprintf(message, "%s : %s : %s : No IP Options Allowed\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %-22s : %s : %s : No IP Options Allowed\n", ts, service_id, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); 
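Review bot: Every `sprintf(message, ...)` in the process_events hunks at `@@ -1904` and `@@ -1922`, and in the following hunks through `@@ -2211`, now pads `service_id` to 22 columns inside the fixed `char message[250]` with no bound on the total length; change them to `snprintf(message, sizeof message, ...)` so a long timestamp, interface name or code string cannot run past the buffer. `evt->service_id` is a 29-byte array read from the ring buffer and a plain `%s` trusts the producer to have NUL-terminated it; a precision such as `%-22.28s` limits the read to the array whatever was written. process_events starts before the first of these hunks and ends after the last.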
@@ -1934,7 +1936,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == UDP_HEADER_TOO_BIG) { - sprintf(message, "%s : %s : %s : UDP Header Too Big\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %-22s : %s : %s : UDP Header Too Big\n", ts, service_id, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); @@ -1946,7 +1948,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == GENEVE_HEADER_TOO_BIG) { - sprintf(message, "%s : %s : %s : Geneve Header Too Big\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %-22s : %s : %s : Geneve Header Too Big\n", ts, service_id ,ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); @@ -1958,7 +1960,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == GENEVE_HEADER_LENGTH_VERSION_ERROR) { - sprintf(message, "%s : %s : %s : Geneve Header Length: Version Error\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %-22s : %s : %s : Geneve Header Length: Version Error\n", ts, service_id ,ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); @@ -1970,7 +1972,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == SKB_ADJUST_ERROR) { - sprintf(message, "%s : %s : %s : SKB Adjust Error\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %-22s : %s : %s : SKB Adjust Error\n", ts, service_id ,ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); 
@@ -1982,7 +1984,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == ICMP_HEADER_TOO_BIG) { - sprintf(message, "%s : %s : %s : ICMP Header Too Big\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %-22s : %s : %s : ICMP Header Too Big\n", ts, service_id , ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); @@ -1994,7 +1996,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == ICMP_INNER_IP_HEADER_TOO_BIG) { - sprintf(message, "%s : %s : %s : ICMP Inner IP Header Too Big\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %-22s : %s : %s : ICMP Inner IP Header Too Big\n", ts, service_id,ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); @@ -2006,7 +2008,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == IF_LIST_MATCH_ERROR) { - sprintf(message, "%s : %s : %s : Interface did not match and per interface filtering is enabled\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %-22s : %s : %s : Interface did not match and per interface filtering is enabled\n", ts, service_id ,ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); @@ -2018,7 +2020,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == NO_REDIRECT_STATE_FOUND) { - sprintf(message, "%s : %s : %s : No Redirect State found\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %-22s : %s : %s : No Redirect State found\n", ts, service_id, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); 
@@ -2052,7 +2054,7 @@ static int process_events(void *ctx, void *data, size_t len) char *tun_ifname = if_indextoname(evt->tun_ifindex, tbuf); if (tun_ifname) { - sprintf(message, "%s : %s : %s :%s:%d[%x:%x:%x:%x:%x:%x] > %s:%d[%x:%x:%x:%x:%x:%x] redirect ---> %s\n", ts, ifname, protocol, saddr, ntohs(evt->sport), + sprintf(message, "%s : %-22s: %s : %s : %s:%d[%x:%x:%x:%x:%x:%x] > %s:%d[%x:%x:%x:%x:%x:%x] redirect ---> %s\n", ts, service_id, ifname, protocol, saddr, ntohs(evt->sport), evt->source[0], evt->source[1], evt->source[2], evt->source[3], evt->source[4], evt->source[5], daddr, ntohs(evt->dport), evt->dest[0], evt->dest[1], evt->dest[2], evt->dest[3], evt->dest[4], evt->dest[5], tun_ifname); if (logging) @@ -2067,8 +2069,8 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->tport && ifname) { - sprintf(message, "%s : %s : %s : %s :%s:%d > %s:%d | tproxy ---> 127.0.0.1:%d\n", - ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, ntohs(evt->sport), + sprintf(message, "%s : %-22s : %s : %s : %s : %s:%d > %s:%d | tproxy ---> 127.0.0.1:%d\n", + ts, service_id, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, ntohs(evt->sport), daddr, ntohs(evt->dport), ntohs(evt->tport)); if (logging) { @@ -2134,7 +2136,7 @@ static int process_events(void *ctx, void *data, size_t len) } if (state) { - sprintf(message, "%s : %s : %s : %s :%s:%d > %s:%d outbound_tracking ---> %s\n", ts, ifname, + sprintf(message, "%s : %-22s : %s : %s : %s : %s:%d > %s:%d outbound_tracking ---> %s\n", ts, service_id, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, ntohs(evt->sport), daddr, ntohs(evt->dport), state); if (logging) { 
@@ -2154,7 +2156,7 @@ static int process_events(void *ctx, void *data, size_t len) if (code == 4) { /*evt->sport is use repurposed store next hop mtu*/ - sprintf(message, "%s : %s : %s : %s :%s --> reported next hop mtu:%d > FRAGMENTATION NEEDED IN PATH TO:%s:%d\n", ts, ifname, + sprintf(message, "%s : %-22s : %s : %s : %s : %s --> reported next hop mtu:%d > FRAGMENTATION NEEDED IN PATH TO:%s:%d\n", ts, service_id ,ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, ntohs(evt->sport), daddr, ntohs(evt->dport)); if (logging) { @@ -2196,7 +2198,7 @@ static int process_events(void *ctx, void *data, size_t len) if (code_string) { - sprintf(message, "%s : %s : %s : %s :%s --> REPORTED:%s > in PATH TO:%s:%s:%d OUTER-TTL:%d INNER-TTL:%d\n", ts, ifname, + sprintf(message, "%s : %-22s : %s : %s : %s : %s --> REPORTED:%s > in PATH TO:%s:%s:%d OUTER-TTL:%d INNER-TTL:%d\n", ts, service_id,ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, code_string, daddr, protocol_string, ntohs(evt->dport), outer_ttl, inner_ttl); if (logging) { @@ -2211,7 +2213,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (ifname) { - sprintf(message, "%s : %s : %s : %s :%s:%d > %s:%d\n", ts, ifname, + sprintf(message, "%s : %-22s : %s : %s : %s : %s:%d > %s:%d\n", ts, service_id,ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, ntohs(evt->sport), daddr, ntohs(evt->dport)); if (logging) { @@ -2966,7 +2968,6 @@ void map_list_all() struct tproxy_key *key = &init_key; struct tproxy_key current_key; struct tproxy_tuple orule; - // Open BPF zt_tproxy_map map memset(&map, 0, sizeof(map)); map.pathname = (uint64_t)tproxy_map_path; map.bpf_fd = 0; 
@@ -3362,7 +3363,7 @@ static error_t parse_opt(int key, char *arg, struct argp_state *state) fprintf(stderr, "%s --help for more info\n", program_name); exit(1); } - if(strlen(arg) > 31){ + if(strlen(arg) > 28){ printf("Invalid service ID: ID too long\n"); exit(1); } @@ -3633,8 +3634,8 @@ int main(int argc, char **argv) signal(SIGTERM, INThandler); argp_parse(&argp, argc, argv, 0, 0, 0); - if(service && !add){ - usage("-s, --service-id requires -I, --insert"); + if(service && (!add && !delete)){ + usage("-s, --service-id requires -I, --insert or -D, --delete"); } if (tcfilter && !object && !disable) diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c index 0fb1abf..4458e86 100644 --- a/src/zfw_tc_ingress.c +++ b/src/zfw_tc_ingress.c @@ -72,7 +72,7 @@ struct tproxy_port_mapping { __u16 high_port; __u16 tproxy_port; __u32 if_list[MAX_IF_LIST_ENTRIES]; - char service_id[32]; + char service_id[29]; }; struct tproxy_tuple { @@ -119,7 +119,7 @@ struct bpf_event{ __u8 tracking_code; unsigned char source[6]; unsigned char dest[6]; - + char service_id[29]; }; /*Key to tcp_map*/ @@ -211,6 +211,7 @@ struct tun_state { unsigned int ifindex; unsigned char source[6]; unsigned char dest[6]; + char service_id[29]; }; /*key to transp_map*/ @@ -437,6 +438,14 @@ struct { __uint(pinning, LIBBPF_PIN_BY_NAME); } rb_map SEC(".maps"); +/*MAP to hold event data when stack is full*/ +struct { + __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); + __uint(max_entries, 1); + __type(key, int); + __type(value, struct bpf_event); + } heap SEC(".maps"); + /* Function used by ebpf program to access ifindex_ip_map * in order to lookup the ip associated with its attached interface * This allows distinguishing between socket to the local system i.e. ssh 
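Review bot: The `> 28` bound in the parse_opt hunk is the third hand-copied value derived from `service_id[29]`, which this patch declares in four structs across `zfw.c`, `zfw_tc_ingress.c` and `zfw_tc_outbound_track.c`, repeats as a loop bound in send_event (`i < 29`) and shadows with a 23-byte default on the BPF side; a single `#define SERVICE_ID_LEN 29` in a header both sides include, with `sizeof` at the copy sites, stops them drifting apart. The check only limits length, yet the value is later written verbatim into log lines and the rule listing, so rejecting non-printable characters (at least `\n` and `\r`) here keeps each log record on one line. The main hunk now permits `-s` together with `-D`, but the map_delete hunks on the preceding lines never read `service_string`, so presumably the option is accepted and silently ignored on delete.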
@@ -556,6 +565,9 @@ static inline void send_event(struct bpf_event *new_event){ rb_event->source[x] = new_event->source[x]; rb_event->dest[x] = new_event->dest[x]; } + for(int i = 0; i < 29; i++){ + rb_event->service_id[i] = new_event->service_id[i]; + } bpf_ringbuf_submit(rb_event, 0); } } @@ -748,8 +760,12 @@ int bpf_sk_splice(struct __sk_buff *skb){ 0, 0, {0}, - {0} + {0}, + {0}, }; + + char service_id[23] = {'0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','\0'}; + memcpy(event.service_id, service_id, sizeof(service_id)); /*look up attached interface inbound diag status*/ struct diag_ip4 *local_diag = get_diag_ip4(skb->ingress_ifindex); @@ -1469,24 +1485,27 @@ int bpf_sk_splice5(struct __sk_buff *skb){ if(!tuple){ return TC_ACT_SHOT; } - + if ((unsigned long)(tuple + 1) > (unsigned long)skb->data_end){ + return TC_ACT_SHOT; + } unsigned long long tstamp = bpf_ktime_get_ns(); - struct bpf_event event = { - tstamp, - skb->ifindex, - 0, - tuple->ipv4.daddr, - tuple->ipv4.saddr, - tuple->ipv4.sport, - tuple->ipv4.dport, - 0, - 0, - INGRESS, - 0, - 0, - {}, - {} - }; + int ekey = 0; + struct bpf_event *event = bpf_map_lookup_elem(&heap, &ekey); + if(!event){ + return TC_ACT_SHOT; + } + event->tstamp = tstamp; + event->ifindex = skb->ifindex; + event->tun_ifindex = 0; + event->saddr = tuple->ipv4.saddr; + event->daddr = tuple->ipv4.daddr; + event->dport = tuple->ipv4.dport; + event->sport = tuple->ipv4.sport; + event->tport = 0; + event->proto = 0; + event->direction = INGRESS; + event->error_code = 0; + event->tracking_code = 0; /* determine length of tuple */ tuple_len = sizeof(tuple->ipv4); @@ -1514,7 +1533,6 @@ int bpf_sk_splice5(struct __sk_buff *skb){ }else{ break; } - if((tproxy = get_tproxy(key)) && tuple) { __u16 max_entries = tproxy->index_len; 
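Review bot: In the bpf_sk_splice5 hunk at `@@ -1469`, the event now lives in the per-CPU `heap` array and the field-by-field initialisation does not clear `source`, `dest` or `service_id`, whereas the removed stack initializer zeroed them; a per-CPU array slot keeps its previous contents, so an event emitted on a path that does not set those fields carries the MAC addresses from an earlier packet on the same CPU. Add `__builtin_memset(event, 0, sizeof(*event));` immediately after the NULL check and then assign the fields. The new `(unsigned long)(tuple + 1) > (unsigned long)skb->data_end` check before the tuple is dereferenced is the right addition. bpf_sk_splice5 starts and ends outside this hunk.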
@@ -1527,18 +1545,19 @@ int bpf_sk_splice5(struct __sk_buff *skb){ if ((bpf_ntohs(tuple->ipv4.dport) >= bpf_ntohs(tproxy->port_mapping[port_key].low_port)) && (bpf_ntohs(tuple->ipv4.dport) <= bpf_ntohs(tproxy->port_mapping[port_key].high_port))) { - event.proto = key.protocol; - event.tport = tproxy->port_mapping[port_key].tproxy_port; + event->proto = key.protocol; + event->tport = tproxy->port_mapping[port_key].tproxy_port; + memcpy(event->service_id, tproxy->port_mapping[port_key].service_id, sizeof(event->service_id)); /*check if interface is set for per interface rule awarness and if yes check if it is in the rules interface list. If not in the interface list drop it on all interfaces accept loopback. If its not aware then forward based on mapping*/ sockcheck.ipv4.daddr = 0x0100007f; sockcheck.ipv4.dport = tproxy->port_mapping[port_key].tproxy_port; if(!local_diag->per_interface){ if(tproxy->port_mapping[port_key].tproxy_port == 0){ - return TC_ACT_OK; if(local_diag->verbose){ - send_event(&event); + send_event(event); } + return TC_ACT_OK; } if(!local_diag->tun_mode){ sk = get_sk(key, skb, sockcheck); @@ -1546,7 +1565,7 @@ int bpf_sk_splice5(struct __sk_buff *skb){ return TC_ACT_SHOT; } if(!(key.protocol == IPPROTO_UDP) || local_diag->verbose){ - send_event(&event); + send_event(event); } goto assign; }else @@ -1561,8 +1580,10 @@ int bpf_sk_splice5(struct __sk_buff *skb){ tstamp, skb->ifindex, {0}, + {0}, {0} }; + memcpy(&tus.service_id, tproxy->port_mapping[port_key].service_id, sizeof(tus.service_id)); memcpy(&tus.source, ð->h_source, 6); memcpy(&tus.dest, ð->h_dest, 6); insert_tun(tus, tun_state_key); 
@@ -1574,10 +1595,10 @@ int bpf_sk_splice5(struct __sk_buff *skb){ struct ifindex_tun *tun_index = get_tun_index(0); if(tun_index){ if(local_diag->verbose){ - memcpy(event.source, eth->h_source, 6); - memcpy(event.dest, eth->h_dest, 6); - event.tun_ifindex = tun_index->index; - send_event(&event); + memcpy(event->source, eth->h_source, 6); + memcpy(event->dest, eth->h_dest, 6); + event->tun_ifindex = tun_index->index; + send_event(event); } return bpf_redirect(tun_index->index, 0); } @@ -1587,10 +1608,10 @@ int bpf_sk_splice5(struct __sk_buff *skb){ for(int x = 0; x < MAX_IF_LIST_ENTRIES; x++){ if(tproxy->port_mapping[port_key].if_list[x] == skb->ifindex){ if(tproxy->port_mapping[port_key].tproxy_port == 0){ - return TC_ACT_OK; if(local_diag->verbose){ - send_event(&event); + send_event(event); } + return TC_ACT_OK; } if(!local_diag->tun_mode){ sk = get_sk(key, skb, sockcheck); @@ -1598,7 +1619,7 @@ int bpf_sk_splice5(struct __sk_buff *skb){ return TC_ACT_SHOT; } if(!(key.protocol == IPPROTO_UDP) || local_diag->verbose){ - send_event(&event); + send_event(event); } goto assign; }else{ @@ -1613,8 +1634,10 @@ int bpf_sk_splice5(struct __sk_buff *skb){ tstamp, skb->ifindex, {0}, + {0}, {0} }; + memcpy(&tus.service_id, tproxy->port_mapping[port_key].service_id, sizeof(tus.service_id)); memcpy(&tus.source, ð->h_source, 6); memcpy(&tus.dest, ð->h_dest, 6); insert_tun(tus, tun_state_key); @@ -1626,10 +1649,10 @@ int bpf_sk_splice5(struct __sk_buff *skb){ struct ifindex_tun *tun_index = get_tun_index(0); if(tun_index){ if(local_diag->verbose){ - memcpy(event.source, eth->h_source, 6); - memcpy(event.dest, eth->h_dest, 6); - event.tun_ifindex = tun_index->index; - send_event(&event); + memcpy(event->source, eth->h_source, 6); + memcpy(event->dest, eth->h_dest, 6); + event->tun_ifindex = tun_index->index; + send_event(event); } return bpf_redirect(tun_index->index, 0); } 
@@ -1638,13 +1661,13 @@ int bpf_sk_splice5(struct __sk_buff *skb){ } if(skb->ifindex == 1){ - event.error_code = IF_LIST_MATCH_ERROR; - send_event(&event); + event->error_code = IF_LIST_MATCH_ERROR; + send_event(event); return TC_ACT_OK; } else{ - event.error_code = IF_LIST_MATCH_ERROR; - send_event(&event); + event->error_code = IF_LIST_MATCH_ERROR; + send_event(event); return TC_ACT_SHOT; } } diff --git a/src/zfw_tc_outbound_track.c b/src/zfw_tc_outbound_track.c index 34f11b4..61e3e4e 100644 --- a/src/zfw_tc_outbound_track.c +++ b/src/zfw_tc_outbound_track.c @@ -58,6 +58,7 @@ struct bpf_event{ __u8 tracking_code; unsigned char source[6]; unsigned char dest[6]; + char service_id[29]; }; /*Key to tcp_map and udp_map*/ @@ -294,6 +295,7 @@ int bpf_sk_splice(struct __sk_buff *skb){ 0, 0, {0}, + {0}, {0} }; diff --git a/src/zfw_tunnel_wrapper.c b/src/zfw_tunnel_wrapper.c index d802266..18797a6 100644 --- a/src/zfw_tunnel_wrapper.c +++ b/src/zfw_tunnel_wrapper.c @@ -58,7 +58,7 @@ typedef unsigned char byte; void close_maps(int code); void open_transp_map(); void open_tun_map(); -void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *protocol, char *action); +void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *protocol, char *service_id, char *action); void unbind_route_loopback(struct in_addr *address, unsigned short mask); void INThandler(int sig); void map_delete_key(char *service_id); @@ -358,7 +358,7 @@ void string2Byte(char* string, byte* bytes) } } -void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *protocol, char *action){ +void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *protocol, char *service_id, char *action){ if (access("/usr/sbin/zfw", F_OK) != 0) { printf("ebpf not running: Cannot find /usr/sbin/zfw\n"); 
@@ -366,8 +366,8 @@ void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *proto } pid_t pid; //("%s, %s\n", action ,rules_temp->parmList[3]); - char *const parmList[15] = {"/usr/sbin/zfw", action, "-c", ip, "-m", mask, "-l", - lowport, "-h", highport, "-t", "65535", "-p", protocol, NULL}; + char *const parmList[17] = {"/usr/sbin/zfw", action, "-c", ip, "-m", mask, "-l", + lowport, "-h", highport, "-t", "65535", "-p", protocol, "-s", service_id, NULL}; if ((pid = fork()) == -1){ perror("fork error: can't spawn bind"); }else if (pid == 0) { @@ -491,6 +491,9 @@ int process_bind(json_object *jobj, char *action) } int process_dial(json_object *jobj, char *action){ + struct json_object *service_id_obj = json_object_object_get(jobj, "Id"); + char service_id[strlen(json_object_get_string(service_id_obj)) + 1]; + sprintf(service_id, "%s", json_object_get_string(service_id_obj)); struct json_object *addresses_obj = json_object_object_get(jobj, "Addresses"); if(addresses_obj) { @@ -587,7 +590,7 @@ int process_dial(json_object *jobj, char *action){ } } } - zfw_update(ip, mask, lowport, highport, protocol, action); + zfw_update(ip, mask, lowport, highport, protocol, service_id, action); } } } @@ -745,8 +748,8 @@ int run(){ if((sizeof(o_tunif.cidr) > 0) && (sizeof(o_tunif.mask) >0)){ sprintf(tunip_string, "%s" , o_tunif.cidr); sprintf(tunip_mask_string, "%s", o_tunif.mask); - zfw_update(tunip_string, tunip_mask_string, "1", "65535", "tcp", "-I"); - zfw_update(tunip_string, tunip_mask_string, "1", "65535", "udp", "-I"); + zfw_update(tunip_string, tunip_mask_string, "1", "65535", "tcp", "0000000000000000000000", "-I"); + zfw_update(tunip_string, tunip_mask_string, "1", "65535", "udp", "0000000000000000000000", "-I"); tun_ifname = o_tunif.ifname; } } diff --git a/src/zfw_xdp_tun_ingress.c b/src/zfw_xdp_tun_ingress.c index 0d3c822..f69e327 100644 --- a/src/zfw_xdp_tun_ingress.c +++ b/src/zfw_xdp_tun_ingress.c 
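Review bot: In `process_dial`, `service_id_obj` is used without a NULL check: when the JSON lacks an `Id` key, `json_object_object_get` returns NULL, json-c's `json_object_get_string` then yields NULL, and `strlen(NULL)` crashes the wrapper. The VLA `char service_id[strlen(...) + 1]` also sizes a stack buffer from an externally supplied string with no upper bound, while the zfw binary it is handed to caps the ID length anyway. A fixed buffer with a guarded, bounded copy avoids both: `const char *id = service_id_obj ? json_object_get_string(service_id_obj) : NULL;` / `char service_id[23] = {0};` / `if (id) { snprintf(service_id, sizeof service_id, "%s", id); }`. process_dial continues outside the hunk, so whether a missing ID is rejected or replaced by the all-zero default used in `run()` still needs deciding there.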
@@ -31,7 +31,8 @@ #define BPF_MAX_SESSIONS 10000 #define INGRESS 0 #define NO_REDIRECT_STATE_FOUND 10 - +bool udp = false; +bool tcp = false; struct bpf_event{ unsigned long long tstamp; __u32 ifindex; @@ -47,6 +48,7 @@ struct bpf_event{ __u8 tracking_code; unsigned char source[6]; unsigned char dest[6]; + char service_id[29]; }; /*Key to tun_map, tcp_map and udp_map*/ @@ -69,6 +71,7 @@ struct tun_state { unsigned int ifindex; unsigned char source[6]; unsigned char dest[6]; + char service_id[29]; }; /*value to ifindex_tun_map*/ @@ -138,6 +141,10 @@ static inline void send_event(struct bpf_event *new_event){ rb_event->source[x] = new_event->source[x]; rb_event->dest[x] = new_event->dest[x]; } + for (int i = 0; i < 29; i++) + { + rb_event->service_id[i] = new_event->service_id[i]; + } bpf_ringbuf_submit(rb_event, 0); } } 
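Review bot: `bool udp` and `bool tcp` are file-scope, non-static globals in an XDP program; they are only written (`tcp = true;` and `udp = true;` in the `@@ -176` hunk) and never read in any visible hunk. In BPF a global like this becomes a single shared `.bss` map entry, so every CPU races on the same byte, and nothing in the visible lookup/verbose logic depends on the value. Dropping both, or replacing them with locals next to `dport`/`sport` inside `xdp_redirect_prog`, removes the dead shared state.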
@@ -176,12 +183,37 @@ int xdp_redirect_prog(struct xdp_md *ctx) 0, 0, {0}, + {0}, {0} }; struct tun_key tun_state_key; - tun_state_key.daddr = iph->saddr; - tun_state_key.saddr = iph->daddr; + uint32_t daddr = iph->daddr; + uint32_t saddr = iph->saddr; + uint8_t protocol = iph->protocol; + uint16_t dport = 0; + uint16_t sport = 0; + tun_state_key.daddr = saddr; + tun_state_key.saddr = daddr; + if(iph->protocol == IPPROTO_TCP){ + struct tcphdr *tcph = (struct tcphdr *)((unsigned long)iph + sizeof(*iph)); + if ((unsigned long)(tcph + 1) > (unsigned long)ctx->data_end){ + return XDP_PASS; + } + tcp = true; + sport = tcph->source; + dport = tcph->dest; + }else if (iph->protocol == IPPROTO_UDP){ + struct udphdr *udph = (struct udphdr *)((unsigned long)iph + sizeof(*iph)); + if ((unsigned long)(udph + 1) > (unsigned long)ctx->data_end){ + return XDP_PASS; + } + udp = true; + sport = udph->source; + dport = udph->dest; + } + char service_id[23] = {'0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '\0'}; + memcpy(event.service_id, service_id, sizeof(service_id)); struct tun_state *tus = get_tun(tun_state_key); if(tus){ bpf_xdp_adjust_head(ctx, -14); 
@@ -191,31 +223,13 @@ int xdp_redirect_prog(struct xdp_md *ctx) return XDP_PASS; } if(tun_diag->verbose){ - struct iphdr *iph = (struct iphdr *)(ctx->data + sizeof(*eth)); - /* ensure ip header is in packet bounds */ - if ((unsigned long)(iph + 1) > (unsigned long)ctx->data_end){ - return XDP_PASS; - } - __u8 protocol = iph->protocol; - if(protocol == IPPROTO_TCP){ - struct tcphdr *tcph = (struct tcphdr *)((unsigned long)iph + sizeof(*iph)); - if ((unsigned long)(tcph + 1) > (unsigned long)ctx->data_end){ - return XDP_PASS; - } - event.dport = tcph->dest; - event.sport = tcph->source; - }else if (protocol == IPPROTO_UDP){ - struct udphdr *udph = (struct udphdr *)((unsigned long)iph + sizeof(*iph)); - if ((unsigned long)(udph + 1) > (unsigned long)ctx->data_end){ - return XDP_PASS; - } - event.dport = udph->dest; - event.sport = udph->source; - } + event.dport = dport; + event.sport = sport; event.tun_ifindex = tus->ifindex; event.proto = protocol; - event.saddr = iph->saddr; - event.daddr = iph->daddr; + event.saddr = saddr; + event.daddr = daddr; + memcpy(event.service_id, tus->service_id, sizeof(event.service_id)); memcpy(&event.source, &tus->dest, 6); memcpy(&event.dest, &tus->source, 6); send_event(&event); From e876e9b89170fcc0ccadcc0b4c014eaaf3913ee2 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Mon, 13 May 2024 02:10:02 +0000 Subject: [PATCH 04/15] backing out some changed to zfw_zdp_tun_ingress.c --- src/zfw_xdp_tun_ingress.c | 55 ++++++++++++++------------------------- 1 file changed, 19 insertions(+), 36 deletions(-) diff --git a/src/zfw_xdp_tun_ingress.c b/src/zfw_xdp_tun_ingress.c index f69e327..21170ac 100644 --- a/src/zfw_xdp_tun_ingress.c +++ b/src/zfw_xdp_tun_ingress.c 
@@ -188,30 +188,8 @@ int xdp_redirect_prog(struct xdp_md *ctx) }; struct tun_key tun_state_key; - uint32_t daddr = iph->daddr; - uint32_t saddr = iph->saddr; - uint8_t protocol = iph->protocol; - uint16_t dport = 0; - uint16_t sport = 0; - tun_state_key.daddr = saddr; - tun_state_key.saddr = daddr; - if(iph->protocol == IPPROTO_TCP){ - struct tcphdr *tcph = (struct tcphdr *)((unsigned long)iph + sizeof(*iph)); - if ((unsigned long)(tcph + 1) > (unsigned long)ctx->data_end){ - return XDP_PASS; - } - tcp = true; - sport = tcph->source; - dport = tcph->dest; - }else if (iph->protocol == IPPROTO_UDP){ - struct udphdr *udph = (struct udphdr *)((unsigned long)iph + sizeof(*iph)); - if ((unsigned long)(udph + 1) > (unsigned long)ctx->data_end){ - return XDP_PASS; - } - udp = true; - sport = udph->source; - dport = udph->dest; - } + tun_state_key.daddr = iph->saddr; + tun_state_key.saddr = iph->daddr; char service_id[23] = {'0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '\0'}; memcpy(event.service_id, service_id, sizeof(service_id)); struct tun_state *tus = get_tun(tun_state_key); 
@@ -222,24 +200,29 @@ int xdp_redirect_prog(struct xdp_md *ctx) if ((unsigned long)(eth + 1) > (unsigned long)ctx->data_end){ return XDP_PASS; } - if(tun_diag->verbose){ - event.dport = dport; - event.sport = sport; - event.tun_ifindex = tus->ifindex; - event.proto = protocol; - event.saddr = saddr; - event.daddr = daddr; - memcpy(event.service_id, tus->service_id, sizeof(event.service_id)); - memcpy(&event.source, &tus->dest, 6); - memcpy(&event.dest, &tus->source, 6); - send_event(&event); + struct iphdr *iph = (struct iphdr *)(ctx->data + sizeof(*eth)); + /* ensure ip header is in packet bounds */ + if ((unsigned long)(iph + 1) > (unsigned long)ctx->data_end){ + return XDP_PASS; + } + /* ip options not allowed */ + if (iph->ihl != 5){ + return XDP_PASS; } + __u8 protocol = iph->protocol; + event.tun_ifindex = tus->ifindex; + event.proto = protocol; + event.saddr = iph->saddr; + event.daddr = iph->daddr; + memcpy(&event.source, &tus->dest, 6); + memcpy(&event.dest, &tus->source, 6); + send_event(&event); memcpy(ð->h_dest, &tus->source,6); memcpy(ð->h_source, &tus->dest,6); unsigned short proto = bpf_htons(ETH_P_IP); memcpy(ð->h_proto, &proto, sizeof(proto)); return bpf_redirect(tus->ifindex,0); - } + } if(tun_diag->verbose){ event.error_code = NO_REDIRECT_STATE_FOUND; send_event(&event); From 16c9db515817aa6bc1a898fc952b06a680034495 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Mon, 13 May 2024 02:45:54 +0000 Subject: [PATCH 05/15] backing out changes --- src/zfw_tc_ingress.c | 5 ++-- src/zfw_xdp_tun_ingress.c | 55 +++++++++++++++++++++++---------------- 2 files changed, 34 insertions(+), 26 deletions(-) diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c index 4458e86..ff2f859 100644 --- a/src/zfw_tc_ingress.c +++ b/src/zfw_tc_ingress.c @@ -211,7 +211,6 @@ struct tun_state { unsigned int ifindex; unsigned char source[6]; unsigned char dest[6]; - char service_id[29]; }; /*key to transp_map*/ 
@@ -1583,7 +1582,7 @@ int bpf_sk_splice5(struct __sk_buff *skb){ {0}, {0} }; - memcpy(&tus.service_id, tproxy->port_mapping[port_key].service_id, sizeof(tus.service_id)); + //memcpy(&tus.service_id, tproxy->port_mapping[port_key].service_id, sizeof(tus.service_id)); memcpy(&tus.source, ð->h_source, 6); memcpy(&tus.dest, ð->h_dest, 6); insert_tun(tus, tun_state_key); @@ -1637,7 +1636,7 @@ int bpf_sk_splice5(struct __sk_buff *skb){ {0}, {0} }; - memcpy(&tus.service_id, tproxy->port_mapping[port_key].service_id, sizeof(tus.service_id)); + //memcpy(&tus.service_id, tproxy->port_mapping[port_key].service_id, sizeof(tus.service_id)); memcpy(&tus.source, ð->h_source, 6); memcpy(&tus.dest, ð->h_dest, 6); insert_tun(tus, tun_state_key); diff --git a/src/zfw_xdp_tun_ingress.c b/src/zfw_xdp_tun_ingress.c index 21170ac..51f0e33 100644 --- a/src/zfw_xdp_tun_ingress.c +++ b/src/zfw_xdp_tun_ingress.c @@ -71,7 +71,6 @@ struct tun_state { unsigned int ifindex; unsigned char source[6]; unsigned char dest[6]; - char service_id[29]; }; /*value to ifindex_tun_map*/ @@ -182,16 +181,13 @@ int xdp_redirect_prog(struct xdp_md *ctx) INGRESS, 0, 0, - {0}, - {0}, - {0} }; + char service_id[23] = {'0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '\0'}; + memcpy(event.service_id, service_id, sizeof(service_id)); struct tun_key tun_state_key; tun_state_key.daddr = iph->saddr; tun_state_key.saddr = iph->daddr; - char service_id[23] = {'0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '\0'}; - memcpy(event.service_id, service_id, sizeof(service_id)); struct tun_state *tus = get_tun(tun_state_key); if(tus){ bpf_xdp_adjust_head(ctx, -14); 
@@ -200,29 +196,42 @@ int xdp_redirect_prog(struct xdp_md *ctx) if ((unsigned long)(eth + 1) > (unsigned long)ctx->data_end){ return XDP_PASS; } - struct iphdr *iph = (struct iphdr *)(ctx->data + sizeof(*eth)); - /* ensure ip header is in packet bounds */ - if ((unsigned long)(iph + 1) > (unsigned long)ctx->data_end){ - return XDP_PASS; - } - /* ip options not allowed */ - if (iph->ihl != 5){ - return XDP_PASS; + if(tun_diag->verbose){ + struct iphdr *iph = (struct iphdr *)(ctx->data + sizeof(*eth)); + /* ensure ip header is in packet bounds */ + if ((unsigned long)(iph + 1) > (unsigned long)ctx->data_end){ + return XDP_PASS; + } + __u8 protocol = iph->protocol; + if(protocol == IPPROTO_TCP){ + struct tcphdr *tcph = (struct tcphdr *)((unsigned long)iph + sizeof(*iph)); + if ((unsigned long)(tcph + 1) > (unsigned long)ctx->data_end){ + return XDP_PASS; + } + event.dport = tcph->dest; + event.sport = tcph->source; + }else if (protocol == IPPROTO_UDP){ + struct udphdr *udph = (struct udphdr *)((unsigned long)iph + sizeof(*iph)); + if ((unsigned long)(udph + 1) > (unsigned long)ctx->data_end){ + return XDP_PASS; + } + event.dport = udph->dest; + event.sport = udph->source; + } + event.tun_ifindex = tus->ifindex; + event.proto = protocol; + event.saddr = iph->saddr; + event.daddr = iph->daddr; + memcpy(&event.source, &tus->dest, 6); + memcpy(&event.dest, &tus->source, 6); + send_event(&event); } - __u8 protocol = iph->protocol; - event.tun_ifindex = tus->ifindex; - event.proto = protocol; - event.saddr = iph->saddr; - event.daddr = iph->daddr; - memcpy(&event.source, &tus->dest, 6); - memcpy(&event.dest, &tus->source, 6); - send_event(&event); memcpy(ð->h_dest, &tus->source,6); memcpy(ð->h_source, &tus->dest,6); unsigned short proto = bpf_htons(ETH_P_IP); memcpy(ð->h_proto, &proto, sizeof(proto)); return bpf_redirect(tus->ifindex,0); - } + } if(tun_diag->verbose){ event.error_code = NO_REDIRECT_STATE_FOUND; send_event(&event); 
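Review bot: The restored verbose block in `xdp_redirect_prog` places the TCP/UDP header at `iph + sizeof(*iph)`, i.e. it assumes `ihl == 5`, and the `iph->ihl != 5` guard the previous patch had at this spot is dropped again; for a packet carrying IP options the bounds checks keep the reads inside the packet, but `event.dport`/`event.sport` are filled from option bytes, so the logged ports are wrong. Either keep the guard before the L4 parsing, `if (iph->ihl != 5) { return XDP_PASS; }` — which also changes forwarding for such packets, as the earlier revision did — or offset by the real header length, `(unsigned long)iph + (iph->ihl * 4)`, and leave forwarding alone. xdp_redirect_prog continues outside the hunk.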
From 1fbf48d975d634d78818dc7a26bb693a8f135379 Mon Sep 17 00:00:00 2001
From: r-caamano
Date: Mon, 13 May 2024 02:48:40 +0000
Subject: [PATCH 06/15] backing out changes
---
 src/zfw_tc_ingress.c | 2 --
 1 file changed, 2 deletions(-)
diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
index ff2f859..6761395 100644
--- a/src/zfw_tc_ingress.c
+++ b/src/zfw_tc_ingress.c
@@ -1580,7 +1580,6 @@ int bpf_sk_splice5(struct __sk_buff *skb){
 skb->ifindex,
 {0},
 {0},
- {0}
 };
 //memcpy(&tus.service_id, tproxy->port_mapping[port_key].service_id, sizeof(tus.service_id));
 memcpy(&tus.source, ð->h_source, 6);
@@ -1634,7 +1633,6 @@ int bpf_sk_splice5(struct __sk_buff *skb){
 skb->ifindex,
 {0},
 {0},
- {0}
 };
 //memcpy(&tus.service_id, tproxy->port_mapping[port_key].service_id, sizeof(tus.service_id));
 memcpy(&tus.source, ð->h_source, 6);
From a73b141dad723b200edf37c37fb9fb0302a8e3a3 Mon Sep 17 00:00:00 2001
From: r-caamano
Date: Mon, 13 May 2024 03:33:01 +0000
Subject: [PATCH 07/15] Backing out event changes completely
---
 CHANGELOG.md | 3 +-
 src/zfw.c | 36 +++++++-------
 src/zfw_tc_ingress.c | 102 +++++++++++++++-----------------------
 src/zfw_xdp_tun_ingress.c | 12 ++---
 4 files changed, 62 insertions(+), 91 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 524494a..cc7aa9f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,8 +7,7 @@ All notable changes to this project will be documented in this file. The format
 ###
-- Added support for ziti service id tracking. Will need to update ziti-router and zfw_tunnel_wrapper to add service id
- when a rule is inserted.
+- Added support for ziti service id tracking. Will need to update ziti-router via pr.
 - Fixed issue where passthrough rules would not generate log data when in verbose mode.
 # [0.5.18] - 2024-05-08
diff --git a/src/zfw.c b/src/zfw.c
index 3c9a8bd..e00feb4 100644
--- a/src/zfw.c
+++ b/src/zfw.c
@@ -230,7 +230,6 @@ struct bpf_event __u8 tracking_code; unsigned char source[6]; unsigned char dest[6]; - char service_id[29]; }; struct diag_ip4 @@ -1905,14 +1904,13 @@ static int process_events(void *ctx, void *data, size_t len) char *ts = get_ts(evt->tstamp); char message[250]; int res = 0; - char *service_id = evt->service_id; if (((ifname && monitor_interface && !strcmp(monitor_interface, ifname)) || all_interface) && ts) { if (evt->error_code) { if (evt->error_code == IP_HEADER_TOO_BIG) { - sprintf(message, "%s : %-22s : %s : %s : IP Header Too Big\n", ts, service_id, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %s : %s : IP Header Too Big\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); @@ -1924,7 +1922,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == NO_IP_OPTIONS_ALLOWED) { - sprintf(message, "%s : %-22s : %s : %s : No IP Options Allowed\n", ts, service_id, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %s : %s : No IP Options Allowed\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); @@ -1936,7 +1934,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == UDP_HEADER_TOO_BIG) { - sprintf(message, "%s : %-22s : %s : %s : UDP Header Too Big\n", ts, service_id, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %s : %s : UDP Header Too Big\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); 
@@ -1948,7 +1946,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == GENEVE_HEADER_TOO_BIG) { - sprintf(message, "%s : %-22s : %s : %s : Geneve Header Too Big\n", ts, service_id ,ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %s : %s : Geneve Header Too Big\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); @@ -1960,7 +1958,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == GENEVE_HEADER_LENGTH_VERSION_ERROR) { - sprintf(message, "%s : %-22s : %s : %s : Geneve Header Length: Version Error\n", ts, service_id ,ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %s : %s : Geneve Header Length: Version Error\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); @@ -1972,7 +1970,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == SKB_ADJUST_ERROR) { - sprintf(message, "%s : %-22s : %s : %s : SKB Adjust Error\n", ts, service_id ,ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %s : %s : SKB Adjust Error\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); @@ -1984,7 +1982,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == ICMP_HEADER_TOO_BIG) { - sprintf(message, "%s : %-22s : %s : %s : ICMP Header Too Big\n", ts, service_id , ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %s : %s : ICMP Header Too Big\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); 
@@ -1996,7 +1994,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == ICMP_INNER_IP_HEADER_TOO_BIG) { - sprintf(message, "%s : %-22s : %s : %s : ICMP Inner IP Header Too Big\n", ts, service_id,ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %s : %s : ICMP Inner IP Header Too Big\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); @@ -2008,7 +2006,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == IF_LIST_MATCH_ERROR) { - sprintf(message, "%s : %-22s : %s : %s : Interface did not match and per interface filtering is enabled\n", ts, service_id ,ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %s : %s : Interface did not match and per interface filtering is enabled\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); @@ -2020,7 +2018,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->error_code == NO_REDIRECT_STATE_FOUND) { - sprintf(message, "%s : %-22s : %s : %s : No Redirect State found\n", ts, service_id, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); + sprintf(message, "%s : %s : %s : No Redirect State found\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS"); if (logging) { res = write_log(log_file_name, message); 
@@ -2054,7 +2052,7 @@ static int process_events(void *ctx, void *data, size_t len) char *tun_ifname = if_indextoname(evt->tun_ifindex, tbuf); if (tun_ifname) { - sprintf(message, "%s : %-22s: %s : %s : %s:%d[%x:%x:%x:%x:%x:%x] > %s:%d[%x:%x:%x:%x:%x:%x] redirect ---> %s\n", ts, service_id, ifname, protocol, saddr, ntohs(evt->sport), + sprintf(message, "%s : %s : %s :%s:%d[%x:%x:%x:%x:%x:%x] > %s:%d[%x:%x:%x:%x:%x:%x] redirect ---> %s\n", ts, ifname, protocol, saddr, ntohs(evt->sport), evt->source[0], evt->source[1], evt->source[2], evt->source[3], evt->source[4], evt->source[5], daddr, ntohs(evt->dport), evt->dest[0], evt->dest[1], evt->dest[2], evt->dest[3], evt->dest[4], evt->dest[5], tun_ifname); if (logging) @@ -2069,8 +2067,8 @@ static int process_events(void *ctx, void *data, size_t len) } else if (evt->tport && ifname) { - sprintf(message, "%s : %-22s : %s : %s : %s : %s:%d > %s:%d | tproxy ---> 127.0.0.1:%d\n", - ts, service_id, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, ntohs(evt->sport), + sprintf(message, "%s : %s : %s : %s :%s:%d > %s:%d | tproxy ---> 127.0.0.1:%d\n", + ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, ntohs(evt->sport), daddr, ntohs(evt->dport), ntohs(evt->tport)); if (logging) { @@ -2136,7 +2134,7 @@ static int process_events(void *ctx, void *data, size_t len) } if (state) { - sprintf(message, "%s : %-22s : %s : %s : %s : %s:%d > %s:%d outbound_tracking ---> %s\n", ts, service_id, ifname, + sprintf(message, "%s : %s : %s : %s :%s:%d > %s:%d outbound_tracking ---> %s\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, ntohs(evt->sport), daddr, ntohs(evt->dport), state); if (logging) { 
@@ -2156,7 +2154,7 @@ static int process_events(void *ctx, void *data, size_t len) if (code == 4) { /*evt->sport is use repurposed store next hop mtu*/ - sprintf(message, "%s : %-22s : %s : %s : %s : %s --> reported next hop mtu:%d > FRAGMENTATION NEEDED IN PATH TO:%s:%d\n", ts, service_id ,ifname, + sprintf(message, "%s : %s : %s : %s :%s --> reported next hop mtu:%d > FRAGMENTATION NEEDED IN PATH TO:%s:%d\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, ntohs(evt->sport), daddr, ntohs(evt->dport)); if (logging) { @@ -2198,7 +2196,7 @@ static int process_events(void *ctx, void *data, size_t len) if (code_string) { - sprintf(message, "%s : %-22s : %s : %s : %s : %s --> REPORTED:%s > in PATH TO:%s:%s:%d OUTER-TTL:%d INNER-TTL:%d\n", ts, service_id,ifname, + sprintf(message, "%s : %s : %s : %s :%s --> REPORTED:%s > in PATH TO:%s:%s:%d OUTER-TTL:%d INNER-TTL:%d\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, code_string, daddr, protocol_string, ntohs(evt->dport), outer_ttl, inner_ttl); if (logging) { @@ -2213,7 +2211,7 @@ static int process_events(void *ctx, void *data, size_t len) } else if (ifname) { - sprintf(message, "%s : %-22s : %s : %s : %s : %s:%d > %s:%d\n", ts, service_id,ifname, + sprintf(message, "%s : %s : %s : %s :%s:%d > %s:%d\n", ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, ntohs(evt->sport), daddr, ntohs(evt->dport)); if (logging) { diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c index 6761395..c468aac 100644 --- a/src/zfw_tc_ingress.c +++ b/src/zfw_tc_ingress.c @@ -72,7 +72,7 @@ struct tproxy_port_mapping { __u16 high_port; __u16 tproxy_port; __u32 if_list[MAX_IF_LIST_ENTRIES]; - char service_id[29]; + char service_id[29]; }; struct tproxy_tuple { @@ -119,7 +119,7 @@ struct bpf_event{ __u8 tracking_code; unsigned char source[6]; unsigned char dest[6]; - char service_id[29]; + }; /*Key to tcp_map*/ 
@@ -437,14 +437,6 @@ struct { __uint(pinning, LIBBPF_PIN_BY_NAME); } rb_map SEC(".maps"); -/*MAP to hold event data when stack is full*/ -struct { - __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); - __uint(max_entries, 1); - __type(key, int); - __type(value, struct bpf_event); - } heap SEC(".maps"); - /* Function used by ebpf program to access ifindex_ip_map * in order to lookup the ip associated with its attached interface * This allows distinguishing between socket to the local system i.e. ssh @@ -564,9 +556,6 @@ static inline void send_event(struct bpf_event *new_event){ rb_event->source[x] = new_event->source[x]; rb_event->dest[x] = new_event->dest[x]; } - for(int i = 0; i < 29; i++){ - rb_event->service_id[i] = new_event->service_id[i]; - } bpf_ringbuf_submit(rb_event, 0); } } @@ -759,12 +748,8 @@ int bpf_sk_splice(struct __sk_buff *skb){ 0, 0, {0}, - {0}, - {0}, + {0} }; - - char service_id[23] = {'0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','\0'}; - memcpy(event.service_id, service_id, sizeof(service_id)); /*look up attached interface inbound diag status*/ struct diag_ip4 *local_diag = get_diag_ip4(skb->ingress_ifindex); 
@@ -1484,27 +1469,24 @@ int bpf_sk_splice5(struct __sk_buff *skb){ if(!tuple){ return TC_ACT_SHOT; } - if ((unsigned long)(tuple + 1) > (unsigned long)skb->data_end){ - return TC_ACT_SHOT; - } + unsigned long long tstamp = bpf_ktime_get_ns(); - int ekey = 0; - struct bpf_event *event = bpf_map_lookup_elem(&heap, &ekey); - if(!event){ - return TC_ACT_SHOT; - } - event->tstamp = tstamp; - event->ifindex = skb->ifindex; - event->tun_ifindex = 0; - event->saddr = tuple->ipv4.saddr; - event->daddr = tuple->ipv4.daddr; - event->dport = tuple->ipv4.dport; - event->sport = tuple->ipv4.sport; - event->tport = 0; - event->proto = 0; - event->direction = INGRESS; - event->error_code = 0; - event->tracking_code = 0; + struct bpf_event event = { + tstamp, + skb->ifindex, + 0, + tuple->ipv4.daddr, + tuple->ipv4.saddr, + tuple->ipv4.sport, + tuple->ipv4.dport, + 0, + 0, + INGRESS, + 0, + 0, + {}, + {} + }; /* determine length of tuple */ tuple_len = sizeof(tuple->ipv4); @@ -1532,6 +1514,7 @@ int bpf_sk_splice5(struct __sk_buff *skb){ }else{ break; } + if((tproxy = get_tproxy(key)) && tuple) { __u16 max_entries = tproxy->index_len; @@ -1544,9 +1527,8 @@ int bpf_sk_splice5(struct __sk_buff *skb){ if ((bpf_ntohs(tuple->ipv4.dport) >= bpf_ntohs(tproxy->port_mapping[port_key].low_port)) && (bpf_ntohs(tuple->ipv4.dport) <= bpf_ntohs(tproxy->port_mapping[port_key].high_port))) { - event->proto = key.protocol; - event->tport = tproxy->port_mapping[port_key].tproxy_port; - memcpy(event->service_id, tproxy->port_mapping[port_key].service_id, sizeof(event->service_id)); + event.proto = key.protocol; + event.tport = tproxy->port_mapping[port_key].tproxy_port; /*check if interface is set for per interface rule awarness and if yes check if it is in the rules interface list. If not in the interface list drop it on all interfaces accept loopback. If its not aware then forward based on mapping*/ sockcheck.ipv4.daddr = 0x0100007f; 
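Review bot: The restored initializer for `event` in `bpf_sk_splice5` is positional, so the tuple fields are bound by slot — `tuple->ipv4.daddr` in the fourth, `saddr` in the fifth, `sport` before `dport` — while the explicit assignments this hunk removes paired `event->saddr = tuple->ipv4.saddr` and `event->daddr = tuple->ipv4.daddr`. The declaration of struct bpf_event is outside this hunk, so I cannot confirm which pairing matches the field order; designated initializers, `.saddr = tuple->ipv4.saddr, .daddr = tuple->ipv4.daddr, .sport = tuple->ipv4.sport, .dport = tuple->ipv4.dport,`, would make the intent explicit and survive field insertions like the one this series added and then removed. bpf_sk_splice5 starts before this hunk and continues after it.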
@@ -1554,7 +1536,7 @@ int bpf_sk_splice5(struct __sk_buff *skb){ if(!local_diag->per_interface){ if(tproxy->port_mapping[port_key].tproxy_port == 0){ if(local_diag->verbose){ - send_event(event); + send_event(&event); } return TC_ACT_OK; } @@ -1564,7 +1546,7 @@ int bpf_sk_splice5(struct __sk_buff *skb){ return TC_ACT_SHOT; } if(!(key.protocol == IPPROTO_UDP) || local_diag->verbose){ - send_event(event); + send_event(&event); } goto assign; }else @@ -1579,9 +1561,8 @@ int bpf_sk_splice5(struct __sk_buff *skb){ tstamp, skb->ifindex, {0}, - {0}, + {0} }; - //memcpy(&tus.service_id, tproxy->port_mapping[port_key].service_id, sizeof(tus.service_id)); memcpy(&tus.source, ð->h_source, 6); memcpy(&tus.dest, ð->h_dest, 6); insert_tun(tus, tun_state_key); @@ -1593,10 +1574,10 @@ int bpf_sk_splice5(struct __sk_buff *skb){ struct ifindex_tun *tun_index = get_tun_index(0); if(tun_index){ if(local_diag->verbose){ - memcpy(event->source, eth->h_source, 6); - memcpy(event->dest, eth->h_dest, 6); - event->tun_ifindex = tun_index->index; - send_event(event); + memcpy(event.source, eth->h_source, 6); + memcpy(event.dest, eth->h_dest, 6); + event.tun_ifindex = tun_index->index; + send_event(&event); } return bpf_redirect(tun_index->index, 0); } @@ -1607,7 +1588,7 @@ int bpf_sk_splice5(struct __sk_buff *skb){ if(tproxy->port_mapping[port_key].if_list[x] == skb->ifindex){ if(tproxy->port_mapping[port_key].tproxy_port == 0){ if(local_diag->verbose){ - send_event(event); + send_event(&event); } return TC_ACT_OK; } @@ -1617,7 +1598,7 @@ int bpf_sk_splice5(struct __sk_buff *skb){ return TC_ACT_SHOT; } if(!(key.protocol == IPPROTO_UDP) || local_diag->verbose){ - send_event(event); + send_event(&event); } goto assign; }else{ 
@@ -1632,9 +1613,8 @@ int bpf_sk_splice5(struct __sk_buff *skb){ tstamp, skb->ifindex, {0}, - {0}, + {0} }; - //memcpy(&tus.service_id, tproxy->port_mapping[port_key].service_id, sizeof(tus.service_id)); memcpy(&tus.source, ð->h_source, 6); memcpy(&tus.dest, ð->h_dest, 6); insert_tun(tus, tun_state_key); @@ -1646,10 +1626,10 @@ int bpf_sk_splice5(struct __sk_buff *skb){ struct ifindex_tun *tun_index = get_tun_index(0); if(tun_index){ if(local_diag->verbose){ - memcpy(event->source, eth->h_source, 6); - memcpy(event->dest, eth->h_dest, 6); - event->tun_ifindex = tun_index->index; - send_event(event); + memcpy(event.source, eth->h_source, 6); + memcpy(event.dest, eth->h_dest, 6); + event.tun_ifindex = tun_index->index; + send_event(&event); } return bpf_redirect(tun_index->index, 0); } @@ -1658,13 +1638,13 @@ int bpf_sk_splice5(struct __sk_buff *skb){ } if(skb->ifindex == 1){ - event->error_code = IF_LIST_MATCH_ERROR; - send_event(event); + event.error_code = IF_LIST_MATCH_ERROR; + send_event(&event); return TC_ACT_OK; } else{ - event->error_code = IF_LIST_MATCH_ERROR; - send_event(event); + event.error_code = IF_LIST_MATCH_ERROR; + send_event(&event); return TC_ACT_SHOT; } } diff --git a/src/zfw_xdp_tun_ingress.c b/src/zfw_xdp_tun_ingress.c index 51f0e33..0d3c822 100644 --- a/src/zfw_xdp_tun_ingress.c +++ b/src/zfw_xdp_tun_ingress.c @@ -31,8 +31,7 @@ #define BPF_MAX_SESSIONS 10000 #define INGRESS 0 #define NO_REDIRECT_STATE_FOUND 10 -bool udp = false; -bool tcp = false; + struct bpf_event{ unsigned long long tstamp; __u32 ifindex; @@ -48,7 +47,6 @@ struct bpf_event{ __u8 tracking_code; unsigned char source[6]; unsigned char dest[6]; - char service_id[29]; }; /*Key to tun_map, tcp_map and udp_map*/ 
@@ -140,10 +138,6 @@ static inline void send_event(struct bpf_event *new_event){ rb_event->source[x] = new_event->source[x]; rb_event->dest[x] = new_event->dest[x]; } - for (int i = 0; i < 29; i++) - { - rb_event->service_id[i] = new_event->service_id[i]; - } bpf_ringbuf_submit(rb_event, 0); } } @@ -181,10 +175,10 @@ int xdp_redirect_prog(struct xdp_md *ctx) INGRESS, 0, 0, + {0}, + {0} }; - char service_id[23] = {'0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '\0'}; - memcpy(event.service_id, service_id, sizeof(service_id)); struct tun_key tun_state_key; tun_state_key.daddr = iph->saddr; tun_state_key.saddr = iph->daddr; From 8898858ee4ffcc4428a649b763f159ce5fcc10a2 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Mon, 13 May 2024 03:40:22 +0000 Subject: [PATCH 08/15] reverted outbound_track --- src/zfw_tc_outbound_track.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/zfw_tc_outbound_track.c b/src/zfw_tc_outbound_track.c index 61e3e4e..34f11b4 100644 --- a/src/zfw_tc_outbound_track.c +++ b/src/zfw_tc_outbound_track.c @@ -58,7 +58,6 @@ struct bpf_event{ __u8 tracking_code; unsigned char source[6]; unsigned char dest[6]; - char service_id[29]; }; /*Key to tcp_map and udp_map*/ @@ -295,7 +294,6 @@ int bpf_sk_splice(struct __sk_buff *skb){ 0, 0, {0}, - {0}, {0} }; From 90167b33d7e775d39fc15f91b67a474e57b26db3 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Mon, 13 May 2024 13:36:08 +0000 Subject: [PATCH 09/15] reducing size of service_id to 23 bytes from 29 due to substantially increased rule load times --- src/zfw.c | 4 ++-- src/zfw_tc_ingress.c | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/zfw.c b/src/zfw.c index e00feb4..769c5a2 100644 --- a/src/zfw.c +++ b/src/zfw.c @@ -252,7 +252,7 @@ struct tproxy_port_mapping __u16 high_port; __u16 tproxy_port; __u32 if_list[MAX_IF_LIST_ENTRIES]; - char service_id[29]; + char service_id[23]; }; struct tproxy_tuple 
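Review bot: The added `{0}, {0}` extend a positional initializer of `struct bpf_event` whose field list, per the struct hunk above, ends with `unsigned char source[6]` and `unsigned char dest[6]`, so nothing at the initialization site says which members these two entries zero, and the `char service_id[29]` removal in the same file shows how a field change silently reshuffles what each positional entry means. Designated initializers, `.source = {0}, .dest = {0}`, name the fields and are accepted by clang when targeting BPF; the `tus` and `event` initializers in the zfw_tc_ingress.c hunks above would benefit in the same way. The body of xdp_redirect_prog continues outside the hunk.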
@@ -3361,7 +3361,7 @@ static error_t parse_opt(int key, char *arg, struct argp_state *state)
 fprintf(stderr, "%s --help for more info\n", program_name);
 exit(1);
 }
- if(strlen(arg) > 28){
+ if(strlen(arg) > 22){
 printf("Invalid service ID: ID too long\n");
 exit(1);
 }
diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
index c468aac..a5f38fe 100644
--- a/src/zfw_tc_ingress.c
+++ b/src/zfw_tc_ingress.c
@@ -72,7 +72,7 @@ struct tproxy_port_mapping {
 __u16 high_port;
 __u16 tproxy_port;
 __u32 if_list[MAX_IF_LIST_ENTRIES];
- char service_id[29];
+ char service_id[23];
 };

 struct tproxy_tuple {
@@ -119,7 +119,6 @@ struct bpf_event{
 __u8 tracking_code;
 unsigned char source[6];
 unsigned char dest[6];
-
 };

 /*Key to tcp_map*/
From 2a7e36a72237fa47f382e3dbf0c8691ceaebd173 Mon Sep 17 00:00:00 2001
From: r-caamano
Date: Mon, 13 May 2024 14:25:12 +0000
Subject: [PATCH 10/15] swapped sprintf for memcpy to see if there is a performance gain

---
 src/zfw.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/zfw.c b/src/zfw.c
index 769c5a2..44f4cd5 100644
--- a/src/zfw.c
+++ b/src/zfw.c
@@ -2308,10 +2308,16 @@ void map_insert()
 port_mapping->if_list[x] = if_list[x];
 }
 }
- if(service){
+ /*if(service){
 sprintf(port_mapping->service_id, "%s", service_string);
 }else{
 sprintf(port_mapping->service_id, "%s", "0000000000000000000000");
+ }*/
+ char service_id[23] = {'0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','\0'};
+ if(service){
+ memcpy(port_mapping->service_id, service_string, strlen(service_string) + 1);
+ }else{
+ memcpy(port_mapping->service_id, service_id, sizeof(service_id));
 }
 /*
 * Check result of lookup if not 0 then create a new entry
From dd7042209de0a547d39d7c3f4b04287b814be455 Mon Sep 17 00:00:00 2001
From: r-caamano
Date: Mon, 13 May 2024 14:36:19 +0000
Subject: [PATCH 11/15] fixed issue causing seg fault in memcpy

---
 src/zfw.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
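Review bot: The new bound `strlen(arg) > 22` in parse_opt duplicates the width of `char service_id[23]` changed in the same commit, and the two can drift apart the next time the size changes, exactly as this commit had to touch both 28 and 29. Tie the check to the field instead: `if(strlen(arg) > sizeof(((struct tproxy_port_mapping *)0)->service_id) - 1){`, or introduce one named constant for the ID width and use it in both struct declarations and here. The error branch still calls `exit(1)` mid-parse, consistent with the surrounding code. parse_opt continues outside the hunk.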
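Review bot: `memcpy(port_mapping->service_id, service_string, strlen(service_string) + 1);` in map_insert carries no bound of its own; it writes into a 23-byte heap field and is only safe because parse_opt rejects IDs longer than 22 bytes elsewhere, so any other assignment to `service_string` would overflow it. Bound the copy at the write site, e.g. `size_t n = strnlen(service_string, sizeof port_mapping->service_id - 1);`, `memcpy(port_mapping->service_id, service_string, n);`, `port_mapping->service_id[n] = '\0';`, which keeps the memcpy the commit wants for speed. The previous sprintf block is kept as a `/* ... */` comment; delete it rather than leave dead code next to its replacement. map_insert continues outside the hunk.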
diff --git a/src/zfw.c b/src/zfw.c index 44f4cd5..857aaef 100644 --- a/src/zfw.c +++ b/src/zfw.c @@ -2313,11 +2313,11 @@ void map_insert() }else{ sprintf(port_mapping->service_id, "%s", "0000000000000000000000"); }*/ - char service_id[23] = {'0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','0','\0'}; + char *sid = "0000000000000000000000"; if(service){ memcpy(port_mapping->service_id, service_string, strlen(service_string) + 1); }else{ - memcpy(port_mapping->service_id, service_id, sizeof(service_id)); + memcpy(port_mapping->service_id, sid, strlen(sid) + 1); } /* * Check result of lookup if not 0 then create a new entry From cc46f270fba6a0a080d483fb3dcfb6d37eac66da Mon Sep 17 00:00:00 2001 From: r-caamano Date: Tue, 14 May 2024 18:21:18 +0000 Subject: [PATCH 12/15] added tuple bounds check --- src/zfw_tc_ingress.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c index a5f38fe..54dc7ab 100644 --- a/src/zfw_tc_ingress.c +++ b/src/zfw_tc_ingress.c @@ -1468,6 +1468,9 @@ int bpf_sk_splice5(struct __sk_buff *skb){ if(!tuple){ return TC_ACT_SHOT; } + if ((unsigned long)(tuple + 1) > (unsigned long)skb->data_end){ + return TC_ACT_SHOT; + } unsigned long long tstamp = bpf_ktime_get_ns(); struct bpf_event event = { From 963792942a5855536e40d852ec4c499395e07232 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Tue, 14 May 2024 19:15:59 +0000 Subject: [PATCH 13/15] updated README to show -L out put with service id support --- README.md | 52 ++++++++++++++++++++++++++-------------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index c5274b2..3f89b1d 100644 --- a/README.md +++ b/README.md 
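Review bot: `char *sid = "0000000000000000000000";` points at a string literal and should be declared `const char *`; writing through it would be undefined behaviour and `-Wwrite-strings` would flag it. Because the default is fixed-length, `static const char sid[] = "0000000000000000000000";` with `memcpy(port_mapping->service_id, sid, sizeof sid);` avoids the runtime `strlen` in a path the series says is performance-sensitive and makes the 23-byte size visible next to the field width. The commit message says the earlier array form segfaulted, but the hunk does not show why; a one-line comment recording the cause would stop the next reader from reintroducing it. map_insert continues outside the hunk.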
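Review bot: `(unsigned long)(tuple + 1)` advances by the full size of whatever `tuple` points to, which if it is a `struct bpf_sock_tuple *` is the union including the IPv6 member, so an IPv4 packet whose tuple ends within that distance of `data_end` is dropped even though the code appears to read only `tuple->ipv4`; PATCH 14 later in this series reverts this for that reason. Bounding by the member actually accessed, `if ((unsigned long)tuple + sizeof(tuple->ipv4) > (unsigned long)skb->data_end){`, satisfies the verifier without the false drops. bpf_sk_splice5 continues outside the hunk.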
@@ -111,10 +111,10 @@ If running: ``` Assuming you are using the default address range for ziti-edge-tunnel should see output like: -target proto origin destination mapping: interface list --------- ----- ----------------- ------------------ ------------------------------------------------------- ----------------- -TUNMODE tcp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 [] -TUNMODE udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 [] +service id proto origin destination mapping: interface list +---------------------- ----- --------------- ------------------ --------------------------------------------------------- ---------------- +0000000000000000000000 tcp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 [] +0000000000000000000000 udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 [] ``` Verify running: (zfw-router) @@ -125,8 +125,8 @@ If running: ``` Assuming no services configured yet: -target proto origin destination mapping: interface list --------- ----- ----------------- ------------------ ------------------------------------------------------- ----------------- +service id proto origin destination mapping: interface list +---------------------- ----- --------------- ------------------ --------------------------------------------------------- ---------------- Rule Count: 0 prefix_tuple_count: 0 / 100000 
@@ -367,19 +367,19 @@ Example: List all rules in Firewall sudo zfw -L ``` ``` -target proto origin destination mapping: interface list ------- ----- --------------- ------------------ --------------------------------------------------------- ---------------- -TPROXY tcp 0.0.0.0/0 10.0.0.16/28 dpts=22:22 TPROXY redirect 127.0.0.1:33381 [ens33,lo] -TPROXY tcp 0.0.0.0/0 10.0.0.16/28 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 [] -TPROXY udp 0.0.0.0/0 172.20.1.0/24 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 [] -TPROXY tcp 0.0.0.0/0 172.16.1.0/24 dpts=22:22 TPROXY redirect 127.0.0.1:33381 [] -TPROXY tcp 0.0.0.0/0 172.16.1.0/24 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 [] -PASSTHRU udp 0.0.0.0/0 192.168.3.0/24 dpts=5:7 PASSTHRU to 192.168.3.0/24 [] -PASSTHRU udp 10.1.1.1/32 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 [] -PASSTHRU tcp 10.230.40.1/32 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 [] -TPROXY udp 0.0.0.0/0 192.168.0.3/32 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 [] -PASSTHRU tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 [] -TUNMODE udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 [] +service id proto origin destination mapping: interface list +---------------------- ----- --------------- ------------------ --------------------------------------------------------- ---------------- +5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 10.0.0.16/28 dpts=22:22 TPROXY redirect 127.0.0.1:33381 [ens33,lo] +5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 10.0.0.16/28 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 [] +0000000000000000000000 udp 0.0.0.0/0 172.20.1.0/24 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 [] +5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 172.16.1.0/24 dpts=22:22 TPROXY redirect 127.0.0.1:33381 [] +5XzC8mf1RrFO2vmfHGG5GL tcp 0.0.0.0/0 172.16.1.0/24 dpts=30000:40000 TPROXY redirect 127.0.0.1:33381 [] +0000000000000000000000 udp 0.0.0.0/0 192.168.3.0/24 dpts=5:7 
PASSTHRU to 192.168.3.0/24 [] +0000000000000000000000 udp 10.1.1.1/32 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 [] +0000000000000000000000 tcp 10.230.40.1/32 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 [] +FO2vmfHGG5GLvmfHGG5GLU udp 0.0.0.0/0 192.168.0.3/32 dpts=5000:10000 TPROXY redirect 127.0.0.1:59394 [] +0000000000000000000000 tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 [] +FO2vmfHGG5GLvmfHGG5GLU udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 TUNMODE redirect:tun0 [] ``` - Example: List rules in firewall for a given prefix and protocol. If source specific you must include the o @@ -389,9 +389,9 @@ TUNMODE udp 0.0.0.0/0 100.64.0.0/10 dpts=1:65535 sudo zfw -L -c 192.168.100.100 -m 32 -p udp ``` ``` -target proto origin destination mapping: interface list ------- ----- -------- ------------------ --------------------------------------------------------- ------------------ -PASSTHRU udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 [] +service id proto origin destination mapping: interface list +---------- ----- -------- ------------------ --------------------------------------------------------- ------------------ +0000000000000000000000 udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 [] ``` - Example: List rules in firewall for a given prefix 
@@ -400,10 +400,10 @@ Usage: zfw -L -c -m -p sudo zfw -L -c 192.168.100.100 -m 32 ``` ``` -target proto origin destination mapping: interface list ------- ----- -------- ------------------ --------------------------------------------------------- ------------------- -PASSTHRU udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 [] -PASSTHRU tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 [] +service id proto origin destination mapping: interface list +---------- ----- -------- ------------------ --------------------------------------------------------- ------------------ +0000000000000000000000 udp 0.0.0.0/0 192.168.100.100/32 dpts=50000:60000 PASSTHRU to 192.168.100.100/32 [] +0000000000000000000000 tcp 0.0.0.0/0 192.168.100.100/32 dpts=60000:65535 PASSTHRU to 192.168.100.100/32 [] ``` - Example: List all interface settings From c87d3d7fbec17b6af0b1d18f1108944d9366cc21 Mon Sep 17 00:00:00 2001 From: r-caamano Date: Tue, 14 May 2024 21:06:43 +0000 Subject: [PATCH 14/15] reverted incorrect tuple bounds check. Moved original bounds check for tuple above event definition --- src/zfw_tc_ingress.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c index 54dc7ab..e7a48ba 100644 --- a/src/zfw_tc_ingress.c +++ b/src/zfw_tc_ingress.c @@ -1468,8 +1468,10 @@ int bpf_sk_splice5(struct __sk_buff *skb){ if(!tuple){ return TC_ACT_SHOT; } - if ((unsigned long)(tuple + 1) > (unsigned long)skb->data_end){ - return TC_ACT_SHOT; + /* determine length of tuple */ + tuple_len = sizeof(tuple->ipv4); + if ((unsigned long)tuple + tuple_len > (unsigned long)skb->data_end){ + return TC_ACT_SHOT; } unsigned long long tstamp = bpf_ktime_get_ns(); 
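Review bot: The relocated check sizes the tuple as `sizeof(tuple->ipv4)`, but nothing in the hunk records why only the IPv4 member has to be in bounds here; the comment `/* determine length of tuple */` restates the assignment rather than that invariant, which is presumably established by parsing done earlier in bpf_sk_splice5. Suggest `/* only tuple->ipv4 is read below, so bound the check to the IPv4 member */` in its place. `tuple_len` is declared outside the hunk; since it is assigned a compile-time constant, using the `sizeof` directly in the comparison would remove a mutable local. bpf_sk_splice5 continues outside the hunk.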
@@ -1490,11 +1492,6 @@ int bpf_sk_splice5(struct __sk_buff *skb){ {} }; - /* determine length of tuple */ - tuple_len = sizeof(tuple->ipv4); - if ((unsigned long)tuple + tuple_len > (unsigned long)skb->data_end){ - return TC_ACT_SHOT; - } struct tproxy_key key; /*look up attached interface IP address*/ struct ifindex_ip4 *local_ip4 = get_local_ip4(skb->ingress_ifindex); From 37538de4dce728171c3af8e9867ac70e164b471a Mon Sep 17 00:00:00 2001 From: r-caamano Date: Tue, 14 May 2024 23:10:20 +0000 Subject: [PATCH 15/15] Changed workflow to only build release on push to main to avoid closed but not merged prs from triggering a release --- .github/workflows/release.yml | 6 +++--- CHANGELOG.md | 4 +++- src/zfw.c | 2 +- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 56fc63d..f3e57cb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,9 +2,9 @@ name: release on: - pull_request: - types: [closed] - + push: + branches: + - main env: APP_NAME: 'zfw' MAINTAINER: 'Robert Caamano' diff --git a/CHANGELOG.md b/CHANGELOG.md index cc7aa9f..eac5467 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,12 +3,14 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- -# [0.6.0] - 2024-05-09 +# [0.6.1] - 2024-05-14 ### - Added support for ziti service id tracking. Will need to update ziti-router via pr. - Fixed issue where passthrough rules would not generate log data when in verbose mode. +- Fixed release workflow where if a non merged pull request was closed it would trigger a release + build action. # [0.5.18] - 2024-05-08 diff --git a/src/zfw.c b/src/zfw.c index 857aaef..1ee309d 100644 --- a/src/zfw.c +++ b/src/zfw.c 
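Review bot: `push:` on `branches: - main` now runs the release workflow for every commit that lands on main, including documentation-only commits such as the CHANGELOG edit in this same commit, which is broader than the merged-PR case the message describes. If one release per merge is the intent, a `paths-ignore` list for docs, or gating on tags (`push: tags: ['v*']`) so a build is cut only when a version is published, narrows the trigger to what should produce artifacts. The steps that consume `APP_NAME` and `MAINTAINER` are outside the hunk, so whether the job also publishes cannot be confirmed from here.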
@@ -170,7 +170,7 @@ char *service_string;
 char *log_file_name;
 char *object_file;
 char *direction_string;
-const char *argp_program_version = "0.6.0";
+const char *argp_program_version = "0.6.1";
 struct ring_buffer *ring_buffer;
 __u32 if_list[MAX_IF_LIST_ENTRIES];