Skip to content

Commit

Permalink
added support for stateful icmp unreachable filtering and some minor …
Browse files Browse the repository at this point in the history
…code fixes for monitoring
  • Loading branch information
r-caamano committed Dec 25, 2023
1 parent 9f1bd70 commit e37ee06
Show file tree
Hide file tree
Showing 3 changed files with 117 additions and 4 deletions.
10 changes: 10 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,16 @@
All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

---
# [0.5.4] - 2023-12-24

###

-- Added support for stateful stateful icmp unreachable inbound support in order to support
pmtud and unreachable metric collection.
-- Fixed added ring_buffer__free() to INThandler in zfw.c to properly de-allocate memory
allocated by ring_buffer__new in main() if -M argument was supplied and SIGINT or SIGTERM
is received.

# [0.5.3] - 2023-12-19

###
Expand Down
45 changes: 42 additions & 3 deletions src/zfw.c
Original file line number Diff line number Diff line change
Expand Up @@ -149,7 +149,7 @@ char *monitor_interface;
char *tc_interface;
char *object_file;
char *direction_string;
const char *argp_program_version = "0.5.3";
const char *argp_program_version = "0.5.4";
struct ring_buffer *ring_buffer;

__u8 if_list[MAX_IF_LIST_ENTRIES];
Expand Down Expand Up @@ -246,6 +246,9 @@ struct tproxy_key

void INThandler(int sig){
signal(sig, SIG_IGN);
if(ring_buffer){
ring_buffer__free(ring_buffer);
}
close_maps(1);
}

Expand Down Expand Up @@ -1624,6 +1627,9 @@ static int process_events(void *ctx, void *data, size_t len){
char * protocol;
if(evt->proto == IPPROTO_TCP){
protocol = "TCP";
}
else if(evt->proto == IPPROTO_ICMP){
protocol = "ICMP";
}else{
protocol = "UDP";
}
Expand All @@ -1641,7 +1647,7 @@ static int process_events(void *ctx, void *data, size_t len){
ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol,saddr, ntohs(evt->sport),
daddr, ntohs(evt->dport), ntohs(evt->tport));
}
else if(evt->tracking_code && ifname){
else if(((evt->proto == IPPROTO_TCP) | (evt->proto == IPPROTO_UDP)) && evt->tracking_code && ifname){
char *state = NULL;
__u16 code = evt->tracking_code;

Expand Down Expand Up @@ -1686,6 +1692,39 @@ static int process_events(void *ctx, void *data, size_t len){
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol,saddr, ntohs(evt->sport), daddr, ntohs(evt->dport), state);
}
}
else if(evt->proto == IPPROTO_ICMP && ifname){
__u16 code = evt->tracking_code;
if(code == 4){
printf("%s : %s : %s : %s :%s --> reported next hop mtu:%d > FRAGMENTATION NEEDED IN PATH TO:%s:%d\n", ts, ifname,
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol,saddr, ntohs(evt->sport), daddr, ntohs(evt->dport));
}else{
char *code_string = NULL;
char *protocol_string = NULL;
/*evt->sport is use repurposed store encapsulated higher layer protocol*/
if(evt->sport == IPPROTO_TCP){
protocol_string = "TCP";
}else{
protocol_string = "UDP";
}
if(code == 0){
code_string = "NET UNREACHABLE";
}
else if(code == 1){
code_string = "HOST UNREACHABLE";
}
else if(code == 2){
code_string = "PROTOCOL UNREACHABLE";
}
else if(code == 3){
code_string = "PORT UNREACHABLE";
}

if(code_string){
printf("%s : %s : %s : %s :%s --> REPORTED:%s > in PATH TO:%s:%s:%d\n", ts, ifname,
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol,saddr, code_string, daddr, protocol_string, ntohs(evt->dport));
}
}
}
else if(ifname){
printf("%s : %s : %s : %s :%s:%d > %s:%d\n", ts, ifname,
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol,saddr, ntohs(evt->sport), daddr, ntohs(evt->dport));
Expand Down Expand Up @@ -3010,7 +3049,7 @@ int main(int argc, char **argv)
ring_buffer = ring_buffer__new(rb_fd, process_events, NULL, NULL);
while(true){
ring_buffer__poll(ring_buffer, 1000);
}
}
}
else
{
Expand Down
66 changes: 65 additions & 1 deletion src/zfw_tc_ingress.c
Original file line number Diff line number Diff line change
Expand Up @@ -725,6 +725,70 @@ int bpf_sk_splice(struct __sk_buff *skb){
else if((icmph->type == 0) && (icmph->code == 0)){
return TC_ACT_OK;
}
else if(icmph->type == 3){
struct iphdr *inner_iph = (struct iphdr *)((unsigned long)icmph + sizeof(*icmph));
if ((unsigned long)(inner_iph + 1) > (unsigned long)skb->data_end){
if(local_diag->verbose){
event.error_code = IP_HEADER_TOO_BIG;
send_event(&event);
}
return TC_ACT_SHOT;
}
if((inner_iph->protocol == IPPROTO_TCP) || ((inner_iph->protocol == IPPROTO_UDP))){
struct bpf_sock_tuple *o_session = (struct bpf_sock_tuple *)(void*)(long)&inner_iph->saddr;
if ((unsigned long)(o_session + 1) > (unsigned long)skb->data_end){
event.error_code = IP_TUPLE_TOO_BIG;
send_event(&event);
return TC_ACT_SHOT;
}
if(inner_iph->protocol == IPPROTO_TCP){
sk = bpf_skc_lookup_tcp(skb, o_session, sizeof(o_session->ipv4),BPF_F_CURRENT_NETNS, 0);
if(sk){
if (sk->state == BPF_TCP_LISTEN){
event.proto = IPPROTO_ICMP;
event.saddr = iph->saddr;
event.daddr = o_session->ipv4.daddr;
event.tracking_code = icmph->code;
if(icmph->code == 4){
event.sport = icmph->un.frag.mtu;
}else{
event.sport = inner_iph->protocol;
}
event.dport = o_session->ipv4.dport;
send_event(&event);
bpf_sk_release(sk);
return TC_ACT_OK;
}
bpf_sk_release(sk);
}
}
else{
struct bpf_sock_tuple oudp_session = {0};
oudp_session.ipv4.daddr = o_session->ipv4.saddr;
oudp_session.ipv4.saddr = o_session->ipv4.daddr;
oudp_session.ipv4.dport = o_session->ipv4.sport;
oudp_session.ipv4.sport = o_session->ipv4.dport;
sk = bpf_sk_lookup_udp(skb, &oudp_session, sizeof(oudp_session.ipv4), BPF_F_CURRENT_NETNS, 0);
if(sk){
event.proto = IPPROTO_ICMP;
event.saddr = iph->saddr;
event.daddr = o_session->ipv4.daddr;
event.tracking_code = icmph->code;
if(icmph->code == 4){
event.sport = icmph->un.frag.mtu;
}else{
event.sport = inner_iph->protocol;
}
event.dport = o_session->ipv4.dport;
send_event(&event);
bpf_sk_release(sk);
return TC_ACT_OK;
}
}

}
return TC_ACT_SHOT;
}
else{
return TC_ACT_SHOT;
}
Expand All @@ -734,7 +798,7 @@ int bpf_sk_splice(struct __sk_buff *skb){
}
else{
return TC_ACT_SHOT;
}
}
}

/* determine length of tuple */
Expand Down

0 comments on commit e37ee06

Please sign in to comment.