Merge pull request #44 from netfoundry/v0.7.1-release-candidate

Fixed issue where if ziti-edge-tunnel is stopped and wildcard entries…
netfoundry · May 28, 2024 · e84d1c2 · e84d1c2
2 parents 8f6acc2 + 00ff957
commit e84d1c2
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+# [0.7.1] - 2024-05-28
+
+###
+
+- Fixed issue where if ziti-edge-tunnel is stopped and wildcard entries exist they will re-populate on start unless rebooted or ebpf disabled and re-enabled.  
+
 # [0.7.0] - 2024-05-26
 
 ###

diff --git a/src/zfw.c b/src/zfw.c
@@ -182,7 +182,7 @@ char *log_file_name;
 char *object_file;
 char *direction_string;
 
-const char *argp_program_version = "0.7.0";
+const char *argp_program_version = "0.7.1";
 struct ring_buffer *ring_buffer;
 
 __u32 if_list[MAX_IF_LIST_ENTRIES];

diff --git a/src/zfw_tunnel_wrapper.c b/src/zfw_tunnel_wrapper.c
@@ -104,6 +104,13 @@ int tp_ext_fd = -1;
 union bpf_attr wild_map;
 int wild_fd = -1;
 typedef unsigned char byte;
+
+struct wildcard_port_key {
+    __u16 low_port;
+    __u8 protocol;
+    __u8 pad;
+};
+
 void process_service_updates(char *service_id);
 void close_maps(int code);
 void open_transp_map();
@@ -129,6 +136,8 @@ void range_delete_key(struct port_extension_key key);
 void map_delete(struct tproxy_key *key, struct port_extension_key *port_ext_key);
 void delete_wild_entry(char *low_port, char *high_port,char *protocol);
 void add_wild_entry(char *low_port, char *high_port, char *protocol);
+void delete_wild_key(struct wildcard_port_key *key);
+void flush_wild();
 
 unsigned short port2s(char *port)
 {
@@ -155,12 +164,6 @@ char *nitoa(uint32_t address)
     return ipaddr;
 }
 
-struct wildcard_port_key {
-    __u16 low_port;
-    __u8 protocol;
-    __u8 pad;
-};
-
 struct tproxy_extension_mapping {
     char service_id[23];
 };
@@ -199,6 +202,7 @@ struct ifindex_tun {
 void INThandler(int sig){
     signal(sig, SIG_IGN);
     route_flush();
+    flush_wild();
     process_rules();
     close_maps(1);
 }
@@ -234,7 +238,7 @@ void route_flush()
     struct transp_key *key = &init_key;
     struct transp_value o_routes;
     struct transp_key current_key;
-    transp_map.key = (uint64_t)&key;
+    transp_map.key = (uint64_t)key;
     transp_map.value = (uint64_t)&o_routes;
     transp_map.map_fd = transp_fd;
     transp_map.flags = BPF_ANY;
@@ -299,7 +303,6 @@ void process_service_updates(char * service_id)
     map.value = (uint64_t)&orule;
     int lookup = 0;
     int ret = 0;
-    int rule_count = 0;
     while (true)
     {
         ret = syscall(__NR_bpf, BPF_MAP_GET_NEXT_KEY, &map, sizeof(map));
@@ -371,7 +374,6 @@ bool rule_exists(uint32_t dst_ip, uint8_t dplen, uint32_t src_ip, uint8_t splen,
     map.value = (uint64_t)&orule;
     int lookup = 0;
     int ret = 0;
-    int rule_count = 0;
     while (true)
     {
         ret = syscall(__NR_bpf, BPF_MAP_GET_NEXT_KEY, &map, sizeof(map));
@@ -442,7 +444,6 @@ void process_rules()
     map.value = (uint64_t)&orule;
     int lookup = 0;
     int ret = 0;
-    int rule_count = 0;
     while (true)
     {
         ret = syscall(__NR_bpf, BPF_MAP_GET_NEXT_KEY, &map, sizeof(map));
@@ -1153,6 +1154,7 @@ int process_bind(json_object *jobj, char *action)
         return ziti_dns_resolver_ip;
 }
 
+
 void delete_wild_key(struct wildcard_port_key *key){
     union bpf_attr map;
     memset(&map, 0, sizeof(map));
@@ -1175,6 +1177,33 @@ void delete_wild_key(struct wildcard_port_key *key){
     close(fd);
 }
 
+void flush_wild(){
+    if(wild_fd == -1){
+        open_wild_map();
+    }
+    struct wildcard_port_key init_key = {0};
+    struct wildcard_port_key *key = &init_key;
+    uint32_t  wcount;
+    struct wildcard_port_key current_key;
+    wild_map.key = (uint64_t)key;
+    wild_map.value = (uint64_t)&wcount;
+    wild_map.map_fd = wild_fd;
+    wild_map.flags = BPF_ANY;
+    int ret = 0;
+    while (true)
+    {
+        ret = syscall(__NR_bpf, BPF_MAP_GET_NEXT_KEY, &wild_map, sizeof(wild_map));
+        if (ret == -1)
+        {
+            break;
+        }
+        wild_map.key = wild_map.next_key;
+        current_key = *(struct wildcard_port_key *)wild_map.key;
+        delete_wild_key(&current_key);
+    }
+
+}
+
 void update_wild_key(struct wildcard_port_key *key, uint32_t count){
     if (wild_fd == -1)
     {