Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

V0.5.4 release candidate nf #21

Merged
merged 2 commits into from
Dec 26, 2023
Merged

V0.5.4 release candidate nf #21

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e37ee06
added support for stateful icmp unreachable filtering and some minor …
r-caamano Dec 25, 2023
f7e208b
changed -M output for ICMP Unreachable to require verbose mode and re…
r-caamano Dec 26, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,16 @@
All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

---
# [0.5.4] - 2023-12-24

###

-- Added support for stateful stateful icmp unreachable inbound support in order to support
pmtud and unreachable metric collection.
-- Fixed added ring_buffer__free() to INThandler in zfw.c to properly de-allocate memory
allocated by ring_buffer__new in main() if -M argument was supplied and SIGINT or SIGTERM
is received.

# [0.5.3] - 2023-12-19

###
Expand Down
45 changes: 42 additions & 3 deletions src/zfw.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -149,7 +149,7 @@ char *monitor_interface;
char *tc_interface;
char *object_file;
char *direction_string;
const char *argp_program_version = "0.5.3";
const char *argp_program_version = "0.5.4";
struct ring_buffer *ring_buffer;

__u8 if_list[MAX_IF_LIST_ENTRIES];
Expand Down Expand Up @@ -246,6 +246,9 @@ struct tproxy_key

void INThandler(int sig){
signal(sig, SIG_IGN);
if(ring_buffer){
ring_buffer__free(ring_buffer);
}
close_maps(1);
}

Expand Down Expand Up @@ -1624,6 +1627,9 @@ static int process_events(void *ctx, void *data, size_t len){
char * protocol;
if(evt->proto == IPPROTO_TCP){
protocol = "TCP";
}
else if(evt->proto == IPPROTO_ICMP){
protocol = "ICMP";
}else{
protocol = "UDP";
}
Expand All @@ -1641,7 +1647,7 @@ static int process_events(void *ctx, void *data, size_t len){
ts, ifname, (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol,saddr, ntohs(evt->sport),
daddr, ntohs(evt->dport), ntohs(evt->tport));
}
else if(evt->tracking_code && ifname){
else if(((evt->proto == IPPROTO_TCP) | (evt->proto == IPPROTO_UDP)) && evt->tracking_code && ifname){
char *state = NULL;
__u16 code = evt->tracking_code;

Expand Down Expand Up @@ -1686,6 +1692,39 @@ static int process_events(void *ctx, void *data, size_t len){
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol,saddr, ntohs(evt->sport), daddr, ntohs(evt->dport), state);
}
}
else if(evt->proto == IPPROTO_ICMP && ifname){
__u16 code = evt->tracking_code;
if(code == 4){
printf("%s : %s : %s : %s :%s --> reported next hop mtu:%d > FRAGMENTATION NEEDED IN PATH TO:%s:%d\n", ts, ifname,
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol,saddr, ntohs(evt->sport), daddr, ntohs(evt->dport));
}else{
char *code_string = NULL;
char *protocol_string = NULL;
/*evt->sport is use repurposed store encapsulated higher layer protocol*/
if(evt->sport == IPPROTO_TCP){
protocol_string = "TCP";
}else{
protocol_string = "UDP";
}
if(code == 0){
code_string = "NET UNREACHABLE";
}
else if(code == 1){
code_string = "HOST UNREACHABLE";
}
else if(code == 2){
code_string = "PROTOCOL UNREACHABLE";
}
else if(code == 3){
code_string = "PORT UNREACHABLE";
}

if(code_string){
printf("%s : %s : %s : %s :%s --> REPORTED:%s > in PATH TO:%s:%s:%d\n", ts, ifname,
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol,saddr, code_string, daddr, protocol_string, ntohs(evt->dport));
}
}
}
else if(ifname){
printf("%s : %s : %s : %s :%s:%d > %s:%d\n", ts, ifname,
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol,saddr, ntohs(evt->sport), daddr, ntohs(evt->dport));
Expand Down Expand Up @@ -3010,7 +3049,7 @@ int main(int argc, char **argv)
ring_buffer = ring_buffer__new(rb_fd, process_events, NULL, NULL);
while(true){
ring_buffer__poll(ring_buffer, 1000);
}
}
}
else
{
Expand Down
72 changes: 70 additions & 2 deletions src/zfw_tc_ingress.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -725,6 +725,74 @@ int bpf_sk_splice(struct __sk_buff *skb){
else if((icmph->type == 0) && (icmph->code == 0)){
return TC_ACT_OK;
}
else if(icmph->type == 3){
struct iphdr *inner_iph = (struct iphdr *)((unsigned long)icmph + sizeof(*icmph));
if ((unsigned long)(inner_iph + 1) > (unsigned long)skb->data_end){
if(local_diag->verbose){
event.error_code = IP_HEADER_TOO_BIG;
send_event(&event);
}
return TC_ACT_SHOT;
}
if((inner_iph->protocol == IPPROTO_TCP) || ((inner_iph->protocol == IPPROTO_UDP))){
struct bpf_sock_tuple *o_session = (struct bpf_sock_tuple *)(void*)(long)&inner_iph->saddr;
if ((unsigned long)(o_session + 1) > (unsigned long)skb->data_end){
event.error_code = IP_TUPLE_TOO_BIG;
send_event(&event);
return TC_ACT_SHOT;
}
if(inner_iph->protocol == IPPROTO_TCP){
sk = bpf_skc_lookup_tcp(skb, o_session, sizeof(o_session->ipv4),BPF_F_CURRENT_NETNS, 0);
if(sk){
if (sk->state == BPF_TCP_LISTEN){
if(local_diag->verbose){
event.proto = IPPROTO_ICMP;
event.saddr = iph->saddr;
event.daddr = o_session->ipv4.daddr;
event.tracking_code = icmph->code;
if(icmph->code == 4){
event.sport = icmph->un.frag.mtu;
}else{
event.sport = inner_iph->protocol;
}
event.dport = o_session->ipv4.dport;
send_event(&event);
}
bpf_sk_release(sk);
return TC_ACT_OK;
}
bpf_sk_release(sk);
}
}
else{
struct bpf_sock_tuple oudp_session = {0};
oudp_session.ipv4.daddr = o_session->ipv4.saddr;
oudp_session.ipv4.saddr = o_session->ipv4.daddr;
oudp_session.ipv4.dport = o_session->ipv4.sport;
oudp_session.ipv4.sport = o_session->ipv4.dport;
sk = bpf_sk_lookup_udp(skb, &oudp_session, sizeof(oudp_session.ipv4), BPF_F_CURRENT_NETNS, 0);
if(sk){
if(local_diag->verbose){
event.proto = IPPROTO_ICMP;
event.saddr = iph->saddr;
event.daddr = o_session->ipv4.daddr;
event.tracking_code = icmph->code;
if(icmph->code == 4){
event.sport = icmph->un.frag.mtu;
}else{
event.sport = inner_iph->protocol;
}
event.dport = o_session->ipv4.dport;
send_event(&event);
}
bpf_sk_release(sk);
return TC_ACT_OK;
}
}

}
return TC_ACT_SHOT;
}
else{
return TC_ACT_SHOT;
}
Expand All @@ -734,7 +802,7 @@ int bpf_sk_splice(struct __sk_buff *skb){
}
else{
return TC_ACT_SHOT;
}
}
}

/* determine length of tuple */
Expand Down Expand Up @@ -766,7 +834,7 @@ int bpf_sk_splice(struct __sk_buff *skb){
}
for(int x = 0; x < addresses; x++){
if((tuple->ipv4.daddr == local_ip4->ipaddr[x]) && !local_diag->ssh_disable){
if(local_diag->verbose){
if(local_diag->verbose && ((event.tstamp % 2) == 0)){
event.proto = IPPROTO_TCP;
send_event(&event);
}
Expand Down