Use datagram_connect for udp ebpf process detection

Vladimir Stoilov 2023-06-09 11:31:24 +03:00
parent 0164463ee5
commit 169a5a1303
4 changed files with 43 additions and 34 deletions


@ -67,8 +67,8 @@ type bpfSpecs struct {
type bpfProgramSpecs struct {
TcpV4Connect *ebpf.ProgramSpec `ebpf:"tcp_v4_connect"`
TcpV6Connect *ebpf.ProgramSpec `ebpf:"tcp_v6_connect"`
UdpSendmsg *ebpf.ProgramSpec `ebpf:"udp_sendmsg"`
Udpv6Sendmsg *ebpf.ProgramSpec `ebpf:"udpv6_sendmsg"`
UdpV4Connect *ebpf.ProgramSpec `ebpf:"udp_v4_connect"`
UdpV6Connect *ebpf.ProgramSpec `ebpf:"udp_v6_connect"`
}
// bpfMapSpecs contains maps before they are loaded into the kernel.
@ -112,16 +112,16 @@ func (m *bpfMaps) Close() error {
type bpfPrograms struct {
TcpV4Connect *ebpf.Program `ebpf:"tcp_v4_connect"`
TcpV6Connect *ebpf.Program `ebpf:"tcp_v6_connect"`
UdpSendmsg *ebpf.Program `ebpf:"udp_sendmsg"`
Udpv6Sendmsg *ebpf.Program `ebpf:"udpv6_sendmsg"`
UdpV4Connect *ebpf.Program `ebpf:"udp_v4_connect"`
UdpV6Connect *ebpf.Program `ebpf:"udp_v6_connect"`
}
func (p *bpfPrograms) Close() error {
return _BpfClose(
p.TcpV4Connect,
p.TcpV6Connect,
p.UdpSendmsg,
p.Udpv6Sendmsg,
p.UdpV4Connect,
p.UdpV6Connect,
)
}


@ -67,8 +67,8 @@ type bpfSpecs struct {
type bpfProgramSpecs struct {
TcpV4Connect *ebpf.ProgramSpec `ebpf:"tcp_v4_connect"`
TcpV6Connect *ebpf.ProgramSpec `ebpf:"tcp_v6_connect"`
UdpSendmsg *ebpf.ProgramSpec `ebpf:"udp_sendmsg"`
Udpv6Sendmsg *ebpf.ProgramSpec `ebpf:"udpv6_sendmsg"`
UdpV4Connect *ebpf.ProgramSpec `ebpf:"udp_v4_connect"`
UdpV6Connect *ebpf.ProgramSpec `ebpf:"udp_v6_connect"`
}
// bpfMapSpecs contains maps before they are loaded into the kernel.
@ -112,16 +112,16 @@ func (m *bpfMaps) Close() error {
type bpfPrograms struct {
TcpV4Connect *ebpf.Program `ebpf:"tcp_v4_connect"`
TcpV6Connect *ebpf.Program `ebpf:"tcp_v6_connect"`
UdpSendmsg *ebpf.Program `ebpf:"udp_sendmsg"`
Udpv6Sendmsg *ebpf.Program `ebpf:"udpv6_sendmsg"`
UdpV4Connect *ebpf.Program `ebpf:"udp_v4_connect"`
UdpV6Connect *ebpf.Program `ebpf:"udp_v6_connect"`
}
func (p *bpfPrograms) Close() error {
return _BpfClose(
p.TcpV4Connect,
p.TcpV6Connect,
p.UdpSendmsg,
p.Udpv6Sendmsg,
p.UdpV4Connect,
p.UdpV6Connect,
)
}


@ -57,8 +57,8 @@ int BPF_PROG(tcp_v4_connect, struct sock *sk) {
tcp_info->pid = __builtin_bswap32((u32)bpf_get_current_pid_tgid());
// Set src and dist ports
tcp_info->dport = sk->__sk_common.skc_dport;
tcp_info->sport = sk->__sk_common.skc_num;
tcp_info->dport = sk->__sk_common.skc_dport;
// Set src and dist IPs
tcp_info->saddr[0] = __builtin_bswap32(sk->__sk_common.skc_rcv_saddr);
@ -101,8 +101,8 @@ int BPF_PROG(tcp_v6_connect, struct sock *sk) {
tcp_info->pid = __builtin_bswap32((u32)bpf_get_current_pid_tgid());
// Set src and dist ports
tcp_info->dport = sk->__sk_common.skc_dport;
tcp_info->sport = sk->__sk_common.skc_num;
tcp_info->dport = sk->__sk_common.skc_dport;
// Set src and dist IPs
for(int i = 0; i < 4; i++) {
@ -123,10 +123,10 @@ int BPF_PROG(tcp_v6_connect, struct sock *sk) {
return 0;
};
// Fentry(function enter) of udp_sendmsg will be executed before equivalent kernel function is called.
// [this-function] -> udp_sendmsg
SEC("fentry/udp_sendmsg")
int BPF_PROG(udp_sendmsg, struct sock *sk) {
// Fexit(function exit) of udp_v4_connect will be executed after the ip4_datagram_connect kernel function is called.
// ip4_datagram_connect -> udp_v4_connect
SEC("fexit/ip4_datagram_connect")
int BPF_PROG(udp_v4_connect, struct sock *sk) {
// Ignore everything else then IPv4
if (sk->__sk_common.skc_family != AF_INET) {
return 0;
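Review bot: The new fexit hook on ip4_datagram_connect never inspects the hooked function's result, so the program presumably emits an event even when the kernel rejected the connect; the BPF_PROG signature here names only `sk`, while an fexit program can also receive the return code as a trailing argument. If only successful connects should be attributed, declare `int BPF_PROG(udp_v4_connect, struct sock *sk, struct sockaddr *uaddr, int addr_len, int ret)` and `if (ret != 0) return 0;` before reading the socket. Replacing the udp_sendmsg fentry with a datagram_connect fexit also changes coverage: UDP traffic sent via sendto()/sendmsg() on an unconnected socket never reaches ip4_datagram_connect, so those flows would lose PID attribution from this hook unless that is handled elsewhere — worth a sentence in the comment above SEC(). The same two points apply to the udp_v6_connect hunk below. udp_v4_connect's body continues past the end of this hunk.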
@ -143,8 +143,8 @@ int BPF_PROG(udp_sendmsg, struct sock *sk) {
udp_info->pid = __builtin_bswap32((u32)bpf_get_current_pid_tgid());
// Set src and dist ports
udp_info->dport = sk->__sk_common.skc_dport;
udp_info->sport = sk->__sk_common.skc_num;
udp_info->dport = sk->__sk_common.skc_dport;
// Set src and dist IPs
udp_info->saddr[0] = __builtin_bswap32(sk->__sk_common.skc_rcv_saddr);
@ -161,10 +161,10 @@ int BPF_PROG(udp_sendmsg, struct sock *sk) {
return 0;
}
// Fentry(function enter) of udpv6_sendmsg will be executed before equivalent kernel function is called.
// [this-function] -> udpv6_sendmsg
SEC("fentry/udpv6_sendmsg")
int BPF_PROG(udpv6_sendmsg, struct sock *sk) {
// Fentry(function enter) of udp_v6_connect will be executed after the ip6_datagram_connect kernel function is called.
// ip6_datagram_connect -> udp_v6_connect
SEC("fexit/ip6_datagram_connect")
int BPF_PROG(udp_v6_connect, struct sock *sk) {
// Ignore everything else then IPv6
if (sk->__sk_common.skc_family != AF_INET6) {
return 0;
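Review bot: The comment above the new udp_v6_connect program still says `Fentry(function enter)` while the section is `SEC("fexit/ip6_datagram_connect")` and the sentence itself describes running after the kernel function; the IPv4 twin above reads `Fexit(function exit)`. Suggested replacement: `// Fexit(function exit) of udp_v6_connect will be executed after the ip6_datagram_connect kernel function is called.` udp_v6_connect's body continues past the end of this hunk.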
@ -187,8 +187,8 @@ int BPF_PROG(udpv6_sendmsg, struct sock *sk) {
udp_info->pid = __builtin_bswap32((u32)bpf_get_current_pid_tgid());
// Set src and dist ports
udp_info->dport = sk->__sk_common.skc_dport;
udp_info->sport = sk->__sk_common.skc_num;
udp_info->dport = sk->__sk_common.skc_dport;
// Set src and dist IPs
for(int i = 0; i < 4; i++) {


@ -33,31 +33,40 @@ func StartEBPFWorker(ch chan packet.Packet) {
defer objs.Close()
// Create a link to the tcp_v4_connect program.
linkv4, err := link.AttachTracing(link.TracingOptions{
linkTCPIPv4, err := link.AttachTracing(link.TracingOptions{
Program: objs.bpfPrograms.TcpV4Connect,
})
if err != nil {
log.Errorf("ebpf: failed to attach to tcp_v4_connect: %s ", err)
}
defer linkv4.Close()
defer linkTCPIPv4.Close()
// Create a link to the tcp_v6_connect program.
linkv6, err := link.AttachTracing(link.TracingOptions{
linkTCPIPv6, err := link.AttachTracing(link.TracingOptions{
Program: objs.bpfPrograms.TcpV6Connect,
})
if err != nil {
log.Errorf("ebpf: failed to attach to tcp_v6_connect: %s ", err)
}
defer linkv6.Close()
defer linkTCPIPv6.Close()
// Create a link to the tcp_v6_connect program.
linkudp, err := link.AttachTracing(link.TracingOptions{
Program: objs.bpfPrograms.UdpSendmsg,
// Create a link to the udp_v4_connect program.
linkUDPV4, err := link.AttachTracing(link.TracingOptions{
Program: objs.bpfPrograms.UdpV4Connect,
})
if err != nil {
log.Errorf("ebpf: failed to attach to udp_sendmsg: %s ", err)
log.Errorf("ebpf: failed to attach to udp_v4_connect: %s ", err)
}
defer linkudp.Close()
defer linkUDPV4.Close()
// Create a link to the udp_v6_connect program.
linkUDPV6, err := link.AttachTracing(link.TracingOptions{
Program: objs.bpfPrograms.UdpV6Connect,
})
if err != nil {
log.Errorf("ebpf: failed to attach to udp_v6_connect: %s ", err)
}
defer linkUDPV6.Close()
rd, err := ringbuf.NewReader(objs.bpfMaps.Events)
if err != nil {
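Review bot: The added `defer linkUDPV4.Close()` and `defer linkUDPV6.Close()` run even when the preceding `link.AttachTracing` failed, because the `if err != nil` branches only log and fall through; AttachTracing hands back a nil Link together with the error, so the deferred Close would dereference a nil interface when StartEBPFWorker returns. Continuing past a failed attach also means the worker keeps running while UDP connections silently lose PID attribution. Either abort after logging — `log.Errorf("ebpf: failed to attach to udp_v4_connect: %s ", err)` followed by `return` — or only register the defer when `err == nil`; the TCP attaches above share the same pattern. StartEBPFWorker begins outside this hunk.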
@ -103,7 +112,7 @@ func StartEBPFWorker(ch chan packet.Packet) {
Dst: arrayToIP(event.Daddr, packet.IPVersion(event.IpVersion)),
PID: event.Pid,
}
log.Debugf("ebpf: PID: %d conn: %s:%d -> %s:%d %s %s", info.PID, info.LocalIP(), info.LocalPort(), info.RemoteIP(), info.LocalPort(), info.Version.String(), info.Protocol.String())
log.Debugf("ebpf: PID: %d conn: %s:%d -> %s:%d %s %s", info.PID, info.LocalIP(), info.LocalPort(), info.RemoteIP(), info.RemotePort(), info.Version.String(), info.Protocol.String())
p := &infoPacket{}
p.SetPacketInfo(info)