From 3d06f26b0e143f67d399fe7475aaa7eda7f3a0f6 Mon Sep 17 00:00:00 2001
From: perryan123 <897465624@qq.com>
Date: Sat, 7 Jan 2023 22:55:18 +0800
Subject: [PATCH 1/2] nettrace commit:support ipsec analysis
---
 shared/bpf/skb_shared.h | 5 +++++
 shared/bpf/skb_utils.h | 14 ++++++++++++++
 shared/pkt_utils.c | 4 ++++
 src/trace.yaml | 19 +++++++++++++++++++
 4 files changed, 42 insertions(+)
diff --git a/shared/bpf/skb_shared.h b/shared/bpf/skb_shared.h
index 9b886bb..bfc8d21 100644
--- a/shared/bpf/skb_shared.h
+++ b/shared/bpf/skb_shared.h
@@ -40,6 +40,11 @@ typedef struct __attribute__((__packed__)) {
 struct {
 u16 op;
 } arp_ext;
+ struct
+ {
+ u32 spi;
+ u32 seq;
+ } espheader;
 #define field_udp l4.udp
 } l4;
 u16 proto_l3;
diff --git a/shared/bpf/skb_utils.h b/shared/bpf/skb_utils.h
index 6dbfefb..56fb45a 100644
--- a/shared/bpf/skb_utils.h
+++ b/shared/bpf/skb_utils.h
@@ -178,6 +178,12 @@ static try_inline bool ipv6_not_equel(u8 *src, u8 *target)
 #define ATTR_IPV6_CHECK() \
 (filter && ATTR_OPS(addr, ATTR_IPV6_OPS))
+struct ip_esp_hdr {
+ __be32 spi;
+ __be32 seq_no; /* Sequence number */
+ __u8 enc_data[0]; /* Variable len but >=8. Mind the 64 bit alignment! */
+};
+
 static try_inline int probe_parse_ip(void *ip, parse_ctx_t *ctx)
 {
 pkt_args_t *bpf_args = ctx->args;
@@ -269,6 +275,14 @@ static try_inline int probe_parse_ip(void *ip, parse_ctx_t *ctx)
 pkt->l4.icmp.id = _(icmp->un.echo.id);
 break;
 }
+ case 50: {
+ struct ip_esp_hdr *esp_hdr = l4;
+ if (ATTR_ENABLE(port))
+ goto err;
+ pkt->l4.espheader.seq = _(esp_hdr->seq_no);
+ pkt->l4.espheader.spi = _(esp_hdr->spi);
+ break;
+ }
 default:
 if (ATTR_ENABLE(port))
 goto err;
diff --git a/shared/pkt_utils.c b/shared/pkt_utils.c
index 2b19a1b..be1c846 100644
--- a/shared/pkt_utils.c
+++ b/shared/pkt_utils.c
@@ -82,6 +82,7 @@ int ts_print_packet(char *buf, packet_t *pkt, char *minfo,
 daddr, ntohs(pkt->l4.min.dport));
 break;
 case IPPROTO_ICMP:
+ case IPPROTO_ESP:
 BUF_FMT("%s -> %s", saddr, daddr);
 break;
 default:
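Review bot: The new `espheader` members carry no comment on byte order, yet the printing side in shared/pkt_utils.c applies `ntohl()` to both, so the contract that they hold the wire value in network byte order exists only in the caller's head; `/* ESP SPI and sequence number, kept in network byte order */` above the struct would pin it down. The brace placement (`struct` and `{` on separate lines) also differs from the sibling `struct { u16 op; } arp_ext;` in the same union, and the other members use short names (`udp`, `icmp`, `min`, `arp_ext`), so `esp` would read more consistently than `espheader`. The enclosing packed typedef starts and ends outside the hunk. The same hunk is repeated unchanged in PATCH 2/2.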
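Review bot: `struct ip_esp_hdr` reproduces, as far as I recall, the UAPI definition of the same name from the kernel's linux/ip.h; if any translation unit that includes skb_utils.h also pulls in that header (or a vmlinux.h carrying the type), the redefinition is a compile error, so a project-prefixed name or an `#ifndef`-style guard would be safer, worth confirming against the BPF build's include set. `__u8 enc_data[0]` is a GNU zero-length array where the C99 form is `enc_data[]`, and since the parser only reads `spi` and `seq_no` the member could simply be dropped. The same definition is repeated in PATCH 2/2.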
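Review bot: `case 50:` is a bare protocol number where the surrounding code uses `IPPROTO_*` names; PATCH 2/2 in this series already replaces it with `case IPPROTO_ESP:`, so the two commits should be squashed rather than landing the magic constant first. The two assignments also store `seq_no` and `spi` without noting that they are left in network byte order for the user-space printer; a one-line comment such as `/* kept in network byte order; ts_print_packet() applies ntohl() */` would make that explicit. `probe_parse_ip` begins and ends outside this hunk.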
@@ -116,6 +117,9 @@ int ts_print_packet(char *buf, packet_t *pkt, char *minfo,
 }
 BUF_FMT("seq: %u", ntohs(pkt->l4.icmp.seq));
 break;
+ case IPPROTO_ESP:
+ BUF_FMT(" spi:0x%x seq:0x%x", ntohl(pkt->l4.espheader.spi), ntohl(pkt->l4.espheader.seq));
+ break;
 default:
 break;
 }
diff --git a/src/trace.yaml b/src/trace.yaml
index fafb86e..a5cfc28 100644
--- a/src/trace.yaml
+++ b/src/trace.yaml
@@ -222,6 +222,25 @@ children:
 - ip_finish_output_gso:2
 - ip_finish_output2:2
 - ip6_finish_output2:2
+ - xfrm4_output:2
+ - xfrm_output:1
+ - xfrm_output2:2
+ - xfrm_output_gso:2
+ - xfrm_output_resume:1
+ - xfrm4_transport_output:1
+ - xfrm4_prepare_output:1
+ - dst_output:2
+ - ah_output:1
+ - esp_output:1
+ - esp_output_tail:1
+ - xfrm4_rcv:0
+ - xfrm4_policy_check:2
+ - xfrm4_rcv:0
+ - xfrm_input:0
+ - ah_input:1
+ - esp_input:1
+ - xfrm4_transport_input:1
+ - xfrm4_rcv_encap_finish:2
 - name: ip-route
 desc: ip route for packet in and out
 visual: true
From d40b9b6013e33eb5e1a0020386d97c0d94c42db2 Mon Sep 17 00:00:00 2001
From: perryan123 <897465624@qq.com>
Date: Sun, 8 Jan 2023 21:15:55 +0800
Subject: [PATCH 2/2] nettrace commit:support ipsec analysis
---
 shared/bpf/skb_shared.h | 5 +++++
 shared/bpf/skb_utils.h | 14 ++++++++++++++
 shared/pkt_utils.c | 4 ++++
 src/trace.yaml | 19 +++++++++++++++++++
 4 files changed, 42 insertions(+)
diff --git a/shared/bpf/skb_shared.h b/shared/bpf/skb_shared.h
index 9b886bb..bfc8d21 100644
--- a/shared/bpf/skb_shared.h
+++ b/shared/bpf/skb_shared.h
@@ -40,6 +40,11 @@ typedef struct __attribute__((__packed__)) {
 struct {
 u16 op;
 } arp_ext;
+ struct
+ {
+ u32 spi;
+ u32 seq;
+ } espheader;
 #define field_udp l4.udp
 } l4;
 u16 proto_l3;
diff --git a/shared/bpf/skb_utils.h b/shared/bpf/skb_utils.h
index 6dbfefb..f5852d5 100644
--- a/shared/bpf/skb_utils.h
+++ b/shared/bpf/skb_utils.h
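Review bot: The new format string `" spi:0x%x seq:0x%x"` does not follow the sibling ICMP case, which writes `"seq: %u"` with no leading space and a space after the colon, so ESP output is formatted differently from every other protocol this function prints; `BUF_FMT("spi: 0x%x seq: %u", ntohl(pkt->l4.espheader.spi), ntohl(pkt->l4.espheader.seq))` matches the existing style and prints the sequence counter in decimal like the ICMP seq. `ntohl()` returns `uint32_t`, which matches `%x` where `uint32_t` is `unsigned int` (glibc/Linux), but `PRIx32` from <inttypes.h> is the strictly matching specifier if the file already includes it. `ts_print_packet` starts and ends outside this hunk, and the identical hunk appears again in PATCH 2/2.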
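Review bot: `xfrm4_rcv:0` is listed twice in the added entries (once before `xfrm4_policy_check:2` and once after), so one of the two should be dropped. The list also mixes receive-side probes (`xfrm4_rcv`, `xfrm_input`, `ah_input`, `esp_input`, `xfrm4_transport_input`, `xfrm4_rcv_encap_finish`) into a group whose visible context holds only `ip_finish_output*` functions; if this group is the IP output path, those entries probably belong with the receive-path group instead. Of the output entries, `dst_output` and `xfrm4_policy_check` are, as far as I recall, `static inline` helpers in kernel headers and may not be attachable as probe points, and the position of the skb argument to `xfrm_output_resume` changed across kernel versions, so the `:1` index is worth confirming against the target kernel. The same hunk is repeated unchanged in PATCH 2/2.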
@@ -178,6 +178,12 @@ static try_inline bool ipv6_not_equel(u8 *src, u8 *target)
 #define ATTR_IPV6_CHECK() \
 (filter && ATTR_OPS(addr, ATTR_IPV6_OPS))
+struct ip_esp_hdr {
+ __be32 spi;
+ __be32 seq_no; /* Sequence number */
+ __u8 enc_data[0]; /* Variable len but >=8. Mind the 64 bit alignment! */
+};
+
 static try_inline int probe_parse_ip(void *ip, parse_ctx_t *ctx)
 {
 pkt_args_t *bpf_args = ctx->args;
@@ -269,6 +275,14 @@ static try_inline int probe_parse_ip(void *ip, parse_ctx_t *ctx)
 pkt->l4.icmp.id = _(icmp->un.echo.id);
 break;
 }
+ case IPPROTO_ESP: {
+ struct ip_esp_hdr *esp_hdr = l4;
+ if (ATTR_ENABLE(port))
+ goto err;
+ pkt->l4.espheader.seq = _(esp_hdr->seq_no);
+ pkt->l4.espheader.spi = _(esp_hdr->spi);
+ break;
+ }
 default:
 if (ATTR_ENABLE(port))
 goto err;
diff --git a/shared/pkt_utils.c b/shared/pkt_utils.c
index 2b19a1b..be1c846 100644
--- a/shared/pkt_utils.c
+++ b/shared/pkt_utils.c
@@ -82,6 +82,7 @@ int ts_print_packet(char *buf, packet_t *pkt, char *minfo,
 daddr, ntohs(pkt->l4.min.dport));
 break;
 case IPPROTO_ICMP:
+ case IPPROTO_ESP:
 BUF_FMT("%s -> %s", saddr, daddr);
 break;
 default:
@@ -116,6 +117,9 @@ int ts_print_packet(char *buf, packet_t *pkt, char *minfo,
 }
 BUF_FMT("seq: %u", ntohs(pkt->l4.icmp.seq));
 break;
+ case IPPROTO_ESP:
+ BUF_FMT(" spi:0x%x seq:0x%x", ntohl(pkt->l4.espheader.spi), ntohl(pkt->l4.espheader.seq));
+ break;
 default:
 break;
 }
diff --git a/src/trace.yaml b/src/trace.yaml
index fafb86e..a5cfc28 100644
--- a/src/trace.yaml
+++ b/src/trace.yaml
@@ -222,6 +222,25 @@ children:
 - ip_finish_output_gso:2
 - ip_finish_output2:2
 - ip6_finish_output2:2
+ - xfrm4_output:2
+ - xfrm_output:1
+ - xfrm_output2:2
+ - xfrm_output_gso:2
+ - xfrm_output_resume:1
+ - xfrm4_transport_output:1
+ - xfrm4_prepare_output:1
+ - dst_output:2
+ - ah_output:1
+ - esp_output:1
+ - esp_output_tail:1
+ - xfrm4_rcv:0
+ - xfrm4_policy_check:2
+ - xfrm4_rcv:0
+ - xfrm_input:0
+ - ah_input:1
+ - esp_input:1
+ - xfrm4_transport_input:1
+ - xfrm4_rcv_encap_finish:2
 - name: ip-route
 desc: ip route for packet in and out
 visual: true