Use datagram_connect for udp ebpf process detection

safing · Jun 9, 2023 · 169a5a1 · 169a5a1
1 parent 0164463
commit 169a5a1
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 34 deletions.
diff --git a/firewall/interception/ebpf/bpf_bpfeb.go b/firewall/interception/ebpf/bpf_bpfeb.go
diff --git a/firewall/interception/ebpf/bpf_bpfel.go b/firewall/interception/ebpf/bpf_bpfel.go
diff --git a/firewall/interception/ebpf/program/monitor.c b/firewall/interception/ebpf/program/monitor.c
@@ -57,8 +57,8 @@ int BPF_PROG(tcp_v4_connect, struct sock *sk) {
 	tcp_info->pid = __builtin_bswap32((u32)bpf_get_current_pid_tgid());
 
 	// Set src and dist ports
-	tcp_info->dport = sk->__sk_common.skc_dport;
 	tcp_info->sport = sk->__sk_common.skc_num;
+	tcp_info->dport = sk->__sk_common.skc_dport;
 
 	// Set src and dist IPs
 	tcp_info->saddr[0] = __builtin_bswap32(sk->__sk_common.skc_rcv_saddr);
@@ -101,8 +101,8 @@ int BPF_PROG(tcp_v6_connect, struct sock *sk) {
 	tcp_info->pid = __builtin_bswap32((u32)bpf_get_current_pid_tgid());
 
 	// Set src and dist ports
-	tcp_info->dport = sk->__sk_common.skc_dport;
 	tcp_info->sport = sk->__sk_common.skc_num;
+	tcp_info->dport = sk->__sk_common.skc_dport;
 
 	// Set src and dist IPs
 	for(int i = 0; i < 4; i++) {
@@ -123,10 +123,10 @@ int BPF_PROG(tcp_v6_connect, struct sock *sk) {
 	return 0;
 };
 
-// Fentry(function enter) of udp_sendmsg will be executed before equivalent kernel function is called.
-// [this-function] -> udp_sendmsg
-SEC("fentry/udp_sendmsg")
-int BPF_PROG(udp_sendmsg, struct sock *sk) {
+// Fexit(function exit) of udp_v4_connect will be executed after the ip4_datagram_connect kernel function is called.
+// ip4_datagram_connect -> udp_v4_connect
+SEC("fexit/ip4_datagram_connect")
+int BPF_PROG(udp_v4_connect, struct sock *sk) {
 	// Ignore everything else then IPv4
 	if (sk->__sk_common.skc_family != AF_INET) {
 		return 0;
@@ -143,8 +143,8 @@ int BPF_PROG(udp_sendmsg, struct sock *sk) {
 	udp_info->pid = __builtin_bswap32((u32)bpf_get_current_pid_tgid());
 
 	// Set src and dist ports
-	udp_info->dport = sk->__sk_common.skc_dport;
 	udp_info->sport = sk->__sk_common.skc_num;
+	udp_info->dport = sk->__sk_common.skc_dport;
 
 	// Set src and dist IPs
 	udp_info->saddr[0] = __builtin_bswap32(sk->__sk_common.skc_rcv_saddr);
@@ -161,10 +161,10 @@ int BPF_PROG(udp_sendmsg, struct sock *sk) {
 	return 0;
 }
 
-// Fentry(function enter) of udpv6_sendmsg will be executed before equivalent kernel function is called.
-// [this-function] -> udpv6_sendmsg
-SEC("fentry/udpv6_sendmsg")
-int BPF_PROG(udpv6_sendmsg, struct sock *sk) {
+// Fentry(function enter) of udp_v6_connect will be executed after the ip6_datagram_connect kernel function is called.
+// ip6_datagram_connect -> udp_v6_connect
+SEC("fexit/ip6_datagram_connect")
+int BPF_PROG(udp_v6_connect, struct sock *sk) {
 	// Ignore everything else then IPv6
 	if (sk->__sk_common.skc_family != AF_INET6) {
 		return 0;
@@ -187,8 +187,8 @@ int BPF_PROG(udpv6_sendmsg, struct sock *sk) {
 	udp_info->pid = __builtin_bswap32((u32)bpf_get_current_pid_tgid());
 
 	// Set src and dist ports
-	udp_info->dport = sk->__sk_common.skc_dport;
 	udp_info->sport = sk->__sk_common.skc_num;
+	udp_info->dport = sk->__sk_common.skc_dport;
 
 	// Set src and dist IPs
 	for(int i = 0; i < 4; i++) {

diff --git a/firewall/interception/ebpf/worker.go b/firewall/interception/ebpf/worker.go
@@ -33,31 +33,40 @@ func StartEBPFWorker(ch chan packet.Packet) {
 		defer objs.Close()
 
 		// Create a link to the tcp_v4_connect program.
-		linkv4, err := link.AttachTracing(link.TracingOptions{
+		linkTCPIPv4, err := link.AttachTracing(link.TracingOptions{
 			Program: objs.bpfPrograms.TcpV4Connect,
 		})
 		if err != nil {
 			log.Errorf("ebpf: failed to attach to tcp_v4_connect: %s ", err)
 		}
-		defer linkv4.Close()
+		defer linkTCPIPv4.Close()
 
 		// Create a link to the tcp_v6_connect program.
-		linkv6, err := link.AttachTracing(link.TracingOptions{
+		linkTCPIPv6, err := link.AttachTracing(link.TracingOptions{
 			Program: objs.bpfPrograms.TcpV6Connect,
 		})
 		if err != nil {
 			log.Errorf("ebpf: failed to attach to tcp_v6_connect: %s ", err)
 		}
-		defer linkv6.Close()
+		defer linkTCPIPv6.Close()
 
-		// Create a link to the tcp_v6_connect program.
-		linkudp, err := link.AttachTracing(link.TracingOptions{
-			Program: objs.bpfPrograms.UdpSendmsg,
+		// Create a link to the udp_v4_connect program.
+		linkUDPV4, err := link.AttachTracing(link.TracingOptions{
+			Program: objs.bpfPrograms.UdpV4Connect,
+		})
+		if err != nil {
+			log.Errorf("ebpf: failed to attach to udp_v4_connect: %s ", err)
+		}
+		defer linkUDPV4.Close()
+
+		// Create a link to the udp_v6_connect program.
+		linkUDPV6, err := link.AttachTracing(link.TracingOptions{
+			Program: objs.bpfPrograms.UdpV6Connect,
 		})
 		if err != nil {
-			log.Errorf("ebpf: failed to attach to udp_sendmsg: %s ", err)
+			log.Errorf("ebpf: failed to attach to udp_v6_connect: %s ", err)
 		}
-		defer linkudp.Close()
+		defer linkUDPV6.Close()
 
 		rd, err := ringbuf.NewReader(objs.bpfMaps.Events)
 		if err != nil {
@@ -103,7 +112,7 @@ func StartEBPFWorker(ch chan packet.Packet) {
 				Dst:      arrayToIP(event.Daddr, packet.IPVersion(event.IpVersion)),
 				PID:      event.Pid,
 			}
-			log.Debugf("ebpf: PID: %d conn: %s:%d -> %s:%d %s %s", info.PID, info.LocalIP(), info.LocalPort(), info.RemoteIP(), info.LocalPort(), info.Version.String(), info.Protocol.String())
+			log.Debugf("ebpf: PID: %d conn: %s:%d -> %s:%d %s %s", info.PID, info.LocalIP(), info.LocalPort(), info.RemoteIP(), info.RemotePort(), info.Version.String(), info.Protocol.String())
 
 			p := &infoPacket{}
 			p.SetPacketInfo(info)