bpf/progs/cgroup_tcp_skb.c

*539c7e67SKui-Feng Lee// SPDX-License-Identifier: GPL-2.0
*539c7e67SKui-Feng Lee/* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
*539c7e67SKui-Feng Lee#include <linux/bpf.h>
*539c7e67SKui-Feng Lee#include <bpf/bpf_endian.h>
*539c7e67SKui-Feng Lee#include <bpf/bpf_helpers.h>
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee#include <linux/if_ether.h>
*539c7e67SKui-Feng Lee#include <linux/in.h>
*539c7e67SKui-Feng Lee#include <linux/in6.h>
*539c7e67SKui-Feng Lee#include <linux/ipv6.h>
*539c7e67SKui-Feng Lee#include <linux/tcp.h>
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee#include <sys/types.h>
*539c7e67SKui-Feng Lee#include <sys/socket.h>
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee#include "cgroup_tcp_skb.h"
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Leechar _license[] SEC("license") = "GPL";
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee__u16 g_sock_port = 0;
*539c7e67SKui-Feng Lee__u32 g_sock_state = 0;
*539c7e67SKui-Feng Leeint g_unexpected = 0;
*539c7e67SKui-Feng Lee__u32 g_packet_count = 0;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Leeint needed_tcp_pkt(struct __sk_buff *skb, struct tcphdr *tcph)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	struct ipv6hdr ip6h;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	if (skb->protocol != bpf_htons(ETH_P_IPV6))
*539c7e67SKui-Feng Lee		return 0;
*539c7e67SKui-Feng Lee	if (bpf_skb_load_bytes(skb, 0, &ip6h, sizeof(ip6h)))
*539c7e67SKui-Feng Lee		return 0;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	if (ip6h.nexthdr != IPPROTO_TCP)
*539c7e67SKui-Feng Lee		return 0;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	if (bpf_skb_load_bytes(skb, sizeof(ip6h), tcph, sizeof(*tcph)))
*539c7e67SKui-Feng Lee		return 0;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	if (tcph->source != bpf_htons(g_sock_port) &&
*539c7e67SKui-Feng Lee	    tcph->dest != bpf_htons(g_sock_port))
*539c7e67SKui-Feng Lee		return 0;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	return 1;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee/* Run accept() on a socket in the cgroup to receive a new connection. */
*539c7e67SKui-Feng Leestatic int egress_accept(struct tcphdr *tcph)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	if (g_sock_state ==  SYN_RECV_SENDING_SYN_ACK) {
*539c7e67SKui-Feng Lee		if (tcph->fin || !tcph->syn || !tcph->ack)
*539c7e67SKui-Feng Lee			g_unexpected++;
*539c7e67SKui-Feng Lee		else
*539c7e67SKui-Feng Lee			g_sock_state = SYN_RECV;
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee	}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	return 0;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Leestatic int ingress_accept(struct tcphdr *tcph)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	switch (g_sock_state) {
*539c7e67SKui-Feng Lee	case INIT:
*539c7e67SKui-Feng Lee		if (!tcph->syn || tcph->fin || tcph->ack)
*539c7e67SKui-Feng Lee			g_unexpected++;
*539c7e67SKui-Feng Lee		else
*539c7e67SKui-Feng Lee			g_sock_state = SYN_RECV_SENDING_SYN_ACK;
*539c7e67SKui-Feng Lee		break;
*539c7e67SKui-Feng Lee	case SYN_RECV:
*539c7e67SKui-Feng Lee		if (tcph->fin || tcph->syn || !tcph->ack)
*539c7e67SKui-Feng Lee			g_unexpected++;
*539c7e67SKui-Feng Lee		else
*539c7e67SKui-Feng Lee			g_sock_state = ESTABLISHED;
*539c7e67SKui-Feng Lee		break;
*539c7e67SKui-Feng Lee	default:
*539c7e67SKui-Feng Lee		return 0;
*539c7e67SKui-Feng Lee	}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	return 1;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee/* Run connect() on a socket in the cgroup to start a new connection. */
*539c7e67SKui-Feng Leestatic int egress_connect(struct tcphdr *tcph)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	if (g_sock_state == INIT) {
*539c7e67SKui-Feng Lee		if (!tcph->syn || tcph->fin || tcph->ack)
*539c7e67SKui-Feng Lee			g_unexpected++;
*539c7e67SKui-Feng Lee		else
*539c7e67SKui-Feng Lee			g_sock_state = SYN_SENT;
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee	}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	return 0;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Leestatic int ingress_connect(struct tcphdr *tcph)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	if (g_sock_state == SYN_SENT) {
*539c7e67SKui-Feng Lee		if (tcph->fin || !tcph->syn || !tcph->ack)
*539c7e67SKui-Feng Lee			g_unexpected++;
*539c7e67SKui-Feng Lee		else
*539c7e67SKui-Feng Lee			g_sock_state = ESTABLISHED;
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee	}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	return 0;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee/* The connection is closed by the peer outside the cgroup. */
*539c7e67SKui-Feng Leestatic int egress_close_remote(struct tcphdr *tcph)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	switch (g_sock_state) {
*539c7e67SKui-Feng Lee	case ESTABLISHED:
*539c7e67SKui-Feng Lee		break;
*539c7e67SKui-Feng Lee	case CLOSE_WAIT_SENDING_ACK:
*539c7e67SKui-Feng Lee		if (tcph->fin || tcph->syn || !tcph->ack)
*539c7e67SKui-Feng Lee			g_unexpected++;
*539c7e67SKui-Feng Lee		else
*539c7e67SKui-Feng Lee			g_sock_state = CLOSE_WAIT;
*539c7e67SKui-Feng Lee		break;
*539c7e67SKui-Feng Lee	case CLOSE_WAIT:
*539c7e67SKui-Feng Lee		if (!tcph->fin)
*539c7e67SKui-Feng Lee			g_unexpected++;
*539c7e67SKui-Feng Lee		else
*539c7e67SKui-Feng Lee			g_sock_state = LAST_ACK;
*539c7e67SKui-Feng Lee		break;
*539c7e67SKui-Feng Lee	default:
*539c7e67SKui-Feng Lee		return 0;
*539c7e67SKui-Feng Lee	}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	return 1;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Leestatic int ingress_close_remote(struct tcphdr *tcph)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	switch (g_sock_state) {
*539c7e67SKui-Feng Lee	case ESTABLISHED:
*539c7e67SKui-Feng Lee		if (tcph->fin)
*539c7e67SKui-Feng Lee			g_sock_state = CLOSE_WAIT_SENDING_ACK;
*539c7e67SKui-Feng Lee		break;
*539c7e67SKui-Feng Lee	case LAST_ACK:
*539c7e67SKui-Feng Lee		if (tcph->fin || tcph->syn || !tcph->ack)
*539c7e67SKui-Feng Lee			g_unexpected++;
*539c7e67SKui-Feng Lee		else
*539c7e67SKui-Feng Lee			g_sock_state = CLOSED;
*539c7e67SKui-Feng Lee		break;
*539c7e67SKui-Feng Lee	default:
*539c7e67SKui-Feng Lee		return 0;
*539c7e67SKui-Feng Lee	}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	return 1;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee/* The connection is closed by the endpoint inside the cgroup. */
*539c7e67SKui-Feng Leestatic int egress_close_local(struct tcphdr *tcph)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	switch (g_sock_state) {
*539c7e67SKui-Feng Lee	case ESTABLISHED:
*539c7e67SKui-Feng Lee		if (tcph->fin)
*539c7e67SKui-Feng Lee			g_sock_state = FIN_WAIT1;
*539c7e67SKui-Feng Lee		break;
*539c7e67SKui-Feng Lee	case TIME_WAIT_SENDING_ACK:
*539c7e67SKui-Feng Lee		if (tcph->fin || tcph->syn || !tcph->ack)
*539c7e67SKui-Feng Lee			g_unexpected++;
*539c7e67SKui-Feng Lee		else
*539c7e67SKui-Feng Lee			g_sock_state = TIME_WAIT;
*539c7e67SKui-Feng Lee		break;
*539c7e67SKui-Feng Lee	default:
*539c7e67SKui-Feng Lee		return 0;
*539c7e67SKui-Feng Lee	}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	return 1;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Leestatic int ingress_close_local(struct tcphdr *tcph)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	switch (g_sock_state) {
*539c7e67SKui-Feng Lee	case ESTABLISHED:
*539c7e67SKui-Feng Lee		break;
*539c7e67SKui-Feng Lee	case FIN_WAIT1:
*539c7e67SKui-Feng Lee		if (tcph->fin || tcph->syn || !tcph->ack)
*539c7e67SKui-Feng Lee			g_unexpected++;
*539c7e67SKui-Feng Lee		else
*539c7e67SKui-Feng Lee			g_sock_state = FIN_WAIT2;
*539c7e67SKui-Feng Lee		break;
*539c7e67SKui-Feng Lee	case FIN_WAIT2:
*539c7e67SKui-Feng Lee		if (!tcph->fin || tcph->syn || !tcph->ack)
*539c7e67SKui-Feng Lee			g_unexpected++;
*539c7e67SKui-Feng Lee		else
*539c7e67SKui-Feng Lee			g_sock_state = TIME_WAIT_SENDING_ACK;
*539c7e67SKui-Feng Lee		break;
*539c7e67SKui-Feng Lee	default:
*539c7e67SKui-Feng Lee		return 0;
*539c7e67SKui-Feng Lee	}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	return 1;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee/* Check the types of outgoing packets of a server socket to make sure they
*539c7e67SKui-Feng Lee * are consistent with the state of the server socket.
*539c7e67SKui-Feng Lee *
*539c7e67SKui-Feng Lee * The connection is closed by the client side.
*539c7e67SKui-Feng Lee */
*539c7e67SKui-Feng LeeSEC("cgroup_skb/egress")
*539c7e67SKui-Feng Leeint server_egress(struct __sk_buff *skb)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	struct tcphdr tcph;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	if (!needed_tcp_pkt(skb, &tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_packet_count++;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	/* Egress of the server socket. */
*539c7e67SKui-Feng Lee	if (egress_accept(&tcph) || egress_close_remote(&tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_unexpected++;
*539c7e67SKui-Feng Lee	return 1;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee/* Check the types of incoming packets of a server socket to make sure they
*539c7e67SKui-Feng Lee * are consistent with the state of the server socket.
*539c7e67SKui-Feng Lee *
*539c7e67SKui-Feng Lee * The connection is closed by the client side.
*539c7e67SKui-Feng Lee */
*539c7e67SKui-Feng LeeSEC("cgroup_skb/ingress")
*539c7e67SKui-Feng Leeint server_ingress(struct __sk_buff *skb)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	struct tcphdr tcph;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	if (!needed_tcp_pkt(skb, &tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_packet_count++;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	/* Ingress of the server socket. */
*539c7e67SKui-Feng Lee	if (ingress_accept(&tcph) || ingress_close_remote(&tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_unexpected++;
*539c7e67SKui-Feng Lee	return 1;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee/* Check the types of outgoing packets of a server socket to make sure they
*539c7e67SKui-Feng Lee * are consistent with the state of the server socket.
*539c7e67SKui-Feng Lee *
*539c7e67SKui-Feng Lee * The connection is closed by the server side.
*539c7e67SKui-Feng Lee */
*539c7e67SKui-Feng LeeSEC("cgroup_skb/egress")
*539c7e67SKui-Feng Leeint server_egress_srv(struct __sk_buff *skb)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	struct tcphdr tcph;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	if (!needed_tcp_pkt(skb, &tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_packet_count++;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	/* Egress of the server socket. */
*539c7e67SKui-Feng Lee	if (egress_accept(&tcph) || egress_close_local(&tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_unexpected++;
*539c7e67SKui-Feng Lee	return 1;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee/* Check the types of incoming packets of a server socket to make sure they
*539c7e67SKui-Feng Lee * are consistent with the state of the server socket.
*539c7e67SKui-Feng Lee *
*539c7e67SKui-Feng Lee * The connection is closed by the server side.
*539c7e67SKui-Feng Lee */
*539c7e67SKui-Feng LeeSEC("cgroup_skb/ingress")
*539c7e67SKui-Feng Leeint server_ingress_srv(struct __sk_buff *skb)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	struct tcphdr tcph;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	if (!needed_tcp_pkt(skb, &tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_packet_count++;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	/* Ingress of the server socket. */
*539c7e67SKui-Feng Lee	if (ingress_accept(&tcph) || ingress_close_local(&tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_unexpected++;
*539c7e67SKui-Feng Lee	return 1;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee/* Check the types of outgoing packets of a client socket to make sure they
*539c7e67SKui-Feng Lee * are consistent with the state of the client socket.
*539c7e67SKui-Feng Lee *
*539c7e67SKui-Feng Lee * The connection is closed by the server side.
*539c7e67SKui-Feng Lee */
*539c7e67SKui-Feng LeeSEC("cgroup_skb/egress")
*539c7e67SKui-Feng Leeint client_egress_srv(struct __sk_buff *skb)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	struct tcphdr tcph;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	if (!needed_tcp_pkt(skb, &tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_packet_count++;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	/* Egress of the server socket. */
*539c7e67SKui-Feng Lee	if (egress_connect(&tcph) || egress_close_remote(&tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_unexpected++;
*539c7e67SKui-Feng Lee	return 1;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee/* Check the types of incoming packets of a client socket to make sure they
*539c7e67SKui-Feng Lee * are consistent with the state of the client socket.
*539c7e67SKui-Feng Lee *
*539c7e67SKui-Feng Lee * The connection is closed by the server side.
*539c7e67SKui-Feng Lee */
*539c7e67SKui-Feng LeeSEC("cgroup_skb/ingress")
*539c7e67SKui-Feng Leeint client_ingress_srv(struct __sk_buff *skb)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	struct tcphdr tcph;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	if (!needed_tcp_pkt(skb, &tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_packet_count++;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	/* Ingress of the server socket. */
*539c7e67SKui-Feng Lee	if (ingress_connect(&tcph) || ingress_close_remote(&tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_unexpected++;
*539c7e67SKui-Feng Lee	return 1;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee/* Check the types of outgoing packets of a client socket to make sure they
*539c7e67SKui-Feng Lee * are consistent with the state of the client socket.
*539c7e67SKui-Feng Lee *
*539c7e67SKui-Feng Lee * The connection is closed by the client side.
*539c7e67SKui-Feng Lee */
*539c7e67SKui-Feng LeeSEC("cgroup_skb/egress")
*539c7e67SKui-Feng Leeint client_egress(struct __sk_buff *skb)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	struct tcphdr tcph;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	if (!needed_tcp_pkt(skb, &tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_packet_count++;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	/* Egress of the server socket. */
*539c7e67SKui-Feng Lee	if (egress_connect(&tcph) || egress_close_local(&tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_unexpected++;
*539c7e67SKui-Feng Lee	return 1;
*539c7e67SKui-Feng Lee}
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee/* Check the types of incoming packets of a client socket to make sure they
*539c7e67SKui-Feng Lee * are consistent with the state of the client socket.
*539c7e67SKui-Feng Lee *
*539c7e67SKui-Feng Lee * The connection is closed by the client side.
*539c7e67SKui-Feng Lee */
*539c7e67SKui-Feng LeeSEC("cgroup_skb/ingress")
*539c7e67SKui-Feng Leeint client_ingress(struct __sk_buff *skb)
*539c7e67SKui-Feng Lee{
*539c7e67SKui-Feng Lee	struct tcphdr tcph;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	if (!needed_tcp_pkt(skb, &tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_packet_count++;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	/* Ingress of the server socket. */
*539c7e67SKui-Feng Lee	if (ingress_connect(&tcph) || ingress_close_local(&tcph))
*539c7e67SKui-Feng Lee		return 1;
*539c7e67SKui-Feng Lee
*539c7e67SKui-Feng Lee	g_unexpected++;
*539c7e67SKui-Feng Lee	return 1;
*539c7e67SKui-Feng Lee}