1 // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause 2 // Copyright (c) 2020 Cloudflare 3 4 #include <errno.h> 5 #include <stdbool.h> 6 #include <stddef.h> 7 #include <linux/bpf.h> 8 #include <linux/in.h> 9 #include <sys/socket.h> 10 11 #include <bpf/bpf_endian.h> 12 #include <bpf/bpf_helpers.h> 13 14 #define IP4(a, b, c, d) \ 15 bpf_htonl((((__u32)(a) & 0xffU) << 24) | \ 16 (((__u32)(b) & 0xffU) << 16) | \ 17 (((__u32)(c) & 0xffU) << 8) | \ 18 (((__u32)(d) & 0xffU) << 0)) 19 #define IP6(aaaa, bbbb, cccc, dddd) \ 20 { bpf_htonl(aaaa), bpf_htonl(bbbb), bpf_htonl(cccc), bpf_htonl(dddd) } 21 22 /* Macros for least-significant byte and word accesses. */ 23 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ 24 #define LSE_INDEX(index, size) (index) 25 #else 26 #define LSE_INDEX(index, size) ((size) - (index) - 1) 27 #endif 28 #define LSB(value, index) \ 29 (((__u8 *)&(value))[LSE_INDEX((index), sizeof(value))]) 30 #define LSW(value, index) \ 31 (((__u16 *)&(value))[LSE_INDEX((index), sizeof(value) / 2)]) 32 33 #define MAX_SOCKS 32 34 35 struct { 36 __uint(type, BPF_MAP_TYPE_SOCKMAP); 37 __uint(max_entries, MAX_SOCKS); 38 __type(key, __u32); 39 __type(value, __u64); 40 } redir_map SEC(".maps"); 41 42 struct { 43 __uint(type, BPF_MAP_TYPE_ARRAY); 44 __uint(max_entries, 2); 45 __type(key, int); 46 __type(value, int); 47 } run_map SEC(".maps"); 48 49 enum { 50 PROG1 = 0, 51 PROG2, 52 }; 53 54 enum { 55 SERVER_A = 0, 56 SERVER_B, 57 }; 58 59 /* Addressable key/value constants for convenience */ 60 static const int KEY_PROG1 = PROG1; 61 static const int KEY_PROG2 = PROG2; 62 static const int PROG_DONE = 1; 63 64 static const __u32 KEY_SERVER_A = SERVER_A; 65 static const __u32 KEY_SERVER_B = SERVER_B; 66 67 static const __u16 SRC_PORT = bpf_htons(8008); 68 static const __u32 SRC_IP4 = IP4(127, 0, 0, 2); 69 static const __u32 SRC_IP6[] = IP6(0xfd000000, 0x0, 0x0, 0x00000002); 70 71 static const __u16 DST_PORT = 7007; /* Host byte order */ 72 static const __u32 DST_IP4 = IP4(127, 0, 0, 1); 73 static const __u32 DST_IP6[] = IP6(0xfd000000, 0x0, 0x0, 0x00000001); 74 75 SEC("sk_lookup") 76 int lookup_pass(struct bpf_sk_lookup *ctx) 77 { 78 return SK_PASS; 79 } 80 81 SEC("sk_lookup") 82 int lookup_drop(struct bpf_sk_lookup *ctx) 83 { 84 return SK_DROP; 85 } 86 87 SEC("sk_lookup") 88 int check_ifindex(struct bpf_sk_lookup *ctx) 89 { 90 if (ctx->ingress_ifindex == 1) 91 return SK_DROP; 92 return SK_PASS; 93 } 94 95 SEC("sk_reuseport") 96 int reuseport_pass(struct sk_reuseport_md *ctx) 97 { 98 return SK_PASS; 99 } 100 101 SEC("sk_reuseport") 102 int reuseport_drop(struct sk_reuseport_md *ctx) 103 { 104 return SK_DROP; 105 } 106 107 /* Redirect packets destined for port DST_PORT to socket at redir_map[0]. */ 108 SEC("sk_lookup") 109 int redir_port(struct bpf_sk_lookup *ctx) 110 { 111 struct bpf_sock *sk; 112 int err; 113 114 if (ctx->local_port != DST_PORT) 115 return SK_PASS; 116 117 sk = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_A); 118 if (!sk) 119 return SK_PASS; 120 121 err = bpf_sk_assign(ctx, sk, 0); 122 bpf_sk_release(sk); 123 return err ? SK_DROP : SK_PASS; 124 } 125 126 /* Redirect packets destined for DST_IP4 address to socket at redir_map[0]. */ 127 SEC("sk_lookup") 128 int redir_ip4(struct bpf_sk_lookup *ctx) 129 { 130 struct bpf_sock *sk; 131 int err; 132 133 if (ctx->family != AF_INET) 134 return SK_PASS; 135 if (ctx->local_port != DST_PORT) 136 return SK_PASS; 137 if (ctx->local_ip4 != DST_IP4) 138 return SK_PASS; 139 140 sk = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_A); 141 if (!sk) 142 return SK_PASS; 143 144 err = bpf_sk_assign(ctx, sk, 0); 145 bpf_sk_release(sk); 146 return err ? SK_DROP : SK_PASS; 147 } 148 149 /* Redirect packets destined for DST_IP6 address to socket at redir_map[0]. */ 150 SEC("sk_lookup") 151 int redir_ip6(struct bpf_sk_lookup *ctx) 152 { 153 struct bpf_sock *sk; 154 int err; 155 156 if (ctx->family != AF_INET6) 157 return SK_PASS; 158 if (ctx->local_port != DST_PORT) 159 return SK_PASS; 160 if (ctx->local_ip6[0] != DST_IP6[0] || 161 ctx->local_ip6[1] != DST_IP6[1] || 162 ctx->local_ip6[2] != DST_IP6[2] || 163 ctx->local_ip6[3] != DST_IP6[3]) 164 return SK_PASS; 165 166 sk = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_A); 167 if (!sk) 168 return SK_PASS; 169 170 err = bpf_sk_assign(ctx, sk, 0); 171 bpf_sk_release(sk); 172 return err ? SK_DROP : SK_PASS; 173 } 174 175 SEC("sk_lookup") 176 int select_sock_a(struct bpf_sk_lookup *ctx) 177 { 178 struct bpf_sock *sk; 179 int err; 180 181 sk = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_A); 182 if (!sk) 183 return SK_PASS; 184 185 err = bpf_sk_assign(ctx, sk, 0); 186 bpf_sk_release(sk); 187 return err ? SK_DROP : SK_PASS; 188 } 189 190 SEC("sk_lookup") 191 int select_sock_a_no_reuseport(struct bpf_sk_lookup *ctx) 192 { 193 struct bpf_sock *sk; 194 int err; 195 196 sk = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_A); 197 if (!sk) 198 return SK_DROP; 199 200 err = bpf_sk_assign(ctx, sk, BPF_SK_LOOKUP_F_NO_REUSEPORT); 201 bpf_sk_release(sk); 202 return err ? SK_DROP : SK_PASS; 203 } 204 205 SEC("sk_reuseport") 206 int select_sock_b(struct sk_reuseport_md *ctx) 207 { 208 __u32 key = KEY_SERVER_B; 209 int err; 210 211 err = bpf_sk_select_reuseport(ctx, &redir_map, &key, 0); 212 return err ? SK_DROP : SK_PASS; 213 } 214 215 /* Check that bpf_sk_assign() returns -EEXIST if socket already selected. */ 216 SEC("sk_lookup") 217 int sk_assign_eexist(struct bpf_sk_lookup *ctx) 218 { 219 struct bpf_sock *sk; 220 int err, ret; 221 222 ret = SK_DROP; 223 sk = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_B); 224 if (!sk) 225 goto out; 226 err = bpf_sk_assign(ctx, sk, 0); 227 if (err) 228 goto out; 229 bpf_sk_release(sk); 230 231 sk = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_A); 232 if (!sk) 233 goto out; 234 err = bpf_sk_assign(ctx, sk, 0); 235 if (err != -EEXIST) { 236 bpf_printk("sk_assign returned %d, expected %d\n", 237 err, -EEXIST); 238 goto out; 239 } 240 241 ret = SK_PASS; /* Success, redirect to KEY_SERVER_B */ 242 out: 243 if (sk) 244 bpf_sk_release(sk); 245 return ret; 246 } 247 248 /* Check that bpf_sk_assign(BPF_SK_LOOKUP_F_REPLACE) can override selection. */ 249 SEC("sk_lookup") 250 int sk_assign_replace_flag(struct bpf_sk_lookup *ctx) 251 { 252 struct bpf_sock *sk; 253 int err, ret; 254 255 ret = SK_DROP; 256 sk = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_A); 257 if (!sk) 258 goto out; 259 err = bpf_sk_assign(ctx, sk, 0); 260 if (err) 261 goto out; 262 bpf_sk_release(sk); 263 264 sk = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_B); 265 if (!sk) 266 goto out; 267 err = bpf_sk_assign(ctx, sk, BPF_SK_LOOKUP_F_REPLACE); 268 if (err) { 269 bpf_printk("sk_assign returned %d, expected 0\n", err); 270 goto out; 271 } 272 273 ret = SK_PASS; /* Success, redirect to KEY_SERVER_B */ 274 out: 275 if (sk) 276 bpf_sk_release(sk); 277 return ret; 278 } 279 280 /* Check that bpf_sk_assign(sk=NULL) is accepted. */ 281 SEC("sk_lookup") 282 int sk_assign_null(struct bpf_sk_lookup *ctx) 283 { 284 struct bpf_sock *sk = NULL; 285 int err, ret; 286 287 ret = SK_DROP; 288 289 err = bpf_sk_assign(ctx, NULL, 0); 290 if (err) { 291 bpf_printk("sk_assign returned %d, expected 0\n", err); 292 goto out; 293 } 294 295 sk = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_B); 296 if (!sk) 297 goto out; 298 err = bpf_sk_assign(ctx, sk, BPF_SK_LOOKUP_F_REPLACE); 299 if (err) { 300 bpf_printk("sk_assign returned %d, expected 0\n", err); 301 goto out; 302 } 303 304 if (ctx->sk != sk) 305 goto out; 306 err = bpf_sk_assign(ctx, NULL, 0); 307 if (err != -EEXIST) 308 goto out; 309 err = bpf_sk_assign(ctx, NULL, BPF_SK_LOOKUP_F_REPLACE); 310 if (err) 311 goto out; 312 err = bpf_sk_assign(ctx, sk, BPF_SK_LOOKUP_F_REPLACE); 313 if (err) 314 goto out; 315 316 ret = SK_PASS; /* Success, redirect to KEY_SERVER_B */ 317 out: 318 if (sk) 319 bpf_sk_release(sk); 320 return ret; 321 } 322 323 /* Check that selected sk is accessible through context. */ 324 SEC("sk_lookup") 325 int access_ctx_sk(struct bpf_sk_lookup *ctx) 326 { 327 struct bpf_sock *sk1 = NULL, *sk2 = NULL; 328 int err, ret; 329 330 ret = SK_DROP; 331 332 /* Try accessing unassigned (NULL) ctx->sk field */ 333 if (ctx->sk && ctx->sk->family != AF_INET) 334 goto out; 335 336 /* Assign a value to ctx->sk */ 337 sk1 = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_A); 338 if (!sk1) 339 goto out; 340 err = bpf_sk_assign(ctx, sk1, 0); 341 if (err) 342 goto out; 343 if (ctx->sk != sk1) 344 goto out; 345 346 /* Access ctx->sk fields */ 347 if (ctx->sk->family != AF_INET || 348 ctx->sk->type != SOCK_STREAM || 349 ctx->sk->state != BPF_TCP_LISTEN) 350 goto out; 351 352 /* Reset selection */ 353 err = bpf_sk_assign(ctx, NULL, BPF_SK_LOOKUP_F_REPLACE); 354 if (err) 355 goto out; 356 if (ctx->sk) 357 goto out; 358 359 /* Assign another socket */ 360 sk2 = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_B); 361 if (!sk2) 362 goto out; 363 err = bpf_sk_assign(ctx, sk2, BPF_SK_LOOKUP_F_REPLACE); 364 if (err) 365 goto out; 366 if (ctx->sk != sk2) 367 goto out; 368 369 /* Access reassigned ctx->sk fields */ 370 if (ctx->sk->family != AF_INET || 371 ctx->sk->type != SOCK_STREAM || 372 ctx->sk->state != BPF_TCP_LISTEN) 373 goto out; 374 375 ret = SK_PASS; /* Success, redirect to KEY_SERVER_B */ 376 out: 377 if (sk1) 378 bpf_sk_release(sk1); 379 if (sk2) 380 bpf_sk_release(sk2); 381 return ret; 382 } 383 384 /* Check narrow loads from ctx fields that support them. 385 * 386 * Narrow loads of size >= target field size from a non-zero offset 387 * are not covered because they give bogus results, that is the 388 * verifier ignores the offset. 389 */ 390 SEC("sk_lookup") 391 int ctx_narrow_access(struct bpf_sk_lookup *ctx) 392 { 393 struct bpf_sock *sk; 394 int err, family; 395 bool v4; 396 397 v4 = (ctx->family == AF_INET); 398 399 /* Narrow loads from family field */ 400 if (LSB(ctx->family, 0) != (v4 ? AF_INET : AF_INET6) || 401 LSB(ctx->family, 1) != 0 || LSB(ctx->family, 2) != 0 || LSB(ctx->family, 3) != 0) 402 return SK_DROP; 403 if (LSW(ctx->family, 0) != (v4 ? AF_INET : AF_INET6)) 404 return SK_DROP; 405 406 /* Narrow loads from protocol field */ 407 if (LSB(ctx->protocol, 0) != IPPROTO_TCP || 408 LSB(ctx->protocol, 1) != 0 || LSB(ctx->protocol, 2) != 0 || LSB(ctx->protocol, 3) != 0) 409 return SK_DROP; 410 if (LSW(ctx->protocol, 0) != IPPROTO_TCP) 411 return SK_DROP; 412 413 /* Narrow loads from remote_port field. Expect SRC_PORT. */ 414 if (LSB(ctx->remote_port, 0) != ((SRC_PORT >> 0) & 0xff) || 415 LSB(ctx->remote_port, 1) != ((SRC_PORT >> 8) & 0xff) || 416 LSB(ctx->remote_port, 2) != 0 || LSB(ctx->remote_port, 3) != 0) 417 return SK_DROP; 418 if (LSW(ctx->remote_port, 0) != SRC_PORT) 419 return SK_DROP; 420 421 /* Narrow loads from local_port field. Expect DST_PORT. */ 422 if (LSB(ctx->local_port, 0) != ((DST_PORT >> 0) & 0xff) || 423 LSB(ctx->local_port, 1) != ((DST_PORT >> 8) & 0xff) || 424 LSB(ctx->local_port, 2) != 0 || LSB(ctx->local_port, 3) != 0) 425 return SK_DROP; 426 if (LSW(ctx->local_port, 0) != DST_PORT) 427 return SK_DROP; 428 429 /* Narrow loads from IPv4 fields */ 430 if (v4) { 431 /* Expect SRC_IP4 in remote_ip4 */ 432 if (LSB(ctx->remote_ip4, 0) != ((SRC_IP4 >> 0) & 0xff) || 433 LSB(ctx->remote_ip4, 1) != ((SRC_IP4 >> 8) & 0xff) || 434 LSB(ctx->remote_ip4, 2) != ((SRC_IP4 >> 16) & 0xff) || 435 LSB(ctx->remote_ip4, 3) != ((SRC_IP4 >> 24) & 0xff)) 436 return SK_DROP; 437 if (LSW(ctx->remote_ip4, 0) != ((SRC_IP4 >> 0) & 0xffff) || 438 LSW(ctx->remote_ip4, 1) != ((SRC_IP4 >> 16) & 0xffff)) 439 return SK_DROP; 440 441 /* Expect DST_IP4 in local_ip4 */ 442 if (LSB(ctx->local_ip4, 0) != ((DST_IP4 >> 0) & 0xff) || 443 LSB(ctx->local_ip4, 1) != ((DST_IP4 >> 8) & 0xff) || 444 LSB(ctx->local_ip4, 2) != ((DST_IP4 >> 16) & 0xff) || 445 LSB(ctx->local_ip4, 3) != ((DST_IP4 >> 24) & 0xff)) 446 return SK_DROP; 447 if (LSW(ctx->local_ip4, 0) != ((DST_IP4 >> 0) & 0xffff) || 448 LSW(ctx->local_ip4, 1) != ((DST_IP4 >> 16) & 0xffff)) 449 return SK_DROP; 450 } else { 451 /* Expect 0.0.0.0 IPs when family != AF_INET */ 452 if (LSB(ctx->remote_ip4, 0) != 0 || LSB(ctx->remote_ip4, 1) != 0 || 453 LSB(ctx->remote_ip4, 2) != 0 || LSB(ctx->remote_ip4, 3) != 0) 454 return SK_DROP; 455 if (LSW(ctx->remote_ip4, 0) != 0 || LSW(ctx->remote_ip4, 1) != 0) 456 return SK_DROP; 457 458 if (LSB(ctx->local_ip4, 0) != 0 || LSB(ctx->local_ip4, 1) != 0 || 459 LSB(ctx->local_ip4, 2) != 0 || LSB(ctx->local_ip4, 3) != 0) 460 return SK_DROP; 461 if (LSW(ctx->local_ip4, 0) != 0 || LSW(ctx->local_ip4, 1) != 0) 462 return SK_DROP; 463 } 464 465 /* Narrow loads from IPv6 fields */ 466 if (!v4) { 467 /* Expect SRC_IP6 in remote_ip6 */ 468 if (LSB(ctx->remote_ip6[0], 0) != ((SRC_IP6[0] >> 0) & 0xff) || 469 LSB(ctx->remote_ip6[0], 1) != ((SRC_IP6[0] >> 8) & 0xff) || 470 LSB(ctx->remote_ip6[0], 2) != ((SRC_IP6[0] >> 16) & 0xff) || 471 LSB(ctx->remote_ip6[0], 3) != ((SRC_IP6[0] >> 24) & 0xff) || 472 LSB(ctx->remote_ip6[1], 0) != ((SRC_IP6[1] >> 0) & 0xff) || 473 LSB(ctx->remote_ip6[1], 1) != ((SRC_IP6[1] >> 8) & 0xff) || 474 LSB(ctx->remote_ip6[1], 2) != ((SRC_IP6[1] >> 16) & 0xff) || 475 LSB(ctx->remote_ip6[1], 3) != ((SRC_IP6[1] >> 24) & 0xff) || 476 LSB(ctx->remote_ip6[2], 0) != ((SRC_IP6[2] >> 0) & 0xff) || 477 LSB(ctx->remote_ip6[2], 1) != ((SRC_IP6[2] >> 8) & 0xff) || 478 LSB(ctx->remote_ip6[2], 2) != ((SRC_IP6[2] >> 16) & 0xff) || 479 LSB(ctx->remote_ip6[2], 3) != ((SRC_IP6[2] >> 24) & 0xff) || 480 LSB(ctx->remote_ip6[3], 0) != ((SRC_IP6[3] >> 0) & 0xff) || 481 LSB(ctx->remote_ip6[3], 1) != ((SRC_IP6[3] >> 8) & 0xff) || 482 LSB(ctx->remote_ip6[3], 2) != ((SRC_IP6[3] >> 16) & 0xff) || 483 LSB(ctx->remote_ip6[3], 3) != ((SRC_IP6[3] >> 24) & 0xff)) 484 return SK_DROP; 485 if (LSW(ctx->remote_ip6[0], 0) != ((SRC_IP6[0] >> 0) & 0xffff) || 486 LSW(ctx->remote_ip6[0], 1) != ((SRC_IP6[0] >> 16) & 0xffff) || 487 LSW(ctx->remote_ip6[1], 0) != ((SRC_IP6[1] >> 0) & 0xffff) || 488 LSW(ctx->remote_ip6[1], 1) != ((SRC_IP6[1] >> 16) & 0xffff) || 489 LSW(ctx->remote_ip6[2], 0) != ((SRC_IP6[2] >> 0) & 0xffff) || 490 LSW(ctx->remote_ip6[2], 1) != ((SRC_IP6[2] >> 16) & 0xffff) || 491 LSW(ctx->remote_ip6[3], 0) != ((SRC_IP6[3] >> 0) & 0xffff) || 492 LSW(ctx->remote_ip6[3], 1) != ((SRC_IP6[3] >> 16) & 0xffff)) 493 return SK_DROP; 494 /* Expect DST_IP6 in local_ip6 */ 495 if (LSB(ctx->local_ip6[0], 0) != ((DST_IP6[0] >> 0) & 0xff) || 496 LSB(ctx->local_ip6[0], 1) != ((DST_IP6[0] >> 8) & 0xff) || 497 LSB(ctx->local_ip6[0], 2) != ((DST_IP6[0] >> 16) & 0xff) || 498 LSB(ctx->local_ip6[0], 3) != ((DST_IP6[0] >> 24) & 0xff) || 499 LSB(ctx->local_ip6[1], 0) != ((DST_IP6[1] >> 0) & 0xff) || 500 LSB(ctx->local_ip6[1], 1) != ((DST_IP6[1] >> 8) & 0xff) || 501 LSB(ctx->local_ip6[1], 2) != ((DST_IP6[1] >> 16) & 0xff) || 502 LSB(ctx->local_ip6[1], 3) != ((DST_IP6[1] >> 24) & 0xff) || 503 LSB(ctx->local_ip6[2], 0) != ((DST_IP6[2] >> 0) & 0xff) || 504 LSB(ctx->local_ip6[2], 1) != ((DST_IP6[2] >> 8) & 0xff) || 505 LSB(ctx->local_ip6[2], 2) != ((DST_IP6[2] >> 16) & 0xff) || 506 LSB(ctx->local_ip6[2], 3) != ((DST_IP6[2] >> 24) & 0xff) || 507 LSB(ctx->local_ip6[3], 0) != ((DST_IP6[3] >> 0) & 0xff) || 508 LSB(ctx->local_ip6[3], 1) != ((DST_IP6[3] >> 8) & 0xff) || 509 LSB(ctx->local_ip6[3], 2) != ((DST_IP6[3] >> 16) & 0xff) || 510 LSB(ctx->local_ip6[3], 3) != ((DST_IP6[3] >> 24) & 0xff)) 511 return SK_DROP; 512 if (LSW(ctx->local_ip6[0], 0) != ((DST_IP6[0] >> 0) & 0xffff) || 513 LSW(ctx->local_ip6[0], 1) != ((DST_IP6[0] >> 16) & 0xffff) || 514 LSW(ctx->local_ip6[1], 0) != ((DST_IP6[1] >> 0) & 0xffff) || 515 LSW(ctx->local_ip6[1], 1) != ((DST_IP6[1] >> 16) & 0xffff) || 516 LSW(ctx->local_ip6[2], 0) != ((DST_IP6[2] >> 0) & 0xffff) || 517 LSW(ctx->local_ip6[2], 1) != ((DST_IP6[2] >> 16) & 0xffff) || 518 LSW(ctx->local_ip6[3], 0) != ((DST_IP6[3] >> 0) & 0xffff) || 519 LSW(ctx->local_ip6[3], 1) != ((DST_IP6[3] >> 16) & 0xffff)) 520 return SK_DROP; 521 } else { 522 /* Expect :: IPs when family != AF_INET6 */ 523 if (LSB(ctx->remote_ip6[0], 0) != 0 || LSB(ctx->remote_ip6[0], 1) != 0 || 524 LSB(ctx->remote_ip6[0], 2) != 0 || LSB(ctx->remote_ip6[0], 3) != 0 || 525 LSB(ctx->remote_ip6[1], 0) != 0 || LSB(ctx->remote_ip6[1], 1) != 0 || 526 LSB(ctx->remote_ip6[1], 2) != 0 || LSB(ctx->remote_ip6[1], 3) != 0 || 527 LSB(ctx->remote_ip6[2], 0) != 0 || LSB(ctx->remote_ip6[2], 1) != 0 || 528 LSB(ctx->remote_ip6[2], 2) != 0 || LSB(ctx->remote_ip6[2], 3) != 0 || 529 LSB(ctx->remote_ip6[3], 0) != 0 || LSB(ctx->remote_ip6[3], 1) != 0 || 530 LSB(ctx->remote_ip6[3], 2) != 0 || LSB(ctx->remote_ip6[3], 3) != 0) 531 return SK_DROP; 532 if (LSW(ctx->remote_ip6[0], 0) != 0 || LSW(ctx->remote_ip6[0], 1) != 0 || 533 LSW(ctx->remote_ip6[1], 0) != 0 || LSW(ctx->remote_ip6[1], 1) != 0 || 534 LSW(ctx->remote_ip6[2], 0) != 0 || LSW(ctx->remote_ip6[2], 1) != 0 || 535 LSW(ctx->remote_ip6[3], 0) != 0 || LSW(ctx->remote_ip6[3], 1) != 0) 536 return SK_DROP; 537 538 if (LSB(ctx->local_ip6[0], 0) != 0 || LSB(ctx->local_ip6[0], 1) != 0 || 539 LSB(ctx->local_ip6[0], 2) != 0 || LSB(ctx->local_ip6[0], 3) != 0 || 540 LSB(ctx->local_ip6[1], 0) != 0 || LSB(ctx->local_ip6[1], 1) != 0 || 541 LSB(ctx->local_ip6[1], 2) != 0 || LSB(ctx->local_ip6[1], 3) != 0 || 542 LSB(ctx->local_ip6[2], 0) != 0 || LSB(ctx->local_ip6[2], 1) != 0 || 543 LSB(ctx->local_ip6[2], 2) != 0 || LSB(ctx->local_ip6[2], 3) != 0 || 544 LSB(ctx->local_ip6[3], 0) != 0 || LSB(ctx->local_ip6[3], 1) != 0 || 545 LSB(ctx->local_ip6[3], 2) != 0 || LSB(ctx->local_ip6[3], 3) != 0) 546 return SK_DROP; 547 if (LSW(ctx->remote_ip6[0], 0) != 0 || LSW(ctx->remote_ip6[0], 1) != 0 || 548 LSW(ctx->remote_ip6[1], 0) != 0 || LSW(ctx->remote_ip6[1], 1) != 0 || 549 LSW(ctx->remote_ip6[2], 0) != 0 || LSW(ctx->remote_ip6[2], 1) != 0 || 550 LSW(ctx->remote_ip6[3], 0) != 0 || LSW(ctx->remote_ip6[3], 1) != 0) 551 return SK_DROP; 552 } 553 554 /* Success, redirect to KEY_SERVER_B */ 555 sk = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_B); 556 if (sk) { 557 bpf_sk_assign(ctx, sk, 0); 558 bpf_sk_release(sk); 559 } 560 return SK_PASS; 561 } 562 563 /* Check that sk_assign rejects SERVER_A socket with -ESOCKNOSUPPORT */ 564 SEC("sk_lookup") 565 int sk_assign_esocknosupport(struct bpf_sk_lookup *ctx) 566 { 567 struct bpf_sock *sk; 568 int err, ret; 569 570 ret = SK_DROP; 571 sk = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_A); 572 if (!sk) 573 goto out; 574 575 err = bpf_sk_assign(ctx, sk, 0); 576 if (err != -ESOCKTNOSUPPORT) { 577 bpf_printk("sk_assign returned %d, expected %d\n", 578 err, -ESOCKTNOSUPPORT); 579 goto out; 580 } 581 582 ret = SK_PASS; /* Success, pass to regular lookup */ 583 out: 584 if (sk) 585 bpf_sk_release(sk); 586 return ret; 587 } 588 589 SEC("sk_lookup") 590 int multi_prog_pass1(struct bpf_sk_lookup *ctx) 591 { 592 bpf_map_update_elem(&run_map, &KEY_PROG1, &PROG_DONE, BPF_ANY); 593 return SK_PASS; 594 } 595 596 SEC("sk_lookup") 597 int multi_prog_pass2(struct bpf_sk_lookup *ctx) 598 { 599 bpf_map_update_elem(&run_map, &KEY_PROG2, &PROG_DONE, BPF_ANY); 600 return SK_PASS; 601 } 602 603 SEC("sk_lookup") 604 int multi_prog_drop1(struct bpf_sk_lookup *ctx) 605 { 606 bpf_map_update_elem(&run_map, &KEY_PROG1, &PROG_DONE, BPF_ANY); 607 return SK_DROP; 608 } 609 610 SEC("sk_lookup") 611 int multi_prog_drop2(struct bpf_sk_lookup *ctx) 612 { 613 bpf_map_update_elem(&run_map, &KEY_PROG2, &PROG_DONE, BPF_ANY); 614 return SK_DROP; 615 } 616 617 static __always_inline int select_server_a(struct bpf_sk_lookup *ctx) 618 { 619 struct bpf_sock *sk; 620 int err; 621 622 sk = bpf_map_lookup_elem(&redir_map, &KEY_SERVER_A); 623 if (!sk) 624 return SK_DROP; 625 626 err = bpf_sk_assign(ctx, sk, 0); 627 bpf_sk_release(sk); 628 if (err) 629 return SK_DROP; 630 631 return SK_PASS; 632 } 633 634 SEC("sk_lookup") 635 int multi_prog_redir1(struct bpf_sk_lookup *ctx) 636 { 637 int ret; 638 639 ret = select_server_a(ctx); 640 bpf_map_update_elem(&run_map, &KEY_PROG1, &PROG_DONE, BPF_ANY); 641 return SK_PASS; 642 } 643 644 SEC("sk_lookup") 645 int multi_prog_redir2(struct bpf_sk_lookup *ctx) 646 { 647 int ret; 648 649 ret = select_server_a(ctx); 650 bpf_map_update_elem(&run_map, &KEY_PROG2, &PROG_DONE, BPF_ANY); 651 return SK_PASS; 652 } 653 654 char _license[] SEC("license") = "Dual BSD/GPL"; 655