622adafb2a
Add selftest for BPF_CGROUP_INET4_CONNECT and BPF_CGROUP_INET6_CONNECT
attach types.
Try to connect(2) to specified IP:port and test that:
* remote IP:port pair is overridden;
* local end of connection is bound to specified IP.
All combinations of IPv4/IPv6 and TCP/UDP are tested.
Example:
# tcpdump -pn -i lo -w connect.pcap 2>/dev/null &
[1] 478
# strace -qqf -e connect -o connect.trace ./test_sock_addr.sh
Wait for testing IPv4/IPv6 to become available ... OK
Load bind4 with invalid type (can pollute stderr) ... REJECTED
Load bind4 with valid type ... OK
Attach bind4 with invalid type ... REJECTED
Attach bind4 with valid type ... OK
Load connect4 with invalid type (can pollute stderr) libbpf: load bpf \
program failed: Permission denied
libbpf: -- BEGIN DUMP LOG ---
libbpf:
0: (b7) r2 = 23569
1: (63) *(u32 *)(r1 +24) = r2
2: (b7) r2 = 16777343
3: (63) *(u32 *)(r1 +4) = r2
invalid bpf_context access off=4 size=4
[ 1518.404609] random: crng init done
libbpf: -- END LOG --
libbpf: failed to load program 'cgroup/connect4'
libbpf: failed to load object './connect4_prog.o'
... REJECTED
Load connect4 with valid type ... OK
Attach connect4 with invalid type ... REJECTED
Attach connect4 with valid type ... OK
Test case #1 (IPv4/TCP):
Requested: bind(192.168.1.254, 4040) ..
Actual: bind(127.0.0.1, 4444)
Requested: connect(192.168.1.254, 4040) from (*, *) ..
Actual: connect(127.0.0.1, 4444) from (127.0.0.4, 56068)
Test case #2 (IPv4/UDP):
Requested: bind(192.168.1.254, 4040) ..
Actual: bind(127.0.0.1, 4444)
Requested: connect(192.168.1.254, 4040) from (*, *) ..
Actual: connect(127.0.0.1, 4444) from (127.0.0.4, 56447)
Load bind6 with invalid type (can pollute stderr) ... REJECTED
Load bind6 with valid type ... OK
Attach bind6 with invalid type ... REJECTED
Attach bind6 with valid type ... OK
Load connect6 with invalid type (can pollute stderr) libbpf: load bpf \
program failed: Permission denied
libbpf: -- BEGIN DUMP LOG ---
libbpf:
0: (b7) r6 = 0
1: (63) *(u32 *)(r1 +12) = r6
invalid bpf_context access off=12 size=4
libbpf: -- END LOG --
libbpf: failed to load program 'cgroup/connect6'
libbpf: failed to load object './connect6_prog.o'
... REJECTED
Load connect6 with valid type ... OK
Attach connect6 with invalid type ... REJECTED
Attach connect6 with valid type ... OK
Test case #3 (IPv6/TCP):
Requested: bind(face:b00c:1234:5678::abcd, 6060) ..
Actual: bind(::1, 6666)
Requested: connect(face:b00c:1234:5678::abcd, 6060) from (*, *)
Actual: connect(::1, 6666) from (::6, 37458)
Test case #4 (IPv6/UDP):
Requested: bind(face:b00c:1234:5678::abcd, 6060) ..
Actual: bind(::1, 6666)
Requested: connect(face:b00c:1234:5678::abcd, 6060) from (*, *)
Actual: connect(::1, 6666) from (::6, 39315)
### SUCCESS
# egrep 'connect\(.*AF_INET' connect.trace | \
> egrep -vw 'htons\(1025\)' | fold -b -s -w 72
502 connect(7, {sa_family=AF_INET, sin_port=htons(4040),
sin_addr=inet_addr("192.168.1.254")}, 128) = 0
502 connect(8, {sa_family=AF_INET, sin_port=htons(4040),
sin_addr=inet_addr("192.168.1.254")}, 128) = 0
502 connect(9, {sa_family=AF_INET6, sin6_port=htons(6060),
inet_pton(AF_INET6, "face:b00c:1234:5678::abcd", &sin6_addr),
sin6_flowinfo=0, sin6_scope_id=0}, 128) = 0
502 connect(10, {sa_family=AF_INET6, sin6_port=htons(6060),
inet_pton(AF_INET6, "face:b00c:1234:5678::abcd", &sin6_addr),
sin6_flowinfo=0, sin6_scope_id=0}, 128) = 0
# fg
tcpdump -pn -i lo -w connect.pcap 2> /dev/null
# tcpdump -r connect.pcap -n tcp | cut -c 1-72
reading from file connect.pcap, link-type EN10MB (Ethernet)
17:57:40.383533 IP 127.0.0.4.56068 > 127.0.0.1.4444: Flags [S], seq 1333
17:57:40.383566 IP 127.0.0.1.4444 > 127.0.0.4.56068: Flags [S.], seq 112
17:57:40.383589 IP 127.0.0.4.56068 > 127.0.0.1.4444: Flags [.], ack 1, w
17:57:40.384578 IP 127.0.0.1.4444 > 127.0.0.4.56068: Flags [R.], seq 1,
17:57:40.403327 IP6 ::6.37458 > ::1.6666: Flags [S], seq 406513443, win
17:57:40.403357 IP6 ::1.6666 > ::6.37458: Flags [S.], seq 2448389240, ac
17:57:40.403376 IP6 ::6.37458 > ::1.6666: Flags [.], ack 1, win 342, opt
17:57:40.404263 IP6 ::1.6666 > ::6.37458: Flags [R.], seq 1, ack 1, win
Signed-off-by: Andrey Ignatov <rdna@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
277 lines
10 KiB
C
277 lines
10 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef __BPF_HELPERS_H
|
|
#define __BPF_HELPERS_H
|
|
|
|
/* helper macro to place programs, maps, license in
|
|
* different sections in elf_bpf file. Section names
|
|
* are interpreted by elf_bpf loader
|
|
*/
|
|
#define SEC(NAME) __attribute__((section(NAME), used))
|
|
|
|
/* helper functions called from eBPF programs written in C */
|
|
static void *(*bpf_map_lookup_elem)(void *map, void *key) =
|
|
(void *) BPF_FUNC_map_lookup_elem;
|
|
static int (*bpf_map_update_elem)(void *map, void *key, void *value,
|
|
unsigned long long flags) =
|
|
(void *) BPF_FUNC_map_update_elem;
|
|
static int (*bpf_map_delete_elem)(void *map, void *key) =
|
|
(void *) BPF_FUNC_map_delete_elem;
|
|
static int (*bpf_probe_read)(void *dst, int size, void *unsafe_ptr) =
|
|
(void *) BPF_FUNC_probe_read;
|
|
static unsigned long long (*bpf_ktime_get_ns)(void) =
|
|
(void *) BPF_FUNC_ktime_get_ns;
|
|
static int (*bpf_trace_printk)(const char *fmt, int fmt_size, ...) =
|
|
(void *) BPF_FUNC_trace_printk;
|
|
static void (*bpf_tail_call)(void *ctx, void *map, int index) =
|
|
(void *) BPF_FUNC_tail_call;
|
|
static unsigned long long (*bpf_get_smp_processor_id)(void) =
|
|
(void *) BPF_FUNC_get_smp_processor_id;
|
|
static unsigned long long (*bpf_get_current_pid_tgid)(void) =
|
|
(void *) BPF_FUNC_get_current_pid_tgid;
|
|
static unsigned long long (*bpf_get_current_uid_gid)(void) =
|
|
(void *) BPF_FUNC_get_current_uid_gid;
|
|
static int (*bpf_get_current_comm)(void *buf, int buf_size) =
|
|
(void *) BPF_FUNC_get_current_comm;
|
|
static unsigned long long (*bpf_perf_event_read)(void *map,
|
|
unsigned long long flags) =
|
|
(void *) BPF_FUNC_perf_event_read;
|
|
static int (*bpf_clone_redirect)(void *ctx, int ifindex, int flags) =
|
|
(void *) BPF_FUNC_clone_redirect;
|
|
static int (*bpf_redirect)(int ifindex, int flags) =
|
|
(void *) BPF_FUNC_redirect;
|
|
static int (*bpf_redirect_map)(void *map, int key, int flags) =
|
|
(void *) BPF_FUNC_redirect_map;
|
|
static int (*bpf_perf_event_output)(void *ctx, void *map,
|
|
unsigned long long flags, void *data,
|
|
int size) =
|
|
(void *) BPF_FUNC_perf_event_output;
|
|
static int (*bpf_get_stackid)(void *ctx, void *map, int flags) =
|
|
(void *) BPF_FUNC_get_stackid;
|
|
static int (*bpf_probe_write_user)(void *dst, void *src, int size) =
|
|
(void *) BPF_FUNC_probe_write_user;
|
|
static int (*bpf_current_task_under_cgroup)(void *map, int index) =
|
|
(void *) BPF_FUNC_current_task_under_cgroup;
|
|
static int (*bpf_skb_get_tunnel_key)(void *ctx, void *key, int size, int flags) =
|
|
(void *) BPF_FUNC_skb_get_tunnel_key;
|
|
static int (*bpf_skb_set_tunnel_key)(void *ctx, void *key, int size, int flags) =
|
|
(void *) BPF_FUNC_skb_set_tunnel_key;
|
|
static int (*bpf_skb_get_tunnel_opt)(void *ctx, void *md, int size) =
|
|
(void *) BPF_FUNC_skb_get_tunnel_opt;
|
|
static int (*bpf_skb_set_tunnel_opt)(void *ctx, void *md, int size) =
|
|
(void *) BPF_FUNC_skb_set_tunnel_opt;
|
|
static unsigned long long (*bpf_get_prandom_u32)(void) =
|
|
(void *) BPF_FUNC_get_prandom_u32;
|
|
static int (*bpf_xdp_adjust_head)(void *ctx, int offset) =
|
|
(void *) BPF_FUNC_xdp_adjust_head;
|
|
static int (*bpf_xdp_adjust_meta)(void *ctx, int offset) =
|
|
(void *) BPF_FUNC_xdp_adjust_meta;
|
|
static int (*bpf_setsockopt)(void *ctx, int level, int optname, void *optval,
|
|
int optlen) =
|
|
(void *) BPF_FUNC_setsockopt;
|
|
static int (*bpf_getsockopt)(void *ctx, int level, int optname, void *optval,
|
|
int optlen) =
|
|
(void *) BPF_FUNC_getsockopt;
|
|
static int (*bpf_sock_ops_cb_flags_set)(void *ctx, int flags) =
|
|
(void *) BPF_FUNC_sock_ops_cb_flags_set;
|
|
static int (*bpf_sk_redirect_map)(void *ctx, void *map, int key, int flags) =
|
|
(void *) BPF_FUNC_sk_redirect_map;
|
|
static int (*bpf_sock_map_update)(void *map, void *key, void *value,
|
|
unsigned long long flags) =
|
|
(void *) BPF_FUNC_sock_map_update;
|
|
static int (*bpf_perf_event_read_value)(void *map, unsigned long long flags,
|
|
void *buf, unsigned int buf_size) =
|
|
(void *) BPF_FUNC_perf_event_read_value;
|
|
static int (*bpf_perf_prog_read_value)(void *ctx, void *buf,
|
|
unsigned int buf_size) =
|
|
(void *) BPF_FUNC_perf_prog_read_value;
|
|
static int (*bpf_override_return)(void *ctx, unsigned long rc) =
|
|
(void *) BPF_FUNC_override_return;
|
|
static int (*bpf_msg_redirect_map)(void *ctx, void *map, int key, int flags) =
|
|
(void *) BPF_FUNC_msg_redirect_map;
|
|
static int (*bpf_msg_apply_bytes)(void *ctx, int len) =
|
|
(void *) BPF_FUNC_msg_apply_bytes;
|
|
static int (*bpf_msg_cork_bytes)(void *ctx, int len) =
|
|
(void *) BPF_FUNC_msg_cork_bytes;
|
|
static int (*bpf_msg_pull_data)(void *ctx, int start, int end, int flags) =
|
|
(void *) BPF_FUNC_msg_pull_data;
|
|
static int (*bpf_bind)(void *ctx, void *addr, int addr_len) =
|
|
(void *) BPF_FUNC_bind;
|
|
|
|
/* llvm builtin functions that eBPF C program may use to
|
|
* emit BPF_LD_ABS and BPF_LD_IND instructions
|
|
*/
|
|
struct sk_buff;
|
|
unsigned long long load_byte(void *skb,
|
|
unsigned long long off) asm("llvm.bpf.load.byte");
|
|
unsigned long long load_half(void *skb,
|
|
unsigned long long off) asm("llvm.bpf.load.half");
|
|
unsigned long long load_word(void *skb,
|
|
unsigned long long off) asm("llvm.bpf.load.word");
|
|
|
|
/* a helper structure used by eBPF C program
|
|
* to describe map attributes to elf_bpf loader
|
|
*/
|
|
struct bpf_map_def {
|
|
unsigned int type;
|
|
unsigned int key_size;
|
|
unsigned int value_size;
|
|
unsigned int max_entries;
|
|
unsigned int map_flags;
|
|
unsigned int inner_map_idx;
|
|
unsigned int numa_node;
|
|
};
|
|
|
|
static int (*bpf_skb_load_bytes)(void *ctx, int off, void *to, int len) =
|
|
(void *) BPF_FUNC_skb_load_bytes;
|
|
static int (*bpf_skb_store_bytes)(void *ctx, int off, void *from, int len, int flags) =
|
|
(void *) BPF_FUNC_skb_store_bytes;
|
|
static int (*bpf_l3_csum_replace)(void *ctx, int off, int from, int to, int flags) =
|
|
(void *) BPF_FUNC_l3_csum_replace;
|
|
static int (*bpf_l4_csum_replace)(void *ctx, int off, int from, int to, int flags) =
|
|
(void *) BPF_FUNC_l4_csum_replace;
|
|
static int (*bpf_skb_under_cgroup)(void *ctx, void *map, int index) =
|
|
(void *) BPF_FUNC_skb_under_cgroup;
|
|
static int (*bpf_skb_change_head)(void *, int len, int flags) =
|
|
(void *) BPF_FUNC_skb_change_head;
|
|
static int (*bpf_skb_pull_data)(void *, int len) =
|
|
(void *) BPF_FUNC_skb_pull_data;
|
|
|
|
/* Scan the ARCH passed in from ARCH env variable (see Makefile) */
|
|
#if defined(__TARGET_ARCH_x86)
|
|
#define bpf_target_x86
|
|
#define bpf_target_defined
|
|
#elif defined(__TARGET_ARCH_s930x)
|
|
#define bpf_target_s930x
|
|
#define bpf_target_defined
|
|
#elif defined(__TARGET_ARCH_arm64)
|
|
#define bpf_target_arm64
|
|
#define bpf_target_defined
|
|
#elif defined(__TARGET_ARCH_mips)
|
|
#define bpf_target_mips
|
|
#define bpf_target_defined
|
|
#elif defined(__TARGET_ARCH_powerpc)
|
|
#define bpf_target_powerpc
|
|
#define bpf_target_defined
|
|
#elif defined(__TARGET_ARCH_sparc)
|
|
#define bpf_target_sparc
|
|
#define bpf_target_defined
|
|
#else
|
|
#undef bpf_target_defined
|
|
#endif
|
|
|
|
/* Fall back to what the compiler says */
|
|
#ifndef bpf_target_defined
|
|
#if defined(__x86_64__)
|
|
#define bpf_target_x86
|
|
#elif defined(__s390x__)
|
|
#define bpf_target_s930x
|
|
#elif defined(__aarch64__)
|
|
#define bpf_target_arm64
|
|
#elif defined(__mips__)
|
|
#define bpf_target_mips
|
|
#elif defined(__powerpc__)
|
|
#define bpf_target_powerpc
|
|
#elif defined(__sparc__)
|
|
#define bpf_target_sparc
|
|
#endif
|
|
#endif
|
|
|
|
#if defined(bpf_target_x86)
|
|
|
|
#define PT_REGS_PARM1(x) ((x)->di)
|
|
#define PT_REGS_PARM2(x) ((x)->si)
|
|
#define PT_REGS_PARM3(x) ((x)->dx)
|
|
#define PT_REGS_PARM4(x) ((x)->cx)
|
|
#define PT_REGS_PARM5(x) ((x)->r8)
|
|
#define PT_REGS_RET(x) ((x)->sp)
|
|
#define PT_REGS_FP(x) ((x)->bp)
|
|
#define PT_REGS_RC(x) ((x)->ax)
|
|
#define PT_REGS_SP(x) ((x)->sp)
|
|
#define PT_REGS_IP(x) ((x)->ip)
|
|
|
|
#elif defined(bpf_target_s390x)
|
|
|
|
#define PT_REGS_PARM1(x) ((x)->gprs[2])
|
|
#define PT_REGS_PARM2(x) ((x)->gprs[3])
|
|
#define PT_REGS_PARM3(x) ((x)->gprs[4])
|
|
#define PT_REGS_PARM4(x) ((x)->gprs[5])
|
|
#define PT_REGS_PARM5(x) ((x)->gprs[6])
|
|
#define PT_REGS_RET(x) ((x)->gprs[14])
|
|
#define PT_REGS_FP(x) ((x)->gprs[11]) /* Works only with CONFIG_FRAME_POINTER */
|
|
#define PT_REGS_RC(x) ((x)->gprs[2])
|
|
#define PT_REGS_SP(x) ((x)->gprs[15])
|
|
#define PT_REGS_IP(x) ((x)->psw.addr)
|
|
|
|
#elif defined(bpf_target_arm64)
|
|
|
|
#define PT_REGS_PARM1(x) ((x)->regs[0])
|
|
#define PT_REGS_PARM2(x) ((x)->regs[1])
|
|
#define PT_REGS_PARM3(x) ((x)->regs[2])
|
|
#define PT_REGS_PARM4(x) ((x)->regs[3])
|
|
#define PT_REGS_PARM5(x) ((x)->regs[4])
|
|
#define PT_REGS_RET(x) ((x)->regs[30])
|
|
#define PT_REGS_FP(x) ((x)->regs[29]) /* Works only with CONFIG_FRAME_POINTER */
|
|
#define PT_REGS_RC(x) ((x)->regs[0])
|
|
#define PT_REGS_SP(x) ((x)->sp)
|
|
#define PT_REGS_IP(x) ((x)->pc)
|
|
|
|
#elif defined(bpf_target_mips)
|
|
|
|
#define PT_REGS_PARM1(x) ((x)->regs[4])
|
|
#define PT_REGS_PARM2(x) ((x)->regs[5])
|
|
#define PT_REGS_PARM3(x) ((x)->regs[6])
|
|
#define PT_REGS_PARM4(x) ((x)->regs[7])
|
|
#define PT_REGS_PARM5(x) ((x)->regs[8])
|
|
#define PT_REGS_RET(x) ((x)->regs[31])
|
|
#define PT_REGS_FP(x) ((x)->regs[30]) /* Works only with CONFIG_FRAME_POINTER */
|
|
#define PT_REGS_RC(x) ((x)->regs[1])
|
|
#define PT_REGS_SP(x) ((x)->regs[29])
|
|
#define PT_REGS_IP(x) ((x)->cp0_epc)
|
|
|
|
#elif defined(bpf_target_powerpc)
|
|
|
|
#define PT_REGS_PARM1(x) ((x)->gpr[3])
|
|
#define PT_REGS_PARM2(x) ((x)->gpr[4])
|
|
#define PT_REGS_PARM3(x) ((x)->gpr[5])
|
|
#define PT_REGS_PARM4(x) ((x)->gpr[6])
|
|
#define PT_REGS_PARM5(x) ((x)->gpr[7])
|
|
#define PT_REGS_RC(x) ((x)->gpr[3])
|
|
#define PT_REGS_SP(x) ((x)->sp)
|
|
#define PT_REGS_IP(x) ((x)->nip)
|
|
|
|
#elif defined(bpf_target_sparc)
|
|
|
|
#define PT_REGS_PARM1(x) ((x)->u_regs[UREG_I0])
|
|
#define PT_REGS_PARM2(x) ((x)->u_regs[UREG_I1])
|
|
#define PT_REGS_PARM3(x) ((x)->u_regs[UREG_I2])
|
|
#define PT_REGS_PARM4(x) ((x)->u_regs[UREG_I3])
|
|
#define PT_REGS_PARM5(x) ((x)->u_regs[UREG_I4])
|
|
#define PT_REGS_RET(x) ((x)->u_regs[UREG_I7])
|
|
#define PT_REGS_RC(x) ((x)->u_regs[UREG_I0])
|
|
#define PT_REGS_SP(x) ((x)->u_regs[UREG_FP])
|
|
|
|
/* Should this also be a bpf_target check for the sparc case? */
|
|
#if defined(__arch64__)
|
|
#define PT_REGS_IP(x) ((x)->tpc)
|
|
#else
|
|
#define PT_REGS_IP(x) ((x)->pc)
|
|
#endif
|
|
|
|
#endif
|
|
|
|
#ifdef bpf_target_powerpc
|
|
#define BPF_KPROBE_READ_RET_IP(ip, ctx) ({ (ip) = (ctx)->link; })
|
|
#define BPF_KRETPROBE_READ_RET_IP BPF_KPROBE_READ_RET_IP
|
|
#elif bpf_target_sparc
|
|
#define BPF_KPROBE_READ_RET_IP(ip, ctx) ({ (ip) = PT_REGS_RET(ctx); })
|
|
#define BPF_KRETPROBE_READ_RET_IP BPF_KPROBE_READ_RET_IP
|
|
#else
|
|
#define BPF_KPROBE_READ_RET_IP(ip, ctx) ({ \
|
|
bpf_probe_read(&(ip), sizeof(ip), (void *)PT_REGS_RET(ctx)); })
|
|
#define BPF_KRETPROBE_READ_RET_IP(ip, ctx) ({ \
|
|
bpf_probe_read(&(ip), sizeof(ip), \
|
|
(void *)(PT_REGS_FP(ctx) + sizeof(ip))); })
|
|
#endif
|
|
|
|
#endif
|