Loading...
1// SPDX-License-Identifier: GPL-2.0
2/* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
3#include <linux/bpf.h>
4#include <bpf/bpf_endian.h>
5#include <bpf/bpf_helpers.h>
6
7#include <linux/if_ether.h>
8#include <linux/in.h>
9#include <linux/in6.h>
10#include <linux/ipv6.h>
11#include <linux/tcp.h>
12
13#include <sys/types.h>
14#include <sys/socket.h>
15
16#include "cgroup_tcp_skb.h"
17
18char _license[] SEC("license") = "GPL";
19
20__u16 g_sock_port = 0;
21__u32 g_sock_state = 0;
22int g_unexpected = 0;
23__u32 g_packet_count = 0;
24
25int needed_tcp_pkt(struct __sk_buff *skb, struct tcphdr *tcph)
26{
27 struct ipv6hdr ip6h;
28
29 if (skb->protocol != bpf_htons(ETH_P_IPV6))
30 return 0;
31 if (bpf_skb_load_bytes(skb, 0, &ip6h, sizeof(ip6h)))
32 return 0;
33
34 if (ip6h.nexthdr != IPPROTO_TCP)
35 return 0;
36
37 if (bpf_skb_load_bytes(skb, sizeof(ip6h), tcph, sizeof(*tcph)))
38 return 0;
39
40 if (tcph->source != bpf_htons(g_sock_port) &&
41 tcph->dest != bpf_htons(g_sock_port))
42 return 0;
43
44 return 1;
45}
46
47/* Run accept() on a socket in the cgroup to receive a new connection. */
48static int egress_accept(struct tcphdr *tcph)
49{
50 if (g_sock_state == SYN_RECV_SENDING_SYN_ACK) {
51 if (tcph->fin || !tcph->syn || !tcph->ack)
52 g_unexpected++;
53 else
54 g_sock_state = SYN_RECV;
55 return 1;
56 }
57
58 return 0;
59}
60
61static int ingress_accept(struct tcphdr *tcph)
62{
63 switch (g_sock_state) {
64 case INIT:
65 if (!tcph->syn || tcph->fin || tcph->ack)
66 g_unexpected++;
67 else
68 g_sock_state = SYN_RECV_SENDING_SYN_ACK;
69 break;
70 case SYN_RECV:
71 if (tcph->fin || tcph->syn || !tcph->ack)
72 g_unexpected++;
73 else
74 g_sock_state = ESTABLISHED;
75 break;
76 default:
77 return 0;
78 }
79
80 return 1;
81}
82
83/* Run connect() on a socket in the cgroup to start a new connection. */
84static int egress_connect(struct tcphdr *tcph)
85{
86 if (g_sock_state == INIT) {
87 if (!tcph->syn || tcph->fin || tcph->ack)
88 g_unexpected++;
89 else
90 g_sock_state = SYN_SENT;
91 return 1;
92 }
93
94 return 0;
95}
96
97static int ingress_connect(struct tcphdr *tcph)
98{
99 if (g_sock_state == SYN_SENT) {
100 if (tcph->fin || !tcph->syn || !tcph->ack)
101 g_unexpected++;
102 else
103 g_sock_state = ESTABLISHED;
104 return 1;
105 }
106
107 return 0;
108}
109
110/* The connection is closed by the peer outside the cgroup. */
111static int egress_close_remote(struct tcphdr *tcph)
112{
113 switch (g_sock_state) {
114 case ESTABLISHED:
115 break;
116 case CLOSE_WAIT_SENDING_ACK:
117 if (tcph->fin || tcph->syn || !tcph->ack)
118 g_unexpected++;
119 else
120 g_sock_state = CLOSE_WAIT;
121 break;
122 case CLOSE_WAIT:
123 if (!tcph->fin)
124 g_unexpected++;
125 else
126 g_sock_state = LAST_ACK;
127 break;
128 default:
129 return 0;
130 }
131
132 return 1;
133}
134
135static int ingress_close_remote(struct tcphdr *tcph)
136{
137 switch (g_sock_state) {
138 case ESTABLISHED:
139 if (tcph->fin)
140 g_sock_state = CLOSE_WAIT_SENDING_ACK;
141 break;
142 case LAST_ACK:
143 if (tcph->fin || tcph->syn || !tcph->ack)
144 g_unexpected++;
145 else
146 g_sock_state = CLOSED;
147 break;
148 default:
149 return 0;
150 }
151
152 return 1;
153}
154
155/* The connection is closed by the endpoint inside the cgroup. */
156static int egress_close_local(struct tcphdr *tcph)
157{
158 switch (g_sock_state) {
159 case ESTABLISHED:
160 if (tcph->fin)
161 g_sock_state = FIN_WAIT1;
162 break;
163 case TIME_WAIT_SENDING_ACK:
164 if (tcph->fin || tcph->syn || !tcph->ack)
165 g_unexpected++;
166 else
167 g_sock_state = TIME_WAIT;
168 break;
169 default:
170 return 0;
171 }
172
173 return 1;
174}
175
176static int ingress_close_local(struct tcphdr *tcph)
177{
178 switch (g_sock_state) {
179 case ESTABLISHED:
180 break;
181 case FIN_WAIT1:
182 if (tcph->fin || tcph->syn || !tcph->ack)
183 g_unexpected++;
184 else
185 g_sock_state = FIN_WAIT2;
186 break;
187 case FIN_WAIT2:
188 if (!tcph->fin || tcph->syn || !tcph->ack)
189 g_unexpected++;
190 else
191 g_sock_state = TIME_WAIT_SENDING_ACK;
192 break;
193 default:
194 return 0;
195 }
196
197 return 1;
198}
199
200/* Check the types of outgoing packets of a server socket to make sure they
201 * are consistent with the state of the server socket.
202 *
203 * The connection is closed by the client side.
204 */
205SEC("cgroup_skb/egress")
206int server_egress(struct __sk_buff *skb)
207{
208 struct tcphdr tcph;
209
210 if (!needed_tcp_pkt(skb, &tcph))
211 return 1;
212
213 g_packet_count++;
214
215 /* Egress of the server socket. */
216 if (egress_accept(&tcph) || egress_close_remote(&tcph))
217 return 1;
218
219 g_unexpected++;
220 return 1;
221}
222
223/* Check the types of incoming packets of a server socket to make sure they
224 * are consistent with the state of the server socket.
225 *
226 * The connection is closed by the client side.
227 */
228SEC("cgroup_skb/ingress")
229int server_ingress(struct __sk_buff *skb)
230{
231 struct tcphdr tcph;
232
233 if (!needed_tcp_pkt(skb, &tcph))
234 return 1;
235
236 g_packet_count++;
237
238 /* Ingress of the server socket. */
239 if (ingress_accept(&tcph) || ingress_close_remote(&tcph))
240 return 1;
241
242 g_unexpected++;
243 return 1;
244}
245
246/* Check the types of outgoing packets of a server socket to make sure they
247 * are consistent with the state of the server socket.
248 *
249 * The connection is closed by the server side.
250 */
251SEC("cgroup_skb/egress")
252int server_egress_srv(struct __sk_buff *skb)
253{
254 struct tcphdr tcph;
255
256 if (!needed_tcp_pkt(skb, &tcph))
257 return 1;
258
259 g_packet_count++;
260
261 /* Egress of the server socket. */
262 if (egress_accept(&tcph) || egress_close_local(&tcph))
263 return 1;
264
265 g_unexpected++;
266 return 1;
267}
268
269/* Check the types of incoming packets of a server socket to make sure they
270 * are consistent with the state of the server socket.
271 *
272 * The connection is closed by the server side.
273 */
274SEC("cgroup_skb/ingress")
275int server_ingress_srv(struct __sk_buff *skb)
276{
277 struct tcphdr tcph;
278
279 if (!needed_tcp_pkt(skb, &tcph))
280 return 1;
281
282 g_packet_count++;
283
284 /* Ingress of the server socket. */
285 if (ingress_accept(&tcph) || ingress_close_local(&tcph))
286 return 1;
287
288 g_unexpected++;
289 return 1;
290}
291
292/* Check the types of outgoing packets of a client socket to make sure they
293 * are consistent with the state of the client socket.
294 *
295 * The connection is closed by the server side.
296 */
297SEC("cgroup_skb/egress")
298int client_egress_srv(struct __sk_buff *skb)
299{
300 struct tcphdr tcph;
301
302 if (!needed_tcp_pkt(skb, &tcph))
303 return 1;
304
305 g_packet_count++;
306
307 /* Egress of the server socket. */
308 if (egress_connect(&tcph) || egress_close_remote(&tcph))
309 return 1;
310
311 g_unexpected++;
312 return 1;
313}
314
315/* Check the types of incoming packets of a client socket to make sure they
316 * are consistent with the state of the client socket.
317 *
318 * The connection is closed by the server side.
319 */
320SEC("cgroup_skb/ingress")
321int client_ingress_srv(struct __sk_buff *skb)
322{
323 struct tcphdr tcph;
324
325 if (!needed_tcp_pkt(skb, &tcph))
326 return 1;
327
328 g_packet_count++;
329
330 /* Ingress of the server socket. */
331 if (ingress_connect(&tcph) || ingress_close_remote(&tcph))
332 return 1;
333
334 g_unexpected++;
335 return 1;
336}
337
338/* Check the types of outgoing packets of a client socket to make sure they
339 * are consistent with the state of the client socket.
340 *
341 * The connection is closed by the client side.
342 */
343SEC("cgroup_skb/egress")
344int client_egress(struct __sk_buff *skb)
345{
346 struct tcphdr tcph;
347
348 if (!needed_tcp_pkt(skb, &tcph))
349 return 1;
350
351 g_packet_count++;
352
353 /* Egress of the server socket. */
354 if (egress_connect(&tcph) || egress_close_local(&tcph))
355 return 1;
356
357 g_unexpected++;
358 return 1;
359}
360
361/* Check the types of incoming packets of a client socket to make sure they
362 * are consistent with the state of the client socket.
363 *
364 * The connection is closed by the client side.
365 */
366SEC("cgroup_skb/ingress")
367int client_ingress(struct __sk_buff *skb)
368{
369 struct tcphdr tcph;
370
371 if (!needed_tcp_pkt(skb, &tcph))
372 return 1;
373
374 g_packet_count++;
375
376 /* Ingress of the server socket. */
377 if (ingress_connect(&tcph) || ingress_close_local(&tcph))
378 return 1;
379
380 g_unexpected++;
381 return 1;
382}
1// SPDX-License-Identifier: GPL-2.0
2/* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
3#include <linux/bpf.h>
4#include <bpf/bpf_endian.h>
5#include <bpf/bpf_helpers.h>
6
7#include <linux/if_ether.h>
8#include <linux/in.h>
9#include <linux/in6.h>
10#include <linux/ipv6.h>
11#include <linux/tcp.h>
12
13#include <sys/types.h>
14#include <sys/socket.h>
15
16#include "cgroup_tcp_skb.h"
17
18char _license[] SEC("license") = "GPL";
19
20__u16 g_sock_port = 0;
21__u32 g_sock_state = 0;
22int g_unexpected = 0;
23__u32 g_packet_count = 0;
24
25int needed_tcp_pkt(struct __sk_buff *skb, struct tcphdr *tcph)
26{
27 struct ipv6hdr ip6h;
28
29 if (skb->protocol != bpf_htons(ETH_P_IPV6))
30 return 0;
31 if (bpf_skb_load_bytes(skb, 0, &ip6h, sizeof(ip6h)))
32 return 0;
33
34 if (ip6h.nexthdr != IPPROTO_TCP)
35 return 0;
36
37 if (bpf_skb_load_bytes(skb, sizeof(ip6h), tcph, sizeof(*tcph)))
38 return 0;
39
40 if (tcph->source != bpf_htons(g_sock_port) &&
41 tcph->dest != bpf_htons(g_sock_port))
42 return 0;
43
44 return 1;
45}
46
47/* Run accept() on a socket in the cgroup to receive a new connection. */
48static int egress_accept(struct tcphdr *tcph)
49{
50 if (g_sock_state == SYN_RECV_SENDING_SYN_ACK) {
51 if (tcph->fin || !tcph->syn || !tcph->ack)
52 g_unexpected++;
53 else
54 g_sock_state = SYN_RECV;
55 return 1;
56 }
57
58 return 0;
59}
60
61static int ingress_accept(struct tcphdr *tcph)
62{
63 switch (g_sock_state) {
64 case INIT:
65 if (!tcph->syn || tcph->fin || tcph->ack)
66 g_unexpected++;
67 else
68 g_sock_state = SYN_RECV_SENDING_SYN_ACK;
69 break;
70 case SYN_RECV:
71 if (tcph->fin || tcph->syn || !tcph->ack)
72 g_unexpected++;
73 else
74 g_sock_state = ESTABLISHED;
75 break;
76 default:
77 return 0;
78 }
79
80 return 1;
81}
82
83/* Run connect() on a socket in the cgroup to start a new connection. */
84static int egress_connect(struct tcphdr *tcph)
85{
86 if (g_sock_state == INIT) {
87 if (!tcph->syn || tcph->fin || tcph->ack)
88 g_unexpected++;
89 else
90 g_sock_state = SYN_SENT;
91 return 1;
92 }
93
94 return 0;
95}
96
97static int ingress_connect(struct tcphdr *tcph)
98{
99 if (g_sock_state == SYN_SENT) {
100 if (tcph->fin || !tcph->syn || !tcph->ack)
101 g_unexpected++;
102 else
103 g_sock_state = ESTABLISHED;
104 return 1;
105 }
106
107 return 0;
108}
109
110/* The connection is closed by the peer outside the cgroup. */
111static int egress_close_remote(struct tcphdr *tcph)
112{
113 switch (g_sock_state) {
114 case ESTABLISHED:
115 break;
116 case CLOSE_WAIT_SENDING_ACK:
117 if (tcph->fin || tcph->syn || !tcph->ack)
118 g_unexpected++;
119 else
120 g_sock_state = CLOSE_WAIT;
121 break;
122 case CLOSE_WAIT:
123 if (!tcph->fin)
124 g_unexpected++;
125 else
126 g_sock_state = LAST_ACK;
127 break;
128 default:
129 return 0;
130 }
131
132 return 1;
133}
134
135static int ingress_close_remote(struct tcphdr *tcph)
136{
137 switch (g_sock_state) {
138 case ESTABLISHED:
139 if (tcph->fin)
140 g_sock_state = CLOSE_WAIT_SENDING_ACK;
141 break;
142 case LAST_ACK:
143 if (tcph->fin || tcph->syn || !tcph->ack)
144 g_unexpected++;
145 else
146 g_sock_state = CLOSED;
147 break;
148 default:
149 return 0;
150 }
151
152 return 1;
153}
154
155/* The connection is closed by the endpoint inside the cgroup. */
156static int egress_close_local(struct tcphdr *tcph)
157{
158 switch (g_sock_state) {
159 case ESTABLISHED:
160 if (tcph->fin)
161 g_sock_state = FIN_WAIT1;
162 break;
163 case TIME_WAIT_SENDING_ACK:
164 if (tcph->fin || tcph->syn || !tcph->ack)
165 g_unexpected++;
166 else
167 g_sock_state = TIME_WAIT;
168 break;
169 default:
170 return 0;
171 }
172
173 return 1;
174}
175
176static int ingress_close_local(struct tcphdr *tcph)
177{
178 switch (g_sock_state) {
179 case ESTABLISHED:
180 break;
181 case FIN_WAIT1:
182 if (tcph->fin || tcph->syn || !tcph->ack)
183 g_unexpected++;
184 else
185 g_sock_state = FIN_WAIT2;
186 break;
187 case FIN_WAIT2:
188 if (!tcph->fin || tcph->syn || !tcph->ack)
189 g_unexpected++;
190 else
191 g_sock_state = TIME_WAIT_SENDING_ACK;
192 break;
193 default:
194 return 0;
195 }
196
197 return 1;
198}
199
200/* Check the types of outgoing packets of a server socket to make sure they
201 * are consistent with the state of the server socket.
202 *
203 * The connection is closed by the client side.
204 */
205SEC("cgroup_skb/egress")
206int server_egress(struct __sk_buff *skb)
207{
208 struct tcphdr tcph;
209
210 if (!needed_tcp_pkt(skb, &tcph))
211 return 1;
212
213 g_packet_count++;
214
215 /* Egress of the server socket. */
216 if (egress_accept(&tcph) || egress_close_remote(&tcph))
217 return 1;
218
219 g_unexpected++;
220 return 1;
221}
222
223/* Check the types of incoming packets of a server socket to make sure they
224 * are consistent with the state of the server socket.
225 *
226 * The connection is closed by the client side.
227 */
228SEC("cgroup_skb/ingress")
229int server_ingress(struct __sk_buff *skb)
230{
231 struct tcphdr tcph;
232
233 if (!needed_tcp_pkt(skb, &tcph))
234 return 1;
235
236 g_packet_count++;
237
238 /* Ingress of the server socket. */
239 if (ingress_accept(&tcph) || ingress_close_remote(&tcph))
240 return 1;
241
242 g_unexpected++;
243 return 1;
244}
245
246/* Check the types of outgoing packets of a server socket to make sure they
247 * are consistent with the state of the server socket.
248 *
249 * The connection is closed by the server side.
250 */
251SEC("cgroup_skb/egress")
252int server_egress_srv(struct __sk_buff *skb)
253{
254 struct tcphdr tcph;
255
256 if (!needed_tcp_pkt(skb, &tcph))
257 return 1;
258
259 g_packet_count++;
260
261 /* Egress of the server socket. */
262 if (egress_accept(&tcph) || egress_close_local(&tcph))
263 return 1;
264
265 g_unexpected++;
266 return 1;
267}
268
269/* Check the types of incoming packets of a server socket to make sure they
270 * are consistent with the state of the server socket.
271 *
272 * The connection is closed by the server side.
273 */
274SEC("cgroup_skb/ingress")
275int server_ingress_srv(struct __sk_buff *skb)
276{
277 struct tcphdr tcph;
278
279 if (!needed_tcp_pkt(skb, &tcph))
280 return 1;
281
282 g_packet_count++;
283
284 /* Ingress of the server socket. */
285 if (ingress_accept(&tcph) || ingress_close_local(&tcph))
286 return 1;
287
288 g_unexpected++;
289 return 1;
290}
291
292/* Check the types of outgoing packets of a client socket to make sure they
293 * are consistent with the state of the client socket.
294 *
295 * The connection is closed by the server side.
296 */
297SEC("cgroup_skb/egress")
298int client_egress_srv(struct __sk_buff *skb)
299{
300 struct tcphdr tcph;
301
302 if (!needed_tcp_pkt(skb, &tcph))
303 return 1;
304
305 g_packet_count++;
306
307 /* Egress of the server socket. */
308 if (egress_connect(&tcph) || egress_close_remote(&tcph))
309 return 1;
310
311 g_unexpected++;
312 return 1;
313}
314
315/* Check the types of incoming packets of a client socket to make sure they
316 * are consistent with the state of the client socket.
317 *
318 * The connection is closed by the server side.
319 */
320SEC("cgroup_skb/ingress")
321int client_ingress_srv(struct __sk_buff *skb)
322{
323 struct tcphdr tcph;
324
325 if (!needed_tcp_pkt(skb, &tcph))
326 return 1;
327
328 g_packet_count++;
329
330 /* Ingress of the server socket. */
331 if (ingress_connect(&tcph) || ingress_close_remote(&tcph))
332 return 1;
333
334 g_unexpected++;
335 return 1;
336}
337
338/* Check the types of outgoing packets of a client socket to make sure they
339 * are consistent with the state of the client socket.
340 *
341 * The connection is closed by the client side.
342 */
343SEC("cgroup_skb/egress")
344int client_egress(struct __sk_buff *skb)
345{
346 struct tcphdr tcph;
347
348 if (!needed_tcp_pkt(skb, &tcph))
349 return 1;
350
351 g_packet_count++;
352
353 /* Egress of the server socket. */
354 if (egress_connect(&tcph) || egress_close_local(&tcph))
355 return 1;
356
357 g_unexpected++;
358 return 1;
359}
360
361/* Check the types of incoming packets of a client socket to make sure they
362 * are consistent with the state of the client socket.
363 *
364 * The connection is closed by the client side.
365 */
366SEC("cgroup_skb/ingress")
367int client_ingress(struct __sk_buff *skb)
368{
369 struct tcphdr tcph;
370
371 if (!needed_tcp_pkt(skb, &tcph))
372 return 1;
373
374 g_packet_count++;
375
376 /* Ingress of the server socket. */
377 if (ingress_connect(&tcph) || ingress_close_local(&tcph))
378 return 1;
379
380 g_unexpected++;
381 return 1;
382}