| // SPDX-License-Identifier: GPL-2.0 |
| /* Copyright (c) 2023 Isovalent */ |
| #include <stdbool.h> |
| #include <linux/bpf.h> |
| #include <linux/if_ether.h> |
| #include <linux/in.h> |
| #include <linux/ip.h> |
| #include <linux/ipv6.h> |
| #include <linux/tcp.h> |
| #include <linux/udp.h> |
| #include <bpf/bpf_endian.h> |
| #include <bpf/bpf_helpers.h> |
| #include <linux/pkt_cls.h> |
| |
| char LICENSE[] SEC("license") = "GPL"; |
| |
| __u64 sk_cookie_seen; |
| __u64 reuseport_executed; |
| union { |
| struct tcphdr tcp; |
| struct udphdr udp; |
| } headers; |
| |
| const volatile __u16 dest_port; |
| |
| struct { |
| __uint(type, BPF_MAP_TYPE_SOCKMAP); |
| __uint(max_entries, 1); |
| __type(key, __u32); |
| __type(value, __u64); |
| } sk_map SEC(".maps"); |
| |
| SEC("sk_reuseport") |
| int reuse_accept(struct sk_reuseport_md *ctx) |
| { |
| reuseport_executed++; |
| |
| if (ctx->ip_protocol == IPPROTO_TCP) { |
| if (ctx->data + sizeof(headers.tcp) > ctx->data_end) |
| return SK_DROP; |
| |
| if (__builtin_memcmp(&headers.tcp, ctx->data, sizeof(headers.tcp)) != 0) |
| return SK_DROP; |
| } else if (ctx->ip_protocol == IPPROTO_UDP) { |
| if (ctx->data + sizeof(headers.udp) > ctx->data_end) |
| return SK_DROP; |
| |
| if (__builtin_memcmp(&headers.udp, ctx->data, sizeof(headers.udp)) != 0) |
| return SK_DROP; |
| } else { |
| return SK_DROP; |
| } |
| |
| sk_cookie_seen = bpf_get_socket_cookie(ctx->sk); |
| return SK_PASS; |
| } |
| |
| SEC("sk_reuseport") |
| int reuse_drop(struct sk_reuseport_md *ctx) |
| { |
| reuseport_executed++; |
| sk_cookie_seen = 0; |
| return SK_DROP; |
| } |
| |
| static int |
| assign_sk(struct __sk_buff *skb) |
| { |
| int zero = 0, ret = 0; |
| struct bpf_sock *sk; |
| |
| sk = bpf_map_lookup_elem(&sk_map, &zero); |
| if (!sk) |
| return TC_ACT_SHOT; |
| ret = bpf_sk_assign(skb, sk, 0); |
| bpf_sk_release(sk); |
| return ret ? TC_ACT_SHOT : TC_ACT_OK; |
| } |
| |
| static bool |
| maybe_assign_tcp(struct __sk_buff *skb, struct tcphdr *th) |
| { |
| if (th + 1 > (void *)(long)(skb->data_end)) |
| return TC_ACT_SHOT; |
| |
| if (!th->syn || th->ack || th->dest != bpf_htons(dest_port)) |
| return TC_ACT_OK; |
| |
| __builtin_memcpy(&headers.tcp, th, sizeof(headers.tcp)); |
| return assign_sk(skb); |
| } |
| |
| static bool |
| maybe_assign_udp(struct __sk_buff *skb, struct udphdr *uh) |
| { |
| if (uh + 1 > (void *)(long)(skb->data_end)) |
| return TC_ACT_SHOT; |
| |
| if (uh->dest != bpf_htons(dest_port)) |
| return TC_ACT_OK; |
| |
| __builtin_memcpy(&headers.udp, uh, sizeof(headers.udp)); |
| return assign_sk(skb); |
| } |
| |
| SEC("tc") |
| int tc_main(struct __sk_buff *skb) |
| { |
| void *data_end = (void *)(long)skb->data_end; |
| void *data = (void *)(long)skb->data; |
| struct ethhdr *eth; |
| |
| eth = (struct ethhdr *)(data); |
| if (eth + 1 > data_end) |
| return TC_ACT_SHOT; |
| |
| if (eth->h_proto == bpf_htons(ETH_P_IP)) { |
| struct iphdr *iph = (struct iphdr *)(data + sizeof(*eth)); |
| |
| if (iph + 1 > data_end) |
| return TC_ACT_SHOT; |
| |
| if (iph->protocol == IPPROTO_TCP) |
| return maybe_assign_tcp(skb, (struct tcphdr *)(iph + 1)); |
| else if (iph->protocol == IPPROTO_UDP) |
| return maybe_assign_udp(skb, (struct udphdr *)(iph + 1)); |
| else |
| return TC_ACT_SHOT; |
| } else { |
| struct ipv6hdr *ip6h = (struct ipv6hdr *)(data + sizeof(*eth)); |
| |
| if (ip6h + 1 > data_end) |
| return TC_ACT_SHOT; |
| |
| if (ip6h->nexthdr == IPPROTO_TCP) |
| return maybe_assign_tcp(skb, (struct tcphdr *)(ip6h + 1)); |
| else if (ip6h->nexthdr == IPPROTO_UDP) |
| return maybe_assign_udp(skb, (struct udphdr *)(ip6h + 1)); |
| else |
| return TC_ACT_SHOT; |
| } |
| } |
