-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Send packet data before handshake to userspace
Current implementation simply throws away these packets. This commit is the first step of implementing re-sending them after handshake.
- Loading branch information
Showing
7 changed files
with
87 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -36,6 +36,56 @@ static inline void update_tcp_header(struct tcphdr* tcp, __u16 udp_len, __u32 se | |
tcp->urg_ptr = 0; | ||
} | ||
|
||
#define SEG_LEN 256 | ||
|
||
static inline int store_packet(struct __sk_buff* skb, __u32 pkt_off, struct conn_tuple* key) { | ||
This comment has been minimized.
Sorry, something went wrong.
This comment has been minimized.
Sorry, something went wrong.
hack3ric
Author
Owner
|
||
int retcode; | ||
__u32 data_len = skb->len - pkt_off; | ||
if (!key || data_len > MAX_PACKET_SIZE) return TC_ACT_SHOT; | ||
|
||
bool has_remainder = data_len % SEGMENT_SIZE; | ||
__u32 segments = data_len / SEGMENT_SIZE + has_remainder; | ||
__u32 alloc_size = sizeof(struct rb_item) + segments * SEGMENT_SIZE; | ||
struct bpf_dynptr ptr = {}; | ||
if (bpf_ringbuf_reserve_dynptr(&mimic_rb, alloc_size, 0, &ptr) < 0) { | ||
cleanup(TC_ACT_SHOT); | ||
} | ||
|
||
struct rb_item* item = bpf_dynptr_data(&ptr, 0, sizeof(*item)); | ||
if (!item) cleanup(TC_ACT_SHOT); | ||
item->type = RB_ITEM_STORE_PACKET; | ||
item->store_packet.conn_key = *key; | ||
item->store_packet.len = data_len; | ||
item->store_packet.l4_csum_partial = mimic_inspect_skb(skb)->ip_summed == CHECKSUM_PARTIAL; | ||
|
||
char* packet = NULL; | ||
__u32 offset = 0, i = 0; | ||
for (; i < segments - has_remainder; i++) { | ||
if (i > MAX_PACKET_SIZE / SEGMENT_SIZE + 1) break; | ||
offset = i * SEGMENT_SIZE; | ||
packet = bpf_dynptr_data(&ptr, sizeof(*item) + offset, SEGMENT_SIZE); | ||
if (!packet) cleanup(TC_ACT_SHOT); | ||
if (bpf_skb_load_bytes(skb, pkt_off + offset, packet, SEGMENT_SIZE) < 0) cleanup(TC_ACT_SHOT); | ||
} | ||
if (has_remainder) { | ||
offset = i * SEGMENT_SIZE; | ||
__u32 copy_len = data_len - offset; | ||
if (copy_len > 0 && copy_len < SEGMENT_SIZE) { | ||
if (copy_len < 2) copy_len = 1; | ||
if (copy_len < 3) copy_len = 2; | ||
|
||
packet = bpf_dynptr_data(&ptr, sizeof(*item) + offset, SEGMENT_SIZE); | ||
if (!packet) cleanup(TC_ACT_SHOT); | ||
if (bpf_skb_load_bytes(skb, pkt_off + offset, packet, copy_len) < 0) cleanup(TC_ACT_SHOT); | ||
} | ||
} | ||
bpf_ringbuf_submit_dynptr(&ptr, 0); | ||
return TC_ACT_STOLEN; | ||
cleanup: | ||
bpf_ringbuf_discard_dynptr(&ptr, 0); | ||
return retcode; | ||
} | ||
|
||
SEC("tc") | ||
int egress_handler(struct __sk_buff* skb) { | ||
decl_ok(struct ethhdr, eth, 0, skb); | ||
|
@@ -98,8 +148,7 @@ int egress_handler(struct __sk_buff* skb) { | |
} | ||
bpf_spin_unlock(&conn->lock); | ||
send_ctrl_packet(&conn_key, SYN, seq, ack_seq); | ||
// TODO: store packet in userspace buffer and send them after establishing | ||
return TC_ACT_STOLEN; | ||
return store_packet(skb, ip_end, &conn_key); | ||
} | ||
conn_state = conn->state; | ||
conn_seq = conn->seq; | ||
|
@@ -122,7 +171,7 @@ int egress_handler(struct __sk_buff* skb) { | |
ipv6->nexthdr = IPPROTO_TCP; | ||
} | ||
|
||
try(mangle_data(skb, ip_end + sizeof(*udp))); | ||
try_tc(mangle_data(skb, ip_end + sizeof(*udp))); | ||
decl_shot(struct tcphdr, tcp, ip_end, skb); | ||
update_tcp_header(tcp, udp_len, seq, ack_seq); | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Just FYI: Did you consider using
bpf_sk_assign
andbpf_redirect
like what's done in daeuniverse/dae#375, daeuniverse/dae#458?Though I think this might not be suitable for mimic since a socket with listening port might be required (dae uses a tproxy port)? Don't know whether
bpf_sk_assign
could be used on raw socket.