Merge pull request #163 from LorenzoTettamanti/feature/ebpf-core

Experimental service mapping pt.1

Author: LorenzoTettamanti

cli/Cargo.lock

@@ -61,6 +61,21 @@ pub struct VethLog {
 
 }
 
+// TODO: write documentation about this structure
+#[repr(C)]
+#[derive(Clone,Copy,Debug)]
+pub struct TcpPacketRegistry{
+    pub proto: u8,
+    pub src_ip: u32,
+    pub dst_ip: u32,
+    pub src_port: u16,
+    pub dst_port: u16,
+    pub pid: u32,
+    pub command: [u8;16],
+    pub cgroup_id: u64,
+
+}
+
 // docs:
 //
 // BPF maps used in the conntracker programs 
@@ -90,4 +105,7 @@ pub static mut VETH_EVENTS: PerfEventArray<VethLog> = PerfEventArray::new(0);
 
 #[map(name = "Blocklist")]
 pub static mut BLOCKLIST: HashMap<[u8;4], [u8;4]> = HashMap::<[u8;4], [u8;4]>::with_max_entries(1024, 0);
-//here i need to pass an address like this: [135,171,168,192]
+//here i need to pass an address like this: [135,171,168,192]
+
+#[map(name = "TcpPacketRegistry",pinning = "by_name")]
+pub static mut PACKET_REGISTRY: PerfEventArray<TcpPacketRegistry> = PerfEventArray::new(0);

core/src/components/conntracker/src/data_structures.rs

@@ -60,9 +60,12 @@ impl OFFSETS {
     pub const DST_PORT_OFFSET_FROM_IP_HEADER: usize = 2; // destination port offset
 
     // TOTAL BYTES SUM
-    pub const ETH_STACK_BYTES: usize = OFFSETS::SRC_MAC + OFFSETS::DST_MAC + OFFSETS::ETHERTYPE_BYTES; // ethernet protocol total stacked bytes
+    pub const ETH_STACK_BYTES: usize =
+        OFFSETS::SRC_MAC + OFFSETS::DST_MAC + OFFSETS::ETHERTYPE_BYTES; // ethernet protocol total stacked bytes
     pub const DST_T0TAL_BYTES_OFFSET: usize = OFFSETS::ETH_STACK_BYTES + OFFSETS::DST_BYTE_OFFSET; // destination total bytes offset
     pub const SRC_T0TAL_BYTES_OFFSET: usize = OFFSETS::ETH_STACK_BYTES + OFFSETS::SRC_BYTE_OFFSET; // source total bytes offset
     pub const PROTOCOL_T0TAL_BYTES_OFFSET: usize =
         OFFSETS::ETH_STACK_BYTES + OFFSETS::IPV4_PROTOCOL_OFFSET; // total bytes offset
+
+    pub const SKB_DATA_POINTER: usize = 208; // sk_buff structure data pointer
 }

core/src/components/conntracker/src/offsets.rs

@@ -1,6 +1,83 @@
-
 use aya_ebpf::programs::ProbeContext;
+use aya_ebpf::helpers::{
+    bpf_get_current_comm,
+    bpf_get_current_pid_tgid,
+    bpf_get_current_cgroup_id,
+};
+
+use crate::bindings::{ sk_buff };
+use crate::offsets::OFFSETS;
+use crate::data_structures::{ PACKET_REGISTRY, TcpPacketRegistry };
+use crate::veth_tracer::{ read_linux_inner_struct, read_linux_inner_value };
+
+// docs:
+// TODO: add function documentation
 
+// docs:
+//
+// how skb works? http://oldvger.kernel.org/~davem/skb_data.html
+//
+// ref: https://elixir.bootlin.com/linux/v6.17.7/source/net/ipv4/tcp_ipv4.c#L2195
+//
+
+//in tcp_v4_recv skb->data
 pub fn try_tcp_analyzer(ctx: ProbeContext) -> Result<u32, i64> {
-    todo!()
+    let sk_buff_pointer: *const sk_buff = ctx.arg(0).ok_or(1i64)?;
+    // first control: i'm, verifying that the pointer is not null
+    if sk_buff_pointer.is_null() {
+        return Err(1);
+    }
+
+    let skb_data_pointer = read_linux_inner_struct::<u8>(
+        sk_buff_pointer as *const u8,
+        OFFSETS::SKB_DATA_POINTER
+    )?;
+    let first_ipv4_byte = read_linux_inner_value::<u8>(skb_data_pointer as *const u8, 0)?;
+    let ihl = (first_ipv4_byte & 0x0f) as usize; // 0x0F=00001111 &=AND bit a bit operator to extract the last 4 bit
+    let ip_header_len = ihl * 4; //returns the header lenght in bytes
+
+    let proto = read_linux_inner_struct::<u8>(
+        skb_data_pointer,
+        OFFSETS::IPV4_PROTOCOL_OFFSET
+    )? as u8;
+
+    if proto != 6 {
+        return Ok(0);
+    } else {
+        // get the source ip,destination ip and connection id
+        let src_ip = read_linux_inner_value::<u32>(skb_data_pointer, OFFSETS::SRC_BYTE_OFFSET)?;
+        let dst_ip = read_linux_inner_value::<u32>(skb_data_pointer, OFFSETS::DST_BYTE_OFFSET)?;
+        let src_port = u16::from_be(
+            read_linux_inner_value(
+                skb_data_pointer,
+                ip_header_len + OFFSETS::SRC_PORT_OFFSET_FROM_IP_HEADER
+            )?
+        );
+        let dst_port = u16::from_be(
+            read_linux_inner_value(
+                skb_data_pointer,
+                ip_header_len + OFFSETS::DST_PORT_OFFSET_FROM_IP_HEADER
+            )?
+        );
+
+        let command = bpf_get_current_comm()?;
+        let pid = (bpf_get_current_pid_tgid() >> 32) as u32;
+        let cgroup_id = unsafe { bpf_get_current_cgroup_id() };
+
+        let log = TcpPacketRegistry {
+            proto,
+            src_ip,
+            dst_ip,
+            src_port,
+            dst_port,
+            pid,
+            command,
+            cgroup_id,
+        };
+        unsafe {
+            PACKET_REGISTRY.output(&ctx, &log, 0);
+        }
+    }
+
+    Ok(0)
 }

core/src/components/conntracker/src/tcp_analyzer.rs

@@ -77,7 +77,7 @@ pub fn try_veth_tracer(ctx: ProbeContext, mode: u8) -> Result<u32, i64> {
 //
 // Returns a Result type with a const pointer to an inner field or an error code as i64
 
-fn read_linux_inner_struct<T>(ptr: *const u8, offset: usize) -> Result<*const T, i64> {
+pub fn read_linux_inner_struct<T>(ptr: *const u8, offset: usize) -> Result<*const T, i64> {
     if ptr.is_null() {
         return Err(1);
     } else {
@@ -105,7 +105,7 @@ fn read_linux_inner_struct<T>(ptr: *const u8, offset: usize) -> Result<*const T,
 //
 // Returns a Result type with the value or an error code as i64
 
-fn read_linux_inner_value<T: Copy>(ptr: *const u8, offset: usize) -> Result<T, i64> {
+pub fn read_linux_inner_value<T: Copy>(ptr: *const u8, offset: usize) -> Result<T, i64> {
     if ptr.is_null() {
         return Err(1);
     }

core/src/components/conntracker/src/veth_tracer.rs

@@ -18,7 +18,6 @@ enums = []
 
 [dependencies]
 aya = "0.13.1"
-aya-log = "0.2.1"
 bytes = "1.4"
 tokio = { version = "1.48.0", features = ["rt","rt-multi-thread","fs","signal","fs","time","macros"] }
 anyhow = "1.0"