Restrict loopback addr #50

Merged
merged 3 commits into from
Aug 14, 2023
Merged
2 changes: 1 addition & 1 deletion kernel-collector
18 changes: 11 additions & 7 deletions src/socket.bpf.c
Expand Up @@ -72,19 +72,23 @@ static __always_inline short unsigned int set_idx_value(netdata_socket_idx_t *ns
BPF_CORE_READ_INTO(&family, is, sk.__sk_common.skc_family);
// Read source and destination IPs
if ( family == AF_INET ) { //AF_INET
BPF_CORE_READ_INTO(&nsi->saddr.addr32, is, sk.__sk_common.skc_rcv_saddr );
BPF_CORE_READ_INTO(&nsi->daddr.addr32, is, sk.__sk_common.skc_daddr );
BPF_CORE_READ_INTO(&nsi->saddr.addr32[0], is, sk.__sk_common.skc_rcv_saddr );
BPF_CORE_READ_INTO(&nsi->daddr.addr32[0], is, sk.__sk_common.skc_daddr );

if ((nsi->saddr.addr32[0] == 0 || nsi->daddr.addr32[0] == 0) || // Zero addr
nsi->saddr.addr64[0] == 16777343) // Loopback
nsi->saddr.addr32[0] == 16777343 || nsi->daddr.addr32[0] == 16777343) // Loopback
return AF_UNSPEC;
} else if ( family == AF_INET6 ) {
#if defined(NETDATA_CONFIG_IPV6)
BPF_CORE_READ_INTO(&nsi->saddr.addr8, is, sk.__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8 );
BPF_CORE_READ_INTO(&nsi->daddr.addr8, is, sk.__sk_common.skc_v6_daddr.in6_u.u6_addr8 );

if ( ((!nsi->saddr.addr64[0]) && (!nsi->saddr.addr64[1])) || ((!nsi->daddr.addr64[0]) && (!nsi->daddr.addr64[1])) || // Zero addr
((nsi->saddr.addr64[0] == 0) && (nsi->saddr.addr64[1] == 72057594037927936))) // Loopback
if (((nsi->saddr.addr64[0] == 0) && (nsi->saddr.addr64[1] == 72057594037927936)) || // Loopback
((nsi->daddr.addr64[0] == 0) && (nsi->daddr.addr64[1] == 72057594037927936)))
return AF_UNSPEC;

if (((nsi->saddr.addr64[0] == 0) && (nsi->saddr.addr64[1] == 0)) ||
((nsi->daddr.addr64[0] == 0) && (nsi->daddr.addr64[1] == 0))) // Zero addr
return AF_UNSPEC;
#endif
} else {
Expand All @@ -95,8 +99,8 @@ static __always_inline short unsigned int set_idx_value(netdata_socket_idx_t *ns
BPF_CORE_READ_INTO(&nsi->dport, is, sk.__sk_common.skc_dport);
BPF_CORE_READ_INTO(&nsi->sport, is, sk.__sk_common.skc_num);

nsi->dport = bpf_ntohs(nsi->dport);
nsi->sport = bpf_ntohs(nsi->sport);
nsi->dport = nsi->dport;
nsi->sport = nsi->sport;

// Socket for nowhere or system looking for port
// This can be an attack vector that needs to be addressed in another opportunity
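Review bot: The IPv4 loopback test on what reads as the new side of the first hunk, `nsi->saddr.addr32[0] == 16777343 || nsi->daddr.addr32[0] == 16777343`, only matches 127.0.0.1 exactly, while all of 127.0.0.0/8 is loopback, so a socket using 127.0.0.2 or any other 127.x.y.z address is still recorded; the literal is also the little-endian image of 0x7f000001, so the comparison is byte-order dependent. A first-octet test is both broader and endian-safe, `(bpf_ntohl(nsi->saddr.addr32[0]) >> 24) == 127 || (bpf_ntohl(nsi->daddr.addr32[0]) >> 24) == 127`, and the IPv6 literal `72057594037927936` (the little-endian layout of ::1 in addr64[1]) deserves a named constant with the same caveat. In the second hunk, if `nsi->dport = nsi->dport;` and `nsi->sport = nsi->sport;` are the new lines, they are self-assignments with no effect; if dropping the `bpf_ntohs` conversion is intended, a comment stating that ports are now kept in network byte order (and where the conversion now happens) should replace them rather than leaving dead statements. set_idx_value starts before the first hunk and continues past the second.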