WIP: local sockets stack bypass

Author: nyrahul

Makefile

@@ -1,11 +1,35 @@
-BIN=bin
-KRNDIR=/home/rahul/rnd/linux-5.3
-CL=clang
-CC=gcc
-CFLAGS:=-Isrc -O2 -Wall
-KCFLAGS:=$(CFLAGS) -funroll-loops -I/usr/include/x86_64-linux-gnu -O2 -target bpf
-UCFLAGS:=$(CFLAGS) -I $(KRNDIR)/tools/lib -Wall
-ULDFLAGS:=$(KRNDIR)/tools/lib/bpf/libbpf.a -lelf
+ifeq (,$(KRNDIR))
+KRNDIR = /home/rahul/rnd/linux-5.3
+endif
+
+BIN = bin
+CL  = clang
+CC  = gcc
+Q   = @
+
+ifeq ($(V),1)
+  Q =
+endif
+
+# This is shamelessly copied from kernel's samples/bpf/Makefile
+KF = -nostdinc -isystem /usr/lib/gcc/x86_64-linux-gnu/7/include \
+	 -I$(KRNDIR)/arch/x86/include -I$(KRNDIR)/arch/x86/include/generated  \
+	 -I$(KRNDIR)/include -I$(KRNDIR)/arch/x86/include/uapi \
+	 -I$(KRNDIR)/arch/x86/include/generated/uapi -I$(KRNDIR)/include/uapi \
+	 -I$(KRNDIR)/include/generated/uapi \
+	 -include $(KRNDIR)/include/linux/kconfig.h \
+	 -include asm_goto_workaround.h \
+	 -I$(KRNDIR)/samples/bpf -I$(KRNDIR)/tools/testing/selftests/bpf/ -Isrc \
+	 -D__KERNEL__ -D__BPF_TRACING__ -Wno-unused-value -Wno-pointer-sign \
+	 -D__TARGET_ARCH_x86 -Wno-compare-distinct-pointer-types \
+	 -Wno-gnu-variable-sized-type-not-at-end \
+	 -Wno-address-of-packed-member -Wno-tautological-compare \
+	 -Wno-unknown-warning-option  \
+	 -O2 -emit-llvm
+
+UF  = -Isrc -O2 -I $(KRNDIR)/tools/lib -Wall
+UDF = $(KRNDIR)/tools/lib/bpf/libbpf.a -lelf
+
 SRCDIR=src
 
 SRCS_KERN:=$(wildcard $(SRCDIR)/*-kern.c)
@@ -18,18 +42,29 @@ UBINS:=$(patsubst %.c,$(BIN)/%.bin,$(SRCN))
 
 vpath %.c $(SRCDIR)
 
+RED=\033[0;31m
+GREEN=\033[0;32m
+CYAN=\033[0;36m
+NC=\033[0m
+
 .PHONY: all
-all: mkdir $(BOBJS) $(UBINS)
+all: chkdir $(BOBJS) $(UBINS)
 
-.PHONY: mkdir
-mkdir:
+.PHONY: chkdir
+chkdir:
+ifeq (,$(wildcard $(KRNDIR)/Kconfig))
+	@echo "Your kernel path[$(RED)$(KRNDIR)$(NC)] is incorrect. Use 'make KRNDIR=[KERNEL-SRC-PATH]'."
+	Quitting abnormally
+endif
 	@mkdir -p $(BIN) 2>/dev/null
 
 $(BIN)/%.bin: %.c
-	$(CC) $(UCFLAGS) $< -o $@ $(ULDFLAGS)
+	@echo "Compiling user-space app: $(CYAN)$@$(NC) ..."
+	$(Q)$(CC) $(UF) $< -o $@ $(UDF)
 
 $(BIN)/%.bo: %.c
-	$(CL) $(KCFLAGS) -c $< -o $@
+	@echo "Compiling eBPF bytecode: $(GREEN)$@$(NC) ..."
+	$(Q)$(CL) $(KF) -c $< -o -| llc -march=bpf -mcpu=probe -filetype=obj -o $@
 
 .PHONY: clean
 clean:

Makefile.old

@@ -0,0 +1,36 @@
+BIN=bin
+KRNDIR=/home/rahul/rnd/linux-5.3
+CL=clang
+CC=gcc
+CFLAGS:=-Isrc -O2 -Wall
+KCFLAGS:=$(CFLAGS) -funroll-loops -I$(KRNDIR)/tools/testing/selftests/bpf -O2 -target bpf
+UCFLAGS:=$(CFLAGS) -I $(KRNDIR)/tools/lib -Wall
+ULDFLAGS:=$(KRNDIR)/tools/lib/bpf/libbpf.a -lelf
+SRCDIR=src
+
+SRCS_KERN:=$(wildcard $(SRCDIR)/*-kern.c)
+SRCN:=$(notdir $(SRCS_KERN))
+BOBJS:=$(patsubst %.c,$(BIN)/%.bo,$(SRCN))
+
+SRCS_USER:=$(wildcard $(SRCDIR)/*-user.c)
+SRCN:=$(notdir $(SRCS_USER))
+UBINS:=$(patsubst %.c,$(BIN)/%.bin,$(SRCN))
+
+vpath %.c $(SRCDIR)
+
+.PHONY: all
+all: mkdir $(BOBJS) $(UBINS)
+
+.PHONY: mkdir
+mkdir:
+	@mkdir -p $(BIN) 2>/dev/null
+
+$(BIN)/%.bin: %.c
+	$(CC) $(UCFLAGS) $< -o $@ $(ULDFLAGS)
+
+$(BIN)/%.bo: %.c
+	$(CL) $(KCFLAGS) -c $< -o $@
+
+.PHONY: clean
+clean:
+	@rm -rf $(BIN)

load_tc.sh

@@ -2,6 +2,7 @@
 
 IFACE=lo
 [[ $UID -ne 0 ]] && echo "Need to be root" && exit 2
+[[ ! -f "bin/drop-spoofs-kern.bo" ]] && echo "do a make first" && exit 2
 
 function unload()
 {

run_as_cgroupv2.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+[[ $UID -ne 0 ]]             && echo "need to be root"   && exit 2
+[[ $(which curl) == "" ]]    && echo "need util curl"    && exit 2
+[[ $(which timeout) == "" ]] && echo "need util timeout" && exit 2
+
+CGRP_MNT=/tmp/cgroupv2
+FOO=$CGRP_MNT/foo
+PINPT=/sys/fs/bpf/mytestprog
+BO=bin/local-socket-bypass-kern.bo
+BPF_MNT=/sys/fs/bpf
+
+trap 'unload "$BASH_COMMAND"' EXIT
+
+unload()
+{
+    [[ $? -ne 0 ]] && echo "Failed: [$1]"
+    echo "unloading..."
+    set +e
+    bpftool cgroup detach $FOO sock_ops pinned $PINPT 2>/dev/null
+    umount $CGRP_MNT
+    [[ -d "$CGRP_MNT" ]] && rm -rf $CGRP_MNT
+    umount $BPF_MNT
+}
+
+# Inspired by: https://github.com/torvalds/linux/blob/master/samples/bpf/tcp_bpf.readme
+load()
+{
+    mountpoint $BPF_MNT >/dev/null
+    [[ $? -ne 0 ]] && mount -t bpf none $BPF_MNT
+
+    mkdir -p $CGRP_MNT
+    mountpoint $CGRP_MNT >/dev/null
+    [[ $? -ne 0 ]] && mount -t cgroup2 none $CGRP_MNT
+
+    set -eE -o functrace
+    mkdir -p $FOO 
+    echo $$ >> $FOO/cgroup.procs
+    bpftool prog load $BO $PINPT
+    bpftool cgroup attach $FOO sock_ops pinned $PINPT
+}
+
+load
+
+### Start of Action
+
+curl http://www.baidu.com
+
+### End of Action
+
+timeout --preserve-status 1s bpftool prog tracelog

src/drop-spoofs-kern.c

@@ -2,12 +2,11 @@
  * Do not allow a container to generate spoofed packet
  */
 
-#include <stdint.h>
-#include <linux/bpf.h>
-#include <linux/ip.h>
-#include <linux/in.h>
-#include <linux/pkt_cls.h>
-#include <linux/if_ether.h>
+#include <uapi/linux/bpf.h>
+#include <uapi/linux/ip.h>
+#include <uapi/linux/in.h>
+#include <uapi/linux/pkt_cls.h>
+#include <uapi/linux/if_ether.h>
 #include "drop-spoofs.h"
 
 #ifndef SEC

src/local-socket-bypass-kern.c

@@ -0,0 +1,39 @@
+/*
+ * Completely bypass kernel TCP/IP stack for local socket.
+ * Note:
+ * 1. sockmap can be used only for TCP sockets
+ * 2. since tcp/ip stack is bypassed, underneath tooling such as tcpdump and
+ *    other OAM/stats collection will not work for these bypassed sockets.
+ * 3. 
+ */
+
+#include <uapi/linux/bpf.h>
+#include <linux/version.h>
+
+#include "bpf_helpers.h"
+
+struct bpf_map_def SEC("maps") sock_ops = {
+    .type        = BPF_MAP_TYPE_SOCKMAP,
+    .key_size    = sizeof(int),
+    .value_size  = sizeof(unsigned int),
+    .max_entries = 2,
+};
+
+SEC("sockops")
+int sock_map_update(struct bpf_sock_ops *ops)
+{
+    int op;
+    op = (int) ops->op;
+
+    bpf_printk("XYZ BPF command: %d\n", op);
+    if (op == BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB || op == BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) {
+        uint32_t idx = 0;
+        bpf_printk("Calling UPDATE: %d %d\n", op, BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB);
+        bpf_sock_map_update(ops, &sock_ops, &idx, BPF_ANY);
+    }
+
+    return 0;
+}
+
+char _license[] SEC("license") = "GPL";
+int  _version   SEC("version") = LINUX_VERSION_CODE;

src/xdp-drop-kern.c

@@ -4,13 +4,11 @@
  * Check: block-tcp-8080.rst for details
  */
 
-#include <linux/bpf.h>
-#include <linux/in.h>
-#include <linux/if_ether.h>
-#include <linux/ip.h>
-#include <linux/tcp.h>
-
-#define htons(x) ((__be16)___constant_swab16((x)))
+#include <uapi/linux/bpf.h>
+#include <uapi/linux/in.h>
+#include <uapi/linux/if_ether.h>
+#include <uapi/linux/ip.h>
+#include <uapi/linux/tcp.h>
 
 // Sizeof all headers till TCP
 #define TOTSZ (sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct tcphdr))