Added outbound icmp echo tracking
r-caamano committed Aug 13, 2024
1 parent 3b4018d commit 2a1de8f
Showing 5 changed files with 360 additions and 27 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -3,6 +3,10 @@
All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

---
###
# [0.8.13] - 2024-08-12
- Added Outbound tracking for IPv4 and IPv6 ICMP Echo

###
# [0.8.12] - 2024-08-07
- Change ci workflow display name and to trigger on push to branches other than main.
Expand Down
76 changes: 70 additions & 6 deletions src/zfw.c
Expand Up @@ -88,6 +88,9 @@
#define INGRESS_SERVER_RST_RCVD 24
#define INGRESS_SERVER_FINAL_ACK_RCVD 25
#define MATCHED_DROP_FILTER 26
#define ICMP_MATCHED_EXPIRED_STATE 27
#define ICMP_MATCHED_ACTIVE_STATE 28
#define CLIENT_INITIATED_ICMP_ECHO 29
#define IP6_HEADER_TOO_BIG 30
#define IPV6_TUPLE_TOO_BIG 31

Expand Down Expand Up @@ -215,6 +218,8 @@ const char *egress6_map_path = "/sys/fs/bpf/tc/globals/zt_egress6_map";
const char *egress_count_map_path = "/sys/fs/bpf/tc/globals/egress_count_map";
const char *egress_count6_map_path = "/sys/fs/bpf/tc/globals/egress6_count_map";
const char *masquerade_map_path = "/sys/fs/bpf/tc/globals/masquerade_map";
const char *icmp_masquerade_map_path = "/sys/fs/bpf/tc/globals/icmp_masquerade_map";
const char *icmp_echo_map_path = "/sys/fs/bpf/tc/globals/icmp_echo_map";
char doc[] = "zfw -- ebpf firewall configuration tool";
const char *if_map_path;
char *diag_interface;
Expand All @@ -236,7 +241,7 @@ char *direction_string;
char *masq_interface;
char check_alt[IF_NAMESIZE];

const char *argp_program_version = "0.8.12";
const char *argp_program_version = "0.8.13";
struct ring_buffer *ring_buffer;

__u32 if_list[MAX_IF_LIST_ENTRIES];
Expand Down Expand Up @@ -651,14 +656,15 @@ void disable_ebpf()
disable = true;
tc = true;
interface_tc();
const char *maps[34] = {tproxy_map_path, diag_map_path, if_map_path, count_map_path,
const char *maps[36] = {tproxy_map_path, diag_map_path, if_map_path, count_map_path,
udp_map_path, matched_map_path, tcp_map_path, tun_map_path, if_tun_map_path,
transp_map_path, rb_map_path, ddos_saddr_map_path, ddos_dport_map_path, syn_count_map_path,
tp_ext_map_path, if_list_ext_map_path, range_map_path, wildcard_port_map_path, tproxy6_map_path,
if6_map_path, count6_map_path, matched6_map_path, egress_range_map_path, egress_if_list_ext_map_path,
egress_ext_map_path, egress_map_path, egress6_map_path, egress_count_map_path, egress_count6_map_path,
egress_matched6_map_path, egress_matched_map_path, udp_ingress_map_path, tcp_ingress_map_path, masquerade_map_path};
for (int map_count = 0; map_count < 34; map_count++)
egress_matched6_map_path, egress_matched_map_path, udp_ingress_map_path, tcp_ingress_map_path,
masquerade_map_path, icmp_masquerade_map_path, icmp_echo_map_path};
for (int map_count = 0; map_count < 36; map_count++)
{

int stat = remove(maps[map_count]);
Expand Down Expand Up @@ -3098,7 +3104,10 @@ static int process_events(void *ctx, void *data, size_t len)
{
state = "MATCHED_DROP_FILTER";
}
printf("code=%d\n", code);
else if (code == MATCHED_DROP_FILTER)
{
state = "MATCHED_DROP_FILTER";
}

if (state)
{
Expand All @@ -3116,10 +3125,36 @@ static int process_events(void *ctx, void *data, size_t len)
}
else if (evt->proto == IPPROTO_ICMP && ifname)
{
char *state = NULL;
__u16 code = evt->tracking_code;
__u8 inner_ttl = evt->dest[0];
__u8 outer_ttl = evt->source[0];
if (code == 4)
if (code == ICMP_MATCHED_ACTIVE_STATE)
{
state = "ICMP_MATCHED_ACTIVE_STATE";
}
else if (code == ICMP_MATCHED_EXPIRED_STATE)
{
state = "ICMP_MATCHED_EXPIRED_STATE";
}
else if (code == CLIENT_INITIATED_ICMP_ECHO)
{
state = "CLIENT_INITIATED_ICMP_ECHO";
}
if(state)
{
sprintf(message, "%s : %s : %s : %s : %s > %s outbound_tracking ICMP %s ---> %s\n", ts, ifname,
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, daddr,(evt->direction == INGRESS) ? "ECHO-REPLY" : "ECHO" ,state);
if (logging)
{
res = write_log(log_file_name, message);
}
else
{
printf("%s", message);
}
}
else if (code == 4)
{
/*evt->sport is use repurposed store next hop mtu*/
sprintf(message, "%s : %s : %s : %s :%s --> reported next hop mtu:%d > FRAGMENTATION NEEDED IN PATH TO:%s:%d\n", ts, ifname,
Expand Down Expand Up @@ -3426,6 +3461,35 @@ static int process_events(void *ctx, void *data, size_t len)
printf("%s", message);
}
}
}else if (evt->proto == IPPROTO_ICMPV6 && ifname)
{
char *state = NULL;
__u16 code = evt->tracking_code;
if (code == ICMP_MATCHED_ACTIVE_STATE)
{
state = "ICMP_MATCHED_ACTIVE_STATE";
}
else if (code == ICMP_MATCHED_EXPIRED_STATE)
{
state = "ICMP_MATCHED_EXPIRED_STATE";
}
else if (code == CLIENT_INITIATED_ICMP_ECHO)
{
state = "CLIENT_INITIATED_ICMP_ECHO";
}
if(state)
{
sprintf(message, "%s : %s : %s : %s : %s > %s outbound_tracking ICMP %s ---> %s\n", ts, ifname,
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr6, daddr6,(evt->direction == INGRESS) ? "ECHO-REPLY" : "ECHO" ,state);
if (logging)
{
res = write_log(log_file_name, message);
}
else
{
printf("%s", message);
}
}
}
else if (ifname)
{
Expand Down
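Review bot: The new `else if (code == MATCHED_DROP_FILTER)` branch that appears to replace the `printf("code=%d\n", code);` debug line sits directly after a branch that already assigns `state = "MATCHED_DROP_FILTER"` (its condition is above the hunk); if that condition is the same, the added branch can never be taken and should simply be dropped, which is what the matching hunk in zfw_monitor.c does. The two new ICMP/ICMPv6 log paths also write with unbounded `sprintf(message, ...)` from interface-name and address strings; the size of `message` is not visible here, but `snprintf(message, sizeof(message), ...)` would make the write bounded regardless. The `"ECHO"`/`"ECHO-REPLY"` label is derived from `evt->direction` rather than from the ICMP type, so it is only accurate if the eBPF side emits these three tracking codes solely for echo and echo-reply; a comment such as `/* codes 27-29 are only raised for echo/echo-reply, so direction implies the type */` would record that assumption. process_events starts and ends outside this hunk.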
63 changes: 60 additions & 3 deletions src/zfw_monitor.c
Expand Up @@ -65,6 +65,9 @@
#define INGRESS_SERVER_RST_RCVD 24
#define INGRESS_SERVER_FINAL_ACK_RCVD 25
#define MATCHED_DROP_FILTER 26
#define ICMP_MATCHED_EXPIRED_STATE 27
#define ICMP_MATCHED_ACTIVE_STATE 28
#define CLIENT_INITIATED_ICMP_ECHO 29
#define IP6_HEADER_TOO_BIG 30
#define IPV6_TUPLE_TOO_BIG 31

Expand All @@ -78,7 +81,7 @@ char check_alt[IF_NAMESIZE];
char doc[] = "zfw_monitor -- ebpf firewall monitor tool";
const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map";
const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map";
const char *argp_program_version = "0.8.12";
const char *argp_program_version = "0.8.13";
union bpf_attr rb_map;
int rb_fd = -1;

Expand Down Expand Up @@ -507,7 +510,6 @@ static int process_events(void *ctx, void *data, size_t len)
{
state = "MATCHED_DROP_FILTER";
}
printf("code=%d\n", code);

if (state)
{
Expand All @@ -525,10 +527,36 @@ static int process_events(void *ctx, void *data, size_t len)
}
else if (evt->proto == IPPROTO_ICMP && ifname)
{
char *state = NULL;
__u16 code = evt->tracking_code;
__u8 inner_ttl = evt->dest[0];
__u8 outer_ttl = evt->source[0];
if (code == 4)
if (code == ICMP_MATCHED_ACTIVE_STATE)
{
state = "ICMP_MATCHED_ACTIVE_STATE";
}
else if (code == ICMP_MATCHED_EXPIRED_STATE)
{
state = "ICMP_MATCHED_EXPIRED_STATE";
}
else if (code == CLIENT_INITIATED_ICMP_ECHO)
{
state = "CLIENT_INITIATED_ICMP_ECHO";
}
if(state)
{
sprintf(message, "%s : %s : %s : %s : %s > %s outbound_tracking ICMP %s ---> %s\n", ts, ifname,
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, daddr,(evt->direction == INGRESS) ? "ECHO-REPLY" : "ECHO" ,state);
if (logging)
{
res = write_log(log_file_name, message);
}
else
{
printf("%s", message);
}
}
else if (code == 4)
{
/*evt->sport is use repurposed store next hop mtu*/
sprintf(message, "%s : %s : %s : %s :%s --> reported next hop mtu:%d > FRAGMENTATION NEEDED IN PATH TO:%s:%d\n", ts, ifname,
Expand Down Expand Up @@ -835,6 +863,35 @@ static int process_events(void *ctx, void *data, size_t len)
printf("%s", message);
}
}
}else if (evt->proto == IPPROTO_ICMPV6 && ifname)
{
char *state = NULL;
__u16 code = evt->tracking_code;
if (code == ICMP_MATCHED_ACTIVE_STATE)
{
state = "ICMP_MATCHED_ACTIVE_STATE";
}
else if (code == ICMP_MATCHED_EXPIRED_STATE)
{
state = "ICMP_MATCHED_EXPIRED_STATE";
}
else if (code == CLIENT_INITIATED_ICMP_ECHO)
{
state = "CLIENT_INITIATED_ICMP_ECHO";
}
if(state)
{
sprintf(message, "%s : %s : %s : %s : %s > %s outbound_tracking ICMP %s ---> %s\n", ts, ifname,
(evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr6, daddr6,(evt->direction == INGRESS) ? "ECHO-REPLY" : "ECHO" ,state);
if (logging)
{
res = write_log(log_file_name, message);
}
else
{
printf("%s", message);
}
}
}
else if (ifname)
{
Expand Down
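Review bot: The tracking-code-to-name chain (`ICMP_MATCHED_ACTIVE_STATE`, `ICMP_MATCHED_EXPIRED_STATE`, `CLIENT_INITIATED_ICMP_ECHO`) is now written out four times, twice in this file and twice in zfw.c, and the two `sprintf` calls that follow it differ only in the address variables; a small `static` helper returning NULL for unknown codes would keep the IPv4 and IPv6 paths from drifting. Both new log lines use unbounded `sprintf` into `message` with interface-name and address strings whose lengths are not checked here; `message`'s size is outside the hunk, so `snprintf(message, sizeof(message), ...)` is the safer form either way. The `}else if (evt->proto == IPPROTO_ICMPV6 && ifname)` line also wants a space after the brace to match the surrounding style. process_events starts and ends outside this hunk.

```c
/* Printable name for the outbound ICMP echo tracking codes; NULL for any other code. */
static const char *icmp_state_name(__u16 code)
{
    switch (code) {
    case ICMP_MATCHED_ACTIVE_STATE:  return "ICMP_MATCHED_ACTIVE_STATE";
    case ICMP_MATCHED_EXPIRED_STATE: return "ICMP_MATCHED_EXPIRED_STATE";
    case CLIENT_INITIATED_ICMP_ECHO: return "CLIENT_INITIATED_ICMP_ECHO";
    default:                         return NULL;
    }
}

/* … unchanged: process_events up to the ICMP branch … */
    const char *state = icmp_state_name(evt->tracking_code);
    if (state)
    {
        snprintf(message, sizeof(message), "%s : %s : %s : %s : %s > %s outbound_tracking ICMP %s ---> %s\n", ts, ifname,
                 (evt->direction == INGRESS) ? "INGRESS" : "EGRESS", protocol, saddr, daddr, (evt->direction == INGRESS) ? "ECHO-REPLY" : "ECHO", state);
/* … unchanged: logging / printf and the IPv6 branch, which uses saddr6/daddr6 … */
```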