From 7b047ca121fdc97f1bb327ec95497a1171f66fb3 Mon Sep 17 00:00:00 2001
From: r-caamano
Date: Mon, 21 Aug 2023 20:19:38 +0000
Subject: [PATCH] Switched egress allowedSourceAddress discovery to event channel due to new feature in ZET 0.22.5, also added support for eapol frames and added "make" to compile prerequisites in BUILD.md
---
 .github/workflows/ci.yml | 5 +-
 .github/workflows/release.yml | 5 +-
 BUILD.md | 4 +-
 CHANGELOG.md | 12 +-
 README.md | 2 +-
 src/zfw.c | 73 +++++++-
 src/zfw_tc_ingress.c | 6 +
 src/zfw_tunnel_wrapper.c | 337 +++++++++++-----------------------
 8 files changed, 199 insertions(+), 245 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d498b6d..225a7df 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -71,12 +71,11 @@ jobs:
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
 ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
- dpkg-deb --build -Z gzip --root-owner-group ${{ steps.deb_dir.outputs.deb_dir }}
 - name: Set Deb Predepends
 if: ${{ matrix.ziti_type == 'tunnel' }}
 run: |
- echo 'Pre-Depends: ziti-edge-tunnel (>= 0.21.0)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
+ echo 'Pre-Depends: ziti-edge-tunnel (>= 0.22.5)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
 cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
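Review bot: The removed `dpkg-deb --build -Z gzip --root-owner-group ...` line is the only package build step visible in this hunk and the diff adds no replacement for it, so unless a later `dpkg-deb --build` step already exists after the `Set Deb Predepends` step (outside the hunk) the tunnel package is no longer produced; the same removal appears in the release.yml hunk at @@ -72. If that later step does exist, the deletion is correct, since the old order built the .deb before `Pre-Depends` was appended to DEBIAN/control and the constraint never reached the package. The new constraint `ziti-edge-tunnel (>= 0.22.5)` also disagrees with the CHANGELOG entry in this commit, which says "ZET 0.22.4 or above"; settle on one value, because Pre-Depends is what actually stops the wrapper being installed on a tunneler that lacks the event-channel data it now relies on.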
@@ -165,7 +164,7 @@ jobs:
 - name: Set Deb Predepends
 if: ${{ matrix.ziti_type == 'tunnel' }}
 run: |
- echo 'Pre-Depends: ziti-edge-tunnel (>= 0.21.0)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
+ echo 'Pre-Depends: ziti-edge-tunnel (>= 0.22.5)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
 cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b26667d..c378a55 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -72,12 +72,11 @@ jobs:
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/start_ebpf_${{ matrix.ziti_type }}.py
 chmod 744 ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/user/user_rules.sh.sample
 ln -s /opt/openziti/bin/zfw ${{ steps.deb_dir.outputs.deb_dir }}/usr/sbin/zfw
- dpkg-deb --build -Z gzip --root-owner-group ${{ steps.deb_dir.outputs.deb_dir }}
 - name: Set Deb Predepends
 if: ${{ matrix.ziti_type == 'tunnel' }}
 run: |
- echo 'Pre-Depends: ziti-edge-tunnel (>= 0.21.0)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
+ echo 'Pre-Depends: ziti-edge-tunnel (>= 0.22.5)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
 cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
@@ -166,7 +165,7 @@ jobs:
 - name: Set Deb Predepends
 if: ${{ matrix.ziti_type == 'tunnel' }}
 run: |
- echo 'Pre-Depends: ziti-edge-tunnel (>= 0.21.0)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
+ echo 'Pre-Depends: ziti-edge-tunnel (>= 0.22.5)' >> ${{ steps.deb_dir.outputs.deb_dir }}/DEBIAN/control
 cp -p files/services/ziti-fw-init.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 cp -p files/services/ziti-wrapper.service ${{ steps.deb_dir.outputs.deb_dir }}/etc/systemd/system/
 cp -p files/bin/zfw_tunnwrapper ${{ steps.deb_dir.outputs.deb_dir }}/opt/openziti/bin/
diff --git a/BUILD.md b/BUILD.md
index 7922007..c94e2b9 100644
--- a/BUILD.md
+++ b/BUILD.md
@@ -9,7 +9,7 @@ sudo apt update sudo apt upgrade sudo reboot
- sudo apt install -y gcc clang libc6-dev-i386 libbpfcc-dev libbpf-dev libjson-c-dev
+ sudo apt install -y gcc clang libc6-dev-i386 libbpfcc-dev libbpf-dev libjson-c-dev make
 ```
 1. Compile:
@@ -32,7 +32,7 @@ sudo apt update sudo apt upgrade sudo reboot
- sudo apt-get install -y gcc clang libbpfcc-dev libbpf-dev libjson-c-dev
+ sudo apt-get install -y gcc clang libbpfcc-dev libbpf-dev libjson-c-dev make
 ```
 1. Compile:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2457202..c3711e2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,16 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ---
+
+# [0.5.0] - 2023-08-18
+
+###
+
+- Added make to pre-compile binary package installs listed in BUILD.md
+- Changed bind service lookup from dumpfile to event channel. 0.5.0 will only work with
+ ZET 0.22.4 or above
+- Added passthrough support for eapol (802.1X) frames
+
 # [0.4.6] - 2023-08-13
 ###
@@ -28,7 +38,7 @@ All notable changes to this project will be documented in this file. The format properly updating the ziti-router.service file. # [0.4.3] - 2023-07-25 - + ### -- Refactored monitoring to use ring buffer and removed all bpf_printk() helper calls
diff --git a/README.md b/README.md
index 8696037..dc8355f 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ edge-routers deb package. ## Ziti-Edge-Tunnel Deployment The program is designed to be deployed as systemd services if deployed via .deb package with
-an existing ziti-edge-tunnel(v21.0 +) installation on Ubuntu 22.04(amd64/arm64)service installation. If you don't currently
+an existing ziti-edge-tunnel(v22.5 +) installation on Ubuntu 22.04(amd64/arm64)service installation. If you don't currently
 have ziti-edge-tunnel installed and an operational OpenZiti network built, follow these [instructions](https://docs.openziti.io/docs/guides/Local_Gateway/EdgeTunnel).
diff --git a/src/zfw.c b/src/zfw.c
index 2d51d30..572fbf7 100644
--- a/src/zfw.c
+++ b/src/zfw.c
@@ -90,6 +90,7 @@ bool route = false;
 bool passthru = false;
 bool intercept = false;
 bool echo = false;
+bool eapol = false;
 bool verbose = false;
 bool vrrp = false;
 bool per_interface = false;
@@ -138,6 +139,7 @@ char doc[] = "zfw -- ebpf firewall configuration tool";
 const char *if_map_path;
 char *diag_interface;
 char *echo_interface;
+char *eapol_interface;
 char *verbose_interface;
 char *ssh_interface;
 char *prefix_interface;
@@ -147,7 +149,7 @@ char *monitor_interface;
 char *tc_interface;
 char *object_file;
 char *direction_string;
-const char *argp_program_version = "0.4.6";
+const char *argp_program_version = "0.5.0";
 struct ring_buffer *ring_buffer;
 __u8 if_list[MAX_IF_LIST_ENTRIES];
@@ -206,6 +208,7 @@ struct diag_ip4
 bool tc_egress;
 bool tun_mode;
 bool vrrp;
+ bool eapol;
 };
 struct tproxy_port_mapping
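Review bot: `struct diag_ip4` gains `bool eapol` here and again, by hand, in src/zfw_tc_ingress.c (@@ -191); nothing ties the two definitions together, and if they drift the userspace tool and the BPF object read the diag map value with different layouts, which the raw `syscall(__NR_bpf, ...)` path does not detect. Add the same comment on both definitions, e.g. `/* shared diag map value: must match struct diag_ip4 in zfw_tc_ingress.c, append fields only */`, or move the struct into a header both files include. The other hunks on this line are a version bump and documentation changes.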
@@ -886,6 +889,18 @@ bool set_diag(uint32_t *idx)
 }
 printf("Set verbose to %d for %s\n", !disable, verbose_interface);
 }
+ if (eapol)
+ {
+ if (!disable)
+ {
+ o_diag.eapol = true;
+ }
+ else
+ {
+ o_diag.eapol = false;
+ }
+ printf("Set eapol to %d for %s\n", !disable, eapol_interface);
+ }
 if (per_interface)
 {
 if (!disable)
@@ -992,6 +1007,7 @@ bool set_diag(uint32_t *idx)
 printf("%-24s:%d\n", "tc egress filter", o_diag.tc_egress);
 printf("%-24s:%d\n", "tun mode intercept", o_diag.tun_mode);
 printf("%-24s:%d\n", "vrrp enable", o_diag.vrrp);
+ printf("%-24s:%d\n", "eapol enable", o_diag.eapol);
 printf("--------------------------\n\n");
 }
 }
@@ -1150,8 +1166,9 @@ void interface_diag()
 diag_interface = address->ifa_name;
 tun_interface = address->ifa_name;
 vrrp_interface = address->ifa_name;
+ eapol_interface = address->ifa_name;
 }
- if(!strncmp(address->ifa_name, "tun", 3) && (tun || per_interface || ssh_disable || echo || vrrp)){
+ if(!strncmp(address->ifa_name, "tun", 3) && (tun || per_interface || ssh_disable || echo || vrrp || eapol)){
 if(per_interface && !strncmp(prefix_interface, "tun", 3)){
 printf("%s:zfw does not allow setting on tun interfaces!\n", address->ifa_name);
 }
@@ -1167,10 +1184,13 @@ void interface_diag()
 if(vrrp && !strncmp(vrrp_interface, "tun", 3)){
 printf("%s:zfw does not allow setting on tun interfaces!\n", address->ifa_name);
 }
+ if(eapol && !strncmp(eapol_interface, "tun", 3)){
+ printf("%s:zfw does not allow setting on tun interfaces!\n", address->ifa_name);
+ }
 address = address->ifa_next;
 continue;
 }
- if(!strncmp(address->ifa_name, "ziti", 4) && (tun || per_interface || ssh_disable || echo || vrrp)){
+ if(!strncmp(address->ifa_name, "ziti", 4) && (tun || per_interface || ssh_disable || echo || vrrp || eapol)){
 if(per_interface && !strncmp(prefix_interface, "ziti", 4)){
 printf("%s:zfw does not allow setting on tun interfaces!\n", address->ifa_name);
 }
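Review bot: The eight-line `if (!disable) { o_diag.eapol = true; } else { o_diag.eapol = false; }` added to set_diag collapses to `o_diag.eapol = !disable;`, which is the very expression the printf on the next line already evaluates; the same shape is repeated for the other flags, so this is a point of style rather than a defect. set_diag and interface_diag both start and end outside these hunks.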
@@ -1186,6 +1206,9 @@ void interface_diag()
 if(vrrp && !strncmp(vrrp_interface, "ziti", 4)){
 printf("%s:zfw does not allow setting on tun interfaces!\n", address->ifa_name);
 }
+ if(eapol && !strncmp(eapol_interface, "ziti", 4)){
+ printf("%s:zfw does not allow setting on tun interfaces!\n", address->ifa_name);
+ }
 address = address->ifa_next;
 continue;
 }
@@ -1205,6 +1228,14 @@ void interface_diag()
 }
 }
+ if (eapol)
+ {
+ if (!strcmp(eapol_interface, address->ifa_name))
+ {
+ set_diag(&idx);
+ }
+ }
+
 if (verbose)
 {
 if(!strncmp(address->ifa_name, "tun", 3) && !strncmp(verbose_interface,"tun", 3)){
@@ -2159,6 +2190,7 @@ static struct argp_option options[] = {
 {"set-tc-filter", 'X', "", 0, "Add/remove TC filter to/from interface", 0},
 {"object-file", 'O', "", 0, "Set object file", 0},
 {"direction", 'z', "", 0, "Set direction", 0},
+ {"enable-eapol", 'w', "", 0, "enable 802.1X eapol packets inbound on interface", 0},
 {0}};
 static error_t parse_opt(int key, char *arg, struct argp_state *state)
@@ -2445,6 +2477,28 @@ static error_t parse_opt(int key, char *arg, struct argp_state *state)
 verbose_interface = arg;
 }
 break;
+ case 'w':
+ if (!strlen(arg) || (strchr(arg, '-') != NULL))
+ {
+ fprintf(stderr, "Interface name or all required as arg to -w, --enable-eapol: %s\n", arg);
+ fprintf(stderr, "%s --help for more info\n", program_name);
+ exit(1);
+ }
+ idx = if_nametoindex(arg);
+ if(strcmp("all", arg) && idx == 0){
+ printf("Interface not found: %s\n", arg);
+ exit(1);
+ }
+ eapol = true;
+ if (!strcmp("all", arg))
+ {
+ all_interface = true;
+ }
+ else
+ {
+ eapol_interface = arg;
+ }
+ break;
 case 'x':
 if (!strlen(arg) || (strchr(arg, '-') != NULL))
 {
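Review bot: The help text `"enable 802.1X eapol packets inbound on interface"` does not tell the operator what the flag changes in the data path: per the zfw_tc_ingress.c hunk in this commit, frames carrying EtherType 0x888E on that interface return TC_ACT_OK before the `get_tuple()` call, i.e. they bypass the rest of the ingress filter. Suggested option line: `{"enable-eapol", 'w', "", 0, "Pass 802.1X EAPOL (EtherType 0x888E) frames through the ingress filter on interface, or all", 0},`. The `case 'w'` block repeats the argument check, `if_nametoindex()` lookup and `all` handling of the neighbouring `case 'x'` verbatim; a small helper shared by these cases would keep the copies from drifting. parse_opt starts and ends outside the hunk.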
@@ -2606,7 +2660,7 @@ int main(int argc, char **argv)
 if (ebpf_disable)
 {
- if (tcfilter || echo || ssh_disable || verbose || per_interface || add || delete || list || flush)
+ if (tcfilter || echo || ssh_disable || verbose || per_interface || add || delete || list || flush || monitor || eapol)
 {
 usage("Q, --disable-ebpf cannot be used in combination call");
 }
@@ -2633,6 +2687,11 @@ int main(int argc, char **argv)
 usage("-T, --set-tun-mode cannot be set as a part of combination call to zfw");
 }
+ if ((eapol && (monitor || tun || echo || ssh_disable || verbose || per_interface || add || delete || list || flush || tcfilter || vrrp)))
+ {
+ usage("-M, --enable-eapol cannot be set as a part of combination call to zfw");
+ }
+
 if (( monitor && (tun || echo || ssh_disable || verbose || per_interface || add || delete || list || flush || tcfilter || vrrp)))
 {
 usage("-M, --monitor cannot be set as a part of combination call to zfw");
@@ -2678,9 +2737,9 @@ int main(int argc, char **argv)
 usage("Missing argument -r, --route requires -I --insert, -D --delete or -F --flush");
 }
- if (disable && (!ssh_disable && !echo && !verbose && !per_interface && !tcfilter && !tun && !vrrp))
+ if (disable && (!ssh_disable && !echo && !verbose && !per_interface && !tcfilter && !tun && !vrrp && !eapol))
 {
- usage("Missing argument at least one of -e, -v, -x, or -E, -P, -R, -T, -X");
+ usage("Missing argument at least one of -e, -v, -x, w, or -E, -P, -R, -T, -X");
 }
 if (direction && !tcfilter)
@@ -2831,7 +2890,7 @@ int main(int argc, char **argv)
 map_list();
 }
 }
- else if (vrrp || verbose || ssh_disable || echo || per_interface || tun)
+ else if (vrrp || verbose || ssh_disable || echo || per_interface || tun || eapol)
 {
 interface_diag();
 exit(0);
diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
index 1bbe609..c889fbd 100644
--- a/src/zfw_tc_ingress.c
+++ b/src/zfw_tc_ingress.c
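Review bot: The new combination check in the @@ -2633 hunk reports the wrong flag: `usage("-M, --enable-eapol cannot be set as a part of combination call to zfw");` names `-M`, which is `--monitor`, while the option this commit adds is `-w`; it should read `usage("-w, --enable-eapol cannot be set as a part of combination call to zfw");`. In the @@ -2678 hunk the updated message `"Missing argument at least one of -e, -v, -x, w, or -E, -P, -R, -T, -X"` drops the dash on `w`; use `"Missing argument at least one of -e, -v, -x, -w, or -E, -P, -R, -T, -X"`. main() starts and ends outside these hunks.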
@@ -191,6 +191,7 @@ struct diag_ip4 {
 bool tc_egress;
 bool tun_mode;
 bool vrrp;
+ bool eapol;
 };
 /*Value to tun_map*/
@@ -678,6 +679,11 @@ int bpf_sk_splice(struct __sk_buff *skb){
 if ((unsigned long)(eth + 1) > (unsigned long)skb->data_end){
 return TC_ACT_SHOT;
 }
+
+ /*check if 802.1X and passthrough is enabled*/
+ if((bpf_ntohs(eth->h_proto) == 0x888e) && local_diag->eapol){
+ return TC_ACT_OK;
+ }
 /* check if incoming packet is a UDP or TCP tuple */
 tuple = get_tuple(skb, sizeof(*eth), eth->h_proto, &ipv4,&ipv6, &udp, &tcp, &arp, &icmp, &vrrp, &event, local_diag);
diff --git a/src/zfw_tunnel_wrapper.c b/src/zfw_tunnel_wrapper.c
index 103a02b..d802266 100644
--- a/src/zfw_tunnel_wrapper.c
+++ b/src/zfw_tunnel_wrapper.c
@@ -63,7 +63,8 @@ void unbind_route_loopback(struct in_addr *address, unsigned short mask);
 void INThandler(int sig);
 void map_delete_key(char *service_id);
 void route_flush();
-int process_bind(char *service_id);
+int process_bind(json_object *jobj, char *action);
+int process_routes(char *service_id);
 /*convert integer ip to dotted decimal string*/
 char *nitoa(uint32_t address)
@@ -145,10 +146,30 @@ void route_flush()
 transp_map.key = transp_map.next_key;
 current_key = *(struct transp_key *)transp_map.key;
 //map_delete_key(current_key.service_id);
- process_bind(current_key.service_id);
+ process_routes(current_key.service_id);
 }
 }
+int process_routes(char *service_id){
+ struct transp_key key = {{0}};
+ sprintf(key.service_id, "%s", service_id);
+ struct transp_value o_routes;
+ transp_map.key = (uint64_t)&key;
+ transp_map.value = (uint64_t)&o_routes;
+ transp_map.map_fd = transp_fd;
+ transp_map.flags = BPF_ANY;
+ int lookup = syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &transp_map, sizeof(transp_map));
+ bool changed = false;
+ if (!lookup)
+ {
+ for(int x = 0; x <= o_routes.count; x++){
+ unbind_route_loopback(&o_routes.tentry[x].saddr, o_routes.tentry[x].prefix_len);
+ }
+ map_delete_key(service_id);
+ }
+ return 0;
+}
+
 void ebpf_usage()
 {
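Review bot: `0x888e` in the new bpf_sk_splice check is a magic number; `<linux/if_ether.h>`, which the `eth->h_proto` access implies is already included, defines it as `ETH_P_PAE`, so the line reads better as `if ((bpf_ntohs(eth->h_proto) == ETH_P_PAE) && local_diag->eapol) {`. The early `return TC_ACT_OK` means such frames skip everything that follows, including the `get_tuple()` call, whenever the per-interface flag is set; that is the intent, but the comment should say so, e.g. `/* 802.1X passthrough: EAPOL frames bypass all further ingress filtering when enabled for this interface */`. `local_diag` is dereferenced here without a NULL check and the lookup that sets it is outside the hunk, so confirm it cannot be NULL on this path. bpf_sk_splice starts and ends outside the hunk.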
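Review bot: `sprintf(key.service_id, "%s", service_id);` in process_routes copies an unbounded string into the fixed-size map key; route_flush() passes keys read back from the map and process_bind() passes a 32-byte buffer it has already length-checked, but the function itself has no guard, so use `snprintf(key.service_id, sizeof key.service_id, "%s", service_id);`. `bool changed = false;` is never read, and the function always returns 0, so its `int` result carries no information; return the lookup/delete outcome or make it void. The loop bound `x <= o_routes.count` is only right because process_bind stores the last index written (`o_routes.count = j`) rather than a count, which deserves a comment such as `/* count holds the highest index written, hence <= */`.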
@@ -362,185 +383,113 @@ void zfw_update(char *ip, char *mask, char *lowport, char *highport, char *proto } } -int readfile(char *filename){ - if(transp_fd == -1){ +int process_bind(json_object *jobj, char *action) +{ + if (transp_fd == -1) + { open_transp_map(); } - FILE *textfile; - char line[MAX_LINE_LENGTH]; - bool isIntercept = false; - bool isHosting = false; - char *rawString, *jString; - textfile = fopen(filename, "r"); - if(textfile == NULL){ - return 1; - } char service_id[32]; - bool valid_id =false; - while(fgets(line, MAX_LINE_LENGTH, textfile)) + struct json_object *id_obj = json_object_object_get(jobj, "Id"); + if(id_obj) { - if(strstr((char *)line, "perm(dial=false,bind=true)")){ - isHosting = true; - char *idString = strstr((char *)line, " id["); - char *end = strstr((char *)line, " id["); - if(idString){ - char *idStart = idString + 4; - for(int x = 0; x <= 31; x++){ - service_id[x] = idStart[x]; - if(idStart[x] == ']'){ - service_id[x] = '\0'; - valid_id = true; - break; - } - if(x == 31){ - valid_id = false; - } - } - } - if(valid_id){ - printf("Found service id = %s\n", service_id); - } - else{ - printf("Invalid Service ID\n"); - } - } - if(valid_id){ - if (transp_fd == -1) - { - open_transp_map(); - } - if (strstr((char *)line, "posture queries")) - { - isHosting = false; - } - if (strlen(line)) - { - line[strlen(line) - 1] = '\0'; - } - rawString = strstr((char *)line, "config[host.v1]="); - if (rawString) - { - jString = (char *)rawString + 16; - } - if (isHosting && rawString) + if((strlen(json_object_get_string(id_obj)) + 1 ) <= 32) + { + sprintf(service_id, "%s", json_object_get_string(id_obj)); + struct json_object *addresses_obj = json_object_object_get(jobj, "Addresses"); + if(addresses_obj && !strcmp(action,"-I")) { - struct json_object *jobj = json_tokener_parse(jString); - if (jobj) + int addresses_obj_len = json_object_array_length(addresses_obj); + // enum json_type type; + struct json_object *allowedSourceAddresses = 
json_object_object_get(jobj, "AllowedSourceAddresses"); + if (allowedSourceAddresses) { - printf("Service json = %s\n", json_object_to_json_string_ext(jobj, JSON_C_TO_STRING_PLAIN)); - // enum json_type type; - struct json_object *allowedSourceAddresses = json_object_object_get(jobj, "allowedSourceAddresses"); - if (allowedSourceAddresses) + int allowedSourceAddresses_len = json_object_array_length(allowedSourceAddresses); + printf("allowedSourceAddresses key exists: binding addresses to loopback\n"); + int j; + for (j = 0; j < allowedSourceAddresses_len; j++) { - int allowedSourceAddresses_len = json_object_array_length(allowedSourceAddresses); - if (allowedSourceAddresses) + struct json_object *address_obj = json_object_array_get_idx(allowedSourceAddresses, j); + if (address_obj) { - printf("allowedSourceAddresses key exists: binding addresses to loopback\n"); - int j; - for (j = 0; j < allowedSourceAddresses_len; j++) - { - struct json_object *addressobj = json_object_array_get_idx(allowedSourceAddresses, j); - if (addressobj) + struct json_object *host_obj = json_object_object_get(address_obj, "IsHost"); + if(host_obj){ + bool is_host = json_object_get_boolean(host_obj); + char ip[16]; + char mask[10]; + if(is_host) { - char *cidrString = strstr(json_object_get_string(addressobj), "/"); - char mask[3]; - char dest[strlen(json_object_get_string(addressobj)) + 1]; - char prefix[strlen(json_object_get_string(addressobj)) + 1]; - sprintf(prefix, "%s", json_object_get_string(addressobj)); - if ((cidrString) && strlen((char *)(cidrString + 1)) < 3) - { - sprintf(mask, "%s", (char *)(cidrString + 1)); - memset(dest, 0, strlen(json_object_get_string(addressobj)) + 1); - memcpy(dest, prefix, strlen(prefix) - (strlen(cidrString))); - } - else - { - sprintf(dest, "%s", prefix); - sprintf(mask, "%s", "32"); - } - struct in_addr tuncidr; - if (inet_aton(dest, &tuncidr)) - { - bind_route(&tuncidr, len2u16(mask)); - if (allowedSourceAddresses_len < MAX_TRANSP_ROUTES) - { - 
struct transp_key key = {{0}}; - sprintf(key.service_id, "%s", service_id); - struct transp_value o_routes; - transp_map.key = (uint64_t)&key; - transp_map.value = (uint64_t)&o_routes; - transp_map.map_fd = transp_fd; - transp_map.flags = BPF_ANY; - int lookup = syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &transp_map, sizeof(transp_map)); - bool changed = false; - if (lookup) - { - o_routes.tentry[j].saddr = tuncidr; - o_routes.tentry[j].prefix_len = len2u16(mask); - o_routes.count = j; - int result = syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &transp_map, sizeof(transp_map)); - if (result) + printf("Invalid: Hostnames not supported for AllowedSourceAddress\n"); + }else + { + struct json_object *ip_obj = json_object_object_get(address_obj, "IP"); + printf("\n\nIP intercept:\n"); + if(ip_obj) + { + struct json_object *prefix_obj = json_object_object_get(address_obj, "Prefix"); + if(prefix_obj){ + char ip[strlen(json_object_get_string(ip_obj) + 1)]; + sprintf(ip,"%s", json_object_get_string(ip_obj)); + int smask = sprintf(mask, "%d", json_object_get_int(prefix_obj)); + printf("Service_IP=%s\n", ip); + struct in_addr tuncidr; + if (inet_aton(ip, &tuncidr)){ + bind_route(&tuncidr, len2u16(mask)); + if (j < MAX_TRANSP_ROUTES) { - printf("MAP_UPDATE_ELEM: %s \n", strerror(errno)); + struct transp_key key = {{0}}; + sprintf(key.service_id, "%s", service_id); + struct transp_value o_routes; + transp_map.key = (uint64_t)&key; + transp_map.value = (uint64_t)&o_routes; + transp_map.map_fd = transp_fd; + transp_map.flags = BPF_ANY; + int lookup = syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &transp_map, sizeof(transp_map)); + bool changed = false; + if (lookup) + { + o_routes.tentry[j].saddr = tuncidr; + o_routes.tentry[j].prefix_len = len2u16(mask); + o_routes.count = j; + int result = syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &transp_map, sizeof(transp_map)); + if (result) + { + printf("MAP_UPDATE_ELEM: %s \n", strerror(errno)); + } + } + else + { + o_routes.tentry[j].saddr = tuncidr; + 
o_routes.tentry[j].prefix_len = len2u16(mask); + o_routes.count = j; + int result = syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &transp_map, sizeof(transp_map)); + if (result) + { + printf("MAP_UPDATE_ELEM: %s \n", strerror(errno)); + } + } + } - } - else - { - o_routes.tentry[j].saddr = tuncidr; - o_routes.tentry[j].prefix_len = len2u16(mask); - o_routes.count = j; - int result = syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &transp_map, sizeof(transp_map)); - if (result) + else { - printf("MAP_UPDATE_ELEM: %s \n", strerror(errno)); + printf("Can't store more than %d transparency routes per service\n", MAX_TRANSP_ROUTES); } } - } - else - { - printf("Can't store more than %d transparency routes per service\n", MAX_TRANSP_ROUTES); - } - } - else - { - printf("Invalid Prefix\n"); } } } } } - } - json_object_put(jobj); + } + }else{ + process_routes(service_id); } } } - fclose(textfile); - return 0; -} - -int process_bind(char *service_id){ - struct transp_key key = {{0}}; - sprintf(key.service_id, "%s", service_id); - struct transp_value o_routes; - transp_map.key = (uint64_t)&key; - transp_map.value = (uint64_t)&o_routes; - transp_map.map_fd = transp_fd; - transp_map.flags = BPF_ANY; - int lookup = syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &transp_map, sizeof(transp_map)); - bool changed = false; - if (!lookup) - { - for(int x = 0; x <= o_routes.count; x++){ - unbind_route_loopback(&o_routes.tentry[x].saddr, o_routes.tentry[x].prefix_len); - } - map_delete_key(service_id); - } return 0; } - - int process_dial(json_object *jobj, char *action){ struct json_object *addresses_obj = json_object_object_get(jobj, "Addresses"); if(addresses_obj) 
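Review bot: `char ip[strlen(json_object_get_string(ip_obj) + 1)];` in the `Prefix` branch of process_bind puts the `+ 1` inside the `strlen()` call, so the VLA is sized one byte less than the string and the following `sprintf(ip, "%s", ...)` writes two bytes past it for every address; the intended line is `char ip[strlen(json_object_get_string(ip_obj)) + 1];` (the outer `char ip[16]` it shadows is never used). `sprintf(mask, "%d", json_object_get_int(prefix_obj))` has no range check, so a negative or over-large `Prefix` from the event stream goes straight to `len2u16()` and `bind_route()`, and a negative value needs up to 11 digits in the 10-byte `mask`; bound it to 0..32 before formatting, as below. The `if (lookup)` and `else` branches of the transp_map update are byte-identical and can be merged, `bool changed`, `int smask` and `int addresses_obj_len` are unused, and the `printf("\n\nIP intercept:\n")` copied from process_dial is misleading in a bind handler. The whole of process_bind lies inside this hunk.
```c
struct json_object *prefix_obj = json_object_object_get(address_obj, "Prefix");
if(prefix_obj){
    /* size from the full string; the original had the "+ 1" inside strlen() */
    char ip[strlen(json_object_get_string(ip_obj)) + 1];
    snprintf(ip, sizeof ip, "%s", json_object_get_string(ip_obj));
    int prefix = json_object_get_int(prefix_obj);
    if (prefix < 0 || prefix > 32)
    {
        printf("Invalid Prefix %d for %s\n", prefix, ip);
        continue;
    }
    snprintf(mask, sizeof mask, "%d", prefix);
    printf("Service_IP=%s\n", ip);
    // … unchanged: inet_aton, bind_route and the transp_map update …
```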
@@ -678,70 +627,12 @@ void enumerate_service(struct json_object *services_obj, char *action){ open_transp_map(); } printf("Service policy is Bind\n"); - if(!strcmp(action,"-D")){ - process_bind(service_id); - } + process_bind(service_obj, action); } } } } -void scrape_identity_log(struct json_object *ident_obj){ - if(ident_obj){ - struct json_object *name_obj = json_object_object_get(ident_obj, "Name"); - if(name_obj){ - char identity[strlen(json_object_get_string(name_obj) + 1)]; - sprintf(identity, "%s", json_object_get_string(name_obj)); - printf("Scraping log file for id:%s\n", identity); - char ident_dump_file[strlen(identity) + 6]; - sprintf(ident_dump_file, "%s.ziti", identity); - char symlink[strlen(ident_dump_file) + 6]; - sprintf(symlink,"/tmp/%s", ident_dump_file); - setpath("/tmp/", ident_dump_file, symlink); - readfile(symlink); - } - } -} - -int send_command(byte cmdbytes[], int cmd_length){ - char ctrl_buffer[BUFFER_SIZE]; - // send command to dump tunnel services to file - int ret = send(ctrl_socket, cmdbytes, cmd_length, 0); - if (ret == -1) - { - perror("write"); - return -1; - } - memset(&ctrl_buffer, 0, BUFFER_SIZE); - ret = recv(ctrl_socket, ctrl_buffer, BUFFER_SIZE, 0); - if ((ret == -1) || (ret == 0)) - { - perror("read"); - return -1; - } - /* Ensure buffer is 0-terminated. 
*/ - ctrl_buffer[BUFFER_SIZE - 1] = '\0'; - char *ctrl_jString = (char *)ctrl_buffer; - struct json_object *ctrl_jobj, *success; - ctrl_jobj = json_tokener_parse(ctrl_jString); - if (ctrl_jobj) - { - printf("%s\n", json_object_to_json_string_ext(ctrl_jobj, JSON_C_TO_STRING_PLAIN)); - success = json_object_object_get(ctrl_jobj, "Success"); - } - if (success) - { - char *result = (char *)json_object_to_json_string_ext(success, JSON_C_TO_STRING_PLAIN); - if (!strcmp("false", result)) - { - printf("Command: Failure possible version mismatch\n"); - return -1; - } - } - json_object_put(ctrl_jobj); - return 0; -} - void get_string(char source[4096], char dest[2048]){ int count = 0; while((source[count] != '\n') && (count < 1023)){ @@ -837,13 +728,6 @@ int run(){ printf("%s\n\n",json_object_to_json_string_ext(event_jobj,JSON_C_TO_STRING_PLAIN)); } if(!strcmp("status", operation)){ - //printf("Received Status Event\n"); - // send command to dump tunnel services to file - ret = send_command(cmdbytes, sizeof(cmdbytes)); - if (ret == -1) - { - return -1; - } struct json_object *status_obj = json_object_object_get(event_jobj, "Status"); if(status_obj){ @@ -873,7 +757,6 @@ int run(){ for(int i = 0; i < identities_len; i++){ struct json_object *ident_obj = json_object_array_get_idx(identities_obj, i); if(ident_obj){ - scrape_identity_log(ident_obj); struct json_object *services_obj = json_object_object_get(ident_obj, "Services"); if(services_obj){ enumerate_service(services_obj, "-I"); 
@@ -901,13 +784,11 @@ int run(){
 sprintf(action_string, "%s", json_object_get_string(action_obj));
 if(!strcmp("updated", action_string)){
 struct json_object *ident_obj = json_object_object_get(event_jobj, "Id");
- ret = send_command(cmdbytes, sizeof(cmdbytes));
- if (ret == -1)
- {
- return -1;
- }
 if(ident_obj){
- scrape_identity_log(ident_obj);
+ struct json_object *ident_services_obj = json_object_object_get(ident_obj, "Services");
+ if(ident_services_obj){
+ enumerate_service(ident_services_obj, "-I");
+ }
 }
 }
 }
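Review bot: On an identity `updated` event the new code re-runs enumerate_service with `"-I"` only, so a bind service that was removed from the identity keeps its loopback routes and transp_map entry until route_flush() runs, unless a separate removal event is handled elsewhere in run() outside this hunk. Consider remembering the service ids seen per identity and calling process_routes() for ids absent from the updated list, or confirm the event channel emits a removal that reaches the `"-D"` action process_bind handles; at minimum mark the gap with `/* TODO: services dropped from the identity are not unbound here */`. run() starts and ends outside the hunk.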