netfoundry · r-caamano · Aug 3, 2023 · Aug 3, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,13 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+# [0.4.5] - 2023-08-03
+
+###
+
+- Fixed ring buffer events for tunnel interface not sending correct source/destination ports.  Also changed default
+  xdp RB events to only send if verbose mode is enabled for the tun/ziti interface.  
+
 # [0.4.4] - 2023-08-01
 
 ###

diff --git a/README.md b/README.md
@@ -248,7 +248,7 @@ sudo systemctl restart ziti-router.service
 
 ### Ziti Edge Tunnel Bidirectional Transparency (zfw-tunnel only)
 
-In order to allow internal tunneler connections over ziti the default operation has been set to not delete any tunX link routes. This will disable the ability to support transparency on some architectures i.e. arm64.  There is now an environmental variable ```TRANSPARENT_MODE='true'``` that can be set in the ```/opt/openziti/etc/ziti-edge-tunnel.env``` file to enable deletion of tunX routes if bi-directional transparency is required at the expense of disabling internal tunneler interception.
+In order to allow internal tunneler connections over ziti the default operation has been set to not delete any tunX link routes. This will disable the ability to support transparency.  There is an environmental variable ```TRANSPARENT_MODE='true'``` that can be set in the ```/opt/openziti/etc/ziti-edge-tunnel.env``` file to enable deletion of tunX routes if bi-directional transparency is required at the expense of disabling internal tunneler interception.
 
 ### Supporting Internal Containers / VMs
 

diff --git a/src/zfw.c b/src/zfw.c
@@ -147,7 +147,7 @@ char *monitor_interface;
 char *tc_interface;
 char *object_file;
 char *direction_string;
-const char *argp_program_version = "0.4.4";
+const char *argp_program_version = "0.4.5";
 struct ring_buffer *ring_buffer;
 
 __u8 if_list[MAX_IF_LIST_ENTRIES];

diff --git a/src/zfw_xdp_tun_ingress.c b/src/zfw_xdp_tun_ingress.c
@@ -20,6 +20,9 @@
 #include <linux/ip.h>
 #include <stdbool.h>
 #include <linux/if.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
+#include <linux/in.h>
 
 #ifndef memcpy
  #define memcpy(dest, src, n) __builtin_memcpy((dest), (src), (n))
@@ -148,11 +151,6 @@ int xdp_redirect_prog(struct xdp_md *ctx)
     {
         return XDP_PASS;
     }  
-    struct ethhdr *eth = (struct ethhdr *)(unsigned long)(ctx->data);
-    /* verify its a valid eth header within the packet bounds */
-    if ((unsigned long)(eth + 1) > (unsigned long)ctx->data_end){
-            return XDP_PASS;
-    }
     struct iphdr *iph = (struct iphdr *)(unsigned long)(ctx->data);
     /* ensure ip header is in packet bounds */
     if ((unsigned long)(iph + 1) > (unsigned long)ctx->data_end){
@@ -192,23 +190,36 @@ int xdp_redirect_prog(struct xdp_md *ctx)
         if ((unsigned long)(eth + 1) > (unsigned long)ctx->data_end){
                 return XDP_PASS;
         }
-        struct iphdr *iph = (struct iphdr *)(ctx->data + sizeof(*eth));
-        /* ensure ip header is in packet bounds */
-        if ((unsigned long)(iph + 1) > (unsigned long)ctx->data_end){
-                return XDP_PASS;
-        }
-        /* ip options not allowed */
-        if (iph->ihl != 5){
-            return XDP_PASS;
+        if(tun_diag->verbose){
+            struct iphdr *iph = (struct iphdr *)(ctx->data + sizeof(*eth));
+            /* ensure ip header is in packet bounds */
+            if ((unsigned long)(iph + 1) > (unsigned long)ctx->data_end){
+                    return XDP_PASS;
+            }
+            __u8 protocol = iph->protocol;
+            if(protocol == IPPROTO_TCP){
+                struct tcphdr *tcph = (struct tcphdr *)((unsigned long)iph + sizeof(*iph));
+                if ((unsigned long)(tcph + 1) > (unsigned long)ctx->data_end){
+                    return XDP_PASS;
+                }
+                event.dport = tcph->dest;
+                event.sport = tcph->source;
+            }else if (protocol == IPPROTO_UDP){
+                struct udphdr *udph = (struct udphdr *)((unsigned long)iph + sizeof(*iph));
+                if ((unsigned long)(udph + 1) > (unsigned long)ctx->data_end){
+                    return XDP_PASS;
+                }
+                event.dport = udph->dest;
+                event.sport = udph->source;
+            }
+            event.tun_ifindex = tus->ifindex;
+            event.proto = protocol;
+            event.saddr = iph->saddr;
+            event.daddr = iph->daddr;
+            memcpy(&event.source, &tus->dest, 6);
+            memcpy(&event.dest, &tus->source, 6);
+            send_event(&event);
         }
-        __u8 protocol = iph->protocol;
-        event.tun_ifindex = tus->ifindex;
-        event.proto = protocol;
-        event.saddr = iph->saddr;
-        event.daddr = iph->daddr;
-        memcpy(&event.source, &tus->dest, 6);
-        memcpy(&event.dest, &tus->source, 6);
-        send_event(&event);
         memcpy(&eth->h_dest, &tus->source,6);
         memcpy(&eth->h_source, &tus->dest,6);
         unsigned short proto = bpf_htons(ETH_P_IP);