ebpf: added support for ipv6 tunnels

In order to intercept UDP tunnels traffic, we use iptunnel_xmit for IPv4
connections. The equivalent of IPv6 would be ip6tunnel_xmit, but
unfortunately it's not public.

So instead of ip6tunnel_xmit, we'll use udp_tunnel6_xmit_skb.

This function receives two parameters besides the struct sock*, in6_addr
*saddr and in6_addr *daddr. If these addresses are not set, usually the
connection is a localhost connection.

On the other hand, this function is defined in the module
ip6_udp_tunnel. If this module is not loaded when the daemon starts,
we'll fail to intercept the connections.

Closes: #1250

Author: gustavo-iniguez-goya

daemon/procmon/ebpf/ebpf.go

@@ -30,6 +30,8 @@ type KProbeDefs struct {
 	KProbeIPtunnelXmit        *ebpf.Program `ebpf:"kprobe__iptunnel_xmit"`
 	KProbeInetDgramConnect    *ebpf.Program `ebpf:"kprobe__inet_dgram_connect"`
 	KretProbeInetDgramConnect *ebpf.Program `ebpf:"kretprobe__inet_dgram_connect"`
+
+	KProbeUDPtunnel6Xmit *ebpf.Program `ebpf:"kprobe__udp_tunnel6_xmit_skb"`
 }
 
 // MapDefs holds the map definitions of the main module
@@ -187,6 +189,11 @@ func Start(ebpfOpts Config) *Error {
 		log.Error("opening kretprobe: %s", err)
 	}
 	hooks = append(hooks, kp)
+	kp, err = link.Kprobe("udp_tunnel6_xmit_skb", ebpfMod.KProbeUDPtunnel6Xmit, nil)
+	if err != nil {
+		log.Error("opening kprobe: %s", err)
+	}
+	hooks = append(hooks, kp)
 
 	ebpfMaps = map[string]*ebpfMapsForProto{
 		"tcp":  {bpfMap: ebpfMod.TCPMap},

ebpf_prog/common_defs.h

@@ -3,6 +3,7 @@
 
 #include <linux/sched.h>
 #include <linux/ptrace.h>
+#include <linux/byteorder/generic.h>
 #include <uapi/linux/bpf.h>
 #include "bpf_headers/bpf_helpers.h"
 #include "bpf_headers/bpf_tracing.h"
@@ -11,6 +12,10 @@
 #define BUF_SIZE_MAP_NS 256
 #define MAPSIZE 12000
 
+#ifndef htonll
+  #define htonll(x) cpu_to_be64(x)
+#endif
+
 #define debug(fmt, ...) \
     ( \
      { \

ebpf_prog/opensnitch.c

@@ -342,6 +342,81 @@ int kprobe__udpv6_sendmsg(struct pt_regs *ctx)
     return 0;
 };
 
+SEC("kprobe/udp_tunnel6_xmit_skb")
+int kprobe__udp_tunnel6_xmit_skb(struct pt_regs *ctx)
+{
+#if defined(__x86_64__)
+    struct sock *sk = (struct sock *)PT_REGS_PARM2(ctx);
+    struct in6_addr *saddr = (struct in6_addr *)PT_REGS_PARM5(ctx);
+    // 6th
+    struct in6_addr *daddr = (struct in6_addr *)(ctx->r9);
+    // 10th
+    void *sport_ptr = (void *)(ctx->sp + 32);
+    // 11th
+    void *dport_ptr = (void *)(ctx->sp + 40);
+
+    struct udpv6_key_t udpv6_key, udpv6_key2;
+    __builtin_memset(&udpv6_key, 0, sizeof(udpv6_key));
+    __builtin_memset(&udpv6_key2, 0, sizeof(udpv6_key2));
+    u16 dport = 0, sport = 0;
+
+    bpf_probe_read(&sport, sizeof(sport), (void *)sport_ptr);
+    bpf_probe_read(&dport, sizeof(dport), (void *)dport_ptr);
+    if (dport == 0 || sport == 0){
+        return 0;
+    }
+
+    udpv6_key.dport = dport;
+    udpv6_key.sport = (sport >> 8) | ((sport << 8) & 0xff00);
+    udpv6_key2.sport = udpv6_key.sport;
+    udpv6_key2.dport = udpv6_key.dport;
+
+    // tunnel addrs
+    bpf_probe_read(&udpv6_key.saddr, sizeof(udpv6_key.saddr), &saddr->in6_u.u6_addr32);
+    bpf_probe_read(&udpv6_key.daddr, sizeof(udpv6_key.daddr), &daddr->in6_u.u6_addr32);
+
+    //bpf_probe_read(&udpv6_key.dport, sizeof(udpv6_key.dport), &sk->__sk_common.skc_dport);
+    //bpf_probe_read(&udpv6_key.sport, sizeof(udpv6_key.sport), &sk->__sk_common.skc_num);
+
+    // internet addrs
+    bpf_probe_read(&udpv6_key2.daddr, sizeof(udpv6_key2.daddr), &sk->__sk_common.skc_v6_daddr.in6_u.u6_addr32);
+    bpf_probe_read(&udpv6_key2.saddr, sizeof(udpv6_key2.saddr), &sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr32);
+
+    u64 pid_tgid = bpf_get_current_pid_tgid();
+    u64 pid = pid_tgid >> 32;
+    struct udpv6_value_t udpv6_value={0};
+    __builtin_memset(&udpv6_value, 0, sizeof(udpv6_value));
+    bpf_get_current_comm(&udpv6_value.comm, sizeof(udpv6_value.comm));
+    udpv6_value.pid = pid;
+    udpv6_value.uid = bpf_get_current_uid_gid() & 0xffffffff;
+
+    struct udpv6_value_t *lookedupValue = bpf_map_lookup_elem(&udpv6Map, &udpv6_key2);
+    if (lookedupValue == NULL || lookedupValue->pid != pid) {
+        bpf_map_update_elem(&udpv6Map, &udpv6_key2, &udpv6_value, BPF_ANY);
+    }
+
+    lookedupValue = bpf_map_lookup_elem(&udpv6Map, &udpv6_key);
+    if (lookedupValue == NULL || lookedupValue->pid != pid) {
+        bpf_map_update_elem(&udpv6Map, &udpv6_key, &udpv6_value, BPF_ANY);
+    }
+
+    // when saddr and daddr are empty, usually the connection is from-to localhost.
+    if (saddr == 0 && daddr == 0){
+        udpv6_key.saddr.part1 = 0;
+        udpv6_key.saddr.part2 = htonll(1);
+        udpv6_key.daddr.part1 = 0;
+        udpv6_key.daddr.part2 = htonll(1);
+        bpf_map_update_elem(&udpv6Map, &udpv6_key, &udpv6_value, BPF_ANY);
+    }
+
+#endif
+
+    // TODO: other architectures
+
+    return 0;
+};
+
+
 SEC("kprobe/inet_dgram_connect")
 int kprobe__inet_dgram_connect(struct pt_regs *ctx)
 {