tools/testing/selftests/bpf/progs/cgroup_skb_sk_lookup_kern.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 // Copyright (c) 2020 Facebook
   3
   4 #include <linux/bpf.h>
   5 #include <bpf/bpf_endian.h>
   6 #include <bpf/bpf_helpers.h>
   7
   8 #include <linux/if_ether.h>
   9 #include <linux/in.h>
  10 #include <linux/in6.h>
  11 #include <linux/ipv6.h>
  12 #include <linux/tcp.h>
  13
  14 #include <sys/types.h>
  15 #include <sys/socket.h>
  16
  17 int _version SEC("version") = 1;
  18 char _license[] SEC("license") = "GPL";
  19
  20 __u16 g_serv_port = 0;
  21
  22 static inline void set_ip(__u32 *dst, const struct in6_addr *src)
  23 {
  24         dst[0] = src->in6_u.u6_addr32[0];
  25         dst[1] = src->in6_u.u6_addr32[1];
  26         dst[2] = src->in6_u.u6_addr32[2];
  27         dst[3] = src->in6_u.u6_addr32[3];
  28 }
  29
  30 static inline void set_tuple(struct bpf_sock_tuple *tuple,
  31                              const struct ipv6hdr *ip6h,
  32                              const struct tcphdr *tcph)
  33 {
  34         set_ip(tuple->ipv6.saddr, &ip6h->daddr);
  35         set_ip(tuple->ipv6.daddr, &ip6h->saddr);
  36         tuple->ipv6.sport = tcph->dest;
  37         tuple->ipv6.dport = tcph->source;
  38 }
  39
  40 static inline int is_allowed_peer_cg(struct __sk_buff *skb,
  41                                      const struct ipv6hdr *ip6h,
  42                                      const struct tcphdr *tcph)
  43 {
  44         __u64 cgid, acgid, peer_cgid, peer_acgid;
  45         struct bpf_sock_tuple tuple;
  46         size_t tuple_len = sizeof(tuple.ipv6);
  47         struct bpf_sock *peer_sk;
  48
  49         set_tuple(&tuple, ip6h, tcph);
  50
  51         peer_sk = bpf_sk_lookup_tcp(skb, &tuple, tuple_len,
  52                                     BPF_F_CURRENT_NETNS, 0);
  53         if (!peer_sk)
  54                 return 0;
  55
  56         cgid = bpf_skb_cgroup_id(skb);
  57         peer_cgid = bpf_sk_cgroup_id(peer_sk);
  58
  59         acgid = bpf_skb_ancestor_cgroup_id(skb, 2);
  60         peer_acgid = bpf_sk_ancestor_cgroup_id(peer_sk, 2);
  61
  62         bpf_sk_release(peer_sk);
  63
  64         return cgid && cgid == peer_cgid && acgid && acgid == peer_acgid;
  65 }
  66
  67 SEC("cgroup_skb/ingress")
  68 int ingress_lookup(struct __sk_buff *skb)
  69 {
  70         __u32 serv_port_key = 0;
  71         struct ipv6hdr ip6h;
  72         struct tcphdr tcph;
  73
  74         if (skb->protocol != bpf_htons(ETH_P_IPV6))
  75                 return 1;
  76
  77         /* For SYN packets coming to listening socket skb->remote_port will be
  78          * zero, so IPv6/TCP headers are loaded to identify remote peer
  79          * instead.
  80          */
  81         if (bpf_skb_load_bytes(skb, 0, &ip6h, sizeof(ip6h)))
  82                 return 1;
  83
  84         if (ip6h.nexthdr != IPPROTO_TCP)
  85                 return 1;
  86
  87         if (bpf_skb_load_bytes(skb, sizeof(ip6h), &tcph, sizeof(tcph)))
  88                 return 1;
  89
  90         if (!g_serv_port)
  91                 return 0;
  92
  93         if (tcph.dest != g_serv_port)
  94                 return 1;
  95
  96         return is_allowed_peer_cg(skb, &ip6h, &tcph);
  97 }