Home Explore Help
Sign In
Soof
/
rescan
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 96c8a17705
Branches Tags
rescan
/
responder-ebpf
/
src
/
bin
/
syn.rs

syn.rs 4.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132 
  1. #![no_std]
    2. 

  2. #![no_main]
    3. 

  3. 

  4. use aya_bpf::{
    5. 

  5.     bindings::xdp_action,
    6. 

  6.     macros::{map, xdp},
    7. 

  7.     maps::Array,
    8. 

  8.     programs::XdpContext,
    9. 

  9. };
    10. 

  10. 

  11. use responder_ebpf::util::*;
    12. 

  12. use responder_ebpf::bindings::tcphdr;
    13. 

  13. use responder_common::*;
    14. 

  14. 

  15. use core::mem;
    16. 

  16. 

  17. const TCP_HDR_LEN: usize = mem::size_of::<tcphdr>();
    18. 

  18. const IPPROTO_TCP: u8 = 0x06;
    19. 

  19. 

  20. 

  21. #[inline(always)]
    22. 

  22. fn parse_tcphdr(ctx: &XdpContext, cursor: &mut usize) -> Option<*mut tcphdr> {
    23. 

  23.     let tcp = ptr_at_mut::<tcphdr>(&ctx, *cursor);
    24. 

  24.     if tcp.is_some() {
    25. 

  25.         *cursor += TCP_HDR_LEN;
    26. 

  26.     }
    27. 

  27.     tcp
    28. 

  28. }
    29. 

  29. 

  30. #[xdp(name="responder")]
    31. 

  31. pub fn responder(ctx: XdpContext) -> u32 {
    32. 

  32.     match try_responder(ctx) {
    33. 

  33.         Ok(ret) => ret,
    34. 

  34.         Err(_) => xdp_action::XDP_ABORTED,
    35. 

  35.     }
    36. 

  36. }
    37. 

  37. 

  38. #[inline(always)]
    39. 

  39. unsafe fn bounce_tcp(_ctx: &XdpContext, tcp: *mut tcphdr) {
    40. 

  40.     mem::swap(&mut (*tcp).source, &mut (*tcp).dest);
    41. 

  41.     mem::swap(&mut (*tcp).ack_seq, &mut (*tcp).seq); // Swap to keep checksum the same as much as possible
    42. 

  42.     let (ack_seq, o) = u32::from_be((*tcp).ack_seq).overflowing_add(1); // If overflow: 1's complement sum is unchanged
    43. 

  43.     (*tcp).ack_seq = u32::to_be(ack_seq);
    44. 

  44.     (*tcp).set_ack(1);
    45. 

  45.     (*tcp).check = !(ones_complement_add_u16(!(*tcp).check, (!o as u16) + (1 << 4)));
    46. 

  46. }
    47. 

  47. 

  48. #[map(name = "FILTER_MAP")]
    49. 

  49. static FILTER_MAP: Array<bloom_filter::ChunkType> =
    50. 

  50.     Array::<bloom_filter::ChunkType>::with_max_entries(bloom_filter::MAP_SIZE as u32, 0);
    51. 

  51. 

  52. #[inline(always)]
    53. 

  53. unsafe fn matches_filter(_ctx: &XdpContext, daddr: IpAddr) -> bool {
    54. 

  54.     match daddr {
    55. 

  55.         IpAddr::V4(daddr) => {
    56. 

  56.             let mut res = false;
    57. 

  57.             for hash_offset in 0..bloom_filter::HASH_COUNT {
    58. 

  58.                 res = true;
    59. 

  59.                 let hash = bloom_filter::hash(daddr, hash_offset);
    60. 

  60.                 let map_i = hash >> (bloom_filter::ADDRESS_BITS_CHUNK as u32);
    61. 

  61.                 let chunk_i = hash & (bloom_filter::ADDRESS_MASK_CHUNK as u32);
    62. 

  62.                 // info!(ctx, "{:ipv4} {} {} {}",daddr, hash, map_i, chunk_i);
    63. 

  63.                 let test = if let Some(b) = FILTER_MAP.get(map_i as u32) {
    64. 

  64.                     let word_i = chunk_i & (bloom_filter::ADDRESS_MASK_WORD as u32);
    65. 

  65.                     let chunk_i = (chunk_i as usize) >> bloom_filter::ADDRESS_BITS_WORD;
    66. 

  66.                     // info!(ctx, "{} [{}]", word_i, b[chunk_i]);
    67. 

  67.                     (b[chunk_i] >> (bloom_filter::ADDRESS_MASK_WORD as u32 - word_i)) & 1 == 1
    68. 

  68.                 } else {
    69. 

  69.                     false
    70. 

  70.                 };
    71. 

  71.                 if !test {
    72. 

  72.                     return false
    73. 

  73.                 }
    74. 

  74.             }
    75. 

  75.             res
    76. 

  76.         }
    77. 

  77.         IpAddr::V6(_daddr) => {
    78. 

  78.             false // TODO
    79. 

  79.         }
    80. 

  80.     }
    81. 

  81. }
    82. 

  82. 

  83. fn try_responder(ctx: XdpContext) -> Result<xdp_action::Type, xdp_action::Type> {
    84. 

  84.     let mut hdr_cursor = 0usize;
    85. 

  85. 

  86.     let (eth, ip) = unsafe {
    87. 

  87.         parse_routing(&ctx, &mut hdr_cursor)
    88. 

  88.             .ok_or(xdp_action::XDP_PASS)?
    89. 

  89.     };
    90. 

  90. 

  91.     let protocol = unsafe { l3_get_protocol(&ip) };
    92. 

  92.     let daddr = unsafe { l3_get_daddr(&ip) };
    93. 

  93. 

  94.     if is_local(daddr) {
    95. 

  95.         // info!(&ctx, "local: pass");
    96. 

  96.         return Ok(xdp_action::XDP_PASS);
    97. 

  97.     }
    98. 

  98. 

  99.     if unsafe { !matches_filter(&ctx, daddr) } {
    100. 

  100.         return Ok(xdp_action::XDP_DROP);
    101. 

  101.     }
    102. 

  102. 

  103.     if protocol != IPPROTO_TCP {
    104. 

  104.         return Ok(xdp_action::XDP_PASS);
    105. 

  105.     }
    106. 

  106. 

  107.     let tcp = parse_tcphdr(&ctx, &mut hdr_cursor).ok_or(xdp_action::XDP_PASS)?;
    108. 

  108.     let tcp_syn = unsafe { (*tcp).syn() };
    109. 

  109.     let tcp_ack = unsafe { (*tcp).ack() };
    110. 

  110. 

  111.     // match daddr {
    112. 

  112.     //     IpAddr::V4(ip) => info!(&ctx, "Received packet with matching daddr: {:ipv4}", ip),
    113. 

  113.     //     IpAddr::V6(ip) => unsafe { info!(&ctx, "Received packet with matching daddr: {:ipv6}", ip.in6_u.u6_addr8) }
    114. 

  114.     // }
    115. 

  115.     // info!(&ctx, "and tcp with syn: {}, ack: {}", tcp_syn, tcp_ack);
    116. 

  116. 

  117.     if tcp_syn == 0 || tcp_ack != 0 {
    118. 

  118.         return Ok(xdp_action::XDP_PASS);
    119. 

  119.     }
    120. 

  120. 

  121.     unsafe {
    122. 

  122.         bounce_routing(&ctx,eth, ip);
    123. 

  123.         bounce_tcp(&ctx, tcp);
    124. 

  124.     }
    125. 

  125. 

  126.     Ok(xdp_action::XDP_PASS)
    127. 

  127. }
    128. 

  128. 

  129. #[panic_handler]
    130. 

  130. fn panic(_info: &core::panic::PanicInfo) -> ! {
    131. 

  131.     unsafe { core::hint::unreachable_unchecked() }
    132. 

  132. }
    133.