• Andrey Ignatov's avatar
    bpf: Hooks for sys_sendmsg · 1cedee13
    Andrey Ignatov authored
    In addition to already existing BPF hooks for sys_bind and sys_connect,
    the patch provides new hooks for sys_sendmsg.
    
    It leverages existing BPF program type `BPF_PROG_TYPE_CGROUP_SOCK_ADDR`
    that provides access to socket itlself (properties like family, type,
    protocol) and user-passed `struct sockaddr *` so that BPF program can
    override destination IP and port for system calls such as sendto(2) or
    sendmsg(2) and/or assign source IP to the socket.
    
    The hooks are implemented as two new attach types:
    `BPF_CGROUP_UDP4_SENDMSG` and `BPF_CGROUP_UDP6_SENDMSG` for UDPv4 and
    UDPv6 correspondingly.
    
    UDPv4 and UDPv6 separate attach types for same reason as sys_bind and
    sys_connect hooks, i.e. to prevent reading from / writing to e.g.
    user_ip6 fields when user passes sockaddr_in since it'd be out-of-bound.
    
    The difference with already existing hooks is sys_sendmsg are
    implemented only for unconnected UDP.
    
    For TCP it doesn't make sense to change user-provided `struct sockaddr *`
    at sendto(2)/sendmsg(2) time since socket either was already connected
    and has source/destination set or wasn't connected and call to
    sendto(2)/sendmsg(2) would lead to ENOTCONN anyway.
    
    Connected UDP is already handled by sys_connect hooks that can override
    source/destination at connect time and use fast-path later, i.e. these
    hooks don't affect UDP fast-path.
    
    Rewriting source IP is implemented differently than that in sys_connect
    hooks. When sys_sendmsg is used with unconnected UDP it doesn't work to
    just bind socket to desired local IP address since source IP can be set
    on per-packet basis by using ancillary data (cmsg(3)). So no matter if
    socket is bound or not, source IP has to be rewritten on every call to
    sys_sendmsg.
    
    To do so two new fields are added to UAPI `struct bpf_sock_addr`;
    * `msg_src_ip4` to set source IPv4 for UDPv4;
    * `msg_src_ip6` to set source IPv6 for UDPv6.
    Signed-off-by: default avatarAndrey Ignatov <rdna@fb.com>
    Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    1cedee13
cgroup.c 17.2 KB