    bpf: Post-hooks for sys_bind · aac3fc32
    Andrey Ignatov authored
    "Post-hooks" are hooks that are called right before returning from
    sys_bind. At this time IP and port are already allocated and no further
    changes to `struct sock` can happen before returning from sys_bind, but
    a BPF program has a chance to inspect the socket and change the sys_bind
    result.
    
    Specifically it can e.g. inspect what port was allocated and, if it
    doesn't satisfy some policy, the BPF program can force sys_bind to fail and
    return EPERM to user.
    
    Another example of usage is recording the IP:port pair to some map to
    use it in later calls to sys_connect. E.g. if some TCP server inside
    cgroup was bound to some IP:port_n, it can be recorded to a map. And
    later when some TCP client inside same cgroup is trying to connect to
    127.0.0.1:port_n, BPF hook for sys_connect can override the destination
    and connect the application to IP:port_n instead of 127.0.0.1:port_n. That
    helps force all applications inside a cgroup to use the desired IP and not
    break those applications if they e.g. use localhost to communicate
    with each other.
    
    == Implementation details ==
    
    Post-hooks are implemented as two new attach types
    `BPF_CGROUP_INET4_POST_BIND` and `BPF_CGROUP_INET6_POST_BIND` for
    existing prog type `BPF_PROG_TYPE_CGROUP_SOCK`.
    
    Separate attach types for IPv4 and IPv6 are introduced to avoid access
    to IPv6 field in `struct sock` from `inet_bind()` and to IPv4 field from
    `inet6_bind()` since those fields might not make sense in such cases.
    
    Signed-off-by: Andrey Ignatov <rdna@fb.com>
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
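The following is an added example, not code from the commit or from the kernel tree, showing what a `BPF_PROG_TYPE_CGROUP_SOCK` program attached at `BPF_CGROUP_INET4_POST_BIND` looks like when it applies the kind of port policy the commit message describes. The allowed port range and source address are constructed for illustration, the `cgroup/post_bind4` section name is libbpf's convention for this attach type, and the `__BPF__` guard is an assumption so that the same policy function can be compiled and tested on the host with plain gcc. A verdict of 1 lets the bind complete; 0 makes sys_bind return EPERM.

```c
/* Added example: a post-bind policy for BPF_CGROUP_INET4_POST_BIND.
 * Build for the kernel with:  clang -O2 -target bpf -c post_bind4.c
 * Build on the host for tests: gcc -c post_bind4.c
 * (clang defines __BPF__ for the bpf target; the host build skips the
 * kernel-specific part.) */
#include <stdint.h>

/* Policy constants, constructed for illustration. */
#define ALLOWED_PORT_MIN 8000u
#define ALLOWED_PORT_MAX 8999u
#define ALLOWED_SRC_IP   0x0A000001u   /* 10.0.0.1 in host byte order */
#define INADDR_ANY_HOST  0x00000000u   /* 0.0.0.0 */

/* Pure policy check, shared by the BPF program and the host-side test.
 * Inputs are in host byte order. Returns 1 = allow bind, 0 = deny
 * (the cgroup hook turns 0 into -EPERM from sys_bind). */
static inline int post_bind4_policy(uint32_t src_ip_host, uint16_t src_port_host)
{
    /* Only binds to the designated address (or the wildcard) are allowed. */
    if (src_ip_host != ALLOWED_SRC_IP && src_ip_host != INADDR_ANY_HOST)
        return 0;
    /* The port the kernel actually allocated must fall in the allowed range;
     * this also rejects ephemeral ports chosen for a bind to port 0. */
    if (src_port_host < ALLOWED_PORT_MIN || src_port_host > ALLOWED_PORT_MAX)
        return 0;
    return 1;
}

#ifdef __BPF__
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>

/* Post-hook: runs right before sys_bind returns, after the address and
 * port have been assigned to the socket. */
SEC("cgroup/post_bind4")
int post_bind4_prog(struct bpf_sock *sk)
{
    /* In struct bpf_sock, src_ip4 is in network byte order and src_port
     * is in host byte order. */
    uint32_t ip   = bpf_ntohl(sk->src_ip4);
    uint16_t port = (uint16_t)sk->src_port;

    return post_bind4_policy(ip, port);
}

char _license[] SEC("license") = "GPL";
#else
#include <stdio.h>

/* Host-side demonstration of the verdicts the policy produces. */
int main(void)
{
    printf("10.0.0.1:8080 -> %d (expect 1)\n", post_bind4_policy(0x0A000001u, 8080));
    printf("10.0.0.1:22   -> %d (expect 0)\n", post_bind4_policy(0x0A000001u, 22));
    printf("192.168.0.1:8080 -> %d (expect 0)\n", post_bind4_policy(0xC0A80001u, 8080));
    printf("0.0.0.0:8500  -> %d (expect 1)\n", post_bind4_policy(INADDR_ANY_HOST, 8500));
    return 0;
}
#endif
```

Because the hook runs after the kernel has picked the port, a bind to port 0 that landed on an ephemeral port outside the allowed range is rejected with the same EPERM as an explicit out-of-range bind, which an ordinary pre-bind check could not do.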