From 7056e6c24b747d042334081eb110dc58d3d6cb6d Mon Sep 17 00:00:00 2001
From: LiZhenCheng9527
Date: Tue, 30 Jul 2024 10:18:02 +0800
Subject: [PATCH 1/3] Fixed bug in bpf where IPv4 destination address was stored as IPv6
Signed-off-by: LiZhenCheng9527
---
 bpf/kmesh/workload/sockops.c | 57 +++++++++++++++++++++++++++++++++---
 bpf/kmesh/workload/xdp.c | 5 +++-
 pkg/auth/rbac.go | 28 ++++++++++++++++++
 pkg/auth/rbac_test.go | 36 +++++++++++++++++++++--
 pkg/auth/xdp_auth_handler.go | 3 ++
 5 files changed, 122 insertions(+), 7 deletions(-)
diff --git a/bpf/kmesh/workload/sockops.c b/bpf/kmesh/workload/sockops.c
index e540e5097..015d5138c 100644
--- a/bpf/kmesh/workload/sockops.c
+++ b/bpf/kmesh/workload/sockops.c
@@ -38,8 +38,20 @@ static inline bool is_managed_by_kmesh(struct bpf_sock_ops *skops)
 struct manager_key key = {0};
 if (skops->family == AF_INET)
 key.addr.ip4 = skops->local_ip4;
- if (skops->family == AF_INET6)
- IP6_COPY(key.addr.ip6, skops->local_ip6);
+ if (skops->family == AF_INET6) {
+ if (is_ipv4_mapped_addr(skops->local_ip6))
+ key.addr.ip4 = skops->local_ip6[3];
+ else
+ IP6_COPY(key.addr.ip6, skops->local_ip6);
+ }
+ // if (skops->family == AF_INET6)
+ // IP6_COPY(key.addr.ip6, skops->local_ip6);
+
+ BPF_LOG(DEBUG, SOCKOPS, "skops family is %d", skops->family);
+ BPF_LOG(DEBUG, SOCKOPS, "key ipv4 is %d, ipv6 is %d", key.addr.ip4, key.addr.ip6);
+ BPF_LOG(DEBUG, SOCKOPS, "skops local_ipv4 is %d, local_ipv6 is %d", skops->local_ip4, skops->local_ip6);
+ BPF_LOG(DEBUG, SOCKOPS, "skops remote_ipv4 is %d, remote_ipv6 is %d", skops->remote_ip4, skops->remote_ip6);
+ BPF_LOG(DEBUG, SOCKOPS, "mamnager key ipv4 is %u, ipv6 is %u, %u, %u, %u", key.addr.ip4, key.addr.ip6[0], key.addr.ip6[1], key.addr.ip6[2], key.addr.ip6[3]);
 int *value = bpf_map_lookup_elem(&map_of_manager, &key);
 if (!value)
@@ -56,7 +68,8 @@ static inline void extract_skops_to_tuple(struct bpf_sock_ops *skops, struct bpf
 tuple_key->ipv4.sport = bpf_htons(GET_SKOPS_LOCAL_PORT(skops));
 // remote_port is network byteorder
 tuple_key->ipv4.dport = GET_SKOPS_REMOTE_PORT(skops);
- } else {
+ }
+ if (skops->family == AF_INET6) {
 bpf_memcpy(tuple_key->ipv6.saddr, skops->local_ip6, IPV6_ADDR_LEN);
 bpf_memcpy(tuple_key->ipv6.daddr, skops->remote_ip6, IPV6_ADDR_LEN);
 // local_port is host byteorder, need to htons
@@ -68,6 +81,7 @@ static inline void extract_skops_to_tuple(struct bpf_sock_ops *skops, struct bpf
 static inline void extract_skops_to_tuple_reverse(struct bpf_sock_ops *skops, struct bpf_sock_tuple *tuple_key)
 {
+
 if (skops->family == AF_INET) {
 tuple_key->ipv4.saddr = skops->remote_ip4;
 tuple_key->ipv4.daddr = skops->local_ip4;
@@ -75,7 +89,8 @@ static inline void extract_skops_to_tuple_reverse(struct bpf_sock_ops *skops, st
 tuple_key->ipv4.sport = GET_SKOPS_REMOTE_PORT(skops);
 // local_port is host byteorder
 tuple_key->ipv4.dport = bpf_htons(GET_SKOPS_LOCAL_PORT(skops));
- } else {
+ }
+ if (skops->family == AF_INET6) {
 bpf_memcpy(tuple_key->ipv6.saddr, skops->remote_ip6, IPV6_ADDR_LEN);
 bpf_memcpy(tuple_key->ipv6.daddr, skops->local_ip6, IPV6_ADDR_LEN);
 // remote_port is network byteorder
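Review bot: The forward extractor `extract_skops_to_tuple` in the first hunk still copies a v4-mapped `local_ip6`/`remote_ip6` into `tuple_key->ipv6` unchanged, while its mirror `extract_skops_to_tuple_reverse` (the next hunk and the one that follows) collapses such addresses into `tuple_key->ipv4`. If `clean_auth_map` keys its lookup with the forward tuple, as the `// clean map_of_auth` comment after it suggests, a deny entry written from the converted IPv4 tuple would not be found on close and would outlive the connection, matching any later connection that reuses the same 4-tuple. Applying the same mapped-address normalisation in both extractors, ideally through one shared helper, keeps the map key and the clean-up key identical. Replacing `else` with a second `if` also means a family that is neither AF_INET nor AF_INET6 leaves `tuple_key` as the caller initialised it, which is fine only if every caller zeroes it first. Both functions begin outside these hunks.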
@@ -83,6 +98,31 @@ static inline void extract_skops_to_tuple_reverse(struct bpf_sock_ops *skops, st
 // local_port is host byteorder
 tuple_key->ipv6.dport = bpf_htons(GET_SKOPS_LOCAL_PORT(skops));
 }
+ BPF_LOG(DEBUG, SOCKOPS, "skops family is %d", skops->family);
+ BPF_LOG(DEBUG, SOCKOPS, "origin key info, source ipv4: %u, port: %u, destination ipv4: %u, port: %u", tuple_key->ipv4.saddr, tuple_key->ipv4.sport, tuple_key->ipv4.daddr, tuple_key->ipv4.dport);
+ BPF_LOG(DEBUG, SOCKOPS, "origin key ipv6 info, source ipv6: %u, %u, %u, %u, port: %u, destination ipv6: %u, %u, %u, %u, port: %u",
+ tuple_key->ipv6.saddr[0], tuple_key->ipv6.saddr[1], tuple_key->ipv6.saddr[2], tuple_key->ipv6.saddr[3], tuple_key->ipv6.sport,
+ tuple_key->ipv6.daddr[0], tuple_key->ipv6.daddr[1], tuple_key->ipv6.daddr[2], tuple_key->ipv6.daddr[3], tuple_key->ipv6.dport);
+
+ if (is_ipv4_mapped_addr(tuple_key->ipv6.daddr) || is_ipv4_mapped_addr(tuple_key->ipv6.saddr)) {
+ tuple_key->ipv4.saddr = tuple_key->ipv6.saddr[3];
+ tuple_key->ipv4.daddr = tuple_key->ipv6.daddr[3];
+ // tuple_key->ipv6.saddr[0] = tuple_key->ipv4.saddr;
+ // tuple_key->ipv6.daddr[0] = tuple_key->ipv4.daddr;
+ // tuple_key->ipv6.saddr[1] = 0x00000000;
+ // tuple_key->ipv6.saddr[2] = 0x00000000;
+ // tuple_key->ipv6.saddr[3] = 0x00000000;
+ // tuple_key->ipv6.daddr[1] = 0x00000000;
+ // tuple_key->ipv6.daddr[2] = 0x00000000;
+ // tuple_key->ipv6.daddr[3] = 0x00000000;
+ tuple_key->ipv4.sport = tuple_key->ipv6.sport;
+ tuple_key->ipv4.dport = tuple_key->ipv6.dport;
+ }
+
+ BPF_LOG(DEBUG, SOCKOPS, "change key info, source ipv4: %u, port: %u, destination ipv4: %u, port: %u", tuple_key->ipv4.saddr, tuple_key->ipv4.sport, tuple_key->ipv4.daddr, tuple_key->ipv4.dport);
+ BPF_LOG(DEBUG, SOCKOPS, "change key ipv6 info, source ipv6: %u, %u, %u, %u, port: %u, destination ipv6: %u, %u, %u, %u, port: %u",
+ tuple_key->ipv6.saddr[0], tuple_key->ipv6.saddr[1], tuple_key->ipv6.saddr[2], tuple_key->ipv6.saddr[3], tuple_key->ipv6.sport,
+
tuple_key->ipv6.daddr[0], tuple_key->ipv6.daddr[1], tuple_key->ipv6.daddr[2], tuple_key->ipv6.daddr[3], tuple_key->ipv6.dport);
 }
 // clean map_of_auth
@@ -123,6 +163,12 @@ static inline void auth_ip_tuple(struct bpf_sock_ops *skops)
 // In this way, auth can be performed normally.
 extract_skops_to_tuple_reverse(skops, &(*msg).tuple);
 (*msg).type = (skops->family == AF_INET) ? IPV4 : IPV6;
+ if (is_ipv4_mapped_addr(skops->local_ip6)) {
+ BPF_LOG(DEBUG, SOCKOPS, "origin msg type is %d", (*msg).type);
+ (*msg).type = IPV4;
+ BPF_LOG(DEBUG, SOCKOPS, "origin msg type is %d", (*msg).type);
+
+ }
 bpf_ringbuf_submit(msg, 0);
 }
@@ -211,6 +257,7 @@ int sockops_prog(struct bpf_sock_ops *skops)
 skops_handle_kmesh_managed_process(skops);
 break;
 case BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB:
+ BPF_LOG(DEBUG, SOCKOPS, "1 is managed by kmesh %d", is_managed_by_kmesh(skops));
 if (!is_managed_by_kmesh(skops))
 break;
 observe_on_connect_established(skops->sk, OUTBOUND);
@@ -222,6 +269,7 @@ int sockops_prog(struct bpf_sock_ops *skops)
 enable_encoding_metadata(skops);
 break;
 case BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB:
+ BPF_LOG(DEBUG, SOCKOPS, "2 is managed by kmesh %d", is_managed_by_kmesh(skops));
 if (!is_managed_by_kmesh(skops))
 break;
 observe_on_connect_established(skops->sk, INBOUND);
@@ -230,6 +278,7 @@ int sockops_prog(struct bpf_sock_ops *skops)
 auth_ip_tuple(skops);
 break;
 case BPF_SOCK_OPS_STATE_CB:
+ BPF_LOG(DEBUG, SOCKOPS, "this is clean up");
 if (skops->args[1] == BPF_TCP_CLOSE) {
 observe_on_close(skops->sk);
 clean_auth_map(skops);
diff --git a/bpf/kmesh/workload/xdp.c b/bpf/kmesh/workload/xdp.c
index dc9963d0d..0c496bdc4 100644
--- a/bpf/kmesh/workload/xdp.c
+++ b/bpf/kmesh/workload/xdp.c
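Review bot: The conversion added to `extract_skops_to_tuple_reverse` fires when either `ipv6.daddr` or `ipv6.saddr` is v4-mapped, so a pair in which only one side is mapped would silently place the low 32 bits of a native IPv6 address into `tuple_key->ipv4`; whether the kernel can present such a pair on one socket is not visible here, but the key derivation should not depend on it. Requiring both sides, `if (is_ipv4_mapped_addr(tuple_key->ipv6.daddr) && is_ipv4_mapped_addr(tuple_key->ipv6.saddr)) {`, and driving `(*msg).type` in `auth_ip_tuple` from that same predicate keeps the tuple layout and the advertised type in step. Since the `ipv4` and `ipv6` members of `struct bpf_sock_tuple` overlap, a short comment that the four stores write through the `ipv4` view and leave the remaining bytes holding the old IPv6 words would help whoever decodes the key in user space. The function starts outside the hunk.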
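Review bot: In `auth_ip_tuple` the ternary assigns `(*msg).type` and a second test of `skops->local_ip6` then overrides it, and that test is not guarded by `skops->family == AF_INET6` the way the same check in `is_managed_by_kmesh` is; for an AF_INET socket it presumably relies on `local_ip6` being all zeros, which deserves to be stated. A single expression, `(*msg).type = (skops->family == AF_INET || (skops->family == AF_INET6 && is_ipv4_mapped_addr(skops->local_ip6))) ? IPV4 : IPV6;`, removes the reassignment and makes the family guard explicit. The surrounding function begins outside the hunk.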
@@ -115,14 +115,17 @@ int xdp_shutdown(struct xdp_md *ctx)
 struct xdp_info info = {0};
 struct bpf_sock_tuple tuple_info = {0};
+ BPF_LOG(INFO, XDP, "check package");
 if (parser_xdp_info(ctx, &info) == PARSER_FAILED)
 return XDP_PASS;
-
+ BPF_LOG(INFO, XDP, "check address family %u", info.iph->version);
 if (info.iph->version != 4 && info.iph->version != 6)
 return XDP_PASS;
 // never failed
 parser_tuple(&info, &tuple_info);
+ BPF_LOG(INFO, XDP, "tup_info source ipv4: %d, Ipv6: %d", tuple_info.ipv4.saddr, tuple_info.ipv6.saddr);
+ BPF_LOG(INFO, XDP, "tup_info destination ipv4: %d, Ipv6: %d", tuple_info.ipv4.daddr, tuple_info.ipv6.daddr);
 if (should_shutdown(&info, &tuple_info) == AUTH_FORBID)
 shutdown_tuple(&info);
diff --git a/pkg/auth/rbac.go b/pkg/auth/rbac.go
index 40df718ed..8669c11d8 100644
--- a/pkg/auth/rbac.go
+++ b/pkg/auth/rbac.go
@@ -146,8 +146,11 @@ func (r *Rbac) Run(ctx context.Context, mapOfTuple, mapOfAuth *ebpf.Map) {
 continue
 }
+ fmt.Printf("\n------- %#v ---------\n", conn)
+
 if !r.doRbac(&conn) {
 log.Infof("Auth denied for connection: %+v", conn)
+ fmt.Printf("\n-------- %#v ---------\n", tupleData)
 // If conn is denied, write tuples into XDP map, which includes source/destination IP/Port
 if err = r.notifyFunc(mapOfAuth, msgType, tupleData); err != nil {
 log.Error("authmap update FAILED, err: ", err)
@@ -180,6 +183,7 @@ func (r *Rbac) doRbac(conn *rbacConnection) bool {
 dstWorkload := r.workloadCache.GetWorkloadByAddr(networkAddress)
 // If no workload found, deny
 if dstWorkload == nil {
+ log.Warnf("get destination workload from ip %v FAILED", conn.dstIp)
 return false
 }
@@ -189,23 +193,27 @@ func (r *Rbac) doRbac(conn *rbacConnection) bool {
 // 1. If there is ANY deny policy, deny the request
 for _, denyPolicy := range denyPolicies {
 if matches(conn, denyPolicy) {
+ log.Infof("Auth denied for connection: %+v", conn)
 return false
 }
 }
 // 2. If there is NO allow policy for the workload, allow the request
 if len(allowPolicies) == 0 {
+ log.Infof("Auth allowed for connection: %+v", conn)
 return true
 }
 // 3. If there is ANY allow policy matched, allow the request
 for _, allowPolicy := range allowPolicies {
 if matches(conn, allowPolicy) {
+ log.Infof("Auth allowed for connection: %+v", conn)
 return true
 }
 }
 // 4. If 1,2 and 3 unsatisfied, deny the request
+ log.Infof("Auth denied for connection: %+v", conn)
 return false
 }
@@ -480,7 +488,10 @@ func (r *Rbac) buildConnV6(buf *bytes.Buffer) (rbacConnection, error) {
 conn.dstIp = binary.BigEndian.AppendUint32(conn.dstIp, tupleV6.DstAddr[i])
 }
 conn.dstPort = uint32(tupleV6.DstPort)
+ // conn.dstIp = restoreIPv4(conn.dstIp)
+ // conn.srcIp = restoreIPv4(conn.srcIp)
 conn.srcIdentity = r.getIdentityByIp(conn.srcIp)
+
 return conn, nil
 }
@@ -511,3 +522,20 @@ func (r *Rbac) getIdentityByIp(ip []byte) Identity {
 serviceAccount: workload.GetServiceAccount(),
 }
 }
+
+// Converting IPv4 data reported in IPv6 form to IPv4
+// func restoreIPv4(bytes []byte) []byte {
+// fmt.Printf("********** %#v ***********", bytes)
+// constantSlice := []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255}
+// if slices.EqualUnordered(bytes[:12], constantSlice) {
+// return bytes[12:]
+// }
+
+// for i := 4; i < 16; i++ {
+// if bytes[i] != 0 {
+// return bytes
+// }
+// }
+
+// return bytes[:4]
+// }
diff --git a/pkg/auth/rbac_test.go b/pkg/auth/rbac_test.go
index 710903fc8..d0a923121 100644
--- a/pkg/auth/rbac_test.go
+++ b/pkg/auth/rbac_test.go
@@ -28,7 +28,6 @@ import (
 "github.com/cilium/ebpf/asm"
 "github.com/stretchr/testify/assert"
 "istio.io/istio/pkg/util/sets"
- "kmesh.net/kmesh/api/v2/workloadapi"
 "kmesh.net/kmesh/api/v2/workloadapi/security"
 "kmesh.net/kmesh/pkg/controller/workload/cache"
@@ -2149,7 +2148,7 @@ func TestRbac_Run(t *testing.T) {
 Uid: "123456",
 Addresses: [][]byte{
 {192, 168, 120, 1},
- net.ParseIP("fd80::1"),
+ net.ParseIP("0:1::fd80:0"),
 },
 AuthorizationPolicies: []string{DENY_AUTH},
 })
@@ -2163,6 +2162,7 @@ func TestRbac_Run(t *testing.T) {
 "1. IPv4: Deny, records found in map_of_auth",
 args{
 msgType: MSG_TYPE_IPV4,
+ // 192, 168, 120, 1, 192, 168, 122, 3, , , 8080
 lookupKey: append([]byte{0xC0, 0xA8, 0x78, 0x01, 0xC0, 0xA8, 0x7A, 0x03, 0xC2, 0x6C, 0x1F, 0x90}, make([]byte, TUPLE_LEN-IPV4_TUPLE_LENGTH)...),
 },
@@ -2213,3 +2213,35 @@ func TestRbac_Run(t *testing.T) {
 mapOfAuth.Close()
 }
 }
+
+// func TestRestoreIPv4(t *testing.T) {
+// type args struct {
+// bytes []byte
+// }
+// tests := []struct {
+// name string
+// args args
+// want []byte
+// }{
+// {
+// name: "maped by kmesh",
+// args: args{
+// bytes: []byte{10, 244, 0, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+// },
+// want: []byte{10, 244, 0, 13},
+// },
+// {
+// name: "ipv4 to ipv6",
+// args: args{
+// bytes: []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 10, 244, 0, 13},
+// },
+// want: []byte{10, 244, 0, 13},
+// },
+// }
+// for _, tt := range tests {
+// t.Run(tt.name, func(t *testing.T) {
+// got := restoreIPv4(tt.args.bytes)
+// assert.Equal(t, tt.want, got)
+// })
+// }
+// }
diff --git a/pkg/auth/xdp_auth_handler.go b/pkg/auth/xdp_auth_handler.go
index 5fb0a40d7..a00567361 100644
--- a/pkg/auth/xdp_auth_handler.go
+++ b/pkg/auth/xdp_auth_handler.go
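Review bot: The replacement fixture `net.ParseIP("0:1::fd80:0")` is, byte for byte, `fd80::1` with its four 32-bit words in reverse order, and neither the commit message nor the test explains why the workload address had to change. If the new value compensates for the order in which `buildConnV6` reassembles `tupleV6.DstAddr` (its hunk in rbac.go shows `binary.BigEndian.AppendUint32(conn.dstIp, tupleV6.DstAddr[i])`), the test now pins that word order instead of checking it against an address written in wire order, and an IPv6 `lookupKey` built from the on-wire bytes of `fd80::1` would settle which side is right. At minimum a comment on the fixture, `// word-reversed form of fd80::1, matching how the IPv6 tuple is decoded`, would stop the next reader from guessing.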
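Review bot: The comment added above `lookupKey` spells out the address bytes but leaves the source port as `, , ,`; the bytes `0xC2, 0x6C` are 49772 and `0x1F, 0x90` are 8080. Assuming the key follows the `bpf_sock_tuple.ipv4` field order (saddr, daddr, sport, dport), `// 192.168.120.1:49772 -> 192.168.122.3:8080` documents the whole tuple in one line.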
@@ -25,6 +25,8 @@ import (
 type notifyFunc func(mapOfAuth *ebpf.Map, msgType uint32, key []byte) error
 func xdpNotifyConnRst(mapOfAuth *ebpf.Map, msgType uint32, key []byte) error {
+ fmt.Printf("\n---------- %#v ------------\n", key)
+ fmt.Printf("\n---------- %#v ------------\n", msgType)
 if mapOfAuth == nil {
 return fmt.Errorf("map_of_auth is nil")
 }
@@ -35,6 +37,7 @@ func xdpNotifyConnRst(mapOfAuth *ebpf.Map, msgType uint32, key []byte) error {
 key[i] = 0
 }
 }
+ fmt.Printf("\n---------- %#v ------------\n", key)
 // Insert the socket tuple into the auth map, so xdp_auth_handler can know that socket with
 // this tuple is denied by policy, note that IP and port are big endian in auth map
 return mapOfAuth.Update(key, uint32(1), ebpf.UpdateAny)
From 438e2826ff1d6de8158ce7648efaf060516cf895 Mon Sep 17 00:00:00 2001
From: LiZhenCheng9527
Date: Wed, 31 Jul 2024 18:14:05 +0800
Subject: [PATCH 2/3] clean up
Signed-off-by: LiZhenCheng9527
---
 bpf/kmesh/workload/sockops.c | 34 +---------------------------------
 bpf/kmesh/workload/xdp.c | 4 ----
 pkg/auth/rbac.go | 27 ++------------------------
 pkg/auth/rbac_test.go | 32 --------------------------------
 pkg/auth/xdp_auth_handler.go | 3 ---
 5 files changed, 3 insertions(+), 97 deletions(-)
diff --git a/bpf/kmesh/workload/sockops.c b/bpf/kmesh/workload/sockops.c
index 015d5138c..bddb3b91f 100644
--- a/bpf/kmesh/workload/sockops.c
+++ b/bpf/kmesh/workload/sockops.c
@@ -44,15 +44,7 @@ static inline bool is_managed_by_kmesh(struct bpf_sock_ops *skops)
 else
 IP6_COPY(key.addr.ip6, skops->local_ip6);
 }
- // if (skops->family == AF_INET6)
- // IP6_COPY(key.addr.ip6, skops->local_ip6);
-
- BPF_LOG(DEBUG, SOCKOPS, "skops family is %d", skops->family);
- BPF_LOG(DEBUG, SOCKOPS, "key ipv4 is %d, ipv6 is %d", key.addr.ip4, key.addr.ip6);
- BPF_LOG(DEBUG, SOCKOPS, "skops local_ipv4 is %d, local_ipv6 is %d", skops->local_ip4, skops->local_ip6);
- BPF_LOG(DEBUG, SOCKOPS, "skops remote_ipv4 is %d, remote_ipv6 is %d", skops->remote_ip4, skops->remote_ip6);
- BPF_LOG(DEBUG, SOCKOPS, "mamnager key ipv4 is %u, ipv6 is %u, %u, %u, %u", key.addr.ip4, key.addr.ip6[0], key.addr.ip6[1], key.addr.ip6[2], key.addr.ip6[3]);
-
+
 int *value = bpf_map_lookup_elem(&map_of_manager, &key);
 if (!value)
 return false;
@@ -98,31 +90,13 @@ static inline void extract_skops_to_tuple_reverse(struct bpf_sock_ops *skops, st
 // local_port is host byteorder
 tuple_key->ipv6.dport = bpf_htons(GET_SKOPS_LOCAL_PORT(skops));
 }
- BPF_LOG(DEBUG, SOCKOPS, "skops family is %d", skops->family);
- BPF_LOG(DEBUG, SOCKOPS, "origin key info, source ipv4: %u, port: %u, destination ipv4: %u, port: %u", tuple_key->ipv4.saddr, tuple_key->ipv4.sport, tuple_key->ipv4.daddr, tuple_key->ipv4.dport);
- BPF_LOG(DEBUG, SOCKOPS, "origin key ipv6 info, source ipv6: %u, %u, %u, %u, port: %u, destination ipv6: %u, %u, %u, %u, port: %u",
- tuple_key->ipv6.saddr[0], tuple_key->ipv6.saddr[1], tuple_key->ipv6.saddr[2], tuple_key->ipv6.saddr[3], tuple_key->ipv6.sport,
- tuple_key->ipv6.daddr[0], tuple_key->ipv6.daddr[1], tuple_key->ipv6.daddr[2], tuple_key->ipv6.daddr[3], tuple_key->ipv6.dport);
 if (is_ipv4_mapped_addr(tuple_key->ipv6.daddr) || is_ipv4_mapped_addr(tuple_key->ipv6.saddr)) {
 tuple_key->ipv4.saddr = tuple_key->ipv6.saddr[3];
 tuple_key->ipv4.daddr = tuple_key->ipv6.daddr[3];
- // tuple_key->ipv6.saddr[0] = tuple_key->ipv4.saddr;
- // tuple_key->ipv6.daddr[0] = tuple_key->ipv4.daddr;
- // tuple_key->ipv6.saddr[1] = 0x00000000;
- // tuple_key->ipv6.saddr[2] = 0x00000000;
- // tuple_key->ipv6.saddr[3] = 0x00000000;
- // tuple_key->ipv6.daddr[1] = 0x00000000;
- // tuple_key->ipv6.daddr[2] = 0x00000000;
- // tuple_key->ipv6.daddr[3] = 0x00000000;
 tuple_key->ipv4.sport = tuple_key->ipv6.sport;
 tuple_key->ipv4.dport = tuple_key->ipv6.dport;
 }
-
- BPF_LOG(DEBUG, SOCKOPS, "change key info, source ipv4: %u, port: %u, destination ipv4: %u, port: %u", tuple_key->ipv4.saddr, tuple_key->ipv4.sport, tuple_key->ipv4.daddr, tuple_key->ipv4.dport);
- BPF_LOG(DEBUG, SOCKOPS, "change key ipv6 info, source ipv6: %u, %u, %u, %u, port: %u, destination ipv6: %u, %u, %u, %u, port: %u",
- tuple_key->ipv6.saddr[0], tuple_key->ipv6.saddr[1], tuple_key->ipv6.saddr[2], tuple_key->ipv6.saddr[3], tuple_key->ipv6.sport,
-
tuple_key->ipv6.daddr[0], tuple_key->ipv6.daddr[1], tuple_key->ipv6.daddr[2], tuple_key->ipv6.daddr[3], tuple_key->ipv6.dport);
 }
 // clean map_of_auth
@@ -164,10 +138,7 @@ static inline void auth_ip_tuple(struct bpf_sock_ops *skops)
 extract_skops_to_tuple_reverse(skops, &(*msg).tuple);
 (*msg).type = (skops->family == AF_INET) ? IPV4 : IPV6;
 if (is_ipv4_mapped_addr(skops->local_ip6)) {
- BPF_LOG(DEBUG, SOCKOPS, "origin msg type is %d", (*msg).type);
 (*msg).type = IPV4;
- BPF_LOG(DEBUG, SOCKOPS, "origin msg type is %d", (*msg).type);
-
 }
 bpf_ringbuf_submit(msg, 0);
 }
@@ -257,7 +228,6 @@ int sockops_prog(struct bpf_sock_ops *skops)
 skops_handle_kmesh_managed_process(skops);
 break;
 case BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB:
- BPF_LOG(DEBUG, SOCKOPS, "1 is managed by kmesh %d", is_managed_by_kmesh(skops));
 if (!is_managed_by_kmesh(skops))
 break;
 observe_on_connect_established(skops->sk, OUTBOUND);
@@ -269,7 +239,6 @@ int sockops_prog(struct bpf_sock_ops *skops)
 enable_encoding_metadata(skops);
 break;
 case BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB:
- BPF_LOG(DEBUG, SOCKOPS, "2 is managed by kmesh %d", is_managed_by_kmesh(skops));
 if (!is_managed_by_kmesh(skops))
 break;
 observe_on_connect_established(skops->sk, INBOUND);
@@ -278,7 +247,6 @@ int sockops_prog(struct bpf_sock_ops *skops)
 auth_ip_tuple(skops);
 break;
 case BPF_SOCK_OPS_STATE_CB:
- BPF_LOG(DEBUG, SOCKOPS, "this is clean up");
 if (skops->args[1] == BPF_TCP_CLOSE) {
 observe_on_close(skops->sk);
 clean_auth_map(skops);
diff --git a/bpf/kmesh/workload/xdp.c b/bpf/kmesh/workload/xdp.c
index 0c496bdc4..864efa838 100644
--- a/bpf/kmesh/workload/xdp.c
+++ b/bpf/kmesh/workload/xdp.c
@@ -115,17 +115,13 @@ int xdp_shutdown(struct xdp_md *ctx)
 struct xdp_info info = {0};
 struct bpf_sock_tuple tuple_info = {0};
- BPF_LOG(INFO, XDP, "check package");
 if (parser_xdp_info(ctx, &info) == PARSER_FAILED)
 return XDP_PASS;
- BPF_LOG(INFO, XDP, "check address family %u", info.iph->version);
 if (info.iph->version != 4 && info.iph->version != 6)
 return XDP_PASS;
 // never failed
 parser_tuple(&info, &tuple_info);
- BPF_LOG(INFO, XDP, "tup_info source ipv4: %d, Ipv6: %d", tuple_info.ipv4.saddr, tuple_info.ipv6.saddr);
- BPF_LOG(INFO, XDP, "tup_info destination ipv4: %d, Ipv6: %d", tuple_info.ipv4.daddr, tuple_info.ipv6.daddr);
 if (should_shutdown(&info, &tuple_info) == AUTH_FORBID)
 shutdown_tuple(&info);
diff --git a/pkg/auth/rbac.go b/pkg/auth/rbac.go
index 8669c11d8..ba7cc6188 100644
--- a/pkg/auth/rbac.go
+++ b/pkg/auth/rbac.go
@@ -146,11 +146,8 @@ func (r *Rbac) Run(ctx context.Context, mapOfTuple, mapOfAuth *ebpf.Map) {
 continue
 }
- fmt.Printf("\n------- %#v ---------\n", conn)
-
 if !r.doRbac(&conn) {
 log.Infof("Auth denied for connection: %+v", conn)
- fmt.Printf("\n-------- %#v ---------\n", tupleData)
 // If conn is denied, write tuples into XDP map, which includes source/destination IP/Port
 if err = r.notifyFunc(mapOfAuth, msgType, tupleData); err != nil {
 log.Error("authmap update FAILED, err: ", err)
@@ -183,7 +180,7 @@ func (r *Rbac) doRbac(conn *rbacConnection) bool {
 dstWorkload := r.workloadCache.GetWorkloadByAddr(networkAddress)
 // If no workload found, deny
 if dstWorkload == nil {
- log.Warnf("get destination workload from ip %v FAILED", conn.dstIp)
+ log.Warnf("Auth denied for connection: %v because destination workload not found", conn.dstIp)
 return false
 }
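Review bot: The reworded Warnf in `doRbac` says "Auth denied for connection" but formats only `conn.dstIp`, a `[]byte` that `%v` renders as decimal bytes, so the line shows neither the connection nor a readable address; `Run` already logs the full `conn` at Info on every deny, so this line only adds the reason. Either log the connection it names, `log.Warnf("Auth denied for connection: %+v because destination workload not found", *conn)`, or keep just the address but render it through `netip.AddrFromSlice`, which this file already uses in `getIdentityByIp`. `doRbac` begins outside the hunk.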
@@ -193,27 +190,24 @@ func (r *Rbac) doRbac(conn *rbacConnection) bool {
 // 1. If there is ANY deny policy, deny the request
 for _, denyPolicy := range denyPolicies {
 if matches(conn, denyPolicy) {
- log.Infof("Auth denied for connection: %+v", conn)
+ log.Infof("Auth denied for connection: %+v because authorization policy", conn)
 return false
 }
 }
 // 2. If there is NO allow policy for the workload, allow the request
 if len(allowPolicies) == 0 {
- log.Infof("Auth allowed for connection: %+v", conn)
 return true
 }
 // 3. If there is ANY allow policy matched, allow the request
 for _, allowPolicy := range allowPolicies {
 if matches(conn, allowPolicy) {
- log.Infof("Auth allowed for connection: %+v", conn)
 return true
 }
 }
 // 4. If 1,2 and 3 unsatisfied, deny the request
- log.Infof("Auth denied for connection: %+v", conn)
 return false
 }
@@ -522,20 +516,3 @@ func (r *Rbac) getIdentityByIp(ip []byte) Identity {
 serviceAccount: workload.GetServiceAccount(),
 }
 }
-
-// Converting IPv4 data reported in IPv6 form to IPv4
-// func restoreIPv4(bytes []byte) []byte {
-// fmt.Printf("********** %#v ***********", bytes)
-// constantSlice := []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255}
-// if slices.EqualUnordered(bytes[:12], constantSlice) {
-// return bytes[12:]
-// }
-
-// for i := 4; i < 16; i++ {
-// if bytes[i] != 0 {
-// return bytes
-// }
-// }
-
-// return bytes[:4]
-// }
diff --git a/pkg/auth/rbac_test.go b/pkg/auth/rbac_test.go
index d0a923121..012d2f420 100644
--- a/pkg/auth/rbac_test.go
+++ b/pkg/auth/rbac_test.go
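Review bot: After this hunk a deny-policy match is logged twice at Info, once here with "because authorization policy" and again by `Run` with the same `%+v` of the connection, while the step-4 deny (no allow policy matched) carries no reason at all. Each of these lines is emitted per denied connection attempt, so the volume is set by whoever is connecting; returning the reason to `Run` so it can log one line, or logging here at Debug, keeps a single record per decision and gives every deny a reason. The message itself also reads better as `log.Infof("Auth denied for connection: %+v by authorization policy", conn)`. `doRbac` begins outside the hunk.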
@@ -2213,35 +2213,3 @@ func TestRbac_Run(t *testing.T) {
 mapOfAuth.Close()
 }
 }
-
-// func TestRestoreIPv4(t *testing.T) {
-// type args struct {
-// bytes []byte
-// }
-// tests := []struct {
-// name string
-// args args
-// want []byte
-// }{
-// {
-// name: "maped by kmesh",
-// args: args{
-// bytes: []byte{10, 244, 0, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
-// },
-// want: []byte{10, 244, 0, 13},
-// },
-// {
-// name: "ipv4 to ipv6",
-// args: args{
-// bytes: []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 10, 244, 0, 13},
-// },
-// want: []byte{10, 244, 0, 13},
-// },
-// }
-// for _, tt := range tests {
-// t.Run(tt.name, func(t *testing.T) {
-// got := restoreIPv4(tt.args.bytes)
-// assert.Equal(t, tt.want, got)
-// })
-// }
-// }
diff --git a/pkg/auth/xdp_auth_handler.go b/pkg/auth/xdp_auth_handler.go
index a00567361..5fb0a40d7 100644
--- a/pkg/auth/xdp_auth_handler.go
+++ b/pkg/auth/xdp_auth_handler.go
@@ -25,8 +25,6 @@ import (
 type notifyFunc func(mapOfAuth *ebpf.Map, msgType uint32, key []byte) error
 func xdpNotifyConnRst(mapOfAuth *ebpf.Map, msgType uint32, key []byte) error {
- fmt.Printf("\n---------- %#v ------------\n", key)
- fmt.Printf("\n---------- %#v ------------\n", msgType)
 if mapOfAuth == nil {
 return fmt.Errorf("map_of_auth is nil")
 }
@@ -37,7 +35,6 @@ func xdpNotifyConnRst(mapOfAuth *ebpf.Map, msgType uint32, key []byte) error {
 key[i] = 0
 }
 }
- fmt.Printf("\n---------- %#v ------------\n", key)
 // Insert the socket tuple into the auth map, so xdp_auth_handler can know that socket with
 // this tuple is denied by policy, note that IP and port are big endian in auth map
 return mapOfAuth.Update(key, uint32(1), ebpf.UpdateAny)
From ccb08485ef1ca58ee3b961befe7618fcf7a67569 Mon Sep 17 00:00:00 2001
From: LiZhenCheng9527
Date: Wed, 31 Jul 2024 18:18:56 +0800
Subject: [PATCH 3/3] make gen
Signed-off-by: LiZhenCheng9527
---
 bpf/kmesh/workload/sockops.c | 3 +--
 pkg/auth/rbac.go | 2 +-
 pkg/auth/rbac_test.go | 1 +
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/bpf/kmesh/workload/sockops.c b/bpf/kmesh/workload/sockops.c
index bddb3b91f..cffc837bc 100644
--- a/bpf/kmesh/workload/sockops.c
+++ b/bpf/kmesh/workload/sockops.c
@@ -44,7 +44,7 @@ static inline bool is_managed_by_kmesh(struct bpf_sock_ops *skops)
 else
 IP6_COPY(key.addr.ip6, skops->local_ip6);
 }
-
+
 int *value = bpf_map_lookup_elem(&map_of_manager, &key);
 if (!value)
 return false;
@@ -73,7 +73,6 @@ static inline void extract_skops_to_tuple(struct bpf_sock_ops *skops, struct bpf
 static inline void extract_skops_to_tuple_reverse(struct bpf_sock_ops *skops, struct bpf_sock_tuple *tuple_key)
 {
-
 if (skops->family == AF_INET) {
 tuple_key->ipv4.saddr = skops->remote_ip4;
 tuple_key->ipv4.daddr = skops->local_ip4;
diff --git a/pkg/auth/rbac.go b/pkg/auth/rbac.go
index ba7cc6188..73ea093e8 100644
--- a/pkg/auth/rbac.go
+++ b/pkg/auth/rbac.go
@@ -501,7 +501,7 @@ func isEmptyMatch(m *security.Match) bool {
 m.GetNamespaces() == nil && m.GetNotNamespaces() == nil
 }
-// todo : get identity form tls connection
+// todo : get identity from tls connection
 func (r *Rbac) getIdentityByIp(ip []byte) Identity {
 var networkAddress cache.NetworkAddress
 networkAddress.Address, _ = netip.AddrFromSlice(ip)
diff --git a/pkg/auth/rbac_test.go b/pkg/auth/rbac_test.go
index 012d2f420..6d8009c39 100644
--- a/pkg/auth/rbac_test.go
+++ b/pkg/auth/rbac_test.go
@@ -28,6 +28,7 @@ import (
 "github.com/cilium/ebpf/asm"
 "github.com/stretchr/testify/assert"
 "istio.io/istio/pkg/util/sets"
+ "kmesh.net/kmesh/api/v2/workloadapi"
 "kmesh.net/kmesh/api/v2/workloadapi/security"
 "kmesh.net/kmesh/pkg/controller/workload/cache"