tools/testing/selftests/bpf/progs/cgroup_tcp_skb.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
   3 #include <linux/bpf.h>
   4 #include <bpf/bpf_endian.h>
   5 #include <bpf/bpf_helpers.h>
   6
   7 #include <linux/if_ether.h>
   8 #include <linux/in.h>
   9 #include <linux/in6.h>
  10 #include <linux/ipv6.h>
  11 #include <linux/tcp.h>
  12
  13 #include <sys/types.h>
  14 #include <sys/socket.h>
  15
  16 #include "cgroup_tcp_skb.h"
  17
  18 char _license[] SEC("license") = "GPL";
  19
  20 __u16 g_sock_port = 0;
  21 __u32 g_sock_state = 0;
  22 int g_unexpected = 0;
  23 __u32 g_packet_count = 0;
  24
  25 int needed_tcp_pkt(struct __sk_buff *skb, struct tcphdr *tcph)
  26 {
  27         struct ipv6hdr ip6h;
  28
  29         if (skb->protocol != bpf_htons(ETH_P_IPV6))
  30                 return 0;
  31         if (bpf_skb_load_bytes(skb, 0, &ip6h, sizeof(ip6h)))
  32                 return 0;
  33
  34         if (ip6h.nexthdr != IPPROTO_TCP)
  35                 return 0;
  36
  37         if (bpf_skb_load_bytes(skb, sizeof(ip6h), tcph, sizeof(*tcph)))
  38                 return 0;
  39
  40         if (tcph->source != bpf_htons(g_sock_port) &&
  41             tcph->dest != bpf_htons(g_sock_port))
  42                 return 0;
  43
  44         return 1;
  45 }
  46
  47 /* Run accept() on a socket in the cgroup to receive a new connection. */
  48 static int egress_accept(struct tcphdr *tcph)
  49 {
  50         if (g_sock_state ==  SYN_RECV_SENDING_SYN_ACK) {
  51                 if (tcph->fin || !tcph->syn || !tcph->ack)
  52                         g_unexpected++;
  53                 else
  54                         g_sock_state = SYN_RECV;
  55                 return 1;
  56         }
  57
  58         return 0;
  59 }
  60
  61 static int ingress_accept(struct tcphdr *tcph)
  62 {
  63         switch (g_sock_state) {
  64         case INIT:
  65                 if (!tcph->syn || tcph->fin || tcph->ack)
  66                         g_unexpected++;
  67                 else
  68                         g_sock_state = SYN_RECV_SENDING_SYN_ACK;
  69                 break;
  70         case SYN_RECV:
  71                 if (tcph->fin || tcph->syn || !tcph->ack)
  72                         g_unexpected++;
  73                 else
  74                         g_sock_state = ESTABLISHED;
  75                 break;
  76         default:
  77                 return 0;
  78         }
  79
  80         return 1;
  81 }
  82
  83 /* Run connect() on a socket in the cgroup to start a new connection. */
  84 static int egress_connect(struct tcphdr *tcph)
  85 {
  86         if (g_sock_state == INIT) {
  87                 if (!tcph->syn || tcph->fin || tcph->ack)
  88                         g_unexpected++;
  89                 else
  90                         g_sock_state = SYN_SENT;
  91                 return 1;
  92         }
  93
  94         return 0;
  95 }
  96
  97 static int ingress_connect(struct tcphdr *tcph)
  98 {
  99         if (g_sock_state == SYN_SENT) {
 100                 if (tcph->fin || !tcph->syn || !tcph->ack)
 101                         g_unexpected++;
 102                 else
 103                         g_sock_state = ESTABLISHED;
 104                 return 1;
 105         }
 106
 107         return 0;
 108 }
 109
 110 /* The connection is closed by the peer outside the cgroup. */
 111 static int egress_close_remote(struct tcphdr *tcph)
 112 {
 113         switch (g_sock_state) {
 114         case ESTABLISHED:
 115                 break;
 116         case CLOSE_WAIT_SENDING_ACK:
 117                 if (tcph->fin || tcph->syn || !tcph->ack)
 118                         g_unexpected++;
 119                 else
 120                         g_sock_state = CLOSE_WAIT;
 121                 break;
 122         case CLOSE_WAIT:
 123                 if (!tcph->fin)
 124                         g_unexpected++;
 125                 else
 126                         g_sock_state = LAST_ACK;
 127                 break;
 128         default:
 129                 return 0;
 130         }
 131
 132         return 1;
 133 }
 134
 135 static int ingress_close_remote(struct tcphdr *tcph)
 136 {
 137         switch (g_sock_state) {
 138         case ESTABLISHED:
 139                 if (tcph->fin)
 140                         g_sock_state = CLOSE_WAIT_SENDING_ACK;
 141                 break;
 142         case LAST_ACK:
 143                 if (tcph->fin || tcph->syn || !tcph->ack)
 144                         g_unexpected++;
 145                 else
 146                         g_sock_state = CLOSED;
 147                 break;
 148         default:
 149                 return 0;
 150         }
 151
 152         return 1;
 153 }
 154
 155 /* The connection is closed by the endpoint inside the cgroup. */
 156 static int egress_close_local(struct tcphdr *tcph)
 157 {
 158         switch (g_sock_state) {
 159         case ESTABLISHED:
 160                 if (tcph->fin)
 161                         g_sock_state = FIN_WAIT1;
 162                 break;
 163         case TIME_WAIT_SENDING_ACK:
 164                 if (tcph->fin || tcph->syn || !tcph->ack)
 165                         g_unexpected++;
 166                 else
 167                         g_sock_state = TIME_WAIT;
 168                 break;
 169         default:
 170                 return 0;
 171         }
 172
 173         return 1;
 174 }
 175
 176 static int ingress_close_local(struct tcphdr *tcph)
 177 {
 178         switch (g_sock_state) {
 179         case ESTABLISHED:
 180                 break;
 181         case FIN_WAIT1:
 182                 if (tcph->fin || tcph->syn || !tcph->ack)
 183                         g_unexpected++;
 184                 else
 185                         g_sock_state = FIN_WAIT2;
 186                 break;
 187         case FIN_WAIT2:
 188                 if (!tcph->fin || tcph->syn || !tcph->ack)
 189                         g_unexpected++;
 190                 else
 191                         g_sock_state = TIME_WAIT_SENDING_ACK;
 192                 break;
 193         default:
 194                 return 0;
 195         }
 196
 197         return 1;
 198 }
 199
 200 /* Check the types of outgoing packets of a server socket to make sure they
 201  * are consistent with the state of the server socket.
 202  *
 203  * The connection is closed by the client side.
 204  */
 205 SEC("cgroup_skb/egress")
 206 int server_egress(struct __sk_buff *skb)
 207 {
 208         struct tcphdr tcph;
 209
 210         if (!needed_tcp_pkt(skb, &tcph))
 211                 return 1;
 212
 213         g_packet_count++;
 214
 215         /* Egress of the server socket. */
 216         if (egress_accept(&tcph) || egress_close_remote(&tcph))
 217                 return 1;
 218
 219         g_unexpected++;
 220         return 1;
 221 }
 222
 223 /* Check the types of incoming packets of a server socket to make sure they
 224  * are consistent with the state of the server socket.
 225  *
 226  * The connection is closed by the client side.
 227  */
 228 SEC("cgroup_skb/ingress")
 229 int server_ingress(struct __sk_buff *skb)
 230 {
 231         struct tcphdr tcph;
 232
 233         if (!needed_tcp_pkt(skb, &tcph))
 234                 return 1;
 235
 236         g_packet_count++;
 237
 238         /* Ingress of the server socket. */
 239         if (ingress_accept(&tcph) || ingress_close_remote(&tcph))
 240                 return 1;
 241
 242         g_unexpected++;
 243         return 1;
 244 }
 245
 246 /* Check the types of outgoing packets of a server socket to make sure they
 247  * are consistent with the state of the server socket.
 248  *
 249  * The connection is closed by the server side.
 250  */
 251 SEC("cgroup_skb/egress")
 252 int server_egress_srv(struct __sk_buff *skb)
 253 {
 254         struct tcphdr tcph;
 255
 256         if (!needed_tcp_pkt(skb, &tcph))
 257                 return 1;
 258
 259         g_packet_count++;
 260
 261         /* Egress of the server socket. */
 262         if (egress_accept(&tcph) || egress_close_local(&tcph))
 263                 return 1;
 264
 265         g_unexpected++;
 266         return 1;
 267 }
 268
 269 /* Check the types of incoming packets of a server socket to make sure they
 270  * are consistent with the state of the server socket.
 271  *
 272  * The connection is closed by the server side.
 273  */
 274 SEC("cgroup_skb/ingress")
 275 int server_ingress_srv(struct __sk_buff *skb)
 276 {
 277         struct tcphdr tcph;
 278
 279         if (!needed_tcp_pkt(skb, &tcph))
 280                 return 1;
 281
 282         g_packet_count++;
 283
 284         /* Ingress of the server socket. */
 285         if (ingress_accept(&tcph) || ingress_close_local(&tcph))
 286                 return 1;
 287
 288         g_unexpected++;
 289         return 1;
 290 }
 291
 292 /* Check the types of outgoing packets of a client socket to make sure they
 293  * are consistent with the state of the client socket.
 294  *
 295  * The connection is closed by the server side.
 296  */
 297 SEC("cgroup_skb/egress")
 298 int client_egress_srv(struct __sk_buff *skb)
 299 {
 300         struct tcphdr tcph;
 301
 302         if (!needed_tcp_pkt(skb, &tcph))
 303                 return 1;
 304
 305         g_packet_count++;
 306
 307         /* Egress of the server socket. */
 308         if (egress_connect(&tcph) || egress_close_remote(&tcph))
 309                 return 1;
 310
 311         g_unexpected++;
 312         return 1;
 313 }
 314
 315 /* Check the types of incoming packets of a client socket to make sure they
 316  * are consistent with the state of the client socket.
 317  *
 318  * The connection is closed by the server side.
 319  */
 320 SEC("cgroup_skb/ingress")
 321 int client_ingress_srv(struct __sk_buff *skb)
 322 {
 323         struct tcphdr tcph;
 324
 325         if (!needed_tcp_pkt(skb, &tcph))
 326                 return 1;
 327
 328         g_packet_count++;
 329
 330         /* Ingress of the server socket. */
 331         if (ingress_connect(&tcph) || ingress_close_remote(&tcph))
 332                 return 1;
 333
 334         g_unexpected++;
 335         return 1;
 336 }
 337
 338 /* Check the types of outgoing packets of a client socket to make sure they
 339  * are consistent with the state of the client socket.
 340  *
 341  * The connection is closed by the client side.
 342  */
 343 SEC("cgroup_skb/egress")
 344 int client_egress(struct __sk_buff *skb)
 345 {
 346         struct tcphdr tcph;
 347
 348         if (!needed_tcp_pkt(skb, &tcph))
 349                 return 1;
 350
 351         g_packet_count++;
 352
 353         /* Egress of the server socket. */
 354         if (egress_connect(&tcph) || egress_close_local(&tcph))
 355                 return 1;
 356
 357         g_unexpected++;
 358         return 1;
 359 }
 360
 361 /* Check the types of incoming packets of a client socket to make sure they
 362  * are consistent with the state of the client socket.
 363  *
 364  * The connection is closed by the client side.
 365  */
 366 SEC("cgroup_skb/ingress")
 367 int client_ingress(struct __sk_buff *skb)
 368 {
 369         struct tcphdr tcph;
 370
 371         if (!needed_tcp_pkt(skb, &tcph))
 372                 return 1;
 373
 374         g_packet_count++;
 375
 376         /* Ingress of the server socket. */
 377         if (ingress_connect(&tcph) || ingress_close_local(&tcph))
 378                 return 1;
 379
 380         g_unexpected++;
 381         return 1;
 382 }