github.com/datadog/cilium@v1.6.12/bpf/sockops/bpf_redir.c (about)

     1  /*
     2   *  Copyright (C) 2018 Authors of Cilium
     3   *
     4   *  This program is free software; you can redistribute it and/or modify
     5   *  it under the terms of the GNU General Public License as published by
     6   *  the Free Software Foundation; either version 2 of the License, or
     7   *  (at your option) any later version.
     8   *
     9   *  This program is distributed in the hope that it will be useful,
    10   *  but WITHOUT ANY WARRANTY; without even the implied warranty of
    11   *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    12   *  GNU General Public License for more details.
    13   *
    14   *  You should have received a copy of the GNU General Public License
    15   *  along with this program; if not, write to the Free Software
    16   *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
    17   */
    18  
    19  #define SKIP_CALLS_MAP
    20  
    21  #include <node_config.h>
    22  #include <bpf/api.h>
    23  
    24  #include <stdint.h>
    25  #include <stdio.h>
    26  
    27  #include <linux/bpf.h>
    28  #include <linux/if_ether.h>
    29  
    30  #define SOCKMAP 1
    31  
    32  #include "../lib/utils.h"
    33  #include "../lib/common.h"
    34  #include "../lib/maps.h"
    35  #include "../lib/lb.h"
    36  #include "../lib/eps.h"
    37  #include "../lib/events.h"
    38  #include "../lib/policy.h"
    39  
    40  #include "bpf_sockops.h"
    41  
    /*
     * sk_msg program: decide whether a message sent on a socket may be handed
     * straight to the peer socket stored in SOCK_OPS_MAP.
     *
     * The destination identity is resolved from the destination IPv4 address of
     * the socket key, checked with policy_sk_egress(), and the message is
     * redirected only when that check returns a non-negative verdict.
     *
     * Always returns SK_PASS. A negative verdict therefore does not drop the
     * message here; it only skips the redirect.
     * NOTE(review): presumably the regular datapath then enforces policy on the
     * non-redirected path - confirm, since this program is not a drop point.
     */
    __section("sk_msg")
    int bpf_redir_proxy(struct sk_msg_md *msg)
    {
    	struct remote_endpoint_info *ep;
    	const __u64 redir_flags = BPF_F_INGRESS;
    	struct sock_key key = {};
    	__u32 dst_id = WORLD_ID;

    	sk_msg_extract4_key(msg, &key);

    	/* The destination security label is looked up in the endpoint table
    	 * for every message. Caching it with the socket would avoid the
    	 * lookup, but the agent would then have to flush the sock ops map on
    	 * policy changes so that stale identities are not used.
    	 *
    	 * A missing entry or a zero label leaves the destination as WORLD_ID.
    	 */
    	ep = lookup_ip4_remote_endpoint(key.dip4);
    	if (ep && ep->sec_label)
    		dst_id = ep->sec_label;

    	/* Policy did not return a non-negative verdict: no redirect. */
    	if (policy_sk_egress(dst_id, key.sip4, key.dport) < 0)
    		return SK_PASS;

    	/* NOTE(review): the helper's return value is not checked, so a failed
    	 * redirect is indistinguishable from a successful one at this point.
    	 */
    	msg_redirect_hash(msg, &SOCK_OPS_MAP, &key, redir_flags);
    	return SK_PASS;
    }
    70  
    71  BPF_LICENSE("GPL"); /* licence string for this object; BPF_LICENSE is defined outside this file */
    72  int _version __section("version") = 1; /* value 1 placed in the "version" section; presumably read by the loader - confirm */