1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #ifndef NET_FIREWALL_MATCH_H
16 #define NET_FIREWALL_MATCH_H
17
18 #include <bpf/bpf_helpers.h>
19
20 #include "netfirewall_utils.h"
21 #include "netfirewall_bitmap.h"
22 #include "netfirewall_map.h"
23 #include "netfirewall_event.h"
24 #include "netfirewall_def.h"
25
/**
 * @brief Derive the user id that owns a socket from its uid.
 *
 * The user id is the quotient sock_uid / USER_ID_DIVIDOR. When that quotient
 * is 0 the active user id stored in CURRENT_UID_MAP is used instead, and
 * DEFAULT_USER_ID when that map has no entry.
 *
 * NOTE(review): bpf_get_socket_uid() returns the overflow uid when the skb
 * carries no socket; what user id that resolves to here is not checked — confirm.
 *
 * @param sock_uid uid of the socket, as returned by bpf_get_socket_uid
 * @return user id with type __u32
 */
static __always_inline __u32 get_user_id(__u32 sock_uid)
{
    __u32 derived = sock_uid / USER_ID_DIVIDOR;
    if (derived != 0) {
        return derived;
    }

    /* Quotient 0: fall back to the currently active user recorded in the map. */
    current_user_id_key key = CURRENT_USER_ID_KEY;
    uid_key *active = bpf_map_lookup_elem(&CURRENT_UID_MAP, &key);
    return active ? *active : DEFAULT_USER_ID;
}
47
/**
 * @brief Exchange sport and dport of a tuple (used for the egress direction).
 *
 * @param tuple struct match_tuple to modify in place; must not be NULL
 */
static __always_inline void swap_tuple_ports(struct match_tuple *tuple)
{
    __be16 saved_sport = tuple->sport;
    __be16 saved_dport = tuple->dport;
    tuple->sport = saved_dport;
    tuple->dport = saved_sport;
}
59
/**
 * @brief Exchange source and destination address of a tuple (used for the
 * egress direction).
 *
 * Only AF_INET selects the IPv4 pair; every other family is treated as IPv6.
 *
 * @param tuple struct match_tuple to modify in place; must not be NULL
 */
static __always_inline void swap_tuple_addrs(struct match_tuple *tuple)
{
    if (tuple->family != AF_INET) {
        struct in6_addr saved = tuple->ipv6.saddr;
        tuple->ipv6.saddr = tuple->ipv6.daddr;
        tuple->ipv6.daddr = saved;
        return;
    }
    __be32 saved = tuple->ipv4.saddr;
    tuple->ipv4.saddr = tuple->ipv4.daddr;
    tuple->ipv4.daddr = saved;
}
77
/**
 * @brief Fill a match tuple from an skb.
 *
 * Reads the L3 addresses, the L4 protocol, the socket uid (and the user id
 * derived from it), and — for TCP/UDP only — the ports, plus the RST flag for
 * TCP. For EGRESS the addresses and ports are swapped so that the tuple is
 * always oriented the same way regardless of direction. Fields that are not
 * loaded for a given protocol (sport, dport, rst) are left as the caller
 * provided them — NOTE(review): confirm callers pass a zeroed tuple.
 *
 * Only AF_INET selects the IPv4 path; any other family is handled as IPv6.
 * The return values of the address/port loaders are not checked here; only
 * load_l4_protocol() can fail this function.
 *
 * @param skb struct __sk_buff of packet
 * @param tuple struct match_tuple to fill (out param)
 * @param dir enum stream_dir of the packet
 * @return true if success or false if an error occurred
 */
static __always_inline bool get_match_tuple(struct __sk_buff *skb, struct match_tuple *tuple, enum stream_dir dir)
{
    if (skb == NULL || tuple == NULL) {
        return false;
    }

    __u32 l3_off = get_l3_nhoff(skb);
    __u32 l4_off = get_l4_nhoff(skb);

    if (skb->family == AF_INET) {
        load_l3_v4_addrs(skb, l3_off, &tuple->ipv4.saddr, &tuple->ipv4.daddr);
    } else {
        load_l3_v6_addrs(skb, l3_off, &tuple->ipv6.saddr, &tuple->ipv6.daddr);
    }

    __u8 proto = 0;
    if (!load_l4_protocol(skb, l3_off, &proto)) {
        return false;
    }

    __u32 sock_uid = bpf_get_socket_uid(skb);
    tuple->dir = dir;
    tuple->family = skb->family;
    tuple->appuid = sock_uid;
    tuple->uid = get_user_id(sock_uid);
    tuple->protocol = proto;

    /* Ports exist only for TCP/UDP; header flags only for TCP. */
    bool has_ports = (proto == IPPROTO_TCP) || (proto == IPPROTO_UDP);
    if (has_ports) {
        load_l4_ports(skb, l4_off, proto, &tuple->sport, &tuple->dport);
    }
    if (proto == IPPROTO_TCP) {
        load_l4_header_flags(skb, l4_off, &tuple->rst);
    }

    /* Normalise orientation: on egress the local end becomes the "destination". */
    if (dir == EGRESS) {
        swap_tuple_addrs(tuple);
        swap_tuple_ports(tuple);
    }
    tuple->ifindex = skb->ifindex;
    return true;
}
123
/**
 * @brief Look up key in a bpf map, falling back to other_key on a miss.
 *
 * The second lookup is only performed when the first returns NULL.
 *
 * @param map bpf map pointer
 * @param key key to look up first
 * @param other_key key to look up when key is not found (typically a wildcard)
 * @return pointer to the struct bitmap value of key or other_key, or NULL if
 *         neither is present
 */
static __always_inline struct bitmap *lookup_map(void *map, void *key, void *other_key)
{
    struct bitmap *hit = bpf_map_lookup_elem(map, key);
    if (hit != NULL) {
        return hit;
    }
    return bpf_map_lookup_elem(map, other_key);
}
140
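/**
 * @brief Decide whether a packet is loopback traffic.
 *
 * A packet is loopback when it is PROTOCOL_SAT_EXPAK on ifindex 1, or when
 * both its source and destination address are found in the loopback map of
 * its family (LOOP_BACK_IPV4_MAP for AF_INET, LOOP_BACK_IPV6_MAP otherwise).
 *
 * Fixes: the function previously returned true unconditionally, ignoring the
 * lookups it performed, and the IPv6 destination lookup queried the IPv4 map
 * with an IPv6 key.
 *
 * @param match_tpl struct match_tuple (passed by value)
 * @return true if it is a loopback packet, false if not
 */
static __always_inline bool match_loopback(struct match_tuple match_tpl)
{
    if (match_tpl.protocol == PROTOCOL_SAT_EXPAK && match_tpl.ifindex == 1) {
        return true;
    }

    loop_back_val *hit = NULL;
    if (match_tpl.family == AF_INET) {
        // ipv4 127.0.0.1: source first, then destination with the same key object
        struct ipv4_lpm_key lpm_key = {
            .prefixlen = IPV4_MAX_PREFIXLEN,
            .data = match_tpl.ipv4.saddr,
        };
        hit = bpf_map_lookup_elem(&LOOP_BACK_IPV4_MAP, &lpm_key);
        if (hit != NULL) {
            lpm_key.data = match_tpl.ipv4.daddr;
            hit = bpf_map_lookup_elem(&LOOP_BACK_IPV4_MAP, &lpm_key);
        }
    } else {
        // ipv6 ::1/128: source first, then destination with the same key object
        struct ipv6_lpm_key lpm_key = {
            .prefixlen = IPV6_MAX_PREFIXLEN,
        };
        memcpy(&lpm_key.data, &match_tpl.ipv6.saddr, sizeof(lpm_key.data));
        hit = bpf_map_lookup_elem(&LOOP_BACK_IPV6_MAP, &lpm_key);
        if (hit != NULL) {
            memcpy(&lpm_key.data, &match_tpl.ipv6.daddr, sizeof(lpm_key.data));
            // Must query the IPv6 map here; the IPv4 map was used before.
            hit = bpf_map_lookup_elem(&LOOP_BACK_IPV6_MAP, &lpm_key);
        }
    }

    // Both ends resolved in the loopback map only if the last lookup hit.
    return hit != NULL;
}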
183
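/**
 * @brief Narrow the rule bitmap by source and destination address.
 *
 * For each of saddr and daddr the direction-specific address map is looked
 * up with an exact-length LPM key; when the address has no entry the
 * wildcard key is tried (OTHER_IP4_KEY for IPv4, an all-ones address for
 * IPv6). Each hit is AND-ed into key->val; a miss on both the address and
 * the wildcard leaves key->val unchanged for that dimension.
 *
 * Only AF_INET selects the IPv4 maps; any other family uses the IPv6 maps.
 *
 * Change: prefix lengths now use IPV4_MAX_PREFIXLEN / IPV6_MAX_PREFIXLEN,
 * as the other exact-address lookups in this file do, instead of 32 / 128.
 *
 * @param tuple struct match_tuple obtained from skb
 * @param key in/out bitmap; narrowed in place
 * @return true if success or false if an argument is NULL
 */
static __always_inline bool match_addrs(struct match_tuple *tuple, struct bitmap *key)
{
    if (!tuple || !key) {
        return false;
    }

    bool ingress = tuple->dir == INGRESS;
    struct bitmap *hit = NULL;

    if (tuple->family == AF_INET) {
        struct ipv4_lpm_key wildcard = {
            .prefixlen = IPV4_MAX_PREFIXLEN,
            .data = OTHER_IP4_KEY,
        };
        struct ipv4_lpm_key lpm_key = {
            .prefixlen = IPV4_MAX_PREFIXLEN,
            .data = tuple->ipv4.saddr,
        };

        hit = lookup_map(GET_MAP(ingress, saddr), &lpm_key, &wildcard);
        if (hit) {
            bitmap_and(key->val, hit->val);
        }

        // Reuse the key object for the destination address.
        lpm_key.data = tuple->ipv4.daddr;
        hit = lookup_map(GET_MAP(ingress, daddr), &lpm_key, &wildcard);
        if (hit) {
            bitmap_and(key->val, hit->val);
        }
    } else {
        struct ipv6_lpm_key wildcard = {
            .prefixlen = IPV6_MAX_PREFIXLEN,
        };
        struct ipv6_lpm_key lpm_key = {
            .prefixlen = IPV6_MAX_PREFIXLEN,
        };
        // The IPv6 wildcard entry is keyed by the all-ones address.
        memset(&wildcard.data, 0xff, sizeof(wildcard.data));

        memcpy(&lpm_key.data, &tuple->ipv6.saddr, sizeof(lpm_key.data));
        hit = lookup_map(GET_MAP(ingress, saddr6), &lpm_key, &wildcard);
        if (hit) {
            bitmap_and(key->val, hit->val);
        }

        memcpy(&lpm_key.data, &tuple->ipv6.daddr, sizeof(lpm_key.data));
        hit = lookup_map(GET_MAP(ingress, daddr6), &lpm_key, &wildcard);
        if (hit) {
            bitmap_and(key->val, hit->val);
        }
    }
    return true;
}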
245
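/**
 * @brief Narrow the rule bitmap by source and destination port.
 *
 * Each port is looked up in the direction-specific port map, falling back
 * to OTHER_PORT_KEY; every hit is AND-ed into key->val. The port values are
 * taken from the tuple as-is (get_match_tuple only fills them for TCP/UDP —
 * NOTE(review): for other protocols whatever the tuple holds is looked up;
 * confirm the tuple arrives zeroed).
 *
 * Change: the unused local `protocol` was removed.
 *
 * @param tuple struct match_tuple obtained from skb
 * @param key in/out bitmap; narrowed in place
 * @return true if success or false if an argument is NULL
 */
static __always_inline bool match_ports(struct match_tuple *tuple, struct bitmap *key)
{
    if (!tuple || !key) {
        return false;
    }
    bool ingress = tuple->dir == INGRESS;
    port_key wildcard = OTHER_PORT_KEY;

    struct bitmap *hit = lookup_map(GET_MAP(ingress, sport), &tuple->sport, &wildcard);
    if (hit) {
        log_dbg2(DBG_MATCH_SPORT, tuple->dir, (__u32)tuple->sport, hit->val[0]);
        bitmap_and(key->val, hit->val);
    }

    hit = lookup_map(GET_MAP(ingress, dport), &tuple->dport, &wildcard);
    if (hit) {
        log_dbg2(DBG_MATCH_DPORT, tuple->dir, (__u32)tuple->dport, hit->val[0]);
        bitmap_and(key->val, hit->val);
    }
    return true;
}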
276
/**
 * @brief Narrow the rule bitmap by L4 protocol.
 *
 * The tuple's protocol is looked up in the direction-specific protocol map,
 * falling back to OTHER_PROTO_KEY; a hit is AND-ed into key->val, a miss on
 * both leaves key->val unchanged.
 *
 * @param tuple struct match_tuple obtained from skb
 * @param key in/out bitmap; narrowed in place
 * @return true if success or false if an argument is NULL
 */
static __always_inline bool match_protocol(struct match_tuple *tuple, struct bitmap *key)
{
    if (tuple == NULL || key == NULL) {
        return false;
    }

    bool ingress = tuple->dir == INGRESS;
    proto_key wildcard = OTHER_PROTO_KEY;
    struct bitmap *hit = lookup_map(GET_MAP(ingress, proto), &tuple->protocol, &wildcard);
    if (hit != NULL) {
        log_dbg2(DBG_MATCH_PROTO, tuple->dir, (__u32)tuple->protocol, hit->val[0]);
        bitmap_and(key->val, hit->val);
    }
    return true;
}
302
/**
 * @brief Narrow the rule bitmap by application uid.
 *
 * The tuple's appuid (the raw socket uid) is looked up in the
 * direction-specific appuid map, falling back to OTHER_APPUID_KEY; a hit is
 * AND-ed into key->val, a miss on both leaves key->val unchanged.
 *
 * @param tuple struct match_tuple obtained from skb
 * @param key in/out bitmap; narrowed in place
 * @return true if success or false if an argument is NULL
 */
static __always_inline bool match_appuid(struct match_tuple *tuple, struct bitmap *key)
{
    if (tuple == NULL || key == NULL) {
        return false;
    }

    bool ingress = tuple->dir == INGRESS;
    appuid_key wildcard = OTHER_APPUID_KEY;
    struct bitmap *hit = lookup_map(GET_MAP(ingress, appuid), &tuple->appuid, &wildcard);
    if (hit != NULL) {
        log_dbg2(DBG_MATCH_APPUID, tuple->dir, tuple->appuid, hit->val[0]);
        bitmap_and(key->val, hit->val);
    }
    return true;
}
328
/**
 * @brief Narrow the rule bitmap by user id.
 *
 * The tuple's uid (derived by get_user_id) is looked up in the
 * direction-specific uid map, falling back to OTHER_UID_KEY; a hit is AND-ed
 * into key->val, a miss on both leaves key->val unchanged.
 *
 * @param tuple struct match_tuple obtained from skb
 * @param key in/out bitmap; narrowed in place
 * @return true if success or false if an argument is NULL
 */
static __always_inline bool match_uid(struct match_tuple *tuple, struct bitmap *key)
{
    if (tuple == NULL || key == NULL) {
        return false;
    }

    bool ingress = tuple->dir == INGRESS;
    uid_key wildcard = OTHER_UID_KEY;
    struct bitmap *hit = lookup_map(GET_MAP(ingress, uid), &tuple->uid, &wildcard);
    if (hit != NULL) {
        log_dbg2(DBG_MATCH_UID, tuple->dir, tuple->uid, hit->val[0]);
        bitmap_and(key->val, hit->val);
    }
    return true;
}
354
/**
 * @brief Build the set of rules that match a tuple.
 *
 * key is initialised to all-ones and then narrowed by address, protocol,
 * port, appuid and uid in that order; each dimension AND-s its bitmap in,
 * so a bit stays set only if the rule matched on every dimension that had
 * an entry. The first helper that fails stops the chain.
 *
 * @param tuple struct match_tuple obtained from skb
 * @param key out param receiving the matched-rule bitmap
 * @return true if success or false if an error occurred
 */
static __always_inline bool match_action_key(struct match_tuple *tuple, struct bitmap *key)
{
    if (tuple == NULL || key == NULL) {
        return false;
    }

    memset(key, 0xff, sizeof(*key));

    /* Short-circuit keeps the original order and stops at the first failure. */
    bool ok = match_addrs(tuple, key) &&
              match_protocol(tuple, key) &&
              match_ports(tuple, key) &&
              match_appuid(tuple, key) &&
              match_uid(tuple, key);
    if (!ok) {
        return false;
    }

    log_dbg(DBG_ACTION_KEY, tuple->dir, key->val[0]);
    return true;
}
393
/**
 * @brief Check whether the tuple's source address has a domain-rule entry
 * for this user and application.
 *
 * Only saddr is consulted (for a tuple built by get_match_tuple in the
 * EGRESS direction that is the remote address after the swap). The entry
 * matches when its uid equals the tuple's uid and its appuid is either 0
 * (any application) or equal to the tuple's appuid. Only AF_INET selects
 * DOMAIN_IPV4_MAP; any other family uses DOMAIN_IPV6_MAP.
 *
 * @param tuple struct match_tuple obtained from skb
 * @return true if a matching domain entry exists, false otherwise (or if
 *         tuple is NULL)
 */
static __always_inline bool MatchDomain(const struct match_tuple *tuple)
{
    if (tuple == NULL) {
        return false;
    }

    struct domain_value *entry = NULL;
    if (tuple->family == AF_INET) {
        struct ipv4_lpm_key key = {
            .prefixlen = IPV4_MAX_PREFIXLEN,
            .data = tuple->ipv4.saddr,
        };
        entry = bpf_map_lookup_elem(&DOMAIN_IPV4_MAP, &key);
    } else {
        struct ipv6_lpm_key key = {
            .prefixlen = IPV6_MAX_PREFIXLEN,
            .data = tuple->ipv6.saddr,
        };
        entry = bpf_map_lookup_elem(&DOMAIN_IPV6_MAP, &key);
    }

    if (entry == NULL) {
        return false;
    }
    bool same_user = tuple->uid == entry->uid;
    bool app_allowed = entry->appuid == 0 || tuple->appuid == entry->appuid;
    return same_user && app_allowed;
}
422
/**
 * @brief Turn a matched-rule bitmap into a verdict for the tuple.
 *
 * The starting verdict is the per-user default for the direction from
 * DEFAULT_ACTION_MAP (SK_PASS when the user has no entry). When the action
 * bitmap for the direction exists and key has at least one matched rule:
 *  - default drop: key is AND-ed with the action bitmap (1 = drop); if no
 *    bit survives, the verdict becomes SK_PASS.
 *  - default pass: key is AND-ed with the inverted action bitmap (1 = pass);
 *    if no bit survives, the verdict becomes SK_DROP.
 * Example: matched 0110, action 1100 → default drop gives 0100 (drop),
 * default pass gives 0110 & 0011 = 0010 (pass).
 * When no IP rule matched, a domain-rule hit (MatchDomain) forces SK_PASS.
 *
 * NULL arguments yield SK_PASS, i.e. this path fails open.
 *
 * @param tuple struct match_tuple obtained from skb
 * @param key matched-rule bitmap from match_action_key; modified in place
 * @return the enum sk_action verdict
 */
static __always_inline enum sk_action match_action(struct match_tuple *tuple, struct bitmap *key)
{
    if (tuple == NULL || key == NULL) {
        return SK_PASS;
    }
    bool ingress = tuple->dir == INGRESS;

    enum sk_action verdict = SK_PASS;
    struct defalut_action_value *defaults = bpf_map_lookup_elem(&DEFAULT_ACTION_MAP, &tuple->uid);
    if (defaults != NULL) {
        verdict = ingress ? defaults->inaction : defaults->outaction;
    }

    action_key akey = 1;
    struct bitmap *actions = bpf_map_lookup_elem(GET_MAP(ingress, action), &akey);

    /* Keep the NULL check in the condition so the verifier sees it guard actions->val. */
    if (actions != NULL && bitmap_positive(key->val)) {
        if (verdict == SK_DROP) {
            bitmap_and(key->val, actions->val);
            if (!bitmap_positive(key->val)) {
                verdict = SK_PASS;
            }
        } else {
            bitmap_and_inv(key->val, actions->val);
            if (!bitmap_positive(key->val)) {
                verdict = SK_DROP;
            }
        }
    } else if (MatchDomain(tuple)) {
        // No IP rule applied: a domain-name rule overrides the default verdict.
        log_dbg(DBG_MATCH_DOMAIN, tuple->dir, verdict);
        verdict = SK_PASS;
    }

    log_dbg(DBG_MATCH_ACTION, tuple->dir, verdict);
    return verdict;
}
472 #endif // NET_FIREWALL_MATCH_H
473