bpf/tcpreset.c

/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
// +build ignore
#include "vmlinux.h"
#include "bpf_helpers.h"
#include "bpf_core_read.h"
#include "bpf_tracing.h"
#include "inspector.h"

#define RESET_NOSOCK 1
#define RESET_ACTIVE 2
#define RESET_PROCESS 4
#define RESET_RECEIVE 8

struct receive_reset_args {
	unsigned long pad;
    const void * skaddr;
    u16 sport;
    u16 dport;
    u8 saddr[4];
    u8 daddr[4];
    u8 saddr_v6[16];
    u8 daddr_v6[16];
    u64 sock_cookie;
}__attribute__((packed));

struct send_reset_args {
	unsigned long pad;
	const void * skbaddr;
    const void * skaddr;
    int state;
    u16 sport;
    u16 dport;
    u8 saddr[4];
    u8 daddr[4];
    u8 saddr_v6[16];
    u8 daddr_v6[16];
};

struct insp_tcpreset_event_t {
	u32 type;
    u8 state;
	struct tuple tuple;
	struct skb_meta skb_meta;
	s64 stack_id;
};

struct insp_tcpreset_event_t *unused_event __attribute__((unused));

struct {
	__uint(type, BPF_MAP_TYPE_STACK_TRACE);
	__uint(max_entries, 1000);
	__uint(key_size, sizeof(u32));
	__uint(value_size, PERF_MAX_STACK_DEPTH * sizeof(u64));
} insp_tcpreset_stack SEC(".maps");

struct {
	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
} insp_tcpreset_events SEC(".maps");

SEC("kprobe/tcp_v4_send_reset")
int trace_sendreset(struct pt_regs * ctx)
{
	struct sock * sk = (struct sock *)PT_REGS_PARM1(ctx);
	struct sk_buff * skb = (struct sk_buff *)(void *)PT_REGS_PARM2(ctx);
	struct insp_tcpreset_event_t event = {0};
	if (sk){
		event.type = RESET_PROCESS;
	}else{
		event.type = RESET_NOSOCK;
	}

	bpf_core_read(&event.state,sizeof(event.state),&sk->__sk_common.skc_state);
	event.stack_id = bpf_get_stackid((struct pt_regs *)ctx, &insp_tcpreset_stack, BPF_F_FAST_STACK_CMP);
	set_tuple(skb, &event.tuple);
	set_meta(skb,&event.skb_meta);

	bpf_perf_event_output((struct pt_regs *)ctx,&insp_tcpreset_events,BPF_F_CURRENT_CPU,&event,sizeof(event));
	return 0;
}


SEC("kprobe/tcp_send_active_reset")
int trace_sendactive(struct pt_regs * ctx)
{
    struct sock * sk = (struct sock *)PT_REGS_PARM1(ctx);
	struct insp_tcpreset_event_t event = {0};
	event.type = RESET_ACTIVE;
	bpf_core_read(&event.state,sizeof(event.state),&sk->__sk_common.skc_state);
	set_tuple_sock(sk,&event.tuple);
	set_meta_sock(sk,&event.skb_meta);
	bpf_perf_event_output((struct pt_regs *)ctx,&insp_tcpreset_events,BPF_F_CURRENT_CPU,&event,sizeof(event));
	return 0;
}

SEC("tracepoint/tcp/tcp_receive_reset")
int insp_rstrx(struct receive_reset_args *ctx)
{
	struct insp_tcpreset_event_t event = {0};
	event.stack_id = bpf_get_stackid((struct pt_regs *)ctx, &insp_tcpreset_stack, BPF_F_FAST_STACK_CMP);
	if ((int)event.stack_id < 0) {
		return 0;
	}
	event.type = RESET_RECEIVE;
	struct sock * sk = (struct sock *)ctx->skaddr;
	bpf_core_read(&event.state,sizeof(event.state),&sk->__sk_common.skc_state);
	set_tuple_sock(sk,&event.tuple);
	set_meta_sock(sk,&event.skb_meta);
	bpf_perf_event_output((struct pt_regs *)ctx,&insp_tcpreset_events,BPF_F_CURRENT_CPU,&event,sizeof(event));
	return 0;
}

char LICENSE[] SEC("license") = "Dual BSD/GPL";