Description
Describe the feature you'd like supported
Program type: BPF_PROG_TYPE_SOCK_ADDR
Attach types:
- BPF_CGROUP_INET4_CONNECT
- BPF_CGROUP_INET6_CONNECT
- BPF_CGROUP_INET4_RECV_ACCEPT
- BPF_CGROUP_INET6_RECV_ACCEPT
The program attached to the INETx_CONNECT hook will be invoked for connect() calls on TCP or UDP sockets, and when a UDP socket calls sendto() to a unique remote address/port tuple. Programs attached to the INETx_RECV_ACCEPT hook will be invoked for TCP accept() calls and for the first unicast UDP packet received from a unique remote address/port tuple.
The INETx_CONNECT hooks exist in Linux eBPF. The RECV_ACCEPT ones do not and will be introduced in eBPF for Windows; as needed, they can be upstreamed into Linux in future.
Proposed solution
A program information NPI provider would be developed for the program type BPF_PROG_TYPE_SOCK_ADDR. For the demo, this program type will not have any program-type-specific helper functions.
Hook NPI providers would be needed for each of the attach types BPF_CGROUP_INET4_CONNECT, BPF_CGROUP_INET6_CONNECT, BPF_CGROUP_INET4_RECV_ACCEPT and BPF_CGROUP_INET6_RECV_ACCEPT.
The following table shows each attach type and the WFP layer at which a callout would be added.

| BPF Attach Type | WFP Layer |
|---|---|
| BPF_CGROUP_INET4_CONNECT | ALE_AUTH_CONNECT_V4 |
| BPF_CGROUP_INET6_CONNECT | ALE_AUTH_CONNECT_V6 |
| BPF_CGROUP_INET4_RECV_ACCEPT | ALE_AUTH_RECV_ACCEPT_V4 |
| BPF_CGROUP_INET6_RECV_ACCEPT | ALE_AUTH_RECV_ACCEPT_V6 |
When a program attaches to any of the above attach types, a WFP filter referencing the corresponding callout is created in that layer, with a single filter condition: FWPM_CONDITION_COMPARTMENT_ID.
The classify callback for the ALE layer callout would invoke the corresponding SOCK_ADDR eBPF program and, based on its return value, return a WFP classify decision that either permits or blocks the connection.
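To make the proposed control flow concrete, the following is an added example written for this page; it is not code from the issue or from the eBPF for Windows project. It models, in plain user-mode C, what the proposal describes: a SOCK_ADDR program runs at connect time, inspects the destination address/port in its context, and the WFP classify callback maps the program's return value to a permit or block action. The context struct (`sock_addr_ctx`), the policy (`connect4_policy`), the callback model (`classify_connect4`), the helper `make_ctx`, and the sample addresses and ports are all assumptions constructed for the example; the field layout follows Linux's `struct bpf_sock_addr`, since the issue does not specify the Windows-side definition, and the WFP action constants are placeholders for FWP_ACTION_PERMIT and FWP_ACTION_BLOCK.

```c
/* Added example, not part of the issue or the eBPF for Windows project.
 * Models the classify path: SOCK_ADDR program verdict -> WFP permit/block. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Assumed context: the subset of fields a connect4 program would read.
 * Layout modelled on Linux's struct bpf_sock_addr; addresses and ports are
 * in network byte order, as they are on Linux. */
struct sock_addr_ctx {
    uint32_t user_family;   /* address family of the destination */
    uint32_t user_ip4;      /* destination IPv4 address, network byte order */
    uint32_t user_port;     /* destination port, network byte order */
    uint32_t protocol;      /* IPPROTO_TCP or IPPROTO_UDP */
};

/* Verdict convention used by Linux sock_addr programs: 1 = allow, 0 = deny. */
#define SOCK_ADDR_ALLOW 1
#define SOCK_ADDR_DENY  0

/* Placeholders for the WFP actions the classify callback would return. */
enum wfp_action { WFP_PERMIT = 1, WFP_BLOCK = 2 };

/* The "program body" (constructed policy): deny TCP connects to port 23 and
 * any connect into 203.0.113.0/24 (TEST-NET-3, a documentation range);
 * allow everything else. */
static int connect4_policy(const struct sock_addr_ctx *ctx)
{
    if (ctx->user_family != AF_INET)
        return SOCK_ADDR_ALLOW;                /* not an IPv4 connect; leave it alone */

    if (ctx->protocol == IPPROTO_TCP && ctx->user_port == htons(23))
        return SOCK_ADDR_DENY;

    uint32_t dst = ntohl(ctx->user_ip4);        /* host order for prefix compare */
    if ((dst & 0xffffff00u) == 0xcb007100u)     /* 203.0.113.0/24 */
        return SOCK_ADDR_DENY;

    return SOCK_ADDR_ALLOW;
}

/* What the ALE_AUTH_CONNECT_V4 classify callback would do with the verdict. */
static enum wfp_action classify_connect4(const struct sock_addr_ctx *ctx)
{
    return connect4_policy(ctx) == SOCK_ADDR_ALLOW ? WFP_PERMIT : WFP_BLOCK;
}

/* Build a sample context from a dotted-quad string (constructed input). */
static struct sock_addr_ctx make_ctx(const char *ip, uint16_t port, uint32_t proto)
{
    struct sock_addr_ctx c;
    memset(&c, 0, sizeof c);
    c.user_family = AF_INET;
    inet_pton(AF_INET, ip, &c.user_ip4);   /* inet_pton yields network byte order */
    c.user_port = htons(port);
    c.protocol = proto;
    return c;
}

int main(void)
{
    struct sock_addr_ctx https  = make_ctx("192.0.2.10", 443, IPPROTO_TCP);
    struct sock_addr_ctx telnet = make_ctx("192.0.2.10", 23, IPPROTO_TCP);
    struct sock_addr_ctx dns    = make_ctx("203.0.113.7", 53, IPPROTO_UDP);

    printf("192.0.2.10:443/tcp -> %s\n", classify_connect4(&https)  == WFP_PERMIT ? "permit" : "block");
    printf("192.0.2.10:23/tcp  -> %s\n", classify_connect4(&telnet) == WFP_PERMIT ? "permit" : "block");
    printf("203.0.113.7:53/udp -> %s\n", classify_connect4(&dns)    == WFP_PERMIT ? "permit" : "block");
    return 0;
}
```

The two-step split mirrors the design: the policy function is the only piece that would live in the eBPF program, while `classify_connect4` stands in for the kernel-side callout that translates the program's 0/1 verdict into the WFP action for the layer's filter.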
Additional context
No response