diff --git a/chapter12/net-context/tc-exist-process/main.bpf.c b/chapter12/net-context/tc-exist-process/main.bpf.c index a67b54d..f8e9383 100644 --- a/chapter12/net-context/tc-exist-process/main.bpf.c +++ b/chapter12/net-context/tc-exist-process/main.bpf.c @@ -7,7 +7,7 @@ #define ETH_P_IP 0x0800 /* Internet Protocol packet */ // ipv4 #define ETH_HLEN 14 /* Total octets in header. */ #define TASK_COMM_LEN 16 -#define TC_ACT_OK 0 +#define TC_ACT_UNSPEC (-1) struct sock_key { @@ -114,13 +114,13 @@ int on_egress(struct __sk_buff *skb) { void *data = (void *)(long)skb->data; if ((data + ETH_HLEN + sizeof(struct iphdr)) > data_end) - return TC_ACT_OK; + return TC_ACT_UNSPEC; struct iphdr *ip_hdr = data + ETH_HLEN; if (ip_hdr->protocol != IPPROTO_TCP) - return TC_ACT_OK; + return TC_ACT_UNSPEC; struct tcphdr *tcp_hdr = (void *)ip_hdr + sizeof(struct iphdr); if ((void *)tcp_hdr + sizeof(struct tcphdr) > data_end) { - return TC_ACT_OK; + return TC_ACT_UNSPEC; } key.saddr = ip_hdr->saddr; @@ -128,7 +128,7 @@ int on_egress(struct __sk_buff *skb) { value = bpf_map_lookup_elem(&socks, &key); if (!value) { - return TC_ACT_OK; + return TC_ACT_UNSPEC; } u32 daddr = ip_hdr->daddr; u16 dport = bpf_ntohs(tcp_hdr->dest); @@ -137,7 +137,7 @@ int on_egress(struct __sk_buff *skb) { bpf_printk("%s %pI4:%d", value->comm, &key.saddr, key.sport); bpf_printk("%s -> %pI4:%d", value->comm, &daddr, dport); - return TC_ACT_OK; + return TC_ACT_UNSPEC; } diff --git a/chapter12/net-context/tc/main.bpf.c b/chapter12/net-context/tc/main.bpf.c index 07d9886..40586dd 100644 --- a/chapter12/net-context/tc/main.bpf.c +++ b/chapter12/net-context/tc/main.bpf.c @@ -7,7 +7,7 @@ #define ETH_P_IP 0x0800 /* Internet Protocol packet */ // ipv4 #define ETH_HLEN 14 /* Total octets in header. */ #define TASK_COMM_LEN 16 -#define TC_ACT_OK 0 +#define TC_ACT_UNSPEC (-1) struct sock_key { @@ -163,13 +163,13 @@ int on_egress(struct __sk_buff *skb) { void *data = (void *)(long)skb->data; if ((data + ETH_HLEN + sizeof(struct iphdr)) > data_end) - return TC_ACT_OK; + return TC_ACT_UNSPEC; struct iphdr *ip_hdr = data + ETH_HLEN; if (ip_hdr->protocol != IPPROTO_TCP) - return TC_ACT_OK; + return TC_ACT_UNSPEC; struct tcphdr *tcp_hdr = (void *)ip_hdr + sizeof(struct iphdr); if ((void *)tcp_hdr + sizeof(struct tcphdr) > data_end) { - return TC_ACT_OK; + return TC_ACT_UNSPEC; } key.saddr = ip_hdr->saddr; @@ -179,7 +179,7 @@ int on_egress(struct __sk_buff *skb) { value = bpf_map_lookup_elem(&socks, &key); if (!value) { - return TC_ACT_OK; + return TC_ACT_UNSPEC; } u32 daddr = ip_hdr->daddr; u16 dport = bpf_ntohs(tcp_hdr->dest); @@ -188,7 +188,7 @@ int on_egress(struct __sk_buff *skb) { bpf_printk("%s %pI4:%d", value->comm, &key.saddr, key.sport); bpf_printk("%s -> %pI4:%d", value->comm, &daddr, dport); - return TC_ACT_OK; + return TC_ACT_UNSPEC; } diff --git a/chapter14/hijack-tcp-to-send-data/main.bpf.c b/chapter14/hijack-tcp-to-send-data/main.bpf.c index d6d38ab..0c1f0a4 100644 --- a/chapter14/hijack-tcp-to-send-data/main.bpf.c +++ b/chapter14/hijack-tcp-to-send-data/main.bpf.c @@ -29,27 +29,27 @@ int on_egress(struct __sk_buff *skb) { // 从 IP 首部中过滤协议类型,只处理 TCP 协议 struct iphdr *ip_hdr = data + ETH_HLEN; if ((void *)ip_hdr + sizeof(struct iphdr) > data_end) { - return TC_ACT_OK; + return TC_ACT_UNSPEC; } if (ip_hdr->protocol != IPPROTO_TCP) { - return TC_ACT_OK; + return TC_ACT_UNSPEC; } // TCP 协议数据过滤 struct tcphdr *tcp_hdr = (void *)ip_hdr + sizeof(struct iphdr); if ((void *)tcp_hdr + sizeof(struct tcphdr) > data_end) { - return TC_ACT_OK; + return TC_ACT_UNSPEC; } if (tcp_hdr->dest != bpf_htons(8000)) { bpf_printk("skip port: %d", bpf_ntohs(tcp_hdr->dest)); - return TC_ACT_OK; + return TC_ACT_UNSPEC; } // 防止重复劫持,出现一直重传 int zero = 0; if (bpf_map_lookup_elem(&modify_map, &tcp_hdr->source)) { bpf_printk("exist"); - return TC_ACT_OK; + return TC_ACT_UNSPEC; } bpf_map_update_elem(&modify_map, &tcp_hdr->source, &zero, BPF_ANY); bpf_printk("hijack start"); @@ -72,13 +72,13 @@ int on_egress(struct __sk_buff *skb) { int ret = bpf_skb_store_bytes(skb, dest_addr_offset, &new_dest_addr, sizeof(u32), 0); if (ret < 0) { bpf_printk("replace dest addr failed: %d", ret); - return TC_ACT_OK; + return TC_ACT_UNSPEC; } // 重新计算 IP 首部 checksum ret = bpf_l3_csum_replace(skb, ip_checksum_offset, old_dest_addr, new_dest_addr, sizeof(u32)); if (ret < 0) { bpf_printk("bpf_l3_csum_replace failed: %d", ret); - return TC_ACT_OK; + return TC_ACT_UNSPEC; } // 替换 TCP 首部,修改目的端口 @@ -89,25 +89,25 @@ int on_egress(struct __sk_buff *skb) { ret = bpf_skb_store_bytes(skb, dest_port_offset, &new_dest_port, sizeof(u16), 0); if (ret < 0) { bpf_printk("replace dest port failed: %d", ret); - return TC_ACT_OK; + return TC_ACT_UNSPEC; } // 重新计算 TCP 首部 checksum ret = bpf_l4_csum_replace(skb, tcp_checksum_offset, old_dest_port, new_dest_port, sizeof(u16)); if (ret < 0) { bpf_printk("bpf_l4_csum_replace failed: %d", ret); - return TC_ACT_OK; + return TC_ACT_UNSPEC; } // 调整 skb 关联的数据包长度信息 ret = bpf_skb_change_tail(skb, skb->len+increment_len, 0); if (ret < 0) { bpf_printk("bpf_skb_change_tail failed: %d", ret); - return TC_ACT_OK; + return TC_ACT_UNSPEC; } ret = bpf_skb_pull_data(skb, 0); if (ret < 0) { bpf_printk("bpf_skb_pull_data failed: %d", ret); - return TC_ACT_OK; + return TC_ACT_UNSPEC; } // 调用 bpf_skb_change_tail 后,需要重新执行检查,否则验证器会验证失败 @@ -115,14 +115,14 @@ int on_egress(struct __sk_buff *skb) { data_end = (void *)(long)skb->data_end; ip_hdr = data + ETH_HLEN; if ((void *)ip_hdr + sizeof(struct iphdr) > data_end) { - return TC_ACT_OK; + return TC_ACT_UNSPEC; } if (ip_hdr->protocol != IPPROTO_TCP) { - return TC_ACT_OK; + return TC_ACT_UNSPEC; } tcp_hdr = (void *)ip_hdr + sizeof(struct iphdr); if ((void *)tcp_hdr + sizeof(struct tcphdr) > data_end) { - return TC_ACT_OK; + return TC_ACT_UNSPEC; } // 替换 TCP payload @@ -130,12 +130,12 @@ int on_egress(struct __sk_buff *skb) { ret = bpf_skb_store_bytes(skb, offset, new_payload, sizeof(new_payload), 0); if (ret < 0) { bpf_printk("overwrite payload failed: %d", ret); - return TC_ACT_OK; + return TC_ACT_UNSPEC; } bpf_printk("hijack end"); - return TC_ACT_OK; + return TC_ACT_UNSPEC; } diff --git a/chapter14/hijack-tcp-to-send-data/main.h b/chapter14/hijack-tcp-to-send-data/main.h index 6e05bfb..668f778 100644 --- a/chapter14/hijack-tcp-to-send-data/main.h +++ b/chapter14/hijack-tcp-to-send-data/main.h @@ -1,11 +1,7 @@ #define ETH_P_IP 0x0800 /* Internet Protocol packet */ #define ETH_HLEN 14 /* Total octets in header. */ -#define TC_ACT_UNSPEC (-1) -#define TC_ACT_OK 0 -#define TC_ACT_SHOT 2 -#define TC_ACT_STOLEN 4 -#define TC_ACT_REDIRECT 7 +#define TC_ACT_UNSPEC (-1) struct event_t { @@ -42,4 +38,4 @@ static __always_inline int str_len(const char *s, int max_len) if (s[max_len - 1] != '\0') return max_len; return 0; -} \ No newline at end of file +}