eBPF code to intercept WireGuard (/tunnels) connections #493
-
You didn't zero out net_hdr. I'm not saying that is the reason, but eBPF code is very finicky.
-
Thank you @themighty1 for reviewing it. Also worth noting is that this function was included in kernel 3.8 with a different definition, and later rewritten in 3.10, 3.11 and 3.12. If it is included, maybe we should load kprobes one by one; otherwise, if this kprobe fails to load, we wouldn't load the rest of the kprobes.
-
Hey @themighty1, I'd like to know your opinion on the status of this issue #513. Do you think that it could be merged as it is right now? On x86_64 it works on pretty much every kernel I've tried it out on. On arm64 it works (with some limitations). And on i386/armhf I haven't managed to get sk_buff nor sock from registers, so the hook for these architectures is just ignored, or a .o module without this hook should be shipped.
-
Tested only on 5.10.x, 5.8.x, 5.4.x and 4.19.x, and only for x86_64 and IPv4 for now.
procmon/parse.go:FindProcess() must be edited in order to pass some checks, and in these cases maybe we could set the name (the path of the process internally) to "Kernel connection", and the arguments to the value of /proc//comm.
Anyway, I think that the comm value should be set from the eBPF data, instead of reading it from disk again.
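An added example (not code from the opensnitch project or this thread) of the approach suggested in the last comment: decode the process name directly from the event the eBPF hook emits instead of re-reading /proc, and name the record "Kernel connection" when no executable path is available. The event layout, the `decodeEvent`/`processFromEvent` helpers and the sample bytes are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// taskCommLen mirrors the kernel's TASK_COMM_LEN: comm is a fixed
// 16-byte, NUL-padded array, never a Go string.
const taskCommLen = 16

// kernelEvent is an assumed layout for the record an eBPF kprobe would push
// through a perf/ring buffer (hypothetical; not opensnitch's real struct).
type kernelEvent struct {
	PID  uint32
	Comm [taskCommLen]byte
}

// ProcessInfo is the record the procmon side would build from the event.
type ProcessInfo struct {
	PID  uint32
	Path string
	Args string
}

// commString trims the fixed-size comm array at the first NUL byte.
func commString(c [taskCommLen]byte) string {
	if i := bytes.IndexByte(c[:], 0); i >= 0 {
		return string(c[:i])
	}
	return string(c[:])
}

// decodeEvent parses a raw little-endian event; a truncated buffer is an error.
func decodeEvent(raw []byte) (kernelEvent, error) {
	var ev kernelEvent
	err := binary.Read(bytes.NewReader(raw), binary.LittleEndian, &ev)
	return ev, err
}

// processFromEvent builds the record without touching /proc. With no known
// executable path (a kernel thread, e.g. an in-kernel WireGuard socket), the
// name becomes "Kernel connection" and comm is carried as the argument.
func processFromEvent(ev kernelEvent, exePath string) ProcessInfo {
	p := ProcessInfo{PID: ev.PID, Path: exePath, Args: commString(ev.Comm)}
	if exePath == "" {
		p.Path = "Kernel connection"
	}
	return p
}

// sampleEvent returns constructed bytes: PID 0 and comm "wg-crypt-wg0".
func sampleEvent() []byte {
	raw := []byte{0, 0, 0, 0}
	comm := make([]byte, taskCommLen)
	copy(comm, "wg-crypt-wg0")
	return append(raw, comm...)
}

func main() {
	ev, err := decodeEvent(sampleEvent())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", processFromEvent(ev, ""))
}
```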