Added DNS state cleanup upon server reply for passthrough/Masquerade

netfoundry · Sep 7, 2024 · 002ce1f · 002ce1f
1 parent e53c3ae
commit 002ce1f
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format
 
 ---
 ---
+###
+# [0.8.18] - 2024-09-07
+- Add removal of udp state upon receipt of DNS reply from server for passthrough tracking / Masquerade
+
 ###
 # [0.8.17] - 2024-09-06
 - Refactor of L4 csum ipv4 

diff --git a/src/zfw.c b/src/zfw.c
@@ -246,7 +246,7 @@ char *direction_string;
 char *masq_interface;
 char check_alt[IF_NAMESIZE];
 
-const char *argp_program_version = "0.8.17";
+const char *argp_program_version = "0.8.18";
 struct ring_buffer *ring_buffer;
 
 __u32 if_list[MAX_IF_LIST_ENTRIES];

diff --git a/src/zfw_monitor.c b/src/zfw_monitor.c
@@ -85,7 +85,7 @@ char check_alt[IF_NAMESIZE];
 char doc[] = "zfw_monitor -- ebpf firewall monitor tool";
 const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map";
 const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map";
-const char *argp_program_version = "0.8.17";
+const char *argp_program_version = "0.8.18";
 union bpf_attr rb_map;
 int rb_fd = -1;
 

diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
@@ -2204,11 +2204,58 @@ int bpf_sk_splice(struct __sk_buff *skb){
                         }
                     }
                     else{
+                        ustate->tstamp = tstamp;
                         if(local_diag->verbose){
                             event.tracking_code = UDP_MATCHED_ACTIVE_STATE;
                             send_event(&event);
                         }
-                        ustate->tstamp = tstamp;
+                        /*DNS state over after response so clear the state tables upon reply from server*/
+                        if(bpf_ntohs(udp_state_key.dport) == 53){
+                            if(local_diag->masquerade){
+                                struct iphdr *iph = (struct iphdr *)(skb->data + sizeof(*eth));
+                                if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){
+                                    return TC_ACT_SHOT;
+                                }
+                                struct udphdr *udph = (struct udphdr *)((unsigned long)iph + sizeof(*iph));
+                                if ((unsigned long)(udph + 1) > (unsigned long)skb->data_end){
+                                    return TC_ACT_SHOT;
+                                }
+                                struct masq_reverse_key rk = {0};
+                                rk.dport = udp_state_key.dport;
+                                rk.sport = udp_state_key.sport;
+                                rk.ifindex = event.ifindex;
+                                rk.__in46_u_dest.ip = udp_state_key.__in46_u_dst.ip;
+                                rk.__in46_u_src.ip = udp_state_key.__in46_u_src.ip;
+                                rk.protocol = IPPROTO_UDP;
+                                struct masq_value *rv = get_reverse_masquerade(rk);
+                                if(rv){
+                                    struct masq_key mk = {0};
+                                    mk.dport = udph->source;
+                                    mk.sport = rv->o_sport;
+                                    mk.__in46_u_dest.ip = iph->saddr;
+                                    mk.ifindex = event.ifindex;
+                                    mk.protocol = IPPROTO_UDP;
+                                    del_masq(mk);
+                                    if(local_diag->verbose){
+                                        event.tracking_code = MASQUERADE_ENTRY_REMOVED;
+                                        send_event(&event);
+                                    }
+                                }
+                                del_reverse_masq(rk);
+                                if(local_diag->verbose){
+                                    event.tracking_code = REVERSE_MASQUERADE_ENTRY_REMOVED;
+                                    send_event(&event);
+                                }
+                            }
+                            del_udp(udp_state_key);
+                            ustate = get_udp(udp_state_key);
+                            if(!ustate){
+                                if(local_diag->verbose){
+                                    event.tracking_code = UDP_MATCHED_EXPIRED_STATE;
+                                    send_event(&event);
+                                }
+                            }
+                        }
                         return TC_ACT_OK;
                     }
                 }