diff --git a/CHANGELOG.md b/CHANGELOG.md
index 90efd6e..c4dd16d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format
 ---
 ---
+###
+# [0.8.18] - 2024-09-07
+- Add removal of udp state upon receipt of DNS reply from server for passthrough tracking / Masquerade
+
 ###
 # [0.8.17] - 2024-09-06
 - Refactor of L4 csum ipv4
diff --git a/src/zfw.c b/src/zfw.c
index 55a3ace..19952b9 100644
--- a/src/zfw.c
+++ b/src/zfw.c
@@ -246,7 +246,7 @@ char *direction_string;
 char *masq_interface;
 char check_alt[IF_NAMESIZE];
-const char *argp_program_version = "0.8.17";
+const char *argp_program_version = "0.8.18";
 struct ring_buffer *ring_buffer;
 __u32 if_list[MAX_IF_LIST_ENTRIES];
diff --git a/src/zfw_monitor.c b/src/zfw_monitor.c
index 7615672..d7eb3e3 100644
--- a/src/zfw_monitor.c
+++ b/src/zfw_monitor.c
@@ -85,7 +85,7 @@ char check_alt[IF_NAMESIZE];
 char doc[] = "zfw_monitor -- ebpf firewall monitor tool";
 const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map";
 const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map";
-const char *argp_program_version = "0.8.17";
+const char *argp_program_version = "0.8.18";
 struct ring_buffer *ring_buffer;
 __u32 if_list[MAX_IF_LIST_ENTRIES];
diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
index cae74e0..8d18557 100644
--- a/src/zfw_tc_ingress.c
+++ b/src/zfw_tc_ingress.c
@@ -2204,11 +2204,58 @@ int bpf_sk_splice(struct __sk_buff *skb){
 }
 }
 else{
+ ustate->tstamp = tstamp;
 if(local_diag->verbose){
 event.tracking_code = UDP_MATCHED_ACTIVE_STATE;
 send_event(&event);
 }
- ustate->tstamp = tstamp;
+ /*DNS state over after response so clear the state tables upon reply from server*/
+ if(bpf_ntohs(udp_state_key.dport) == 53){
+ if(local_diag->masquerade){
+ struct iphdr *iph = (struct iphdr *)(skb->data + sizeof(*eth));
+ if ((unsigned long)(iph + 1) > (unsigned long)skb->data_end){
+ return TC_ACT_SHOT;
+ }
+ struct udphdr *udph = (struct udphdr *)((unsigned long)iph + sizeof(*iph));
+ if ((unsigned long)(udph + 1) > (unsigned long)skb->data_end){
+ return TC_ACT_SHOT;
+ }
+ struct masq_reverse_key rk = {0};
+ rk.dport = udp_state_key.dport;
+ rk.sport = udp_state_key.sport;
+ rk.ifindex = event.ifindex;
+ rk.__in46_u_dest.ip = udp_state_key.__in46_u_dst.ip;
+ rk.__in46_u_src.ip = udp_state_key.__in46_u_src.ip;
+ rk.protocol = IPPROTO_UDP;
+ struct masq_value *rv = get_reverse_masquerade(rk);
+ if(rv){
+ struct masq_key mk = {0};
+ mk.dport = udph->source;
+ mk.sport = rv->o_sport;
+ mk.__in46_u_dest.ip = iph->saddr;
+ mk.ifindex = event.ifindex;
+ mk.protocol = IPPROTO_UDP;
+ del_masq(mk);
+ if(local_diag->verbose){
+ event.tracking_code = MASQUERADE_ENTRY_REMOVED;
+ send_event(&event);
+ }
+ }
+ del_reverse_masq(rk);
+ if(local_diag->verbose){
+ event.tracking_code = REVERSE_MASQUERADE_ENTRY_REMOVED;
+ send_event(&event);
+ }
+ }
+ del_udp(udp_state_key);
+ ustate = get_udp(udp_state_key);
+ if(!ustate){
+ if(local_diag->verbose){
+ event.tracking_code = UDP_MATCHED_EXPIRED_STATE;
+ send_event(&event);
+ }
+ }
+ }
 return TC_ACT_OK;
 }
 }
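Review bot: Tearing down the UDP state and both masquerade entries on the first packet that matches `bpf_ntohs(udp_state_key.dport) == 53` assumes exactly one reply per state entry, but stub resolvers routinely send several queries (e.g. parallel A and AAAA) from the same source port, so the second reply arrives after `del_udp`/`del_masq`/`del_reverse_masq` have already run and is handled by whatever the no-state path does outside this hunk; at minimum the comment should say so, e.g. `/* DNS: tear down state/masq on the first reply; later replies on the same 5-tuple (parallel A/AAAA) fall through to the no-state path */`. The block also ignores the result of `del_udp` and instead re-reads the map with `get_udp` only to decide whether to emit UDP_MATCHED_EXPIRED_STATE; if `del_udp` returns the bpf_map_delete_elem status, `if(del_udp(udp_state_key) == 0 && local_diag->verbose){ event.tracking_code = UDP_MATCHED_EXPIRED_STATE; send_event(&event); }` drops the extra lookup and keeps `ustate` from being reassigned to NULL. Separately, `udph` is located with `sizeof(*iph)` rather than `iph->ihl * 4`, so a packet carrying IP options would make `udph->source` (used for `mk.dport`) read option bytes and delete the wrong or no masquerade entry — acceptable only if an earlier check, outside the hunk, already rejects `ihl != 5`. bpf_sk_splice begins before and continues after this hunk.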