

Merge pull request #1158 from weli-l/dev/auth_ip
improve xdp bpf log
kmesh-bot authored Jan 10, 2025
2 parents 4601e6a + ef92f16 commit b86f8e0
Showing 1 changed file with 35 additions and 50 deletions.
85 changes: 35 additions & 50 deletions bpf/kmesh/workload/include/authz.h
Expand Up @@ -31,6 +31,7 @@ struct {

struct match_context {
__u32 action;
char *policy_name;
__u8 policy_index;
bool need_tailcall_to_userspace;
__u8 n_rules;
Expand Down Expand Up @@ -161,20 +162,17 @@ static int match_dst_ports(Istio__Security__Match *match, struct xdp_info *info,
}
if (info->iph->version == IPV4_VERSION) {
if (bpf_htons(notPorts[i]) == tuple_info->ipv4.dport) {
BPF_LOG(DEBUG, AUTH, "port %u in not_destination_ports, unmatched", notPorts[i]);
return UNMATCHED;
}
} else {
if (bpf_htons(notPorts[i]) == tuple_info->ipv6.dport) {
BPF_LOG(DEBUG, AUTH, "port %u in not_destination_ports, unmatched", notPorts[i]);
return UNMATCHED;
}
}
}
}
// if not match not_destination_ports && has no destination_ports, return MATCHED
if (match->n_destination_ports == 0) {
BPF_LOG(DEBUG, AUTH, "no destination_ports configured, matching by default");
return MATCHED;
}

Expand All @@ -190,17 +188,14 @@ static int match_dst_ports(Istio__Security__Match *match, struct xdp_info *info,
}
if (info->iph->version == IPV4_VERSION) {
if (bpf_htons(ports[i]) == tuple_info->ipv4.dport) {
BPF_LOG(DEBUG, AUTH, "port %u in destination_ports, matched", ports[i]);
return MATCHED;
}
} else {
if (bpf_htons(ports[i]) == tuple_info->ipv6.dport) {
BPF_LOG(DEBUG, AUTH, "port %u in destination_ports, matched", ports[i]);
return MATCHED;
}
}
}
BPF_LOG(DEBUG, AUTH, "no matching ports found, unmatched");
return UNMATCHED;
}

Expand Down Expand Up @@ -303,23 +298,6 @@ match_ip_rule(struct ProtobufCBinaryData *addrInfo, __u32 preFixLen, struct bpf_

if (addrInfo->len == IPV4_BYTE_LEN) {
__u32 rule_ip = convert_ipv4_to_u32(addrInfo, false);
if (type & TYPE_SRCIP) {
BPF_LOG(
DEBUG,
AUTH,
"IPv4 match srcip: Rule IP: %x, Prefix Length: %u, Target IP: %x\n",
rule_ip,
preFixLen,
bpf_ntohl(tuple_info->ipv4.saddr));
} else if (type & TYPE_DSTIP) {
BPF_LOG(
DEBUG,
AUTH,
"IPv4 match dstip: Rule IP: %x, Prefix Length: %u, Target IP: %x\n",
rule_ip,
preFixLen,
bpf_ntohl(tuple_info->ipv4.daddr));
}
return match_ipv4_rule(rule_ip, preFixLen, tuple_info, type);
} else if (addrInfo->len == IPV6_BYTE_LEN) {
struct ip_addr rule_addr = {0};
Expand All @@ -332,23 +310,6 @@ match_ip_rule(struct ProtobufCBinaryData *addrInfo, __u32 preFixLen, struct bpf_
}
if (is_ipv4_mapped_addr(rule_addr.ip6)) {
__u32 rule_ip = convert_ipv4_to_u32(addrInfo, true);
if (type & TYPE_SRCIP) {
BPF_LOG(
DEBUG,
AUTH,
"IPv4_in_IPv6 match srcip: Rule IP: %x, Prefix Length: %u, Target IP: %x\n",
rule_ip,
preFixLen,
bpf_ntohl(tuple_info->ipv4.saddr));
} else if (type & TYPE_DSTIP) {
BPF_LOG(
DEBUG,
AUTH,
"IPv4_in_IPv6 match dstip: Rule IP: %x, Prefix Length: %u, Target IP: %x\n",
rule_ip,
preFixLen,
bpf_ntohl(tuple_info->ipv4.daddr));
}
return match_ipv4_rule(rule_ip, preFixLen, tuple_info, type);
} else {
if (type & TYPE_SRCIP) {
Expand Down Expand Up @@ -621,6 +582,11 @@ int policies_check(struct xdp_md *ctx)
match_ctx->rulesPtr = rulesPtr;
match_ctx->n_rules = policy->n_rules;
match_ctx->action = policy->action;
char *policy_name = (char *)KMESH_GET_PTR_VAL(policy->name, char *);
if (!policy_name) {
return XDP_PASS;
}
match_ctx->policy_name = policy_name;
ret = bpf_map_update_elem(&kmesh_tc_args, &tuple_key, match_ctx, BPF_ANY);
if (ret < 0) {
return XDP_PASS;
Expand All @@ -636,6 +602,7 @@ int policy_check(struct xdp_md *ctx)
struct match_context *match_ctx;
struct bpf_sock_tuple tuple_key = {0};
struct xdp_info info = {0};
bool matched = false;
void *rulesPtr;
__u64 rule_addr;
void *rule;
Expand Down Expand Up @@ -672,20 +639,38 @@ int policy_check(struct xdp_md *ctx)
continue;
}
if (rule_match_check(rule, &info, &tuple_key, match_ctx) == MATCHED) {
matched = true;
break;
}
}

if (matched) {
BPF_LOG(DEBUG, AUTH, "policy %s matched", match_ctx->policy_name);
if (info.iph->version == IPV4_VERSION) {
BPF_LOG(
DEBUG,
AUTH,
"rule matched, action: %s",
match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? "DENY" : "ALLOW");
if (bpf_map_delete_elem(&kmesh_tc_args, &tuple_key) != 0) {
BPF_LOG(ERR, AUTH, "failed to delete tail call context from map");
}
__u32 auth_result = match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? AUTH_DENY : AUTH_ALLOW;
if (bpf_map_update_elem(&map_of_auth_result, &tuple_key, &auth_result, BPF_ANY) != 0) {
BPF_LOG(ERR, AUTH, "failed to update auth result in map_of_auth_result");
}
return match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? XDP_DROP : XDP_PASS;
"src ip: %u, dst ip %u, dst port: %u\n",
ip2str(&tuple_key.ipv4.saddr, true),
ip2str(&tuple_key.ipv4.daddr, true),
bpf_ntohs(tuple_key.ipv4.dport));
} else {
BPF_LOG(
DEBUG,
AUTH,
"src ip: %u, dst ip %u, dst port: %u\n",
ip2str(&tuple_key.ipv6.saddr[0], false),
ip2str(&tuple_key.ipv6.daddr[0], false),
bpf_ntohs(tuple_key.ipv6.dport));
}
if (bpf_map_delete_elem(&kmesh_tc_args, &tuple_key) != 0) {
BPF_LOG(ERR, AUTH, "failed to delete tail call context from map");
}
__u32 auth_result = match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? AUTH_DENY : AUTH_ALLOW;
if (bpf_map_update_elem(&map_of_auth_result, &tuple_key, &auth_result, BPF_ANY) != 0) {
BPF_LOG(ERR, AUTH, "failed to update auth result in map_of_auth_result");
}
return match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? XDP_DROP : XDP_PASS;
}

match_ctx->policy_index++;
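Review bot: The new `if (!policy_name) { return XDP_PASS; }` in policies_check (the hunk at `@@ -621,6 +582,11 @@`) turns a failed lookup of a log-only field into a fail-open authorization decision: a packet covered by a DENY policy is passed whenever the policy name cannot be resolved, even though `policy_name` is only ever consumed by the `BPF_LOG(DEBUG, AUTH, "policy %s matched", ...)` added in the policy_check hunk. The name should not gate enforcement; drop the early return and store the value as-is, e.g. `match_ctx->policy_name = policy_name; /* may be NULL: used only for logging, never for the verdict */`, and have the log site in policy_check tolerate a NULL name. Separately, `policy_name` is a raw pointer written into the `kmesh_tc_args` map value and dereferenced after the tail call; if KMESH_GET_PTR_VAL yields a pointer into map memory, that relies on the referenced element outliving the tail call, and copying the name into a fixed-size `char` array inside `struct match_context` would remove that dependency — this is inferred from the visible lines, so confirm against the macro's definition. Both policies_check and policy_check start outside their hunks.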

