Fixed tcp outbound tracking session closing and format issues in zfw_xdp_ingress.c

r-caamano · r-caamano · commit fd6567f7097d · 2025-05-29T03:31:05.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file. The format
 ---
 ###
 
+# [0.9.18] - 2025-5-28
+###
+
+- Fixed issue where outbound tcp passthrough tracking will stop packet ingress forwarding prematurely when
+  fin received from client and server.
+
+- Fixed format error in zfw_xdp_ingress.c where several statements had double ; termination.
+
 # [0.9.17] - 2025-5-1
 
 - Refactored GENEVE inbound termination to continue to filter processing as non GENEVE if the GENEVE version and
diff --git a/src/zfw.c b/src/zfw.c
@@ -278,7 +278,7 @@ char *direction_string;
 char *masq_interface;
 char check_alt[IF_NAMESIZE];
 
-const char *argp_program_version = "0.9.17";
+const char *argp_program_version = "0.9.18";
 struct ring_buffer *ring_buffer;
 
 __u32 if_list[MAX_IF_LIST_ENTRIES];
diff --git a/src/zfw_monitor.c b/src/zfw_monitor.c
@@ -93,7 +93,7 @@ char check_alt[IF_NAMESIZE];
 char doc[] = "zfw_monitor -- ebpf firewall monitor tool";
 const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map";
 const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map";
-const char *argp_program_version = "0.9.17";
+const char *argp_program_version = "0.9.18";
 union bpf_attr rb_map;
 int rb_fd = -1;
 
diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
@@ -2299,7 +2299,8 @@ int bpf_sk_splice(struct __sk_buff *skb){
                 unsigned long long tstamp = bpf_ktime_get_ns();
                 struct tcp_state *tstate = get_tcp(tcp_state_key);
                 /*check tcp state and timeout if greater than 60 minutes without traffic*/
-                if(tstate && (tstamp < (tstate->tstamp + 3600000000000))){ 
+                if(tstate && (tstamp < (tstate->tstamp + 3600000000000)))
+                { 
                     /*Filter modbus responses that do not match outstanding requests*/  
                     if(local_diag->ot_filtering && (tuple->ipv4.sport == bpf_ntohs(502)) && (tuple->ipv4.dport >= bpf_ntohs(1024)) && payload_len > 0){
                         unsigned short *modbus_ti = (unsigned short*)((unsigned long)tcph + (tcph->doff * 4));
@@ -2456,6 +2457,7 @@ int bpf_sk_splice(struct __sk_buff *skb){
                                     }
                                 }
                             }
+                            return TC_ACT_OK;
                         }
                         else if((tstate->est) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){
                             tstate->sfack = 1;
diff --git a/src/zfw_xdp_tun_ingress.c b/src/zfw_xdp_tun_ingress.c
@@ -200,7 +200,7 @@ int xdp_redirect_prog(struct xdp_md *ctx)
             }
             event.dport = tcph->dest;
             event.sport = tcph->source;
-            tun_state_key.sport = tcph->dest;;
+            tun_state_key.sport = tcph->dest;
             tun_state_key.dport =  tcph->source;  
         }else if (protocol == IPPROTO_UDP){
             struct udphdr *udph = (struct udphdr *)((unsigned long)iph + sizeof(*iph));
@@ -209,7 +209,7 @@ int xdp_redirect_prog(struct xdp_md *ctx)
             }
             event.dport = udph->dest;
             event.sport = udph->source;
-            tun_state_key.sport = udph->dest;;
+            tun_state_key.sport = udph->dest;
             tun_state_key.dport =  udph->source;
         }
         tun_state_key.type = 4;
@@ -256,7 +256,7 @@ int xdp_redirect_prog(struct xdp_md *ctx)
             }
             event.dport = tcph->dest;
             event.sport = tcph->source;
-            tun_state_key.sport = tcph->dest;;
+            tun_state_key.sport = tcph->dest;
             tun_state_key.dport =  tcph->source; 
         }else if (protocol == IPPROTO_UDP){
             struct udphdr *udph = (struct udphdr *)((unsigned long)ip6h + sizeof(*ip6h));
@@ -265,7 +265,7 @@ int xdp_redirect_prog(struct xdp_md *ctx)
             }
             event.dport = udph->dest;
             event.sport = udph->source;
-            tun_state_key.sport = udph->dest;;
+            tun_state_key.sport = udph->dest;
             tun_state_key.dport =  udph->source; 
         }
         struct tun_state *tus = get_tun(tun_state_key);

Original file line number	Diff line number	Diff line change
`@@ -2299,7 +2299,8 @@ int bpf_sk_splice(struct __sk_buff *skb){`
`2299`	`2299`	`unsigned long long tstamp = bpf_ktime_get_ns();`
`2300`	`2300`	`struct tcp_state *tstate = get_tcp(tcp_state_key);`
`2301`	`2301`	`/check tcp state and timeout if greater than 60 minutes without traffic/`
`2302`		`- if(tstate && (tstamp < (tstate->tstamp + 3600000000000))){`
	`2302`	`+ if(tstate && (tstamp < (tstate->tstamp + 3600000000000)))`
	`2303`	`+ {`
`2303`	`2304`	`/Filter modbus responses that do not match outstanding requests/`
`2304`	`2305`	`if(local_diag->ot_filtering && (tuple->ipv4.sport == bpf_ntohs(502)) && (tuple->ipv4.dport >= bpf_ntohs(1024)) && payload_len > 0){`
`2305`	`2306`	`unsigned short modbus_ti = (unsigned short)((unsigned long)tcph + (tcph->doff * 4));`
`@@ -2456,6 +2457,7 @@ int bpf_sk_splice(struct __sk_buff *skb){`
`2456`	`2457`	`}`
`2457`	`2458`	`}`
`2458`	`2459`	`}`
	`2460`	`+ return TC_ACT_OK;`
`2459`	`2461`	`}`
`2460`	`2462`	`else if((tstate->est) && (tstate->cfin == 1) && (bpf_htonl(tcph->ack_seq) == (bpf_htonl(tstate->cfseq) + 1))){`
`2461`	`2463`	`tstate->sfack = 1;`
Original file line number	Diff line number	Diff line change
`@@ -200,7 +200,7 @@ int xdp_redirect_prog(struct xdp_md *ctx)`
`200`	`200`	`}`
`201`	`201`	`event.dport = tcph->dest;`
`202`	`202`	`event.sport = tcph->source;`
`203`		`- tun_state_key.sport = tcph->dest;;`
	`203`	`+ tun_state_key.sport = tcph->dest;`
`204`	`204`	`tun_state_key.dport = tcph->source;`
`205`	`205`	`}else if (protocol == IPPROTO_UDP){`
`206`	`206`	`struct udphdr udph = (struct udphdr )((unsigned long)iph + sizeof(*iph));`
`@@ -209,7 +209,7 @@ int xdp_redirect_prog(struct xdp_md *ctx)`
`209`	`209`	`}`
`210`	`210`	`event.dport = udph->dest;`
`211`	`211`	`event.sport = udph->source;`
`212`		`- tun_state_key.sport = udph->dest;;`
	`212`	`+ tun_state_key.sport = udph->dest;`
`213`	`213`	`tun_state_key.dport = udph->source;`
`214`	`214`	`}`
`215`	`215`	`tun_state_key.type = 4;`
`@@ -256,7 +256,7 @@ int xdp_redirect_prog(struct xdp_md *ctx)`
`256`	`256`	`}`
`257`	`257`	`event.dport = tcph->dest;`
`258`	`258`	`event.sport = tcph->source;`
`259`		`- tun_state_key.sport = tcph->dest;;`
	`259`	`+ tun_state_key.sport = tcph->dest;`
`260`	`260`	`tun_state_key.dport = tcph->source;`
`261`	`261`	`}else if (protocol == IPPROTO_UDP){`
`262`	`262`	`struct udphdr udph = (struct udphdr )((unsigned long)ip6h + sizeof(*ip6h));`
`@@ -265,7 +265,7 @@ int xdp_redirect_prog(struct xdp_md *ctx)`
`265`	`265`	`}`
`266`	`266`	`event.dport = udph->dest;`
`267`	`267`	`event.sport = udph->source;`
`268`		`- tun_state_key.sport = udph->dest;;`
	`268`	`+ tun_state_key.sport = udph->dest;`
`269`	`269`	`tun_state_key.dport = udph->source;`
`270`	`270`	`}`
`271`	`271`	`struct tun_state *tus = get_tun(tun_state_key);`