V0.9.17 release candidate

CHANGELOG.md

@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file. The format
 ---
 ###
 
+# [0.9.17] - 2025-5-1
+
+- Refactored GENEVE inbound termination to continue to filter processing as non GENEVE if the GENEVE version and
+  header length are not the expected values vs the current explicit drop action.
+
+- Removed port 6081(GENEVE) from the IPv4 masquerade PAT random dynamic udp source port pool
+
+###
+
 # [0.9.16] - 2025-4-25
 
 - Refactored openziti tunnel mode forwarding to optimize forwarding performance.  On ingress

src/zfw.c

@@ -278,7 +278,7 @@ char *direction_string;
 char *masq_interface;
 char check_alt[IF_NAMESIZE];
 
-const char *argp_program_version = "0.9.16";
+const char *argp_program_version = "0.9.17";
 struct ring_buffer *ring_buffer;
 
 __u32 if_list[MAX_IF_LIST_ENTRIES];

src/zfw_monitor.c

@@ -93,7 +93,7 @@ char check_alt[IF_NAMESIZE];
 char doc[] = "zfw_monitor -- ebpf firewall monitor tool";
 const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map";
 const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map";
-const char *argp_program_version = "0.9.16";
+const char *argp_program_version = "0.9.17";
 union bpf_attr rb_map;
 int rb_fd = -1;
 

src/zfw_tc_ingress.c

@@ -54,7 +54,6 @@
 #define NO_IP_OPTIONS_ALLOWED 2
 #define UDP_HEADER_TOO_BIG 3
 #define GENEVE_HEADER_TOO_BIG 4
-#define GENEVE_HEADER_LENGTH_VERSION_ERROR  5
 #define SKB_ADJUST_ERROR 6
 #define ICMP_HEADER_TOO_BIG 7
 #define IP_TUPLE_TOO_BIG 8
@@ -1145,42 +1144,38 @@ static struct bpf_sock_tuple *get_tuple(struct __sk_buff *skb, __u64 nh_off,
                 __u32 gen_hdr_len = genhdr[0] & 0x3F;
 
                 /* if the length is not equal to 32 bytes and version 0 */
-                if ((gen_hdr_len != AWS_GNV_HDR_OPT_LEN / 4) || (gen_ver != GENEVE_VER)){
-                    event->error_code = GENEVE_HEADER_LENGTH_VERSION_ERROR;
-                    send_event(event);
-                    return NULL;
-                }
-
-                /* Updating the skb to pop geneve header */
-                int ret = 0;
-                ret = bpf_skb_adjust_room(skb, -68, BPF_ADJ_ROOM_MAC, 0);
-                if (ret) {
-                    event->error_code = SKB_ADJUST_ERROR;
-                    send_event(event);
-                    return NULL;
-                }
-                /* Initialize iph for after popping outer */
-                iph = (struct iphdr *)(skb->data + nh_off);
-                if((unsigned long)(iph + 1) > (unsigned long)skb->data_end){
-                    event->error_code = IP_HEADER_TOO_BIG;
-                    send_event(event);
-                    return NULL;
-                }
-                unsigned char version = iph->version;
-                if(version == 6){
-                    *ipv4 = false;
-                    event->version = 6;
-                    ip6h = (struct ipv6hdr *)(skb->data + nh_off);
-                    /* ensure ip header is in packet bounds */
-                    if ((unsigned long)(ip6h + 1) > (unsigned long)skb->data_end){
-                        event->error_code = IP6_HEADER_TOO_BIG;
+                if ((gen_hdr_len == AWS_GNV_HDR_OPT_LEN / 4) && (gen_ver == GENEVE_VER)){
+                    /* Updating the skb to pop geneve header */
+                    int ret = 0;
+                    ret = bpf_skb_adjust_room(skb, -68, BPF_ADJ_ROOM_MAC, 0);
+                    if (ret) {
+                        event->error_code = SKB_ADJUST_ERROR;
                         send_event(event);
                         return NULL;
                     }
-                    *ipv6 = true;
-                    proto = ip6h->nexthdr;
-                }else{
-                    proto = iph->protocol;
+                    /* Initialize iph for after popping outer */
+                    iph = (struct iphdr *)(skb->data + nh_off);
+                    if((unsigned long)(iph + 1) > (unsigned long)skb->data_end){
+                        event->error_code = IP_HEADER_TOO_BIG;
+                        send_event(event);
+                        return NULL;
+                    }
+                    unsigned char version = iph->version;
+                    if(version == 6){
+                        *ipv4 = false;
+                        event->version = 6;
+                        ip6h = (struct ipv6hdr *)(skb->data + nh_off);
+                        /* ensure ip header is in packet bounds */
+                        if ((unsigned long)(ip6h + 1) > (unsigned long)skb->data_end){
+                            event->error_code = IP6_HEADER_TOO_BIG;
+                            send_event(event);
+                            return NULL;
+                        }
+                        *ipv6 = true;
+                        proto = ip6h->nexthdr;
+                    }else{
+                        proto = iph->protocol;
+                    }
                 }
 
             }

src/zfw_tc_outbound_track.c

@@ -37,6 +37,7 @@
 #define MAX_INDEX_ENTRIES 100
 #define MAX_ADDRESSES 10
 #define BPF_MAX_RANGES 250000
+#define GENEVE_UDP_PORT 6081
 #define MAX_IF_LIST_ENTRIES 3
 #define MATCHED_KEY_DEPTH 3
 #define MAX_IF_ENTRIES 256
@@ -2982,7 +2983,19 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                     else{
                         int tcount = 0;
                         while(true){
+                            if(tcount > 5000){
+                                if(local_diag->verbose){
+                                    event.tracking_code = MASQUERADE_NO_FREE_UDP_SRC_PORTS_FOUND;
+                                    send_event(&event);
+                                }
+                                return TC_ACT_SHOT;
+                            }
                             rand_source_port = bpf_htons(1024 + bpf_get_prandom_u32() % (65535 -1023));
+                            tcount++;
+                            //If random port is equal GENEVE(udp port 6081) find another available source port
+                            if(rand_source_port == bpf_htons(GENEVE_UDP_PORT)){
+                                continue;
+                            }
                             struct masq_key tmk = {0};
                             tmk.__in46_u_dest.ip =  tuple->ipv4.daddr;
                             tmk.dport = tuple->ipv4.dport;
@@ -2993,14 +3006,6 @@ int bpf_sk_splice6(struct __sk_buff *skb){
                             if(!tmvptr){
                                 break;
                             }
-                            tcount++;
-                            if(tcount > 5000){
-                                if(local_diag->verbose){
-                                    event.tracking_code = MASQUERADE_NO_FREE_UDP_SRC_PORTS_FOUND;
-                                    send_event(&event);
-                                }
-                                return TC_ACT_SHOT;
-                            }
                         }
                         struct masq_value rev_new_val = {0};
                         rev_new_val.o_sport =  rand_source_port;