eBPF for Windows
Loading...
Searching...
No Matches
Data Structures | Macros | Typedefs | Enumerations | Functions
ebpf_nethooks.h File Reference
#include <stdint.h>

Go to the source code of this file.

Data Structures

struct  _bind_md
 
struct  bpf_sock_addr
 Data structure used as context for BPF_PROG_TYPE_CGROUP_SOCK_ADDR program type. More...
 
struct  _bpf_sock_addr_network_context
 Network context information for the connection. Available for CONNECT_AUTHORIZATION, RECV_ACCEPT, and BIND attach types. More...
 
struct  _bpf_sock_ops
 

Macros

#define SOCK_ADDR_EXT_HELPER_FN_BASE   0xFFFF
 
#define BPF_SOCK_ADDR_NETWORK_CONTEXT_VERSION   1
 
#define SOCK_OPS_EXT_HELPER_FN_BASE   0xFFFF
 

Typedefs

typedef enum _bind_operation bind_operation_t
 
typedef struct _bind_md bind_md_t
 
typedef enum _bind_action bind_action_t
 Actions that can be returned by a bind hook program.
 
typedef bind_action_t bind_hook_t(bind_md_t *context)
 Handle IPv4 and IPv6 socket bind operations.
 
typedef enum _ebpf_sock_addr_verdict ebpf_sock_addr_verdict_t
 
typedef struct bpf_sock_addr bpf_sock_addr_t
 Data structure used as context for BPF_PROG_TYPE_CGROUP_SOCK_ADDR program type.
 
typedef struct _bpf_sock_addr_network_context bpf_sock_addr_network_context_t
 Network context information for the connection. Available for CONNECT_AUTHORIZATION, RECV_ACCEPT, and BIND attach types.
 
typedef ebpf_sock_addr_verdict_t sock_addr_hook_t(bpf_sock_addr_t *context)
 Handle socket operation. Currently supports ingress/egress connection initialization.
 
typedef enum _bpf_sock_op_type bpf_sock_op_type_t
 
typedef struct _bpf_sock_ops bpf_sock_ops_t
 
typedef int sock_ops_hook_t(bpf_sock_ops_t *context)
 Handle socket event notification. Currently notifies ingress/egress connection establishment and tear down.
 

Enumerations

enum  _bind_operation { BIND_OPERATION_BIND , BIND_OPERATION_POST_BIND , BIND_OPERATION_UNBIND }
 
enum  _bind_action {
  BIND_PERMIT_SOFT , BIND_DENY , BIND_REDIRECT , BIND_PERMIT_HARD ,
  BIND_PERMIT = BIND_PERMIT_SOFT
}
 Actions that can be returned by a bind hook program. More...
 
enum  _ebpf_sock_addr_verdict { BPF_SOCK_ADDR_VERDICT_REJECT , BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT , BPF_SOCK_ADDR_VERDICT_PROCEED_HARD }
 
enum  ebpf_sock_addr_helper_id_t { BPF_FUNC_sock_addr_get_current_pid_tgid = SOCK_ADDR_EXT_HELPER_FN_BASE + 1 , BPF_FUNC_sock_addr_set_redirect_context = SOCK_ADDR_EXT_HELPER_FN_BASE + 2 , BPF_FUNC_sock_addr_get_network_context = SOCK_ADDR_EXT_HELPER_FN_BASE + 3 }
 
enum  _bpf_sock_op_type { BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB , BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB , BPF_SOCK_OPS_CONNECTION_DELETED_CB }
 
enum  ebpf_sock_ops_helper_id_t { BPF_FUNC_sock_ops_get_flow_id = SOCK_OPS_EXT_HELPER_FN_BASE + 1 }
 

Functions

int bpf_sock_addr_set_redirect_context (bpf_sock_addr_t *ctx, void *data, uint32_t data_size)
 Set a context for consumption by a user-mode application (sock_addr specific only). This function is not supported for the recv_accept hooks.
 
int bpf_sock_addr_get_network_context (bpf_sock_addr_t *ctx, void *context_ptr, uint32_t context_size)
 Get the network context for the connection (CONNECT_AUTHORIZATION, RECV_ACCEPT, and BIND).
 
uint64_t bpf_sock_ops_get_flow_id (bpf_sock_ops_t *ctx)
 Get the WFP flow ID associated with the current sock_ops context.
 

Macro Definition Documentation

◆ BPF_SOCK_ADDR_NETWORK_CONTEXT_VERSION

#define BPF_SOCK_ADDR_NETWORK_CONTEXT_VERSION   1

◆ SOCK_ADDR_EXT_HELPER_FN_BASE

#define SOCK_ADDR_EXT_HELPER_FN_BASE   0xFFFF

◆ SOCK_OPS_EXT_HELPER_FN_BASE

#define SOCK_OPS_EXT_HELPER_FN_BASE   0xFFFF

Typedef Documentation

◆ bind_action_t

typedef enum _bind_action bind_action_t

Actions that can be returned by a bind hook program.

◆ bind_hook_t

typedef bind_action_t bind_hook_t(bind_md_t *context)

Handle IPv4 and IPv6 socket bind operations.

This function type defines the signature for eBPF programs that handle socket bind operations. The program is called before the bind operation completes and can inspect the socket metadata to make policy decisions about whether to allow, deny, or redirect the bind request.

The program can examine details such as the process ID, socket address, protocol, and interface information to implement custom bind policies. For redirect operations, the program can modify the socket_address field in the context to change the bind target.

Program type: EBPF_PROGRAM_TYPE_BIND

Note
The function must return one of the defined bind_action_t values.
Parameters
[in]contextSocket metadata.
Return values
BIND_PERMIT_SOFTPermit the bind operation (soft permit - allows lower-priority filters to override).
BIND_PERMIT_HARDPermit the bind operation (hard permit - blocks lower-priority filters).
BIND_DENYDeny the bind operation.
BIND_REDIRECTChange the bind endpoint.

◆ bind_md_t

typedef struct _bind_md bind_md_t

◆ bind_operation_t

typedef enum _bind_operation bind_operation_t

◆ bpf_sock_addr_network_context_t

typedef struct _bpf_sock_addr_network_context bpf_sock_addr_network_context_t

Network context information for the connection. Available for CONNECT_AUTHORIZATION, RECV_ACCEPT, and BIND attach types.

◆ bpf_sock_addr_t

typedef struct bpf_sock_addr bpf_sock_addr_t

Data structure used as context for BPF_PROG_TYPE_CGROUP_SOCK_ADDR program type.

◆ bpf_sock_op_type_t

typedef enum _bpf_sock_op_type bpf_sock_op_type_t

◆ bpf_sock_ops_t

typedef struct _bpf_sock_ops bpf_sock_ops_t

◆ ebpf_sock_addr_verdict_t

typedef enum _ebpf_sock_addr_verdict ebpf_sock_addr_verdict_t

◆ sock_addr_hook_t

typedef ebpf_sock_addr_verdict_t sock_addr_hook_t(bpf_sock_addr_t *context)

Handle socket operation. Currently supports ingress/egress connection initialization.

Program type: EBPF_PROGRAM_TYPE_CGROUP_SOCK_ADDR

Attach type(s): EBPF_ATTACH_TYPE_CGROUP_INET4_CONNECT EBPF_ATTACH_TYPE_CGROUP_INET6_CONNECT EBPF_ATTACH_TYPE_CGROUP_INET4_RECV_ACCEPT EBPF_ATTACH_TYPE_CGROUP_INET6_RECV_ACCEPT EBPF_ATTACH_TYPE_CGROUP_INET4_CONNECT_AUTHORIZATION EBPF_ATTACH_TYPE_CGROUP_INET6_CONNECT_AUTHORIZATION EBPF_ATTACH_TYPE_CGROUP_INET4_BIND EBPF_ATTACH_TYPE_CGROUP_INET6_BIND

Parameters
[in]contextbpf_sock_addr_t
Return values
BPF_SOCK_ADDR_VERDICT_REJECTBlock the socket operation. Maps to a hard block in WFP.
BPF_SOCK_ADDR_VERDICT_PROCEED_SOFTAllow the socket operation. Maps to a soft permit in WFP.
BPF_SOCK_ADDR_VERDICT_PROCEED_HARDAllow the socket operation. Maps to a hard permit in WFP.

Any return value other than the ones mentioned above is treated as BPF_SOCK_ADDR_VERDICT_REJECT.

◆ sock_ops_hook_t

typedef int sock_ops_hook_t(bpf_sock_ops_t *context)

Handle socket event notification. Currently notifies ingress/egress connection establishment and tear down.

Program type: EBPF_PROGRAM_TYPE_SOCK_OPS

Attach type(s): EBPF_ATTACH_TYPE_CGROUP_SOCK_OPS

Parameters
[in]contextbpf_sock_ops_t
Returns
0 on success, or error value in case of failure.

Enumeration Type Documentation

◆ _bind_action

enum _bind_action

Actions that can be returned by a bind hook program.

Enumerator
BIND_PERMIT_SOFT 

Permit the bind operation (soft permit).

Use this when you want to allow the operation but still permit other security policies or filters to make the final decision.

BIND_DENY 

Deny the bind operation.

The bind operation will be blocked.

BIND_REDIRECT 

Change the bind endpoint.

The bind operation is allowed but the target address/port may be modified by the eBPF program. The program should update the socket_address field in the bind_md_t context to specify the new target.

BIND_PERMIT_HARD 

Permit the bind operation (hard permit).

The bind operation is allowed and lower-priority filters or security policies cannot override this decision.

BIND_PERMIT 

Backward compatibility alias for BIND_PERMIT_SOFT.

Deprecated:
Use BIND_PERMIT_SOFT instead for clarity about the permit behavior.

◆ _bind_operation

enum _bind_operation
Enumerator
BIND_OPERATION_BIND 

Entry to bind.

BIND_OPERATION_POST_BIND 

After port allocation.

BIND_OPERATION_UNBIND 

Release port.

◆ _bpf_sock_op_type

enum _bpf_sock_op_type
Enumerator
BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB 

Indicates when an active (outbound) connection is established.

BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB 

Indicates when a passive (inbound) connection is established.

BPF_SOCK_OPS_CONNECTION_DELETED_CB 

Indicates when a connection is deleted.

◆ _ebpf_sock_addr_verdict

enum _ebpf_sock_addr_verdict
Enumerator
BPF_SOCK_ADDR_VERDICT_REJECT 
BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT 
BPF_SOCK_ADDR_VERDICT_PROCEED_HARD 

◆ ebpf_sock_addr_helper_id_t

enum ebpf_sock_addr_helper_id_t
Enumerator
BPF_FUNC_sock_addr_get_current_pid_tgid 
BPF_FUNC_sock_addr_set_redirect_context 
BPF_FUNC_sock_addr_get_network_context 

◆ ebpf_sock_ops_helper_id_t

enum ebpf_sock_ops_helper_id_t
Enumerator
BPF_FUNC_sock_ops_get_flow_id 

Function Documentation

◆ bpf_sock_addr_get_network_context()

int bpf_sock_addr_get_network_context ( bpf_sock_addr_t ctx,
void *  context_ptr,
uint32_t  context_size 
)

Get the network context for the connection (CONNECT_AUTHORIZATION, RECV_ACCEPT, and BIND).

Parameters
[in]ctxPointer to bpf_sock_addr_t context.
[out]context_ptrPointer to bpf_sock_addr_network_context_t struct to be filled.
[in]context_sizeSize of the struct (used for version management).
Return values
0The operation was successful.
<0A failure occurred (e.g., network context unavailable at current attach layer).

◆ bpf_sock_addr_set_redirect_context()

int bpf_sock_addr_set_redirect_context ( bpf_sock_addr_t ctx,
void *  data,
uint32_t  data_size 
)

Set a context for consumption by a user-mode application (sock_addr specific only). This function is not supported for the recv_accept hooks.

Parameters
[in]ctxPointer to bpf_sock_addr_t context.
[in]dataPointer to data to store.
[in]data_sizeThe size of the data to store.
Return values
0The operation was successful.
<0A failure occurred.

◆ bpf_sock_ops_get_flow_id()

uint64_t bpf_sock_ops_get_flow_id ( bpf_sock_ops_t ctx)

Get the WFP flow ID associated with the current sock_ops context.

Parameters
[in]ctxPointer to bpf_sock_ops_t context.
Returns
The WFP flow ID as a 64-bit unsigned integer.
Generated by doxygen 1.9.8