#include <stdint.h>
|
| enum | _bind_operation { BIND_OPERATION_BIND
, BIND_OPERATION_POST_BIND
, BIND_OPERATION_UNBIND
} |
| |
| enum | _bind_action {
BIND_PERMIT_SOFT
, BIND_DENY
, BIND_REDIRECT
, BIND_PERMIT_HARD
,
BIND_PERMIT = BIND_PERMIT_SOFT
} |
| | Actions that can be returned by a bind hook program.
|
| |
| enum | _ebpf_sock_addr_verdict { BPF_SOCK_ADDR_VERDICT_REJECT
, BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT
, BPF_SOCK_ADDR_VERDICT_PROCEED_HARD
} |
| |
| enum | ebpf_sock_addr_helper_id_t { BPF_FUNC_sock_addr_get_current_pid_tgid = SOCK_ADDR_EXT_HELPER_FN_BASE + 1
, BPF_FUNC_sock_addr_set_redirect_context = SOCK_ADDR_EXT_HELPER_FN_BASE + 2
} |
| |
| enum | _bpf_sock_op_type { BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB
, BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB
, BPF_SOCK_OPS_CONNECTION_DELETED_CB
} |
| |
| enum | ebpf_sock_ops_helper_id_t { BPF_FUNC_sock_ops_get_flow_id = SOCK_OPS_EXT_HELPER_FN_BASE + 1
} |
| |
◆ SOCK_ADDR_EXT_HELPER_FN_BASE
| #define SOCK_ADDR_EXT_HELPER_FN_BASE 0xFFFF |
◆ SOCK_OPS_EXT_HELPER_FN_BASE
| #define SOCK_OPS_EXT_HELPER_FN_BASE 0xFFFF |
◆ bind_action_t
Actions that can be returned by a bind hook program.
◆ bind_hook_t
Handle IPv4 and IPv6 socket bind() requests.
This function type defines the signature for eBPF programs that handle socket bind operations. The program is invoked before the bind operation completes and can inspect the socket metadata to decide whether to permit, deny, or redirect the bind request.
The program can examine details such as the process ID, socket address, protocol, and interface information to implement custom bind policies. To redirect a bind, the program modifies the socket_address field in the context to change the bind target.
Program type: EBPF_PROGRAM_TYPE_BIND
- Note
- The function must return one of the defined bind_action_t values.
- Parameters
-
| [in] | context | Socket metadata. |
- Return values
-
| BIND_PERMIT_SOFT | Permit the bind operation (soft permit - allows lower-priority filters to override). |
| BIND_PERMIT_HARD | Permit the bind operation (hard permit - blocks lower-priority filters). |
| BIND_DENY | Deny the bind operation. |
| BIND_REDIRECT | Change the bind endpoint. |
◆ bind_md_t
◆ bind_operation_t
◆ bpf_sock_addr_t
Data structure used as context for BPF_PROG_TYPE_CGROUP_SOCK_ADDR program type.
◆ bpf_sock_op_type_t
◆ bpf_sock_ops_t
◆ ebpf_sock_addr_verdict_t
◆ sock_addr_hook_t
◆ sock_ops_hook_t
◆ _bind_action
Actions that can be returned by a bind hook program.
| Enumerator |
|---|
| BIND_PERMIT_SOFT | Permit the bind operation (soft permit).
Use this when you want to allow the operation but still permit other security policies or filters to make the final decision.
|
| BIND_DENY | Deny the bind operation.
The bind operation will be blocked.
|
| BIND_REDIRECT | Change the bind endpoint.
The bind operation is allowed but the target address/port may be modified by the eBPF program. The program should update the socket_address field in the bind_md_t context to specify the new target.
|
| BIND_PERMIT_HARD | Permit the bind operation (hard permit).
The bind operation is allowed and lower-priority filters or security policies cannot override this decision.
|
| BIND_PERMIT | Backward compatibility alias for BIND_PERMIT_SOFT.
- Deprecated:
- Use BIND_PERMIT_SOFT instead for clarity about the permit behavior.
|
◆ _bind_operation
| Enumerator |
|---|
| BIND_OPERATION_BIND | Entry into the bind operation.
|
| BIND_OPERATION_POST_BIND | After port allocation.
|
| BIND_OPERATION_UNBIND | Release port.
|
◆ _bpf_sock_op_type
| Enumerator |
|---|
| BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB | Indicates when an active (outbound) connection is established.
|
| BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB | Indicates when a passive (inbound) connection is established.
|
| BPF_SOCK_OPS_CONNECTION_DELETED_CB | Indicates when a connection is deleted.
|
◆ _ebpf_sock_addr_verdict
| Enumerator |
|---|
| BPF_SOCK_ADDR_VERDICT_REJECT | |
| BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT | |
| BPF_SOCK_ADDR_VERDICT_PROCEED_HARD | |
◆ ebpf_sock_addr_helper_id_t
| Enumerator |
|---|
| BPF_FUNC_sock_addr_get_current_pid_tgid | |
| BPF_FUNC_sock_addr_set_redirect_context | |
◆ ebpf_sock_ops_helper_id_t
| Enumerator |
|---|
| BPF_FUNC_sock_ops_get_flow_id | |
◆ bpf_sock_addr_set_redirect_context()
| int bpf_sock_addr_set_redirect_context |
( |
bpf_sock_addr_t * |
ctx, |
|
|
void * |
data, |
|
|
uint32_t |
data_size |
|
) |
| |
Store a context that a user-mode application can later consume (sock_addr hooks only). This function is not supported for the recv_accept hooks.
- Parameters
-
| [in] | ctx | Pointer to bpf_sock_addr_t context. |
| [in] | data | Pointer to data to store. |
| [in] | data_size | The size of the data to store. |
- Return values
-
| 0 | The operation was successful. |
| <0 | A failure occurred. |
◆ bpf_sock_ops_get_flow_id()
Get the WFP flow ID associated with the current sock_ops context.
- Parameters
-
| [in] | ctx | Pointer to bpf_sock_ops_t context. |
- Returns
- The WFP flow ID as a 64-bit unsigned integer.