eBPF for Windows
ebpf_nethooks.h
Go to the documentation of this file.
1 // Copyright (c) eBPF for Windows contributors
2 // SPDX-License-Identifier: MIT
3 #pragma once
4 #include <stdint.h>
5 
6 // This file contains APIs for hooks and helpers that are
7 // exposed by netebpfext.sys for use by eBPF programs.
8 
9 #ifndef __doxygen
10 #define EBPF_HELPER(return_type, name, args) typedef return_type(*const name##_t) args
11 #endif
12 
13 // BIND hook
14 
15 typedef enum _bind_operation
16 {
17  BIND_OPERATION_BIND,
18  BIND_OPERATION_POST_BIND,
19  BIND_OPERATION_UNBIND,
20 } bind_operation_t;
21 
22 typedef struct _bind_md
23 {
24  uint8_t* app_id_start;
25  uint8_t* app_id_end;
26  uint64_t process_id;
27  uint8_t socket_address[16];
28  uint8_t socket_address_length;
29  bind_operation_t operation;
30  uint8_t protocol;
31 } bind_md_t;
32 
33 typedef enum _bind_action
34 {
35  BIND_PERMIT,
36  BIND_DENY,
37  BIND_REDIRECT,
38 } bind_action_t;
39 
50 typedef bind_action_t
51 bind_hook_t(bind_md_t* context);
52 
53 //
54 // CGROUP_SOCK_ADDR.
55 //
56 
57 #define BPF_SOCK_ADDR_VERDICT_REJECT 0
58 #define BPF_SOCK_ADDR_VERDICT_PROCEED 1
59 
60 #ifdef _MSC_VER
61 #pragma warning(push)
62 #pragma warning(disable : 4201)
63 #endif
67 typedef struct bpf_sock_addr
68 {
69  uint32_t family;
70  struct
71  {
76  union
77  {
78  uint32_t msg_src_ip4;
79  uint32_t msg_src_ip6[4];
80  };
81  uint16_t msg_src_port;
82  };
83  struct
84  {
85  /* @brief Destination IP address in network byte order.
86  * Local for egress, remote for ingress.
87  */
88  union
89  {
90  uint32_t user_ip4;
91  uint32_t user_ip6[4];
92  };
93  uint16_t user_port;
94  };
95  uint32_t protocol;
96  uint32_t compartment_id;
97  uint64_t interface_luid;
98 } bpf_sock_addr_t;
99 
100 #define SOCK_ADDR_EXT_HELPER_FN_BASE 0xFFFF
101 
102 typedef enum
103 {
104  BPF_FUNC_sock_addr_get_current_pid_tgid = SOCK_ADDR_EXT_HELPER_FN_BASE + 1,
105  BPF_FUNC_sock_addr_set_redirect_context = SOCK_ADDR_EXT_HELPER_FN_BASE + 2,
106 } ebpf_sock_addr_helper_id_t;
107 
121 EBPF_HELPER(uint64_t, bpf_sock_addr_get_current_pid_tgid, (bpf_sock_addr_t * ctx));
122 #ifndef __doxygen
123 #define bpf_sock_addr_get_current_pid_tgid \
124  ((bpf_sock_addr_get_current_pid_tgid_t)BPF_FUNC_sock_addr_get_current_pid_tgid)
125 #endif
126 
138 EBPF_HELPER(int, bpf_sock_addr_set_redirect_context, (bpf_sock_addr_t * ctx, void* data, uint32_t data_size));
139 #ifndef __doxygen
140 #define bpf_sock_addr_set_redirect_context \
141  ((bpf_sock_addr_set_redirect_context_t)BPF_FUNC_sock_addr_set_redirect_context)
142 #endif
143 
161 typedef int
162 sock_addr_hook_t(bpf_sock_addr_t* context);
163 
164 typedef enum _bpf_sock_op_type
165 {
167  BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB,
169  BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB,
171  BPF_SOCK_OPS_CONNECTION_DELETED_CB
172 } bpf_sock_op_type_t;
173 
174 typedef struct _bpf_sock_ops
175 {
176  bpf_sock_op_type_t op;
177  uint32_t family;
178  struct
179  {
180  union
181  {
182  uint32_t local_ip4;
183  uint32_t local_ip6[4];
184  };
185  uint32_t local_port;
186  };
187  struct
188  {
189  union
190  {
191  uint32_t remote_ip4;
192  uint32_t remote_ip6[4];
193  };
194  uint32_t remote_port;
195  };
196  uint8_t protocol;
197  uint32_t compartment_id;
198  uint64_t interface_luid;
199 } bpf_sock_ops_t;
200 
213 typedef int
214 sock_ops_hook_t(bpf_sock_ops_t* context);
215 
216 #ifdef _MSC_VER
217 #pragma warning(pop)
218 #endif
bind_operation_t
enum _bind_operation bind_operation_t
SOCK_ADDR_EXT_HELPER_FN_BASE
#define SOCK_ADDR_EXT_HELPER_FN_BASE
Definition: ebpf_nethooks.h:100
bpf_sock_addr_get_current_pid_tgid
uint64_t bpf_sock_addr_get_current_pid_tgid(bpf_sock_addr_t *ctx)
Get current pid and tgid (sock_addr specific only).
ebpf_sock_addr_helper_id_t
ebpf_sock_addr_helper_id_t
Definition: ebpf_nethooks.h:103
BPF_FUNC_sock_addr_set_redirect_context
@ BPF_FUNC_sock_addr_set_redirect_context
Definition: ebpf_nethooks.h:105
BPF_FUNC_sock_addr_get_current_pid_tgid
@ BPF_FUNC_sock_addr_get_current_pid_tgid
Definition: ebpf_nethooks.h:104
bpf_sock_op_type_t
enum _bpf_sock_op_type bpf_sock_op_type_t
sock_addr_hook_t
int sock_addr_hook_t(bpf_sock_addr_t *context)
Handle socket operation. Currently supports ingress/egress connection initialization.
Definition: ebpf_nethooks.h:162
sock_ops_hook_t
int sock_ops_hook_t(bpf_sock_ops_t *context)
Handle socket event notification. Currently notifies ingress/egress connection establishment and tear...
Definition: ebpf_nethooks.h:214
bpf_sock_addr_set_redirect_context
int bpf_sock_addr_set_redirect_context(bpf_sock_addr_t *ctx, void *data, uint32_t data_size)
Set a context for consumption by a user-mode application (sock_addr specific only)....
_bind_operation
_bind_operation
Definition: ebpf_nethooks.h:16
BIND_OPERATION_BIND
@ BIND_OPERATION_BIND
Entry to bind.
Definition: ebpf_nethooks.h:17
BIND_OPERATION_UNBIND
@ BIND_OPERATION_UNBIND
Release port.
Definition: ebpf_nethooks.h:19
BIND_OPERATION_POST_BIND
@ BIND_OPERATION_POST_BIND
After port allocation.
Definition: ebpf_nethooks.h:18
_bind_action
_bind_action
Definition: ebpf_nethooks.h:34
BIND_REDIRECT
@ BIND_REDIRECT
Change the bind endpoint.
Definition: ebpf_nethooks.h:37
BIND_PERMIT
@ BIND_PERMIT
Permit the bind operation.
Definition: ebpf_nethooks.h:35
BIND_DENY
@ BIND_DENY
Deny the bind operation.
Definition: ebpf_nethooks.h:36
_bpf_sock_op_type
_bpf_sock_op_type
Definition: ebpf_nethooks.h:165
BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB
@ BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB
Indicates when a passive (inbound) connection is established.
Definition: ebpf_nethooks.h:169
BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB
@ BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB
Indicates when an active (outbound) connection is established.
Definition: ebpf_nethooks.h:167
BPF_SOCK_OPS_CONNECTION_DELETED_CB
@ BPF_SOCK_OPS_CONNECTION_DELETED_CB
Indicates when a connection is deleted.
Definition: ebpf_nethooks.h:171
bind_hook_t
bind_action_t bind_hook_t(bind_md_t *context)
Handle an AF_INET socket bind() request.
Definition: ebpf_nethooks.h:51
bpf_sock_addr_t
struct bpf_sock_addr bpf_sock_addr_t
Data structure used as context for BPF_PROG_TYPE_CGROUP_SOCK_ADDR program type.
bind_action_t
enum _bind_action bind_action_t
bind_md_t
struct _bind_md bind_md_t
bpf_sock_ops_t
struct _bpf_sock_ops bpf_sock_ops_t
_bind_md
Definition: ebpf_nethooks.h:23
_bind_md::protocol
uint8_t protocol
Protocol number (e.g., IPPROTO_TCP).
Definition: ebpf_nethooks.h:30
_bind_md::operation
bind_operation_t operation
Operation to do.
Definition: ebpf_nethooks.h:29
_bind_md::app_id_end
uint8_t * app_id_end
Pointer to end of App ID.
Definition: ebpf_nethooks.h:25
_bind_md::socket_address
uint8_t socket_address[16]
Socket address to bind to.
Definition: ebpf_nethooks.h:27
_bind_md::process_id
uint64_t process_id
Process ID.
Definition: ebpf_nethooks.h:26
_bind_md::app_id_start
uint8_t * app_id_start
Pointer to start of App ID.
Definition: ebpf_nethooks.h:24
_bind_md::socket_address_length
uint8_t socket_address_length
Length in bytes of the socket address.
Definition: ebpf_nethooks.h:28
_bpf_sock_ops
Definition: ebpf_nethooks.h:175
_bpf_sock_ops::local_ip4
uint32_t local_ip4
Definition: ebpf_nethooks.h:182
_bpf_sock_ops::family
uint32_t family
IP address family.
Definition: ebpf_nethooks.h:177
_bpf_sock_ops::remote_ip4
uint32_t remote_ip4
Definition: ebpf_nethooks.h:191
_bpf_sock_ops::compartment_id
uint32_t compartment_id
Network compartment Id.
Definition: ebpf_nethooks.h:197
_bpf_sock_ops::protocol
uint8_t protocol
IP protocol.
Definition: ebpf_nethooks.h:196
_bpf_sock_ops::remote_port
uint32_t remote_port
Definition: ebpf_nethooks.h:194
_bpf_sock_ops::interface_luid
uint64_t interface_luid
Interface LUID.
Definition: ebpf_nethooks.h:198
_bpf_sock_ops::local_ip6
uint32_t local_ip6[4]
Definition: ebpf_nethooks.h:183
_bpf_sock_ops::op
bpf_sock_op_type_t op
Definition: ebpf_nethooks.h:176
_bpf_sock_ops::remote_ip6
uint32_t remote_ip6[4]
Definition: ebpf_nethooks.h:192
_bpf_sock_ops::local_port
uint32_t local_port
Definition: ebpf_nethooks.h:185
bpf_sock_addr
Data structure used as context for BPF_PROG_TYPE_CGROUP_SOCK_ADDR program type.
Definition: ebpf_nethooks.h:68
bpf_sock_addr::protocol
uint32_t protocol
IP protocol.
Definition: ebpf_nethooks.h:95
bpf_sock_addr::user_port
uint16_t user_port
Destination port in network byte order.
Definition: ebpf_nethooks.h:93
bpf_sock_addr::msg_src_port
uint16_t msg_src_port
Source port in network byte order.
Definition: ebpf_nethooks.h:81
bpf_sock_addr::user_ip4
uint32_t user_ip4
Definition: ebpf_nethooks.h:90
bpf_sock_addr::user_ip6
uint32_t user_ip6[4]
Definition: ebpf_nethooks.h:91
bpf_sock_addr::compartment_id
uint32_t compartment_id
Network compartment Id.
Definition: ebpf_nethooks.h:96
bpf_sock_addr::msg_src_ip6
uint32_t msg_src_ip6[4]
Definition: ebpf_nethooks.h:79
bpf_sock_addr::interface_luid
uint64_t interface_luid
Interface LUID.
Definition: ebpf_nethooks.h:97
bpf_sock_addr::msg_src_ip4
uint32_t msg_src_ip4
Definition: ebpf_nethooks.h:78
bpf_sock_addr::family
uint32_t family
IP address family.
Definition: ebpf_nethooks.h:69
Generated by doxygen 1.9.1