From 3f95ade4f02d1419e65ba4f0462168fb13515191 Mon Sep 17 00:00:00 2001
From: up200504098
Date: Mon, 6 May 2024 20:28:51 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E9=98=B2=E7=81=AB=E5=A2=99=EF=BC=9A?= =?UTF-8?q?=E6=B7=BB=E5=8A=A0sock=5Ftcp=5Fsend=5Freset=E6=8E=A7=E5=88=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: up200504098
---
 include/uapi/linux/bpf.h | 12 ++++++++++++
 net/core/filter.c | 30 ++++++++++++++++++++++++++++++
 tools/include/uapi/linux/bpf.h | 12 ++++++++++++
 3 files changed, 54 insertions(+)

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 0f39fdcb2273..01f99b528932 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -3742,6 +3742,13 @@ union bpf_attr {
  * Return
  * The helper returns **TC_ACT_REDIRECT** on success or
  * **TC_ACT_SHOT** on error.
+ *
+ * int bpf_sock_tcp_send_reset(struct sk_buff *skb)
+ * Description
+ * Redirect If Netfirewall intercepts socket TCP interception,
+ * we need to actively send a reset packet to disconnect the current TCP connection.
+ * Return
+ * The helper returns Send packet reset sucess.
  */
 #define __BPF_FUNC_MAPPER(FN) \
 FN(unspec), \
@@ -3900,8 +3907,13 @@ union bpf_attr {
 FN(per_cpu_ptr), \
 FN(this_cpu_ptr), \
 FN(redirect_peer), \
+ FN(sock_tcp_send_reset), \
 /* */
 
+#ifndef BPF_SOCK_TCP_SEND_RESET_ENABLE
+#define BPF_SOCK_TCP_SEND_RESET_ENABLE
+#endif // BPF_SOCK_TCP_SEND_RESET_ENABLE
+
 /* integer value in 'imm' field of BPF_CALL instruction selects which helper
  * function eBPF program intends to call
  */
diff --git a/net/core/filter.c b/net/core/filter.c
index 9343a911e9e2..246ed9c71344 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -77,6 +77,9 @@
 #include
 #include
 #include
+#include
+#include
+#include
 
 static const struct bpf_func_proto *
 bpf_sk_base_func_proto(enum bpf_func_id func_id);
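Review bot: The `Return` text added for `bpf_sock_tcp_send_reset` ("The helper returns Send packet reset sucess") does not match the implementation in net/core/filter.c, which returns 0 unconditionally and never reports whether a RST was actually emitted, so a firewall program cannot distinguish "reset sent" from "socket was not TCP / family unsupported". Either document `Return 0` plainly or, better, have the helper return a negative error in the no-op cases and document that. The Description sentence is also hard to parse (the leading "Redirect" looks like a leftover from the previous helper's text) and "sucess" is misspelled; I would write `Description: Send a TCP RST for the connection *skb* belongs to, so that a connection the firewall rejects is torn down on both ends.` once the return contract is settled. The identical text in the tools/include/uapi/linux/bpf.h hunk needs the same fix; the two copies must stay in sync.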
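Review bot: `FN(sock_tcp_send_reset)` is appended at the tail of `__BPF_FUNC_MAPPER`, which gives this out-of-tree helper the next free numeric helper id; as far as I know upstream already uses that slot for a different helper in later releases, so a program compiled against upstream headers, or this tree after a rebase, would silently dispatch to the wrong helper with a different argument contract. If the helper is meant to live out of tree, either reserve an id well clear of the upstream range or at least document the collision risk next to the entry, e.g. `/* out-of-tree: id collides with upstream helpers added after redirect_peer */`. The `BPF_SOCK_TCP_SEND_RESET_ENABLE` feature macro is placed in a UAPI header with a `//` comment on its `#endif`; uapi headers use `/* */` comments only, and the `#ifndef` guard around an empty `#define` is unnecessary since identical redefinition is permitted, so `#define BPF_SOCK_TCP_SEND_RESET_ENABLE /* bpf_sock_tcp_send_reset() available */` is enough. The same applies to the tools/include/uapi/linux/bpf.h hunk.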
@@ -4616,6 +4619,31 @@ static const struct bpf_func_proto bpf_get_socket_cookie_proto = {
 .arg1_type = ARG_PTR_TO_CTX,
 };
 
+BPF_CALL_1(bpf_sock_tcp_send_reset, struct sk_buff *, skb)
+{
+ //destroy tcp
+ struct sock *sk = sk_to_full_sk(skb->sk);
+ if (sk->sk_protocol == IPPROTO_TCP) {
+ struct net *net = dev_net(skb->dev);
+ int hook = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) | (1 << NF_INET_LOCAL_OUT);
+ if (sk->sk_family == AF_INET) {
+ nf_send_reset(net, skb, hook);
+#if IS_ENABLED(CONFIG_NF_REJECT_IPV6)
+ } else if (sk->sk_family == AF_INET6) {
+ nf_send_reset6(net, skb, hook);
+#endif
+ }
+ }
+ return 0;
+}
+
+static const struct bpf_func_proto bpf_sock_tcp_send_reset_proto = {
+ .func = bpf_sock_tcp_send_reset,
+ .gpl_only = false,
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_CTX,
+};
+
 BPF_CALL_1(bpf_get_socket_cookie_sock_addr, struct bpf_sock_addr_kern *, ctx)
 {
 return __sock_gen_cookie(ctx->sk);
@@ -7094,6 +7122,8 @@ cg_skb_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 return &bpf_get_local_storage_proto;
 case BPF_FUNC_sk_fullsock:
 return &bpf_sk_fullsock_proto;
+ case BPF_FUNC_sock_tcp_send_reset:
+ return &bpf_sock_tcp_send_reset_proto;
 case BPF_FUNC_sk_storage_get:
 return &bpf_sk_storage_get_proto;
 case BPF_FUNC_sk_storage_delete:
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 1dd4b1acbcb0..02e5dfca1941 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -3742,6 +3742,13 @@ union bpf_attr {
  * Return
  * The helper returns **TC_ACT_REDIRECT** on success or
  * **TC_ACT_SHOT** on error.
+ *
+ * int bpf_sock_tcp_send_reset(struct sk_buff *skb)
+ * Description
+ * Redirect If Netfirewall intercepts socket TCP interception,
+ * we need to actively send a reset packet to disconnect the current TCP connection.
+ * Return
+ * The helper returns Send packet reset sucess.
  */
 #define __BPF_FUNC_MAPPER(FN) \
 FN(unspec), \
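Review bot: `hook` is built as a bitmask of three `NF_INET_*` values, but the third parameter of `nf_send_reset()` / `nf_send_reset6()` is a single `nf_inet_hooks` number, which those functions (as far as I recall) compare for equality to decide how to route and fill the reply; an OR of hook bits matches none of them, so the RST path taken is not the one intended. Pass the one hook that corresponds to the direction the cgroup skb program runs in rather than a mask. Separately, `sk_to_full_sk(skb->sk)` can return NULL and is dereferenced on the next line without a check, `dev_net(skb->dev)` ties the helper to `skb->dev` being set when `sock_net(sk)` is always available once `sk` is known to be valid, and `.gpl_only = false` exposes what I believe are GPL-only exports (`nf_send_reset*`) to non-GPL programs — that should be `true` unless there is a reason otherwise. The rewritten body below also returns a distinct error in the no-op cases so the calling program can tell that no reset was sent.
```c
BPF_CALL_1(bpf_sock_tcp_send_reset, struct sk_buff *, skb)
{
	struct sock *sk = sk_to_full_sk(skb->sk);
	struct net *net;
	/* single hook number, not a mask: nf_send_reset*() compare it for equality.
	 * TODO(review): pick the value matching the direction this program attaches at.
	 */
	int hook = NF_INET_LOCAL_OUT;

	if (!sk || sk->sk_protocol != IPPROTO_TCP)
		return -EINVAL;

	net = sock_net(sk);
	switch (sk->sk_family) {
	case AF_INET:
		nf_send_reset(net, skb, hook);
		return 0;
#if IS_ENABLED(CONFIG_NF_REJECT_IPV6)
	case AF_INET6:
		nf_send_reset6(net, skb, hook);
		return 0;
#endif
	default:
		return -EAFNOSUPPORT;
	}
}

/* … unchanged: bpf_sock_tcp_send_reset_proto, except .gpl_only = true … */
```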
@@ -3900,8 +3907,13 @@ union bpf_attr {
 FN(per_cpu_ptr), \
 FN(this_cpu_ptr), \
 FN(redirect_peer), \
+ FN(sock_tcp_send_reset), \
 /* */
 
+#ifndef BPF_SOCK_TCP_SEND_RESET_ENABLE
+#define BPF_SOCK_TCP_SEND_RESET_ENABLE
+#endif // BPF_SOCK_TCP_SEND_RESET_ENABLE
+
 /* integer value in 'imm' field of BPF_CALL instruction selects which helper
  * function eBPF program intends to call
  */
-- 
Gitee

From 4900f0e2ab7b5e680587921c23ed648378771409 Mon Sep 17 00:00:00 2001
From: up200504098
Date: Tue, 7 May 2024 14:27:04 +0800
Subject: [PATCH 2/2] fix device config is not set CONFIG_NF_REJECT_IPV4

Signed-off-by: up200504098
---
 net/core/filter.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/core/filter.c b/net/core/filter.c
index 246ed9c71344..3f8253b3b1c9 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4621,6 +4621,7 @@ static const struct bpf_func_proto bpf_get_socket_cookie_proto = {
 
 BPF_CALL_1(bpf_sock_tcp_send_reset, struct sk_buff *, skb)
 {
+#if IS_ENABLED(CONFIG_NF_REJECT_IPV4)
 //destroy tcp
 struct sock *sk = sk_to_full_sk(skb->sk);
 if (sk->sk_protocol == IPPROTO_TCP) {
@@ -4634,6 +4635,7 @@ BPF_CALL_1(bpf_sock_tcp_send_reset, struct sk_buff *, skb)
 #endif
 }
 }
+#endif
 return 0;
 }
 
-- 
Gitee
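Review bot: Wrapping the entire body in `#if IS_ENABLED(CONFIG_NF_REJECT_IPV4)` (first hunk of this patch, closed by the `#endif` in the second) also compiles out the IPv6 branch on a kernel that has CONFIG_NF_REJECT_IPV6 but not IPV4, and in every disabled configuration the helper still returns 0, so the firewall program is told the reset succeeded when nothing was sent. Guard the two calls independently and make the disabled case visible, e.g. `#else` / `return -EOPNOTSUPP;` in place of the silent fall-through to `return 0;`, or register `bpf_sock_tcp_send_reset_proto` in `cg_skb_func_proto()` only when at least one reject module is enabled so the verifier refuses the program up front. The function's middle (the IPv4/IPv6 dispatch) lies between the two hunks and is not shown here.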