Get query from function
		
							parent
							
								
									5812b581e8
								
							
						
					
					
						commit
						1051b50931
					
				| @ -12,12 +12,11 @@ struct dnshdr { | ||||
|     uint16_t nbAdditionalRRs; | ||||
| }; | ||||
| 
 | ||||
| struct dns_query { | ||||
| /*struct dns_query {
 | ||||
|     char *name; | ||||
|     uint16_t type; | ||||
|     uint16_t class; | ||||
| //    struct dns_query    *next;
 | ||||
| }; | ||||
| };*/ | ||||
| 
 | ||||
| struct event { | ||||
|     uint32_t saddr; | ||||
|  | ||||
| @ -29,53 +29,20 @@ struct { | ||||
| } m_data SEC(".maps"); | ||||
| 
 | ||||
| /*
 | ||||
|  * https://datatracker.ietf.org/doc/html/rfc1035
 | ||||
|  * This function get the query field and the return the length of it | ||||
|  */ | ||||
| static int dnsquery(struct __sk_buff *skb, struct ethhdr eth, struct iphdr ip, struct udphdr udp, int dport, int sport){ | ||||
|     struct event *s_event; | ||||
|     struct dnshdr dns = {0}; | ||||
|     char saddr[32]; | ||||
|     // bpf_printk("udp len: %d", ntohs(udp.len));
 | ||||
| 
 | ||||
|     s_event = bpf_ringbuf_reserve(&m_data, sizeof(*s_event), 0); | ||||
|     if (!s_event) | ||||
|        return 0; | ||||
| 
 | ||||
|     /* Get IP header */ | ||||
|     s_event->saddr = ip.saddr; | ||||
| 
 | ||||
|     /* Get DNS header */ | ||||
|     bpf_skb_load_bytes(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr), &dns, sizeof(struct dnshdr)); | ||||
| 
 | ||||
|     if (ntohs(dns.nbQuestions) == 0){ | ||||
|         bpf_ringbuf_discard(s_event, 0); | ||||
|         return 0; | ||||
|     } | ||||
| 
 | ||||
| 
 | ||||
|     bpf_printk("tid: %x", ntohs(dns.transactionID)); // Use as key map
 | ||||
|     bpf_printk("nb question: %d", ntohs(dns.nbQuestions)); | ||||
| 
 | ||||
|     struct dns_query dquery; | ||||
|     bpf_skb_load_bytes(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + sizeof(struct dnshdr), &dquery, sizeof(struct dns_query)); | ||||
|     //bpf_printk("%s", dquery.name);
 | ||||
|     //bpf_printk("class: %d", ntohs(dquery.class));
 | ||||
|     //bpf_printk("type: %d", ntohs(dquery.type));
 | ||||
|     // bpf_printk("size: %d %d %d", tlen, skb->len, (skb->len - tlen));
 | ||||
|     //dlen = (skb->len - tlen);
 | ||||
|     //bpf_printk("DNS packet len: %d", dlen);
 | ||||
|     //qlen = dlen - sizeof(struct dnshdr);
 | ||||
|     //bpf_printk("size: %d %d", sizeof(struct dnshdr), qlen);
 | ||||
| static size_t get_query(struct __sk_buff *skb, struct event *s_event, uint16_t *class, uint16_t *type, size_t tlen){ | ||||
|     size_t len; | ||||
|     char buf[QNAME_SIZE] = {0}; | ||||
| 
 | ||||
| 
 | ||||
|     bpf_skb_load_bytes(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + sizeof(struct dnshdr), &buf, 41); | ||||
|     int index = 0; | ||||
|     int qname_len = 0; // Full length of the qname field
 | ||||
|     char *c = buf; | ||||
|     char qname[QNAME_SIZE] = {0}; | ||||
|     char *c; | ||||
| 
 | ||||
|      | ||||
|     bpf_skb_load_bytes(skb, tlen, &buf, 41); | ||||
|     c = buf; | ||||
| 
 | ||||
|     /*
 | ||||
|      * The qname is composed by a the number of bytes then follow by the label | ||||
|      * For instance, for the qname www.bucchino.org, | ||||
| @ -100,9 +67,56 @@ static int dnsquery(struct __sk_buff *skb, struct ethhdr eth, struct iphdr ip, s | ||||
|     bpf_printk("%s (%d) %d", s_event->qname, index, qname_len); | ||||
| 
 | ||||
|     // Get class and type
 | ||||
|     len = qname_len; | ||||
|     bpf_skb_load_bytes(skb, tlen + qname_len, type, sizeof(uint16_t)); | ||||
|     len += 2; | ||||
|     bpf_skb_load_bytes(skb, tlen + qname_len + 2, class, sizeof(uint16_t)); | ||||
|     len += 2; | ||||
| 
 | ||||
|     return len; | ||||
| } | ||||
| 
 | ||||
| /*
 | ||||
|  * https://datatracker.ietf.org/doc/html/rfc1035
 | ||||
|  */ | ||||
| static int dnsquery(struct __sk_buff *skb, struct ethhdr eth, struct iphdr ip, struct udphdr udp, int dport, int sport){ | ||||
|     struct event *s_event; | ||||
|     struct dnshdr dns = {0}; | ||||
|     char saddr[32]; | ||||
|     uint16_t class, type; | ||||
|     bpf_skb_load_bytes(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + sizeof(struct dnshdr) + qname_len, &type, sizeof(uint16_t)); | ||||
|     bpf_skb_load_bytes(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + sizeof(struct dnshdr) + qname_len + 2, &class, sizeof(uint16_t)); | ||||
|     // bpf_printk("udp len: %d", ntohs(udp.len));
 | ||||
| 
 | ||||
|     s_event = bpf_ringbuf_reserve(&m_data, sizeof(*s_event), 0); | ||||
|     if (!s_event) | ||||
|        return 0; | ||||
| 
 | ||||
|     /* Get IP header */ | ||||
|     s_event->saddr = ip.saddr; | ||||
| 
 | ||||
|     /* Get DNS header */ | ||||
|     bpf_skb_load_bytes(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr), &dns, sizeof(struct dnshdr)); | ||||
| 
 | ||||
|     if (ntohs(dns.nbQuestions) == 0){ | ||||
|         bpf_ringbuf_discard(s_event, 0); | ||||
|         return 0; | ||||
|     } | ||||
| 
 | ||||
| 
 | ||||
|     bpf_printk("tid: %x", ntohs(dns.transactionID)); // Use as key map
 | ||||
|     bpf_printk("nb question: %d", ntohs(dns.nbQuestions)); | ||||
| 
 | ||||
|     //struct dns_query dquery;
 | ||||
|     //bpf_skb_load_bytes(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + sizeof(struct dnshdr), &dquery, sizeof(struct dns_query));
 | ||||
|     // bpf_printk("size: %d %d %d", tlen, skb->len, (skb->len - tlen));
 | ||||
|     //dlen = (skb->len - tlen);
 | ||||
|     //bpf_printk("DNS packet len: %d", dlen);
 | ||||
|     //qlen = dlen - sizeof(struct dnshdr);
 | ||||
|     //bpf_printk("size: %d %d", sizeof(struct dnshdr), qlen);
 | ||||
| 
 | ||||
| 
 | ||||
|     /* Get the query structure */ | ||||
|     size_t tlen = sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + sizeof(struct dnshdr); | ||||
|     size_t query_len = get_query(skb, s_event, &class, &type, tlen); | ||||
| 
 | ||||
|     // https://docs.cilium.io/en/stable/reference-guides/bpf/progtypes/
 | ||||
|     s_event->dport = dport; | ||||
| @ -120,7 +134,7 @@ static int dnsquery(struct __sk_buff *skb, struct ethhdr eth, struct iphdr ip, s | ||||
| } | ||||
| 
 | ||||
| static int dnsanswer(struct __sk_buff *skb, struct ethhdr eth, struct iphdr ip, struct udphdr udp, int dport, int sport){ | ||||
| 
 | ||||
|     return 0; | ||||
| } | ||||
| SEC("socket") | ||||
| int detect_dns(struct __sk_buff *skb) { | ||||
|  | ||||
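Review bot: In get_query, all three `bpf_skb_load_bytes` calls ignore the return value: the 41-byte qname read at offset `tlen` and the two 2-byte reads for type and class. A query whose packet ends before `tlen + 41` makes the fixed-length read fail (and, as far as I know, zero the destination), yet the function still parses `buf` and returns a length, so a DNS sensor would report an empty qname with type/class 0 instead of dropping the packet. I would bound the read by the remaining packet length (`skb->len - tlen`, capped at `sizeof(buf)` rather than the literal 41) and check each call, e.g. `if (bpf_skb_load_bytes(skb, tlen, buf, rd_len) < 0) return 0;`, where `rd_len` is a name constructed here for that bounded length. dnsquery should then call `bpf_ringbuf_discard(s_event, 0)` when get_query reports failure. The label-parsing loop and the end of dnsquery lie outside the visible hunks, so I could not confirm that `qname_len` is bounded before it is used as an offset, nor that `tlen` accounts for IP options (it uses `sizeof(struct iphdr)`).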
										
											Binary file not shown.
										
									
								
							
	 gbucchino
						gbucchino