Add conntrack parse skeleton

Waujito · Jan 8, 2025 · 84d47b8 · 84d47b8
1 parent 8bf2ab9
commit 84d47b8
Show file tree

Hide file tree

Showing 5 changed files with 340 additions and 28 deletions.
diff --git a/src/config.h b/src/config.h
@@ -284,4 +284,42 @@ struct config_t config = default_config_set;	\
 config->last_section = &(config.default_config) \
 
 
+struct ytb_conntrack {
+	uint32_t mask;
+
+	uint64_t orig_packets;
+	uint64_t repl_packets;
+	uint64_t orig_bytes;
+	uint64_t repl_bytes;
+	uint32_t connmark;
+	uint32_t id;
+};
+
+enum yct_attrs {
+	YCTATTR_ORIG_PACKETS,
+	YCTATTR_REPL_PACKETS,
+	YCTATTR_ORIG_BYTES,
+	YCTATTR_REPL_BYTES,
+	YCTATTR_CONNMARK,
+	YCTATTR_CONNID,
+};
+/* enum yct_attrs attr, struct ytb_conntrack * yct */
+#define yct_set_mask_attr(attr, yct) \
+	((yct)->mask |= (1 << (attr)))
+
+/* enum yct_attrs attr, const struct ytb_conntrack * yct */
+#define yct_is_mask_attr(attr, yct) \
+	(((yct)->mask & (1 << (attr))) == (1 << (attr)))
+
+/* enum yct_attrs attr, struct ytb_conntrack * yct */
+#define yct_del_mask_attr(attr, yct) \
+	(yct)->mask &= ~(1 << (attr))
+
+
+struct packet_data {
+	const uint8_t *payload;
+	size_t payload_len;
+	struct ytb_conntrack yct;
+};
+
 #endif /* YTB_CONFIG_H */
diff --git a/src/kytunblock.c b/src/kytunblock.c
@@ -251,10 +251,10 @@ struct instance_config_t instance_config = {
 	.send_delayed_packet = delay_packet_send,
 };
 
-static int connbytes_pkts(const struct sk_buff *skb) {
+static int conntrack_parse(const struct sk_buff *skb, 
+			  struct ytb_conntrack *yct) {
 	const struct nf_conn *ct;
 	enum ip_conntrack_info ctinfo;
-	u_int64_t pkts = 0;
 	const struct nf_conn_counter *counters;
 
 	ct = nf_ct_get(skb, &ctinfo);
@@ -273,9 +273,20 @@ static int connbytes_pkts(const struct sk_buff *skb) {
 		return -1;
 #endif
 
-	pkts = atomic64_read(&counters[IP_CT_DIR_ORIGINAL].packets);
+	yct->orig_packets = atomic64_read(&counters[IP_CT_DIR_ORIGINAL].packets);
+	yct_set_mask_attr(YCTATTR_ORIG_PACKETS, yct);
+	yct->orig_bytes = atomic64_read(&counters[IP_CT_DIR_ORIGINAL].bytes);
+	yct_set_mask_attr(YCTATTR_ORIG_BYTES, yct);
+	yct->repl_packets = atomic64_read(&counters[IP_CT_DIR_REPLY].packets);
+	yct_set_mask_attr(YCTATTR_REPL_PACKETS, yct);
+	yct->repl_bytes = atomic64_read(&counters[IP_CT_DIR_REPLY].bytes);
+	yct_set_mask_attr(YCTATTR_REPL_BYTES, yct);
+	yct->connmark = READ_ONCE(ct->mark);
+	yct_set_mask_attr(YCTATTR_CONNMARK, yct);
+	yct->id = nf_ct_get_id(ct);
+	yct_set_mask_attr(YCTATTR_CONNID, yct);
 
-	return pkts;
+	return 0;
 }
 
 /* If this is a Red Hat-based kernel (Red Hat, CentOS, Fedora, etc)... */
@@ -346,6 +357,7 @@ static int connbytes_pkts(const struct sk_buff *skb) {
 
 static NF_CALLBACK(ykb_nf_hook, skb) {
 	int ret;
+	struct packet_data pd = {0};
 
 	if ((skb->mark & config.mark) == config.mark) 
 		goto accept;
@@ -356,16 +368,28 @@ static NF_CALLBACK(ykb_nf_hook, skb) {
 	if (skb->len > MAX_PACKET_SIZE)
 		goto accept;
 
-	if (config.connbytes_limit != 0 && connbytes_pkts(skb) > config.connbytes_limit)
+	ret = conntrack_parse(skb, &pd.yct);
+	if (ret < 0) {
+		lgtrace("[TRACE] conntrack_parse error code\n");
+	}
+
+	lgtrace("[CONNTRACK TRACE] orig_packets=%llu repl_packets=%llu orig_bytes=%llu repl_bytes=%llu connmark=%d id=%ud\n", pd.yct.orig_packets, pd.yct.repl_packets, pd.yct.orig_bytes, pd.yct.repl_bytes, pd.yct.connmark, pd.yct.id);
+
+	if (config.connbytes_limit != 0 && yct_is_mask_attr(YCTATTR_ORIG_PACKETS, &pd.yct) && pd.yct.orig_packets > config.connbytes_limit)
 		goto accept;
 
+
+
 	ret = skb_linearize(skb);
 	if (ret < 0) {
 		lgerror(ret, "Cannot linearize");
 		goto accept;
 	}
 
-	int vrd = process_packet(skb->data, skb->len);
+	pd.payload = skb->data;
+	pd.payload_len = skb->len;
+
+	int vrd = process_packet(&pd);
 
 	switch(vrd) {
 		case PKT_ACCEPT:

diff --git a/src/mangle.c b/src/mangle.c
@@ -32,7 +32,10 @@
 #include "linux/inet.h"
 #endif
 
-int process_packet(const uint8_t *raw_payload, size_t raw_payload_len) {
+int process_packet(const struct packet_data *pd) {
+	const uint8_t *raw_payload = pd->payload;
+	uint32_t raw_payload_len = pd->payload_len;
+
 	if (raw_payload_len > MAX_PACKET_SIZE) {
 		return PKT_ACCEPT;
 	}

diff --git a/src/mangle.h b/src/mangle.h
@@ -22,6 +22,7 @@
 
 #include "types.h"
 #include "tls.h"
+#include "config.h"
 
 #define PKT_ACCEPT	0
 #define PKT_DROP	1
@@ -32,7 +33,7 @@
  * Processes the packet and returns verdict.
  * This is the primary function that traverses the packet.
  */
-int process_packet(const uint8_t *packet, size_t packet_len);
+int process_packet(const struct packet_data *pd);
 
 
 /**