Getting PID of the connection owner in BPF_PROG_TYPE_SK_LOOKUP

I found an eBPF sample which proxies requests and which picks which requests to filter based on the target port.

I'm trying to filter by the process_id of the client instead of the target port and tried adding the bpf_get_current_pid_tgid() here. However it seems that the method is not found/available in that context.

How can I find the right method to get the connection owner's process_id in this context?

Stem answered 24/3, 2023 at 13:24 Comment(0)

BPF_PROG_TYPE_SK_LOOKUP programs are invoked at the point where a host knows an incoming connection should be handled by a local socket, but not yet which one. Normally the kernel would look at the IPs and ports the sockets are bound on, but this program type allows us to replace that logic and assign connections to sockets which normally are not allowed. For example to send traffic for a whole /24 to a single socket (bind only allows you to listen on a specific IP or a wildcard, not IP ranges).

So since it is the job of this program type to pick an owner for a connection, there is no PID yet which could be returned. The verifier will reject any program that attempts to use the bpf_get_current_pid_tgid helper in the BPF_PROG_TYPE_SK_LOOKUP program type.

How can I find the right method to get the connection owner's process_id in this context?

You are likely looking for another program type which triggers at another location.

Borgerhout answered 24/3, 2023 at 14:46 Comment(3)
Thanks @Dylan for discussing this on eBPF Slack too! To summarise that conversation, Dylan suggested adding all sockets that we want to redirect to a sockmap, and then filling this sockmap with a secondary BPF program of type BPF_PROG_TYPE_SK_MSG. - Stem

He also suggested that we can write a BPF_PROG_TYPE_CGROUP_SOCK_ADDR and then use the connect(), getpeername()... to also achieve the same goal. But we are not sure at this stage if a cgroup would be needed around the application (maybe the whole system is also running in a root cgroup?) - Stem

Please feel free to add anything I missed or misunderstood :) - Stem
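
The BPF_PROG_TYPE_CGROUP_SOCK_ADDR route from the comments, as an added example that is not code from the thread or from the sample the question refers to: a cgroup/connect4 hook runs in the context of the process calling connect(), so the PID is available there. The map name `proxied_pids`, the function names and the proxy address 127.0.0.1:8080 are assumptions, as is a kernel that permits bpf_get_current_pid_tgid in this program type.

```c
/* Added example: redirect connect() calls of selected PIDs to a local proxy.
 * Kernel build (assumed file name): clang -O2 -g -target bpf -c pid_redirect.bpf.c */
#define PROXY_IP4  0x7f000001u /* 127.0.0.1, assumed proxy address */
#define PROXY_PORT 8080u       /* assumed proxy port */

/* user_ip4 and user_port in struct bpf_sock_addr are network byte order. */
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define TO_BE32(x) __builtin_bswap32(x)
#define TO_BE16(x) __builtin_bswap16(x)
#else
#define TO_BE32(x) (x)
#define TO_BE16(x) (x)
#endif

/* bpf_get_current_pid_tgid() packs the tgid (what userspace calls the PID)
 * into the upper 32 bits and the thread id into the lower 32 bits. */
static inline unsigned int pid_of(unsigned long long pid_tgid)
{
    return (unsigned int)(pid_tgid >> 32);
}

#ifdef __bpf__ /* kernel-side part, needs the libbpf headers */
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __uint(max_entries, 1024);
    __type(key, __u32);  /* PID (tgid) whose connections are redirected */
    __type(value, __u8); /* presence flag, value is unused */
} proxied_pids SEC(".maps");

SEC("cgroup/connect4")
int redirect_by_pid(struct bpf_sock_addr *ctx)
{
    __u32 pid = pid_of(bpf_get_current_pid_tgid());

    /* Only PIDs that userspace placed in the map are rewritten. */
    if (bpf_map_lookup_elem(&proxied_pids, &pid)) {
        ctx->user_ip4 = TO_BE32(PROXY_IP4);
        ctx->user_port = TO_BE16(PROXY_PORT);
    }
    return 1; /* 1 lets connect() proceed, 0 rejects it with EPERM */
}

char LICENSE[] SEC("license") = "GPL";
#endif
```

Attached at the cgroup v2 root, the hook sees connect() calls from every process on the host, so no dedicated cgroup around the application is required. The proxy's own PID must stay out of the map, otherwise its upstream connections are redirected back to itself.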
