Add udp_connect to ebpf kernel probe?

[akiasmaka]

I noticed that the ebpf module does not probe udp_connect but only udp_sendmsg, to my understanding udp_connect can be used as a way to create a "connection" where it then can be used by udp_send():https://www.nongnu.org/lwip/2_0_x/group__udp__raw.html#gaa4546c43981f043c0ae4514d625cc3fc to create network traffic.
Shouldn't opensnitch capture this traffic? Or am I missing something?

[gustavo-iniguez-goya]

Hi @akiasmaka ,

As far as I can tell, udp_connect is not part of the kernel functions: https://elixir.bootlin.com/linux/latest/A/ident/udp_connect
In contrast to udp_sendmsg: https://elixir.bootlin.com/linux/latest/A/ident/udp_sendmsg , https://elixir.bootlin.com/linux/latest/source/net/ipv4/udp.c

udp_connect is a userspace function: https://github.com/particle-iot/lwip/blob/master/src/core/udp.c

You can list the hookeable functions with bpftrace: bpftrace -l|grep udp_

[akiasmaka]

I see, thanks for the clarification!
I have one more question that I find interesting, for TCP the ebpf probe hooks on tcp_v4_connect
https://elixir.bootlin.com/linux/latest/source/net/ipv4/tcp_ipv4.c#L3068 instead of the https://elixir.bootlin.com/linux/latest/source/net/ipv4/tcp_ipv4.c#L3080 tcp_sendmsg

Why on UDP the probe hooks on https://elixir.bootlin.com/linux/latest/source/net/ipv4/udp.c#L2928 udp_sendmsg
instead of the https://elixir.bootlin.com/linux/latest/source/net/ipv4/udp.c#L2921 ip4_datagram_connect

Is this because UDP will only really generate traffic in the udp_sendmsg function?

[gustavo-iniguez-goya]

The reason to use tcp_*_connect is because OpenSnitch only intercepts new outbound connections. Hooking tcp_sendmsg would cause to intercept all the transmissions of a TCP connection:
Pros:

• It'd allow us to inspect traffic.
• apply rules based on patterns/rules.
• know how many bytes an application is sending (can be accomplished by getting it via netlink, without the overhead of counting every packet)

Cons:

• more complexity.
• more CPU usage.

Is this because UDP will only really generate traffic in the udp_sendmsg function?

I can't answer this question because I don't really know why udp_sendmsg is used instead of ip4_datagram_connect, I didn't add that code :)
Looking at the kernel struct, it seems that ip4_datagram_connect would be the equivalent of tcp_*_connect. But unlike TCP connections, ip4_datagram_connect is called for every transmission.

[akiasmaka]

Thanks for the info!