I have the following BPF program:
#include <uapi/linux/bpf.h>
#include <linux/version.h>
#include "bpf_helpers.h"
#include "bpf_map.h"

/* Sockmap that receives the sockets the sock_ops program inserts; the key is the slot index. */
struct bpf_map_def SEC("maps/sock_ops") sock_ops = {
    .type = BPF_MAP_TYPE_SOCKMAP,
    .key_size = sizeof(int),
    .value_size = sizeof(unsigned int),
    .max_entries = 2,
    .pinning = 0,
    .namespace = "",
};

SEC("cgroup/sock_ops/sock_map_update")
int sock_ops_sock_map_update(struct bpf_sock_ops *ops)
{
    int op;

    op = (int) ops->op;
    /* Insert the socket into slot 0 once the TCP connection is established,
     * whether it was opened actively (connect) or passively (accept). */
    if (op == BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB || op == BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) {
        __u32 idx = 0; /* same width as key_size; __u32 comes from linux/types.h, uint32_t is not available without libc headers */
        bpf_sock_map_update(ops, &sock_ops, &idx, BPF_ANY);
    }
    return 0;
}

char _license[] SEC("license") = "GPL";
u32 _version SEC("version") = LINUX_VERSION_CODE;
All it does is add established TCP sockets to the sock_ops sockmap. I then load the program as a BPF_PROG_TYPE_SOCK_OPS program, attach it to a v2 cgroup, and run a shell inside that cgroup.

However, this seems to break SSL:
$ curl https://www.google.com/
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443
HTTP works as expected:
$ curl http://www.google.com/
<!doctype html><html...
Why is this?

$ uname -a
Linux ubuntu-bionic 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
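The attach-and-probe procedure described in the question, as an added reproduction script (not the asker's own commands). It assumes the program has already been loaded by the asker's loader and pinned at /sys/fs/bpf/sock_ops_prog, that bpftool supports `cgroup attach ... sock_ops`, and that cgroup v2 is mounted at /sys/fs/cgroup; the cgroup directory name and pin path are placeholders.

```shell
#!/bin/sh
# Reproduction harness for the sockmap/SSL report (added example; assumptions are
# labelled in the lead-in). Runs both curl probes inside a fresh cgroup v2 that has
# the pinned sock_ops program attached, classifies the results, and cleans up.
set -eu

CG=/sys/fs/cgroup/sockmap-test     # placeholder: cgroup v2 directory created for the test
PIN=/sys/fs/bpf/sock_ops_prog      # placeholder: where the asker's loader pinned the program

# Map curl's exit status to a short verdict. Exit status 35 is what the question
# reports for the HTTPS probe; 0 means the transfer completed.
classify_curl_exit() {
    case "$1" in
        0)  echo ok ;;
        35) echo tls-connect-failed ;;
        *)  echo "curl-error-$1" ;;
    esac
}

# Run one curl from inside the test cgroup and print "<url> <verdict>".
# The child shell moves itself into the cgroup, then execs curl so that curl's
# socket is created while the sock_ops program is attached.
probe() {
    url=$1
    rc=0
    sh -c "echo \$\$ > '$CG/cgroup.procs'; exec curl -sS -o /dev/null --max-time 10 '$url'" || rc=$?
    echo "$url $(classify_curl_exit "$rc")"
}

cleanup() {
    bpftool cgroup detach "$CG" sock_ops pinned "$PIN" 2>/dev/null || true
    rmdir "$CG" 2>/dev/null || true
}

main() {
    trap cleanup EXIT
    mkdir -p "$CG"
    bpftool cgroup attach "$CG" sock_ops pinned "$PIN"
    probe http://www.google.com/     # expected from the question: ok
    probe https://www.google.com/    # expected from the question: tls-connect-failed
    bpftool map dump name sock_ops   # shows which sockets the program inserted
}

# Only perform the privileged steps when invoked as "sh reproduce.sh run".
case "${1:-}" in run) main ;; esac
```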