in bpf/accesslog/syscalls/connect_conntrack.c [85:133]
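// nf_conn_aware fills in the remote address of the connect() that is pending
// on the current thread from a conntrack entry.
//
// The entry is used only when all of the following hold:
//   - conecting_args has an entry for the current pid_tgid,
//   - that entry has no remote address yet (has_remote == 0),
//   - ct->status has IPS_CONFIRMED set and at least one IPS_NAT_MASK bit set,
//   - the reply-direction tuple converts via nf_conntrack_tuple_to_conntrack_tuple().
// In that case the source address/port of the reply tuple is stored as the remote.
//
// ctx: probe register context; not used in this function body.
// ct:  conntrack entry pointer taken from the probed kernel function. It is
//      never dereferenced directly, only read through bpf_probe_read().
//
// Always returns 0, whether or not the remote address was recorded.
//
// NOTE(review): the conntrack entry is attributed to a connect() purely by the
// pid_tgid of the task the probe fires in. Confirm the hook always runs in the
// context of the thread that issued the connect(); otherwise the access log
// could record another flow's address for this connection.
static __always_inline int nf_conn_aware(struct pt_regs* ctx, struct nf_conn *ct) {
    if (ct == NULL) {
        return 0;
    }

    // The pending connect() arguments are keyed by the current pid_tgid.
    __u64 id = bpf_get_current_pid_tgid();
    struct connect_args_t *connect_args = bpf_map_lookup_elem(&conecting_args, &id);
    if (!connect_args) {
        return 0;
    }

    // already contains the remote address
    // (The former "&(connect_args->remote) != NULL" operand was dropped: the
    // address of a member of a non-NULL struct is never NULL, so it was always
    // true and has_remote alone decides.)
    if (connect_args->has_remote) {
        return 0;
    }

    // ct is a kernel pointer handed over by the probe; copy fields out with
    // bpf_probe_read() so a bad pointer yields an error instead of a fault.
    __u32 status;
    if (bpf_probe_read(&status, sizeof(status), &(ct->status)) != 0) {
        return 0; // Invalid ct pointer
    }
    // Skip entries that are not confirmed yet.
    if (!(status & IPS_CONFIRMED)) {
        return 0;
    }
    // Skip entries without any NAT bit set; presumably the address captured at
    // connect() time is already the real peer in that case - TODO confirm.
    if (!(status & IPS_NAT_MASK)) {
        return 0;
    }

    // Copy both direction tuples in one read, then pick the reply direction.
    struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
    if (bpf_probe_read(&tuplehash, sizeof(tuplehash), &(ct->tuplehash)) != 0) {
        return 0; // Invalid ct pointer
    }
    struct nf_conntrack_tuple reply = tuplehash[IP_CT_DIR_REPLY].tuple;

    conntrack_tuple_t reply_conn = {};
    if (!nf_conntrack_tuple_to_conntrack_tuple(connect_args, &reply_conn, &reply)) {
        return 0;
    }

    // The source side of the reply tuple is recorded as the remote endpoint.
    struct connect_track_remote remote = {};
    remote.iph = reply_conn.saddr_h;
    remote.ipl = reply_conn.saddr_l;
    remote.port = reply_conn.sport;
    connect_args->remote = remote;
    connect_args->has_remote = 1;

    // connect_args points at the value returned by the lookup above, so the two
    // stores have presumably already landed in the map; the explicit update is
    // kept as in the original and its return value is not checked.
    bpf_map_update_elem(&conecting_args, &id, connect_args, 0);
    return 0;
}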