in ebpf/redirect.bpf.c [49:103]
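/**
 * @brief Record an audit entry for the socket operation described by ctx.
 *
 * Collects the calling process id, its logon id and admin status, and the
 * IPv4 destination of the operation, then stores that record either in the
 * connection's redirect context (when no source port has been assigned yet)
 * or in audit_map keyed by (protocol, source port).
 *
 * Lookup failures are only logged: the entry is still written with
 * logon_id == 0 or a negative is_admin, so consumers of the audit data must
 * treat those values as "unknown" rather than as "not an admin".
 *
 * @param[in] ctx Socket address context of the current operation.
 * @return 1 if the process is on the skip list and nothing was recorded,
 *         0 otherwise (also when the map/context update failed; that failure
 *         is only reported through bpf_printk).
 */
inline __attribute__((always_inline)) int
update_audit_map_entry(bpf_sock_addr_t *ctx)
{
    uint64_t pid_tgid = bpf_get_current_pid_tgid();
    uint32_t pid = (uint32_t)(pid_tgid >> 32); // upper 32 bits hold the process id.
    if (check_skip_process_map_entry(pid) == 1)
    {
        return 1;
    }

    sock_addr_audit_entry_t entry = {0};
    entry.process_id = pid;
    entry.logon_id = bpf_get_current_logon_id(ctx);
    if (entry.logon_id == 0)
    {
        bpf_printk("Failed to get logon id.");
    }
    entry.is_admin = bpf_is_current_admin(ctx);
    if (entry.is_admin < 0)
    {
        // A negative value is an error code; print it as signed so it is readable.
        bpf_printk("Failed to get admin status %d.", entry.is_admin);
    }
    entry.destination_ipv4 = ctx->user_ip4; // we only support ipv4 so far.
    entry.destination_port = ctx->user_port;

    uint16_t source_port = ctx->msg_src_port;
    if (source_port == 0)
    {
        // Without a source port the entry cannot be keyed in audit_map, so it
        // is attached to the redirect context of this connection instead.
        int32_t result = bpf_sock_addr_set_redirect_context(ctx, &entry, sizeof(entry));
        if (result != 0)
        {
            bpf_printk("Failed to add audit entry to redirect context with result %d.", result);
        }
        else
        {
            bpf_printk("Added audit entry to redirect context.");
        }
    }
    else
    {
        sock_addr_audit_key_t key = {0};
        key.protocol = ctx->protocol;
        key.source_port = source_port;
        // Flags 0 (BPF_ANY): insert, or overwrite an existing entry for this key.
        // The helper returns a negative error code on failure, hence the signed type.
        int64_t ret = bpf_map_update_elem(&audit_map, &key, &entry, 0);
        if (ret != 0)
        {
            bpf_printk("Failed to update audit map with results: %lld.", ret);
        }
        else
        {
            bpf_printk("Added audit entry with source port: %u", source_port);
        }
    }
    return 0;
}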