Why does adding an established TCP socket to a BPF_MAP_TYPE_SOCKMAP map break SSL?

Question

I have the following BPF program:

#include <uapi/linux/bpf.h>
#include <linux/version.h>

#include "bpf_helpers.h"
#include "bpf_map.h"

struct bpf_map_def SEC("maps/sock_ops") sock_ops = {
    .type = BPF_MAP_TYPE_SOCKMAP,
    .key_size = sizeof(int),
    .value_size = sizeof(unsigned int),
    .max_entries = 2,
    .pinning = 0,
    .namespace = "",
};

SEC("cgroup/sock_ops/sock_map_update")
int sock_ops_sock_map_update(struct bpf_sock_ops *ops)
{
    int op;
    op = (int) ops->op;

    if (op == BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB || op == BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) {
        uint32_t idx = 0;
        bpf_sock_map_update(ops, &sock_ops, &idx, BPF_ANY);
    }

    return 0;
}

char _license[] SEC("license") = "GPL";
u32 _version SEC("version") = LINUX_VERSION_CODE;

All it does is adds established TCP sockets to the sock_ops sockmap. I then load this program as a BPF_PROG_TYPE_SOCK_OPS program, attach it to a v2 cgroup and run a shell in that cgroup.

However, this seems to break SSL:

$ curl https://www.google.com/
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443

HTTP works as expected:

$ curl http://www.google.com/
<!doctype html><html...

Why is this?

uname -a: Linux ubuntu-bionic 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Have you figured out this problem? – hexchain Mar 31 '20 at 11:18 — hexchain, Mar 31 '20 at 11:18

Why does adding an established TCP socket to a BPF_MAP_TYPE_SOCKMAP map break SSL?

0 Answers0