Fix ICMP/ICMPv6 send hooks: inline IP extraction and improve size accounting

In __icmp_send and icmp6_send, process_icmp4()/process_icmp6() were called
to populate IPs, but the skb transport_header in those hooks points to the
triggering TCP/UDP layer, not an ICMP header. Replace those calls with
direct inline IP extraction from the network header, eliminating the
garbage type/code reads that were immediately overwritten.

Also fix two size accounting bugs:
- __icmp_send: validate ihl >= 5 before computing ihl_bytes; a zero return
  from BPF_CORE_READ_BITFIELD_PROBED was silently producing a wrong msglen
- icmp6_send: replace the hardcoded 56-byte constant with a proper RFC 4443
  section 2.4 computation capping the included original packet at 1232 bytes
  (1280 min MTU - 40 outer IPv6 - 8 ICMPv6 header)

Disable raw_sendmsg and rawv6_sendmsg kprobes (#if 0 / commented out) as
they are not ready for production use.

Author: dkorunic

bpf/kprobe.bpf.c

@@ -248,15 +248,30 @@ int BPF_KPROBE(__icmp_send, struct sk_buff *skb, __u8 type, __u8 code,
 
   key.cgroupid = get_current_cgroup_id();
 
-  /* process_icmp4 populates src/dst IPs from the triggering packet's IP
-   * header; its returned msglen (triggering payload) is not used here. */
-  process_icmp4(skb, &key, pid);
+  /* Extract src/dst IPs directly from the triggering packet's IP header.
+   * process_icmp4() cannot be used here: the skb's transport_header points to
+   * the triggering transport layer (TCP/UDP), not an ICMP header, so calling
+   * it would read garbage type/code that we would then have to overwrite. */
+  struct iphdr *iphdr = (struct iphdr *)(BPF_CORE_READ(skb, head) +
+                                         BPF_CORE_READ(skb, network_header));
+
+  __be32 ip4_src = BPF_CORE_READ(iphdr, saddr);
+  __builtin_memcpy(key.srcip.s6_addr, ip4in6, sizeof(ip4in6));
+  __builtin_memcpy(key.srcip.s6_addr + sizeof(ip4in6), &ip4_src,
+                   sizeof(ip4_src));
+
+  __be32 ip4_dst = BPF_CORE_READ(iphdr, daddr);
+  __builtin_memcpy(key.dstip.s6_addr, ip4in6, sizeof(ip4in6));
+  __builtin_memcpy(key.dstip.s6_addr + sizeof(ip4in6), &ip4_dst,
+                   sizeof(ip4_dst));
+
+  key.proto = IPPROTO_ICMP;
+  key.pid = pid;
 
   /* __icmp_send is called with the triggering packet's skb, so src/dst IPs
    * come from the original packet (src=sender, dst=us). Swap them to reflect
    * the actual ICMP error direction (src=us, dst=original sender).
-   * The transport_header also points to the triggering transport layer, not
-   * an ICMP header, so use the kprobe arguments directly for type/code. */
+   * Use kprobe arguments directly for type/code. */
   struct in6_addr tmp_ip = key.srcip;
   key.srcip = key.dstip;
   key.dstip = tmp_ip;
@@ -265,13 +280,13 @@ int BPF_KPROBE(__icmp_send, struct sk_buff *skb, __u8 type, __u8 code,
 
   /* Compute the actual ICMP error response size per RFC 792 / RFC 1812:
    * 8-byte ICMP header + original IP header + first 8 bytes of original data.
-   * Using the triggering packet's tot_len (as process_icmp4 did) over-counts
-   * by including the full original payload instead of just the 8-byte excerpt.
-   */
-  struct iphdr *iphdr = (struct iphdr *)(BPF_CORE_READ(skb, head) +
-                                         BPF_CORE_READ(skb, network_header));
+   * Validate ihl >= 5 (minimum 20-byte header) before using it. */
   __u16 tot_len = bpf_ntohs(BPF_CORE_READ(iphdr, tot_len));
-  __u16 ihl_bytes = (__u16)(BPF_CORE_READ_BITFIELD_PROBED(iphdr, ihl) * 4);
+  __u16 ihl_raw = (__u16)BPF_CORE_READ_BITFIELD_PROBED(iphdr, ihl);
+  if (ihl_raw < 5) {
+    return 0;
+  }
+  __u16 ihl_bytes = ihl_raw * 4;
   __u16 payload = (ihl_bytes <= tot_len) ? (tot_len - ihl_bytes) : 0;
   size_t msglen =
       sizeof(struct icmphdr) + ihl_bytes + (payload > 8 ? 8 : payload);
@@ -310,26 +325,40 @@ int BPF_KPROBE(icmp6_send, struct sk_buff *skb, __u8 type, __u8 code,
 
   key.cgroupid = get_current_cgroup_id();
 
-  /* process_icmp6 populates src/dst IPs from the triggering packet's IPv6
-   * header; its returned msglen (triggering payload_len) is not used here. */
-  process_icmp6(skb, &key, pid);
+  /* Extract src/dst IPs directly from the triggering packet's IPv6 header.
+   * process_icmp6() cannot be used here: the skb's transport_header points to
+   * the triggering transport layer (TCP/UDP), not an ICMPv6 header, so calling
+   * it would read garbage type/code that we would then have to overwrite. */
+  struct ipv6hdr *iphdr =
+      (struct ipv6hdr *)(BPF_CORE_READ(skb, head) +
+                         BPF_CORE_READ(skb, network_header));
+
+  BPF_CORE_READ_INTO(&key.srcip, iphdr, saddr);
+  BPF_CORE_READ_INTO(&key.dstip, iphdr, daddr);
+
+  key.proto = IPPROTO_ICMPV6;
+  key.pid = pid;
 
   /* icmp6_send is called with the triggering packet's skb, so src/dst IPs
    * come from the original packet (src=sender, dst=us). Swap them to reflect
    * the actual ICMPv6 error direction (src=us, dst=original sender).
-   * The transport_header also points to the triggering transport layer, not
-   * an ICMPv6 header, so use the kprobe arguments directly for type/code. */
+   * Use kprobe arguments directly for type/code. */
   struct in6_addr tmp_ip = key.srcip;
   key.srcip = key.dstip;
   key.dstip = tmp_ip;
   key.src_port = type;
   key.dst_port = code;
 
-  /* Compute the actual ICMPv6 error response size per RFC 4443:
-   * 8-byte ICMPv6 header + fixed 40-byte IPv6 header + first 8 bytes of
-   * original data. The triggering payload_len (as process_icmp6 returned)
-   * over-counts by including the full original payload. */
-  size_t msglen = sizeof(struct icmp6hdr) + sizeof(struct ipv6hdr) + 8;
+  /* Compute the ICMPv6 error response size per RFC 4443 section 2.4:
+   * 8-byte ICMPv6 header + as much of the original IPv6 packet as fits within
+   * the minimum IPv6 MTU (1280 bytes). Max includable body:
+   * 1280 - 40 (outer IPv6 header) - 8 (ICMPv6 header) = 1232 bytes. */
+  __u16 payload_len = bpf_ntohs(BPF_CORE_READ(iphdr, payload_len));
+  __u32 orig_len = (__u32)sizeof(struct ipv6hdr) + payload_len;
+  __u32 max_body =
+      1280U - (__u32)sizeof(struct ipv6hdr) - (__u32)sizeof(struct icmp6hdr);
+  __u32 body = orig_len < max_body ? orig_len : max_body;
+  size_t msglen = sizeof(struct icmp6hdr) + body;
 
   update_val(&key, msglen);
 
@@ -400,6 +429,7 @@ int BPF_KPROBE(icmpv6_rcv, struct sk_buff *skb) {
   return 0;
 }
 
+#if 0
 /**
  * Hook function for kprobe on raw_sendmsg function.
  *
@@ -428,7 +458,9 @@ int BPF_KPROBE(raw_sendmsg, struct sock *sk, struct msghdr *msg, size_t len) {
 
   return 0;
 }
+#endif
 
+#if 0
 /**
  * Hook function for kprobe on rawv6_sendmsg function.
  *
@@ -457,5 +489,6 @@ int BPF_KPROBE(rawv6_sendmsg, struct sock *sk, struct msghdr *msg, size_t len) {
 
   return 0;
 }
+#endif
 
 char __license[] SEC("license") = "Dual MIT/GPL";

kprobe_arm64_bpfel.go

@@ -169,8 +169,8 @@ func main() {
 			{kprobe: "icmp6_send", prog: objsKprobe.Icmp6Send},
 			{kprobe: "icmp_rcv", prog: objsKprobe.IcmpRcv},
 			{kprobe: "icmpv6_rcv", prog: objsKprobe.Icmpv6Rcv},
-			{kprobe: "raw_sendmsg", prog: objsKprobe.RawSendmsg},
-			{kprobe: "rawv6_sendmsg", prog: objsKprobe.Rawv6Sendmsg},
+			//{kprobe: "raw_sendmsg", prog: objsKprobe.RawSendmsg},
+			//{kprobe: "rawv6_sendmsg", prog: objsKprobe.Rawv6Sendmsg},
 		}
 
 		cGroupCacheInit()