Allow to intercept more kernel connections by gustavo-iniguez-goya · Pull Request #513 · evilsocket/opensnitch
Tested on aarch64, kernel 5.8:
- ✅ NFS and CIFS (smb) interception works.
- ❌ VPN WireGuard interception works, but source and destination ports are always 0. If instead of reading them from the UDP header we read them from the sock struct, the source port is not 0 but the destination port is still 0:

  ```c
  /* Fall back to the ports stored in the sock struct when the UDP header gave 0. */
  if (udp_key.sport == 0) {
      bpf_probe_read(&udp_key.sport, sizeof(udp_key.sport), &sk->__sk_common.skc_num);
  }
  if (udp_key.dport == 0) {
      bpf_probe_read(&udp_key.dport, sizeof(udp_key.dport), &sk->__sk_common.skc_dport);
  }
  ```

  However, tracing these connections with bpftrace reports both ports just fine.