
Add support for cgroup/connect_authorization4 and cgroup/connect_authorization6#4750

Open
Alan-Jowett wants to merge 16 commits into microsoft:main from Alan-Jowett:auth_connect_attach_point

Conversation


@Alan-Jowett Alan-Jowett commented Oct 21, 2025

Description

Resolves: #4751

This pull request introduces support for new eBPF attach types for socket authorization on Windows, specifically BPF_CGROUP_INET4_CONNECT_AUTHORIZATION and BPF_CGROUP_INET6_CONNECT_AUTHORIZATION. These attach types allow eBPF programs to make authorization decisions after route selection, enabling policies based on network interface, tunnel type, and route-dependent metadata.

The design is documented in docs/ConnectAuthorizationAttachTypes.md.

New Attach Types and Program Invocation Logic

  • Added BPF_CGROUP_INET4_CONNECT_AUTHORIZATION and BPF_CGROUP_INET6_CONNECT_AUTHORIZATION attach types in ebpf_structs.h with GUIDs in ebpf_program_attach_type_guids.h.
  • Section names: cgroup/connect_authorization4 and cgroup/connect_authorization6.
  • WFP layer mapping: FWPM_LAYER_ALE_AUTH_CONNECT_V4 / FWPM_LAYER_ALE_AUTH_CONNECT_V6.
  • Updated internal arrays and filter parameter mappings in net_ebpf_ext_sock_addr.c to register and handle the new attach types.
  • Extended section info in net_ebpf_ext_program_info.h for the new program sections.

Filtered Program Invocation

  • Refactored program invocation logic to support filtered invocation via net_ebpf_extension_hook_invoke_filtered_programs and net_ebpf_extension_hook_expand_stack_and_invoke_filtered_programs.
  • Each hook client tracks its attach type for correct filtering.

Additional Helper Function

  • Added bpf_sock_addr_get_network_context() helper returning bpf_sock_addr_network_context_t with fields: version, interface_type, tunnel_type, next_hop_interface_luid, sub_interface_index.
  • Available for CONNECT_AUTHORIZATION and RECV_ACCEPT attach types (next_hop_interface_luid only for CONNECT_AUTHORIZATION).

Read-Only Context Enforcement

  • CONNECT_AUTHORIZATION context is read-only; modifications override the verdict to REJECT.

Reauthorization Support

  • CONNECT_AUTHORIZATION programs are invoked during WFP reauthorization cycles.

Generalization and Backward Compatibility

  • Generalized functions to recognize all CONNECT and CONNECT_AUTHORIZATION attach types, maintaining backward compatibility.

Testing

New sample programs (cgroup_connect_authorization4.c, cgroup_connect_authorization6.c) and unit tests covering authorization, reauth, context modification rejection, and combined CONNECT + CONNECT_AUTHORIZATION scenarios.

Documentation

Design doc published separately in PR #4767: docs/ConnectAuthorizationAttachTypes.md.

Installation

No installer impact.

Comment thread include/ebpf_structs.h Outdated

Note:
There is still an issue in this PR. The code maintains a list of programs attached to the filter context and invokes all of them for both connect and auth_connect callouts, which is wrong.

@Alan-Jowett Alan-Jowett force-pushed the auth_connect_attach_point branch from 933f0d4 to 393b85f Compare October 22, 2025 20:01
@Alan-Jowett Alan-Jowett force-pushed the auth_connect_attach_point branch 4 times, most recently from 56205cd to 091f978 Compare April 9, 2026 15:43
@Alan-Jowett Alan-Jowett force-pushed the auth_connect_attach_point branch from 6b56d2d to ce4e632 Compare April 13, 2026 17:45
@Alan-Jowett Alan-Jowett force-pushed the auth_connect_attach_point branch from ce4e632 to 8fb23ef Compare April 14, 2026 15:12
@Alan-Jowett Alan-Jowett force-pushed the auth_connect_attach_point branch from 6cfe735 to 89cd487 Compare April 14, 2026 20:38
Alan Jowett and others added 14 commits April 14, 2026 13:45
…types

Add new BPF_CGROUP_INET4_AUTH_CONNECT and BPF_CGROUP_INET6_AUTH_CONNECT
attach points for authorization of outbound connections:
- Add new hook types and program types in ebpf_nethooks.h
- Add attach type GUIDs in ebpf_program_attach_type_guids.h
- Add network extension support in netebpfext
- Add tests and bpf2c expected outputs
Replace 4 individual helper functions with single struct-based
bpf_sock_addr_get_network_context() helper as specified in
ConnectAuthorizationAttachTypes.md.

Enforce read-only context at CONNECT_AUTHORIZATION layer: if a program
modifies context fields (redirect), the connection is blocked.

Run AUTH_CONNECT programs for all non-REJECT verdicts (not just
PROCEED_SOFT), allowing auth programs to evaluate connections that
received PROCEED_HARD from the redirect layer.

Remove the FWP_CONDITION_FLAG_IS_REAUTHORIZE early-return that
auto-permitted reauth events, so programs are invoked for reauthorization.

Fix verdict reading in authorize_connection_classify to use accumulated
verdict from process_verdict callback instead of raw program return.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

The cgroup_sock_addr expected output files were stale — the branch's
bpf2c generates different formatting for struct initializers since
merging main. Regenerated the 3 affected files (dll, raw, sys).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…addr_t

Clarify in struct member comments that interface_type, tunnel_type,
next_hop_interface_luid, and sub_interface_index are set to their
respective MAX values when the field is not available for the current
attach type.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Remove period from middle of sentence in the comment above enum
bpf_link_type as suggested by dthaler.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…horization

Rename variables, comments, test case names, and trace strings to use
the full CONNECT_AUTHORIZATION naming instead of abbreviated
AUTH_CONNECT/auth_connect per style guidelines.

WFP API names (FWPM_LAYER_ALE_AUTH_CONNECT_V4, etc.) are unchanged
as those are external API constants.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copy min(context_size, sizeof(net_ctx)) instead of rejecting callers
with a smaller struct. This allows programs compiled against an older
version of the struct to still receive the fields they know about
when the extension adds new fields in future versions.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Return -1 if the helper is called from CONNECT_REDIRECT or any
attach type other than CONNECT_AUTHORIZATION or RECV_ACCEPT, where
the network layer metadata is not available.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Replace auth/auth-connect with authorization/connect-authorization
in comments per style guidelines (no abbreviations).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Replace conditional 'if (result == 0)' with SAFE_REQUIRE(result == 0)
to ensure the test fails if the network context map lookup fails
instead of silently skipping validation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Add /*filter_function*/ comment for NULL parameter
- Use conditional operator for simple field assignments
- Add tracelog when CONNECT_AUTHORIZATION program attempts redirect

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

The _Out_writes_ SAL annotation on context_ptr requires the buffer
to be initialized on all paths. Zero the output buffer upfront to
satisfy the code analyzer on early-return error paths.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Replace hardcoded UINT32_MAX/UINT64_MAX sentinel values for
sub_interface_index and next_hop_interface_luid with the SDK-defined
NET_IFINDEX_UNSPECIFIED (0) and NET_IFLUID_UNSPECIFIED (0) from
shared/ifdef.h.

Replace magic numbers in socket_tests.cpp interface type validation
with IF_TYPE_ETHERNET_CSMACD, IF_TYPE_SOFTWARE_LOOPBACK,
IF_TYPE_IEEE80211, and IF_TYPE_TUNNEL from ipifcons.h.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Run generate_expected_bpf2c_output.ps1 to update all expected output
files after the connect_authorization helper changes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Alan-Jowett Alan-Jowett force-pushed the auth_connect_attach_point branch from 89cd487 to 7ea0365 Compare April 14, 2026 20:45
Alan-Jowett and others added 2 commits April 15, 2026 13:14
The test was using in6addr_loopback.u.Word[] (uint16_t[8]) to compute the
IPv6 connection ID, but the eBPF program uses ctx->user_ip6[] (uint32_t[4]).
This caused the map lookup to fail with ENOENT because the keys didn't match.

Fix by casting the IPv6 address to uint32_t* to match the eBPF program's
indexing granularity.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Replace (uint32_t)-1 sentinel values with proper SDK constants:
- interface_type: use 0 (unspecified) instead of UINT32_MAX
- tunnel_type: use TUNNEL_TYPE_NONE instead of (uint32_t)-1
- next_hop_interface_luid: use NET_IFLUID_UNSPECIFIED in test mock
- sub_interface_index: use NET_IFINDEX_UNSPECIFIED in test mock

Replace magic number 100 in tunnel_type range check with explicit
enumeration of valid IANA tunnel type constants.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
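A host-side C model of two behaviours described in the PR description and in the commit messages above: the forward-compatible copy in the network-context helper (zeroed output, -1 outside CONNECT_AUTHORIZATION/RECV_ACCEPT, copy of min(context_size, sizeof)) and the read-only context enforcement that overrides a modifying program's verdict to REJECT. This is an added example, not ebpf-for-windows code; the enum names, the helper signature, the struct layouts and the sample values are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Attach types and verdicts as plain enums (assumed names, host-side model). */
typedef enum { ATTACH_CONNECT_REDIRECT, ATTACH_CONNECT_AUTHORIZATION, ATTACH_RECV_ACCEPT } attach_type_t;
typedef enum { VERDICT_REJECT = 0, VERDICT_PROCEED = 1 } verdict_t;
/* Fields named in the PR description; layout and types are assumed. */
typedef struct {
    uint32_t version, interface_type, tunnel_type;
    uint64_t next_hop_interface_luid;
    uint32_t sub_interface_index;
} network_context_t;
/* Model of the helper: zero the output first so early-error paths leave a defined buffer,
 * return -1 outside CONNECT_AUTHORIZATION / RECV_ACCEPT, and copy min(out_size, sizeof)
 * so a caller built against an older, smaller struct still receives the fields it knows. */
int get_network_context(attach_type_t attach, const network_context_t* route,
                        void* out, size_t out_size) {
    memset(out, 0, out_size);
    if (attach != ATTACH_CONNECT_AUTHORIZATION && attach != ATTACH_RECV_ACCEPT)
        return -1;
    network_context_t tmp = *route;
    if (attach == ATTACH_RECV_ACCEPT)
        tmp.next_hop_interface_luid = 0; /* only available at CONNECT_AUTHORIZATION */
    memcpy(out, &tmp, out_size < sizeof tmp ? out_size : sizeof tmp);
    return 0;
}
/* Read-only enforcement: snapshot the socket context, run the program, and
 * override the verdict to REJECT if the program changed any field. */
typedef struct { uint32_t user_ip4; uint16_t user_port; } sock_addr_t; /* simplified */
typedef verdict_t (*program_fn)(sock_addr_t*);
verdict_t authorize(sock_addr_t* ctx, program_fn prog) {
    sock_addr_t before;
    memcpy(&before, ctx, sizeof before);
    verdict_t v = prog(ctx);
    if (memcmp(&before, ctx, sizeof before) == 0)
        return v;
    memcpy(ctx, &before, sizeof before); /* discard the attempted modification */
    return VERDICT_REJECT;
}
/* Constructed scenarios: a read-only program, a program that tries to rewrite the
 * destination, and a caller built against an older two-field version of the struct. */
verdict_t prog_allow(sock_addr_t* c) { return c->user_port == 443 ? VERDICT_PROCEED : VERDICT_REJECT; }
verdict_t prog_redirect(sock_addr_t* c) { c->user_ip4 = 0x0100007Fu; return VERDICT_PROCEED; }
verdict_t verdict_for(program_fn prog) { sock_addr_t ctx = {0x08080808u, 443}; return authorize(&ctx, prog); }
typedef struct { uint32_t version, interface_type; } old_network_context_t;
static const network_context_t sample_route = {2, 6, 0, 0x1122334455667788ULL, 7}; /* constructed */
int old_caller_sees_known_fields(void) {
    old_network_context_t old;
    return get_network_context(ATTACH_CONNECT_AUTHORIZATION, &sample_route, &old, sizeof old) == 0
        && old.version == 2 && old.interface_type == 6;
}
int redirect_layer_result(void) { network_context_t c; return get_network_context(ATTACH_CONNECT_REDIRECT, &sample_route, &c, sizeof c); }
```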

@dthaler dthaler left a comment


Looks good now, thanks!


Successfully merging this pull request may close these issues.

Need a new attach point for bpf_sock_addr, that provides interface type, tunnel type, and other route metadata to the program.
