Permission Denied: classifier_egress not load

Question

Permission Denied: classifier_egress not load

brielino opened this issue a year ago · comments

I can't get TripleCross working on my virtual machine, after running the command sudo tc filter add dev enp0s3 egress bpf direct-action obj bin/tc.o sec classifier/egress after running the command sudo tc qdisc add dev enp0s3 clsact
This is the error
'libbpf: load bpf program failed: Permission denied
libbpf: -- BEGIN DUMP LOG ---
libbpf:
; int classifier_egress(struct __sk_buff *skb){
0: (bf) r6 = r1
; void *data_end = (void *)(__u64)skb->data_end;
1: (61) r5 = *(u32 *)(r6 +80)
; void *data = (void *)(__u64)skb->data;
2: (61) r7 = *(u32 *)(r6 +76)
; if ((void *)eth + sizeof(struct ethhdr) > data_end){
3: (bf) r8 = r7
4: (07) r8 += 14
; if ((void *)eth + sizeof(struct ethhdr) > data_end){
5: (3d) if r5 >= r8 goto pc+8'
.
.
.
'R2 pointer arithmetic with <<= operator prohibited
processed 628 insns (limit 1000000) max_states_per_insn 4 total_states 30 peak_states 26 mark_read 7

libbpf: -- END LOG --
libbpf: failed to load program 'classifier_egress'
libbpf: failed to load object 'bin/tc.o'
Unable to load program'

This is the system
'No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy'
5.15.0-58-generic

Thanks to anyone who replies

brielino · Answer 1 · Fri Feb 10 2023 19:45:08 GMT+0800 (China Standard Time)

brielino commented a year ago

Marcos Bajo · Answer 2 · Fri Feb 10 2023 20:28:38 GMT+0800 (China Standard Time)

Hello again,

The error you are getting means that the eBPF verifier is rejecting the TC program because of not passing the checks it performs before being getting it loaded into the kernel. Specifically, it seems that it does not like the addition you are doing inside the if for checking the length of the packet.

The verifier is picky and in my experience what is ok for one machine it does not pass for others. I myself just ran this program in Ubuntu 21.04 successfully tho, but you will have to modify the code for running it under 22.04. Also, you will probably get more verifier errors for other parts of the program, not only TC, so I encourage you to try and port it yourself to 22.04.

Let me give you some context about what you are doing there and what you may try to solve it:

Any TC program needs to check the format of the packet before performing any operation over it (e.g. reading, writing). First, I am checking the length of the packet (defined by data and data_end pointer), and whether it contains an ethernet frame. This is a necessary step, and it will not work if you remove it.
Once you have check the boundaries of ethernet header, you have to check the boundaries of each network layer header in order (ip, tcp). After that, you can safely access the packet.

Some things you may try:

Perform the if clause in some other way. Instead of
if((void*)eth + sizeof(struct ethhdr) > data_end)
try separating it:
void* eth_end = (void*)eth + sizeof(struct ethhdr); if((void*)eth_end > data_end)
Try using sizeof(eth) instead of sizeof(struct ethhdr)

In general, try any variation of what I've done, sometimes it is something small and silly, others not. As a general rule of thumb for your task, be cautious about operations with pointers, loops and accessing the parameters of eBPF functions. Comment the rest of the code and ensure that each piece of the eBPF program can be loaded by itself. It may happen that the eBPF verifier is giving you that error at line 32, but it is because later in the program you are operating with eth and it does not like it. So my advice for porting this is that you start from a TC program from scratch and then one by one start writing the functionality I have in my program.

Marcos Bajo · Answer 3 · Fri Feb 10 2023 20:35:37 GMT+0800 (China Standard Time)

You can also just use Ubuntu 21.04 which is what I used when I developed this, but if you want it for the latest Ubuntu version (and I assume you do given what you told me by email) then this is a task you'll have to do.

Also, if you are going to do this, check out the following comment by me in another thread where I mention other problems you will encounter (seems that you got eBPF working tho, so ignore the first one)
#41 (comment)

brielino · Answer 4 · Fri Feb 10 2023 20:36:17 GMT+0800 (China Standard Time)

Thanks a lot! Then if i will try in Ubuntu 21.04 that will work?

Marcos Bajo · Answer 5 · Fri Feb 10 2023 20:36:42 GMT+0800 (China Standard Time)

Yes it will

Marcos Bajo · Answer 6 · Fri Feb 10 2023 20:40:26 GMT+0800 (China Standard Time)

I am closing the issue since we clarified what is going on already. If you have any problems when using 21.04 or you end up porting it to 22.04 and want some advice, you can open another one.

brielino · Answer 7 · Fri Feb 10 2023 23:11:25 GMT+0800 (China Standard Time)

Hi Marcos, Ubuntu 21.04 is not supported How can try TripleCross? -- Inviato da Libero Mail

Marcos Bajo · Answer 8 · Sat Feb 11 2023 00:37:43 GMT+0800 (China Standard Time)

What do you mean? It is definitely supported, you can check the requirements here. If you are having any problem please open an issue

brielino · Answer 9 · Sat Feb 11 2023 02:09:18 GMT+0800 (China Standard Time)

I solved! but now it gives me error when I try to run sudo ./bin/kit -t enp0s3
These are the mistakes

Marcos Bajo · Answer 10 · Sun Feb 19 2023 06:46:02 GMT+0800 (China Standard Time)

Hi. I am moving your issue to a new thread since it is unrelated. Please check out #50