Quic packet tracker inspired by TLS tracker

Signed-off-by: Mohamed S. Mahmoud <mmahmoud2201@gmail.com>

Author: msherif1234

.mk/bc.mk

@@ -42,7 +42,8 @@ define MAPS
 	"filter_map":"lpm_trie",
 	"peer_filter_map":"lpm_trie",
 	"ipsec_ingress_map":"hash",
-	"ipsec_egress_map":"hash"
+	"ipsec_egress_map":"hash",
+	"quic_flows":"per_cpu_hash"
 }
 endef
 

bpf/configs.h

@@ -15,4 +15,5 @@ volatile const u8 enable_network_events_monitoring = 0;
 volatile const u8 network_events_monitoring_groupid = 0;
 volatile const u8 enable_pkt_translation_tracking = 0;
 volatile const u8 enable_ipsec = 0;
+volatile const u8 enable_quic_tracking = 0;
 #endif //__CONFIGS_H__

bpf/flows.c

@@ -57,6 +57,11 @@
  */
 #include "ipsec.h"
 
+/*
+ * Defines quic tracker
+ */
+#include "quic_tracker.h"
+
 // return 0 on success, 1 if capacity reached
 static __always_inline int add_observed_intf(flow_metrics *value, pkt_info *pkt, u32 if_index,
                                              u8 direction) {
@@ -179,6 +184,10 @@ static inline int flow_monitor(struct __sk_buff *skb, u8 direction) {
     if (enable_dns_tracking) {
         dns_errno = track_dns_packet(skb, &pkt);
     }
+    if (enable_quic_tracking) {
+        track_quic_packet(skb, &pkt, eth_protocol, direction, len);
+    }
+
     flow_metrics *aggregate_flow = (flow_metrics *)bpf_map_lookup_elem(&aggregated_flows, &id);
     if (aggregate_flow != NULL) {
         update_existing_flow(aggregate_flow, &pkt, len, flow_sampling, skb->ifindex, direction);

bpf/maps_definition.h

@@ -137,4 +137,14 @@ struct {
     __uint(pinning, LIBBPF_PIN_BY_NAME);
 } ipsec_egress_map SEC(".maps");
 
+// QUIC flow tracking map - keyed by flow_id (like other flow maps)
+struct {
+    __uint(type, BPF_MAP_TYPE_PERCPU_HASH);
+    __type(key, flow_id);
+    __type(value, quic_metrics);
+    __uint(max_entries, 1 << 16);
+    __uint(map_flags, BPF_F_NO_PREALLOC);
+    __uint(pinning, LIBBPF_PIN_BY_NAME);
+} quic_flows SEC(".maps");
+
 #endif //__MAPS_DEFINITION_H__

bpf/quic_tracker.h

@@ -0,0 +1,146 @@
+/*
+ * QUIC Flow Tracker - Kernel-observed metrics using QUIC Invariants (RFC 8999)
+ * Works with unmodified QUIC implementations (quiche, etc.)
+ *
+ * UDP Packet with QUIC:
+ * +------------------+------------------+------------------+------------------+
+ * |     Ethernet     |    IP Header     |   UDP Header     |   QUIC Payload   |
+ * |     14 bytes     |   20/40 bytes    |     8 bytes      |                  |
+ * +------------------+------------------+------------------+------------------+
+ *
+ * UDP Header (8 bytes):
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |          Source Port          |       Destination Port        |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |            Length             |           Checksum            |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *
+ * QUIC Long Header (handshake):
+ * +-+-+-+-+-+-+-+-+
+ * |1|1| Type |Res|  First byte: Form=1 (long), Fixed=1, Type (2 bits)
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |                         Version (32)                         |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | DCID Len (8)  |          Destination Connection ID           |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | SCID Len (8)  |            Source Connection ID              |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |                    [Type-Specific Fields...]                 |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *
+ * QUIC Short Header (post-handshake):
+ * +-+-+-+-+-+-+-+-+
+ * |0|1|S|R|R|K|P P|  First byte: Form=0 (short), Fixed=1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |                 Destination Connection ID                    |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |                    [Encrypted Payload...]                    |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#ifndef __QUIC_TRACKER_H__
+#define __QUIC_TRACKER_H__
+
+#include "utils.h"
+#include "maps_definition.h"
+
+#define QUIC_PORT 443
+#define QUIC_LONG_HEADER 0x80
+#define QUIC_FIXED_BIT 0x40
+#define QUIC_MIN_PACKET_SIZE 21
+
+// Parse QUIC header, returns: 0=not QUIC, 1=short header, 2=long header
+// If long header, version is set
+static __always_inline int parse_quic_header(struct __sk_buff *skb, u32 offset, u32 *version) {
+    u8 first_byte;
+    if (bpf_skb_load_bytes(skb, offset, &first_byte, 1) < 0)
+        return 0;
+
+    // QUIC packets must have fixed bit set
+    if (!(first_byte & QUIC_FIXED_BIT))
+        return 0;
+
+    if (first_byte & QUIC_LONG_HEADER) {
+        // Long header: read version (bytes 1-4)
+        u32 ver;
+        if (bpf_skb_load_bytes(skb, offset + 1, &ver, 4) < 0)
+            return 0;
+        *version = bpf_ntohl(ver);
+        return 2; // long header
+    }
+
+    return 1; // short header
+}
+
+static __always_inline int track_quic_packet(struct __sk_buff *skb, pkt_info *pkt, u16 eth_protocol,
+                                             u8 direction, u32 len) {
+    if (pkt->id->transport_protocol != IPPROTO_UDP)
+        return 0;
+
+    // Only track QUIC port
+    if (pkt->id->dst_port != QUIC_PORT && pkt->id->src_port != QUIC_PORT)
+        return 0;
+
+    struct udphdr *udp = (struct udphdr *)pkt->l4_hdr;
+    if (!udp)
+        return 0;
+
+    u16 udp_len = bpf_ntohs(udp->len);
+    if (udp_len < sizeof(struct udphdr) + QUIC_MIN_PACKET_SIZE)
+        return 0;
+
+    u32 quic_offset = (u32)((long)udp - (long)skb->data) + sizeof(struct udphdr);
+
+    // Parse QUIC header
+    u32 version = 0;
+    int hdr_type = parse_quic_header(skb, quic_offset, &version);
+    if (hdr_type == 0)
+        return 0;
+
+    u64 now = pkt->current_ts;
+    flow_id *id = pkt->id;
+
+    // Lookup or create QUIC metrics
+    quic_metrics *flow = bpf_map_lookup_elem(&quic_flows, id);
+    if (flow) {
+        flow->end_mono_time_ts = now;
+        flow->packets++;
+        flow->bytes += len;
+        if (hdr_type == 2) {
+            flow->seen_long_hdr = 1;
+            if (version != 0)
+                flow->version = version;
+        } else {
+            flow->seen_short_hdr = 1;
+        }
+    } else {
+        quic_metrics new_flow = {
+            .start_mono_time_ts = now,
+            .end_mono_time_ts = now,
+            .bytes = len,
+            .packets = 1,
+            .version = version,
+            .eth_protocol = eth_protocol,
+            .seen_long_hdr = (hdr_type == 2) ? 1 : 0,
+            .seen_short_hdr = (hdr_type == 1) ? 1 : 0,
+        };
+        long ret = bpf_map_update_elem(&quic_flows, id, &new_flow, BPF_NOEXIST);
+        if (ret != 0) {
+            if (trace_messages && ret != -EEXIST) {
+                bpf_printk("error adding quic flow %d\n", ret);
+            }
+            if (ret == -EEXIST) {
+                quic_metrics *flow = bpf_map_lookup_elem(&quic_flows, id);
+                if (flow) {
+                    flow->end_mono_time_ts = now;
+                    flow->packets++;
+                    flow->bytes += len;
+                }
+            }
+        }
+    }
+
+    return 0;
+}
+
+#endif /* __QUIC_TRACKER_H__ */

bpf/types.h

@@ -299,4 +299,19 @@ struct filter_value_t {
 // Force emitting enums/structs into the ELF
 const static struct filter_value_t *unused12 __attribute__((unused));
 
+// QUIC flow metrics
+typedef struct quic_metrics_t {
+    u64 start_mono_time_ts;
+    u64 end_mono_time_ts;
+    u64 bytes;
+    u32 packets;
+    u32 version;       // QUIC version (from long header), 0 if unknown
+    u16 eth_protocol;  // ETH_P_IP or ETH_P_IPV6
+    u8 seen_long_hdr;  // Saw handshake packets (long header)
+    u8 seen_short_hdr; // Saw established packets (short header)
+} quic_metrics;
+
+// Force emitting struct into the ELF
+const static struct quic_metrics_t *unused_quic_metrics __attribute__((unused));
+
 #endif /* __TYPES_H__ */

pkg/agent/agent.go

@@ -176,6 +176,7 @@ func FlowsAgent(cfg *config.Agent) (*Flows, error) {
 		UseEbpfManager:                 cfg.EbpfProgramManagerMode,
 		BpfManBpfFSPath:                cfg.BpfManBpfFSPath,
 		EnableIPsecTracker:             cfg.EnableIPsecTracking,
+		EnableQUICTracking:             cfg.EnableQUICTracking,
 		FilterConfig:                   filterRules,
 	}
 

pkg/config/config.go

@@ -279,6 +279,8 @@ type Agent struct {
 	// This setting is only used when the interface name could not be found for a given index and MAC.
 	// E.g. "0a:58=eth0" (used for ovn-kubernetes)
 	PreferredInterfaceForMACPrefix string `env:"PREFERRED_INTERFACE_FOR_MAC_PREFIX"`
+	// EnableQUICTracking enable QUIC tracking eBPF hook to track QUIC flows
+	EnableQUICTracking bool `env:"ENABLE_QUIC_TRACKING" envDefault:"false"`
 
 	/* Deprecated configs are listed below this line
 	 * See manageDeprecatedConfigs function for details

pkg/decode/decode_protobuf.go

@@ -170,6 +170,12 @@ func RecordToMap(fr *model.Record) config.GenericMap {
 		out["NetworkEvents"] = fr.NetworkMonitorEventsMD
 	}
 
+	if fr.Metrics.QuicMetrics != nil {
+		out["QuicVersion"] = fr.Metrics.QuicMetrics.Version
+		out["QuicSeenLongHdr"] = fr.Metrics.QuicMetrics.SeenLongHdr
+		out["QuicSeenShortHdr"] = fr.Metrics.QuicMetrics.SeenShortHdr
+	}
+
 	return out
 }
 

pkg/decode/decode_protobuf_test.go

@@ -100,6 +100,11 @@ func TestPBFlowToMap(t *testing.T) {
 		},
 		IpsecEncrypted:    1,
 		IpsecEncryptedRet: 0,
+		Quic: &pbflow.Quic{
+			Version:      1,
+			SeenLongHdr:  1,
+			SeenShortHdr: 1,
+		},
 	}
 
 	out := PBFlowToMap(flow)
@@ -151,13 +156,16 @@ func TestPBFlowToMap(t *testing.T) {
 				"Direction": "egress",
 			},
 		},
-		"XlatSrcAddr":  "1.2.3.4",
-		"XlatDstAddr":  "5.6.7.8",
-		"XlatSrcPort":  uint16(1),
-		"XlatDstPort":  uint16(2),
-		"ZoneId":       uint16(100),
-		"IPSecRetCode": int32(0),
-		"IPSecStatus":  "success",
+		"XlatSrcAddr":      "1.2.3.4",
+		"XlatDstAddr":      "5.6.7.8",
+		"XlatSrcPort":      uint16(1),
+		"XlatDstPort":      uint16(2),
+		"ZoneId":           uint16(100),
+		"IPSecRetCode":     int32(0),
+		"IPSecStatus":      "success",
+		"QuicVersion":      uint32(1),
+		"QuicSeenLongHdr":  uint8(1),
+		"QuicSeenShortHdr": uint8(1),
 	}, out)
 }