Add support for hard permit in connect() hook (#4558)

andrwli · liandrew-MSFT · web-flow · commit 22364aeaacb5 · 2025-09-27T01:03:17.000Z
* Add WFP hard permit support for connect hook

* clean up

* Add WFP hard permit support for connect hook

* clean up

* Run generate_expected_bpf2c_output

* Deal with edge cases in auth-connect, fix VMIsRemote workflow

* Add documentation

* rebase

* PR Feedback

* More feedback

* Organize caching into one function, handle redirected connected UDP case better, clean up

* Clean up

---------

Co-authored-by: Andrew Li &lt;liandrew@microsoft.com&gt;
diff --git a/docs/NativeCodeGeneration.md b/docs/NativeCodeGeneration.md
@@ -315,4 +315,6 @@ differ for each person regenerating them.
 
 These paths therefore need to be canonicalized to make them portable and this is done by running the following command
 from the ```ebpf-for-windows``` project root directory:
-``` .\scripts\generate_expected_bpf2c_output.ps1 .\x64\Debug\```
+``` .\scripts\generate_expected_bpf2c_output.ps1 .\x64\Debug\```.
+
+*Note: Tests may also fail if files generated by this script are formatted through clang-format.*
diff --git a/include/ebpf_nethooks.h b/include/ebpf_nethooks.h
@@ -56,6 +56,7 @@ bind_hook_t(bind_md_t* context);
 
 #define BPF_SOCK_ADDR_VERDICT_REJECT 0
 #define BPF_SOCK_ADDR_VERDICT_PROCEED 1
+#define BPF_SOCK_ADDR_VERDICT_PROCEED_HARD 2
 
 #ifdef _MSC_VER
 #pragma warning(push)
@@ -134,10 +135,11 @@ EBPF_HELPER(int, bpf_sock_addr_set_redirect_context, (bpf_sock_addr_t * ctx, voi
  *  \ref EBPF_ATTACH_TYPE_CGROUP_INET6_RECV_ACCEPT
  *
  * @param[in] context \ref bpf_sock_addr_t
- * @retval BPF_SOCK_ADDR_VERDICT_PROCEED Block the socket operation.
- * @retval BPF_SOCK_ADDR_VERDICT_REJECT Allow the socket operation.
+ * @retval BPF_SOCK_ADDR_VERDICT_REJECT Block the socket operation. Maps to a hard block in WFP.
+ * @retval BPF_SOCK_ADDR_VERDICT_PROCEED Allow the socket operation. Maps to a soft permit in WFP.
+ * @retval BPF_SOCK_ADDR_VERDICT_PROCEED_HARD Allow the socket operation. Maps to a hard permit in WFP.
  *
- * Any other return value other than the two mentioned above is treated as BPF_SOCK_ADDR_VERDICT_REJECT.
+ * Any return value other than the ones mentioned above is treated as BPF_SOCK_ADDR_VERDICT_REJECT.
  */
 typedef int
 sock_addr_hook_t(bpf_sock_addr_t* context);
diff --git a/netebpfext/net_ebpf_ext_sock_addr.c b/netebpfext/net_ebpf_ext_sock_addr.c
diff --git a/netebpfext/net_ebpf_ext_tracelog.h b/netebpfext/net_ebpf_ext_tracelog.h
@@ -378,15 +378,6 @@ net_ebpf_ext_log_message_uint64_uint64_uint64(
         }                                                  \
     } while (false);
 
-#define NET_EBPF_EXT_BAIL_ON_ERROR_STATUS(status)          \
-    do {                                                   \
-        NTSTATUS local_status = (status);                  \
-        if (!NT_SUCCESS(local_status)) {                   \
-            NET_EBPF_EXT_LOG_FUNCTION_ERROR(local_status); \
-            goto Exit;                                     \
-        }                                                  \
-    } while (false);
-
 #define NET_EBPF_EXT_BAIL_ON_ALLOC_FAILURE_RESULT(keyword, ptr, ptr_name, result)                                     \
     do {                                                                                                              \
         if ((ptr) == NULL) {                                                                                          \
diff --git a/scripts/common.psm1 b/scripts/common.psm1
@@ -15,7 +15,7 @@ function Write-Log
 
     process
     {
-        if (($null -ne $TraceMessage) -and ![System.String]::IsNullOrEmpty($TraceMessage)) {
+        if (![System.String]::IsNullOrEmpty($TraceMessage)) {
             $timestamp = (Get-Date).ToString('HH:mm:ss')
             Write-Host "[$timestamp] :: $TraceMessage"-ForegroundColor $ForegroundColor
             Write-Output "[$timestamp] :: $TraceMessage" | Out-File "$env:TEMP\$LogFileName" -Append
diff --git a/scripts/execute_ebpf_cicd_tests.ps1 b/scripts/execute_ebpf_cicd_tests.ps1
@@ -98,7 +98,7 @@ $Job = Start-Job -ScriptBlock {
         Run-KernelTests -Config $Config
         Write-Log "Running kernel tests completed"
 
-        Stop-eBPFComponents -GranularTracing $GranularTracing
+        Stop-eBPFComponents -GranularTracing $GranularTracing -LogFileName $script:LogFileName
     } catch [System.Management.Automation.RemoteException] {
         Write-Log $_.Exception.Message
         Write-Log $_.ScriptStackTrace
diff --git a/scripts/vm_run_tests.psm1 b/scripts/vm_run_tests.psm1
@@ -32,14 +32,19 @@ Import-Module .\common.psm1 -Force -ArgumentList ($LogFileName) -WarningAction S
 function Invoke-OnHostOrVM {
     param(
         [Parameter(Mandatory = $true, Position = 0)][ScriptBlock] $ScriptBlock,
-        [Parameter(Mandatory = $false)][object[]] $ArgumentList = @()
+        [Parameter(Mandatory = $false)][object[]] $ArgumentList = @(),
+        [Parameter(Mandatory = $false)][System.Management.Automation.Runspaces.PSSession] $Session
     )
     if ($script:ExecuteOnHost) {
         & $ScriptBlock @ArgumentList
     } elseif ($script:ExecuteOnVM) {
         $Credential = New-Credential -Username $script:Admin -AdminPassword $script:AdminPassword
         if ($script:VMIsRemote) {
-            Invoke-Command -ComputerName $script:VMName -Credential $Credential -ScriptBlock $ScriptBlock -ArgumentList $ArgumentList -ErrorAction Stop
+            if ($null -ne $Session) {
+                Invoke-Command -Session $Session -ScriptBlock $ScriptBlock -ArgumentList $ArgumentList -ErrorAction Stop
+            } else {
+                Invoke-Command -ComputerName $script:VMName -Credential $Credential -ScriptBlock $ScriptBlock -ArgumentList $ArgumentList -ErrorAction Stop
+            }
         } else {
             Invoke-Command -VMName $script:VMName -Credential $Credential -ScriptBlock $ScriptBlock -ArgumentList $ArgumentList -ErrorAction Stop
         }
@@ -120,7 +125,8 @@ function Remove-eBPFProgram {
 function Start-ProcessHelper {
     param (
         [Parameter(Mandatory = $true)] [string] $ProgramName,
-        [string] $Parameters
+        [string] $Parameters,
+        [Parameter(Mandatory = $false)][System.Management.Automation.Runspaces.PSSession] $Session
     )
     $scriptBlock = {
         param($ProgramName, $Parameters, $WorkingDirectory)
@@ -129,7 +135,7 @@ function Start-ProcessHelper {
     }
     $argList = @($ProgramName, $Parameters, $script:WorkingDirectory)
     Write-Log "Starting process $ProgramName with arguments $Parameters"
-    Invoke-OnHostOrVM -ScriptBlock $scriptBlock -ArgumentList $argList
+    Invoke-OnHostOrVM -ScriptBlock $scriptBlock -ArgumentList $argList -Session $Session
 }
 
 function Stop-ProcessHelper {
@@ -354,6 +360,11 @@ function Invoke-ConnectRedirectTestHelper
     $ProgramName = "tcp_udp_listener.exe"
     Add-FirewallRule -RuleName "Redirect_Test" -ProgramName $ProgramName -LogFileName $LogFileName
 
+    if ($script:VMIsRemote) {
+        $Credential = New-Credential -Username $script:Admin -AdminPassword $script:AdminPassword
+        $Session = New-PSSession -ComputerName $script:VMName -Credential $Credential
+    }
+
     if ($script:TestMode -eq "Regression") {
         # Previous versions of tcp_udp_listener did not suport the local_address parameter, use old parameter sets.
         $TcpServerParameters = "--protocol tcp --local-port $DestinationPort"
@@ -364,7 +375,7 @@ function Invoke-ConnectRedirectTestHelper
         $ParameterArray = @($TcpServerParameters, $TcpProxyParameters, $UdpServerParameters, $UdpProxyParameters)
         foreach ($parameter in $ParameterArray)
         {
-            Start-ProcessHelper -ProgramName $ProgramName -Parameters $parameter
+            Start-ProcessHelper -ProgramName $ProgramName -Parameters $parameter -Session $Session
         }
     } else {
         # Build array of all IP addresses from all interfaces
@@ -381,7 +392,7 @@ function Invoke-ConnectRedirectTestHelper
         foreach ($IPAddress in $IPAddresses) {
             foreach ($Protocol in $Protocols) {
                 foreach ($Port in $Ports) {
-                    Start-ProcessHelper -ProgramName $ProgramName -Parameters "--protocol $Protocol --local-port $Port --local-address $IPAddress"
+                    Start-ProcessHelper -ProgramName $ProgramName -Parameters "--protocol $Protocol --local-port $Port --local-address $IPAddress" -Session $Session
                 }
             }
         }
@@ -416,6 +427,11 @@ function Invoke-ConnectRedirectTestHelper
     Invoke-OnHostOrVM -ScriptBlock $scriptBlock -ArgumentList $argList
 
     Stop-ProcessHelper -ProgramName $ProgramName
+
+    if ($null -ne $Session)
+    {
+        Remove-PSSession -Session $Session -ErrorAction SilentlyContinue
+    }
 }
 
 function Stop-eBPFComponents {
diff --git a/tests/bpf2c_tests/expected/cgroup_sock_addr2_dll.c b/tests/bpf2c_tests/expected/cgroup_sock_addr2_dll.c
@@ -55,7 +55,7 @@ static map_entry_t _maps[] = {
      {
          BPF_MAP_TYPE_HASH, // Type of map.
          24,                // Size in bytes of a map key.
-         24,                // Size in bytes of a map value.
+         28,                // Size in bytes of a map value.
          100,               // Maximum number of entries allowed in the map.
          0,                 // Inner map index.
          LIBBPF_PIN_NONE,   // Pinning type for the map.
@@ -421,9 +421,9 @@ connect_redirect4(void* context, const program_runtime_context_t* runtime_contex
     // EBPF_OP_STXH pc=72 dst=r6 src=r1 offset=40 imm=0
 #line 80 "sample/cgroup_sock_addr2.c"
     WRITE_ONCE_16(r6, (uint16_t)r1, OFFSET(40));
-    // EBPF_OP_MOV64_IMM pc=73 dst=r1 src=r0 offset=0 imm=1
-#line 80 "sample/cgroup_sock_addr2.c"
-    r1 = IMMEDIATE(1);
+    // EBPF_OP_LDXW pc=73 dst=r1 src=r7 offset=24 imm=0
+#line 82 "sample/cgroup_sock_addr2.c"
+    READ_ONCE_32(r1, r7, OFFSET(24));
 label_2:
     // EBPF_OP_STXDW pc=74 dst=r10 src=r8 offset=-88 imm=0
 #line 43 "sample/cgroup_sock_addr2.c"
@@ -887,9 +887,9 @@ connect_redirect6(void* context, const program_runtime_context_t* runtime_contex
     // EBPF_OP_STXH pc=80 dst=r6 src=r1 offset=40 imm=0
 #line 118 "sample/cgroup_sock_addr2.c"
     WRITE_ONCE_16(r6, (uint16_t)r1, OFFSET(40));
-    // EBPF_OP_MOV64_IMM pc=81 dst=r1 src=r0 offset=0 imm=1
-#line 118 "sample/cgroup_sock_addr2.c"
-    r1 = IMMEDIATE(1);
+    // EBPF_OP_LDXW pc=81 dst=r1 src=r7 offset=24 imm=0
+#line 120 "sample/cgroup_sock_addr2.c"
+    READ_ONCE_32(r1, r7, OFFSET(24));
 label_2:
     // EBPF_OP_STXDW pc=82 dst=r10 src=r8 offset=-24 imm=0
 #line 43 "sample/cgroup_sock_addr2.c"
diff --git a/tests/bpf2c_tests/expected/cgroup_sock_addr2_raw.c b/tests/bpf2c_tests/expected/cgroup_sock_addr2_raw.c
@@ -25,7 +25,7 @@ static map_entry_t _maps[] = {
      {
          BPF_MAP_TYPE_HASH, // Type of map.
          24,                // Size in bytes of a map key.
-         24,                // Size in bytes of a map value.
+         28,                // Size in bytes of a map value.
          100,               // Maximum number of entries allowed in the map.
          0,                 // Inner map index.
          LIBBPF_PIN_NONE,   // Pinning type for the map.
@@ -391,9 +391,9 @@ connect_redirect4(void* context, const program_runtime_context_t* runtime_contex
     // EBPF_OP_STXH pc=72 dst=r6 src=r1 offset=40 imm=0
 #line 80 "sample/cgroup_sock_addr2.c"
     WRITE_ONCE_16(r6, (uint16_t)r1, OFFSET(40));
-    // EBPF_OP_MOV64_IMM pc=73 dst=r1 src=r0 offset=0 imm=1
-#line 80 "sample/cgroup_sock_addr2.c"
-    r1 = IMMEDIATE(1);
+    // EBPF_OP_LDXW pc=73 dst=r1 src=r7 offset=24 imm=0
+#line 82 "sample/cgroup_sock_addr2.c"
+    READ_ONCE_32(r1, r7, OFFSET(24));
 label_2:
     // EBPF_OP_STXDW pc=74 dst=r10 src=r8 offset=-88 imm=0
 #line 43 "sample/cgroup_sock_addr2.c"
@@ -857,9 +857,9 @@ connect_redirect6(void* context, const program_runtime_context_t* runtime_contex
     // EBPF_OP_STXH pc=80 dst=r6 src=r1 offset=40 imm=0
 #line 118 "sample/cgroup_sock_addr2.c"
     WRITE_ONCE_16(r6, (uint16_t)r1, OFFSET(40));
-    // EBPF_OP_MOV64_IMM pc=81 dst=r1 src=r0 offset=0 imm=1
-#line 118 "sample/cgroup_sock_addr2.c"
-    r1 = IMMEDIATE(1);
+    // EBPF_OP_LDXW pc=81 dst=r1 src=r7 offset=24 imm=0
+#line 120 "sample/cgroup_sock_addr2.c"
+    READ_ONCE_32(r1, r7, OFFSET(24));
 label_2:
     // EBPF_OP_STXDW pc=82 dst=r10 src=r8 offset=-24 imm=0
 #line 43 "sample/cgroup_sock_addr2.c"
diff --git a/tests/bpf2c_tests/expected/cgroup_sock_addr2_sys.c b/tests/bpf2c_tests/expected/cgroup_sock_addr2_sys.c
@@ -180,7 +180,7 @@ static map_entry_t _maps[] = {
      {
          BPF_MAP_TYPE_HASH, // Type of map.
          24,                // Size in bytes of a map key.
-         24,                // Size in bytes of a map value.
+         28,                // Size in bytes of a map value.
          100,               // Maximum number of entries allowed in the map.
          0,                 // Inner map index.
          LIBBPF_PIN_NONE,   // Pinning type for the map.
@@ -546,9 +546,9 @@ connect_redirect4(void* context, const program_runtime_context_t* runtime_contex
     // EBPF_OP_STXH pc=72 dst=r6 src=r1 offset=40 imm=0
 #line 80 "sample/cgroup_sock_addr2.c"
     WRITE_ONCE_16(r6, (uint16_t)r1, OFFSET(40));
-    // EBPF_OP_MOV64_IMM pc=73 dst=r1 src=r0 offset=0 imm=1
-#line 80 "sample/cgroup_sock_addr2.c"
-    r1 = IMMEDIATE(1);
+    // EBPF_OP_LDXW pc=73 dst=r1 src=r7 offset=24 imm=0
+#line 82 "sample/cgroup_sock_addr2.c"
+    READ_ONCE_32(r1, r7, OFFSET(24));
 label_2:
     // EBPF_OP_STXDW pc=74 dst=r10 src=r8 offset=-88 imm=0
 #line 43 "sample/cgroup_sock_addr2.c"
@@ -1012,9 +1012,9 @@ connect_redirect6(void* context, const program_runtime_context_t* runtime_contex
     // EBPF_OP_STXH pc=80 dst=r6 src=r1 offset=40 imm=0
 #line 118 "sample/cgroup_sock_addr2.c"
     WRITE_ONCE_16(r6, (uint16_t)r1, OFFSET(40));
-    // EBPF_OP_MOV64_IMM pc=81 dst=r1 src=r0 offset=0 imm=1
-#line 118 "sample/cgroup_sock_addr2.c"
-    r1 = IMMEDIATE(1);
+    // EBPF_OP_LDXW pc=81 dst=r1 src=r7 offset=24 imm=0
+#line 120 "sample/cgroup_sock_addr2.c"
+    READ_ONCE_32(r1, r7, OFFSET(24));
 label_2:
     // EBPF_OP_STXDW pc=82 dst=r10 src=r8 offset=-24 imm=0
 #line 43 "sample/cgroup_sock_addr2.c"
diff --git a/tests/connect_redirect/connect_redirect_tests.cpp b/tests/connect_redirect/connect_redirect_tests.cpp
@@ -326,7 +326,7 @@ _update_policy_map(
 
     // Insert / delete redirect policy entry in the map.
     destination_entry_key_t key = {0};
-    destination_entry_value_t value = {0};
+    destination_entry_value_t value = {.verdict = BPF_SOCK_ADDR_VERDICT_PROCEED};
 
     if (_globals.family == AF_INET && dual_stack) {
         struct sockaddr_in6* v6_destination = (struct sockaddr_in6*)&destination;
diff --git a/tests/libs/util/socket_helper.cpp b/tests/libs/util/socket_helper.cpp
@@ -229,7 +229,7 @@ _client_socket::complete_async_receive(int timeout_in_ms, bool timeout_or_error_
                 FAIL("Receiver socket did not receive any message in 1 second.");
             }
         } else {
-            FAIL("Waiting on receiver socket failed with " << error);
+            FAIL("Waiting on receiver socket failed with " << WSAGetLastError());
         }
     }
 }
@@ -459,7 +459,7 @@ _server_socket::complete_async_receive(int timeout_in_ms, receiver_mode mode)
                 FAIL("Receiver socket did not receive any message in 1 second.");
             }
         } else {
-            FAIL("Waiting on receiver socket failed with " << error);
+            FAIL("Waiting on receiver socket failed with " << WSAGetLastError());
         }
     }
 }
@@ -774,7 +774,7 @@ _stream_server_socket::complete_async_send(int timeout_in_ms)
         WSACloseEvent(overlapped.hEvent);
         overlapped.hEvent = INVALID_HANDLE_VALUE;
     } else {
-        FAIL("Waiting on receiver socket failed with " << error);
+        FAIL("Waiting on receiver socket failed with " << WSAGetLastError());
     }
 }
 
diff --git a/tests/netebpfext_unit/netebpf_ext_helper.cpp b/tests/netebpfext_unit/netebpf_ext_helper.cpp
@@ -8,7 +8,10 @@ DEVICE_OBJECT* _net_ebpf_ext_driver_device_object;
 
 constexpr uint32_t _test_destination_ipv4_address = 0x01020304;
 static FWP_BYTE_ARRAY16 _test_destination_ipv6_address = {1, 2, 3, 4};
-constexpr uint16_t _test_destination_port = 1234;
+// _get_sock_addr_action() uses destination_port % SOCK_ADDR_TEST_ACTION_ROUND_ROBIN
+// to get the expected verdict in sock_addr_thread_function().
+// If sock_addr_test_action_t is changed, _test_destination_port may need to be updated as well.
+constexpr uint16_t _test_destination_port = 1235;
 constexpr uint32_t _test_source_ipv4_address = 0x05060708;
 static FWP_BYTE_ARRAY16 _test_source_ipv6_address = {5, 6, 7, 8};
 constexpr uint16_t _test_source_port = 5678;
@@ -39,7 +42,8 @@ netebpfext_initialize_fwp_classify_parameters(_Out_ fwp_classify_parameters_t* p
 
 _netebpf_ext_helper::_netebpf_ext_helper(bool initialize_platform)
     : _netebpf_ext_helper(nullptr, nullptr, nullptr, initialize_platform)
-{}
+{
+}
 
 _netebpf_ext_helper::_netebpf_ext_helper(
     _In_opt_ const void* npi_specific_characteristics,
diff --git a/tests/netebpfext_unit/netebpfext_unit.cpp b/tests/netebpfext_unit/netebpfext_unit.cpp
diff --git a/tests/sample/cgroup_sock_addr2.c b/tests/sample/cgroup_sock_addr2.c
diff --git a/tests/socket/socket_tests.cpp b/tests/socket/socket_tests.cpp
diff --git a/tests/socket/socket_tests_common.h b/tests/socket/socket_tests_common.h

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ function Write-Log`
`15`	`15`
`16`	`16`	`process`
`17`	`17`	`{`
`18`		`- if (($null -ne $TraceMessage) -and ![System.String]::IsNullOrEmpty($TraceMessage)) {`
	`18`	`+ if (![System.String]::IsNullOrEmpty($TraceMessage)) {`
`19`	`19`	`$timestamp = (Get-Date).ToString('HH:mm:ss')`
`20`	`20`	`Write-Host "[$timestamp] :: $TraceMessage"-ForegroundColor $ForegroundColor`
`21`	`21`	`Write-Output "[$timestamp] :: $TraceMessage" \| Out-File "$env:TEMP\$LogFileName" -Append`