Allow sockops BPF programs to query the WFP flow_id #4763
base: main
Conversation
Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>
```c
    return 0;
}

static uint64_t
```
Why is this needed in addition to the one in netebpfext/net_ebpf_ext_sock_ops.c?
This is for the mock layer that allows BPF programs to be run in unit_tests.exe, entirely in user mode without netebpfext.sys.
I see, thanks.
Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>
```cpp
// Ring buffer event callback context.
std::unique_ptr<ring_buffer_test_event_context_t> context = std::make_unique<ring_buffer_test_event_context_t>();
context->test_event_count = 2; // Expect 2 events for TCP connection (outbound and inbound)
```
Suggested change:
```diff
-context->test_event_count = 2; // Expect 2 events for TCP connection (outbound and inbound)
+context->test_event_count = 2; // Expect 2 events for TCP connection (outbound and inbound).
```
```c
local_flow_context->parameters.callout_id = net_ebpf_extension_get_callout_id_for_hook(hook_id);

// Store the flow_id in the sock_ops context for the helper function.
local_flow_context->context.flow_id = incoming_metadata_values->flowHandle;
```
Can we be particularly paranoid and follow WFP runtime checks?
```c
local_flow_context->context.flow_id = 0;
if (FWPS_IS_METADATA_FIELD_PRESENT(incoming_metadata_values, FWPS_METADATA_FIELD_FLOW_HANDLE))
{
    local_flow_context->context.flow_id = incoming_metadata_values->flowHandle;
}
```
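The guarded extraction the reviewer asks for, modelled in user-mode C as an added example; this is not code from this PR or from ebpf-for-windows. The `mock_` names, the metadata bit value and the two-field struct shapes are assumptions standing in for the fwpsk.h definitions (`FWPS_INCOMING_METADATA_VALUES0`, `FWPS_IS_METADATA_FIELD_PRESENT`, `FWPS_METADATA_FIELD_FLOW_HANDLE`), and the context/helper pair stands in for the `flow_id` field and `bpf_sock_ops_get_flow_id` helper described in the PR. It shows why the check matters: when the flow-handle presence bit is clear, the unchecked path hands the BPF program whatever stale bytes `flowHandle` holds, while the checked path reports 0, the "no flow" value the PR's test treats as invalid.

```c
/* Added example, not code from the PR: user-mode model of the reviewed
 * flow-handle extraction. All mock_ names are assumptions, not WFP types. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: mirrors the shape of FWPS_IS_METADATA_FIELD_PRESENT, which tests
 * a bit in currentMetadataValues. The bit value is a placeholder, not the
 * real fwpsk.h constant. */
#define MOCK_METADATA_FIELD_FLOW_HANDLE 0x2u
#define MOCK_IS_METADATA_FIELD_PRESENT(m, f) (((m)->currentMetadataValues & (f)) == (f))

typedef struct {
    uint32_t currentMetadataValues; /* bitmask of fields WFP actually populated */
    uint64_t flowHandle;            /* only meaningful when the flow-handle bit is set */
} mock_incoming_metadata_values_t;

/* Stand-in for the flow_id field the PR adds to the sock_ops context. */
typedef struct {
    uint64_t flow_id;
} mock_sock_ops_context_t;

/* Shape of the original hunk: trusts flowHandle unconditionally. */
void store_flow_id_unchecked(mock_sock_ops_context_t* ctx, const mock_incoming_metadata_values_t* meta)
{
    ctx->flow_id = meta->flowHandle;
}

/* Shape suggested in review: zero unless WFP says the field is present. */
void store_flow_id_checked(mock_sock_ops_context_t* ctx, const mock_incoming_metadata_values_t* meta)
{
    ctx->flow_id = 0;
    if (MOCK_IS_METADATA_FIELD_PRESENT(meta, MOCK_METADATA_FIELD_FLOW_HANDLE)) {
        ctx->flow_id = meta->flowHandle;
    }
}

/* Model of the helper the PR adds: returns what the classify path stored. */
uint64_t mock_bpf_sock_ops_get_flow_id(const mock_sock_ops_context_t* ctx)
{
    return ctx->flow_id;
}

/* Run the unchecked path on constructed metadata and return what a BPF
 * program would observe through the helper. */
uint64_t unchecked_flow_id(uint32_t current_metadata_values, uint64_t flow_handle)
{
    mock_incoming_metadata_values_t meta = { current_metadata_values, flow_handle };
    mock_sock_ops_context_t ctx = { 0 };
    store_flow_id_unchecked(&ctx, &meta);
    return mock_bpf_sock_ops_get_flow_id(&ctx);
}

/* Same, for the checked path. */
uint64_t checked_flow_id(uint32_t current_metadata_values, uint64_t flow_handle)
{
    mock_incoming_metadata_values_t meta = { current_metadata_values, flow_handle };
    mock_sock_ops_context_t ctx = { 0 };
    store_flow_id_checked(&ctx, &meta);
    return mock_bpf_sock_ops_get_flow_id(&ctx);
}

int main(void)
{
    /* Constructed case: presence bit clear, flowHandle holds stale bytes. */
    const uint64_t stale = 0xDEADBEEFCAFEF00Dull;
    printf("bit clear:  unchecked=0x%llx checked=0x%llx\n",
           (unsigned long long)unchecked_flow_id(0, stale),
           (unsigned long long)checked_flow_id(0, stale));
    /* Constructed case: presence bit set, both paths agree. */
    printf("bit set:    unchecked=%llu checked=%llu\n",
           (unsigned long long)unchecked_flow_id(MOCK_METADATA_FIELD_FLOW_HANDLE, 42),
           (unsigned long long)checked_flow_id(MOCK_METADATA_FIELD_FLOW_HANDLE, 42));
    return 0;
}
```

The check costs one bitmask test per classify call and turns an undefined-contents read into a deterministic 0, which is exactly the value the PR's `sock_ops_flow_id_helper_test` already rejects as invalid, so a regression on the presence bit surfaces as a test failure rather than as a plausible-looking but meaningless flow ID in a map.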
Moving this PR to draft until the corresponding issue is in the current milestone.
Resolves: #4764
Description
This pull request introduces a new eBPF helper function for SOCK_OPS programs that allows retrieving the WFP flow ID associated with a socket operation context. The changes span the core extension, program info, test infrastructure, and add a new sample and test case to validate the helper. The most significant updates are grouped below.
New SOCK_OPS Helper Function: Flow ID
- Added the `bpf_sock_ops_get_flow_id` helper function to the eBPF extension, allowing SOCK_OPS programs to access the WFP flow ID for the current connection via the context (`bpf_sock_ops_t`). This includes updates to the context struct, helper registration, and implementation.
- Registered the new helper in the program type-specific helper function tables and prototypes for both the extension and test environments, ensuring it is available to eBPF programs and properly mocked for tests.
Sample Program and Test Coverage
- Added a new sample eBPF program (`sockops_flow_id.c`) that uses the flow ID helper to audit and store flow IDs in maps for both IPv4 and IPv6 connections, demonstrating usage and providing a basis for validation.
- Added a comprehensive test case (`sock_ops_flow_id_helper_test`) in `socket_tests.cpp` that attaches the sample program, triggers TCP connections, and verifies that the flow ID helper returns valid (non-zero) values via both ring buffer events and map lookups.
Test Infrastructure and Minor Refactoring
These changes collectively add robust support for querying and validating WFP flow IDs in SOCK_OPS programs, improving observability and enabling new use cases for eBPF on Windows.
Testing
CI/CD
Documentation
Doxygen comments.
Installation
No.