From d82cb11507bd8a625704adb9b7f98787fbcfb97d Mon Sep 17 00:00:00 2001
From: Zhonghu Xu
Date: Thu, 25 Apr 2024 20:00:35 +0800
Subject: [PATCH 1/2] Fix authz on ipv4/ipv6

Signed-off-by: Zhonghu Xu
---
 bpf/kmesh/workload/sockops_tuple.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/bpf/kmesh/workload/sockops_tuple.c b/bpf/kmesh/workload/sockops_tuple.c
index 6a84435b2..97bf81cac 100644
--- a/bpf/kmesh/workload/sockops_tuple.c
+++ b/bpf/kmesh/workload/sockops_tuple.c
@@ -173,12 +173,15 @@ static inline bool conn_from_cni_sim_delete(struct bpf_sock_ops *skops)
 (bpf_ntohl(skops->remote_port) == 0x3a2));
 }
+static inline bool ipv4_mapped_addr(__u32 ip6[4])
+{
+ return ip6[0] == 0 && ip6[1] == 0 && ip6[2] == 0xFFFF0000;
+}
 SEC("sockops")
 int record_tuple(struct bpf_sock_ops *skops)
 {
- // only support IPV4
- if (skops->family != AF_INET)
+ if (skops->family != AF_INET && !ipv4_mapped_addr(skops->local_ip6))
 return 0;
 switch (skops->op) {
 case BPF_SOCK_OPS_TCP_CONNECT_CB:
@@ -202,10 +205,11 @@ int record_tuple(struct bpf_sock_ops *skops)
 auth_ip_tuple(skops);
 break;
 case BPF_SOCK_OPS_STATE_CB:
- if(skops->args[1] == BPF_TCP_CLOSE || skops->args[1] == BPF_TCP_CLOSE_WAIT
- || skops->args[1] == BPF_TCP_FIN_WAIT1)
+ if (skops->args[1] == BPF_TCP_CLOSE || skops->args[1] == BPF_TCP_CLOSE_WAIT
+ || skops->args[1] == BPF_TCP_FIN_WAIT1) {
 clean_auth_map(skops);
 clean_dstinfo_map(skops);
+ }
 break;
 default:
 break;

From 60c0e0b249b879aa45a8bc6bdce538708333fd88 Mon Sep 17 00:00:00 2001
From: Zhonghu Xu
Date: Thu, 25 Apr 2024 20:07:16 +0800
Subject: [PATCH 2/2] remove space

Signed-off-by: Zhonghu Xu
---
 bpf/kmesh/workload/sockops_tuple.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bpf/kmesh/workload/sockops_tuple.c b/bpf/kmesh/workload/sockops_tuple.c
index 97bf81cac..4e95246a3 100644
--- a/bpf/kmesh/workload/sockops_tuple.c
+++ b/bpf/kmesh/workload/sockops_tuple.c
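Review bot: The v4-mapped prefix test in ipv4_mapped_addr compares `ip6[2]` against the literal `0xFFFF0000`, which matches the ::ffff:0:0/96 prefix only on a little-endian host; the `local_ip6` words are in network byte order, so the portable form is `ip6[2] == bpf_htonl(0x0000FFFF)`, consistent with the `bpf_ntohl(skops->remote_port)` call a few lines above. The helper never writes through its argument, so `static inline bool ipv4_mapped_addr(const __u32 ip6[4])` would say so. The removed `// only support IPV4` comment was not replaced: native (non-mapped) IPv6 connections still take the `return 0` path before any tuple is recorded or authorized, and that limitation is now undocumented — a comment such as `// IPv4 and IPv4-mapped IPv6 only; native IPv6 connections are not recorded or authorized` above the check would keep it visible to the next reader. The remainder of record_tuple runs outside the hunk; I assume the helpers it calls read the v4 address fields, which the kernel populates for v4-mapped sockets, but that is worth confirming.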
@@ -205,7 +205,7 @@ int record_tuple(struct bpf_sock_ops *skops)
 auth_ip_tuple(skops);
 break;
 case BPF_SOCK_OPS_STATE_CB:
- if (skops->args[1] == BPF_TCP_CLOSE || skops->args[1] == BPF_TCP_CLOSE_WAIT
+ if (skops->args[1] == BPF_TCP_CLOSE || skops->args[1] == BPF_TCP_CLOSE_WAIT
 || skops->args[1] == BPF_TCP_FIN_WAIT1) {
 clean_auth_map(skops);
 clean_dstinfo_map(skops);