eBPF Mystery: When is IPv4 not IPv4? When it's pretending to be IPv6
a year ago
- #IPv6
- #networking
- #eBPF
- The article discusses an eBPF program designed to redirect DNS requests on port 53 for a single program or Docker container.
- The initial setup used BPF_CGROUP_INET4_CONNECT to inspect and redirect traffic from within a cgroup.
- A problem arose when the dotnet CLI hung indefinitely, producing blocked IPv6 messages despite the machine not supporting IPv6.
- Investigation revealed that dotnet uses DualMode sockets, which handle IPv4 traffic via IPv6 sockets, encoding IPv4 addresses within IPv6 addresses.
- The solution involved updating the eBPF program to handle IPv4-mapped IPv6 addresses by parsing the IPv4 address from the IPv6 socket.
- Additional adjustments were needed in the egress eBPF program to distinguish between true IPv6 traffic and IPv4-mapped IPv6 traffic.
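
The check the last two points describe, as an added example that is not code from the article: telling an IPv4-mapped IPv6 destination (`::ffff:a.b.c.d`, which a DualMode socket produces) apart from a native IPv6 one and recovering the embedded IPv4 address. It is a userspace C sketch that assumes the four-word, network-byte-order layout of `user_ip6` in `struct bpf_sock_addr`; the function names and sample addresses are hypothetical and constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum addr_kind { ADDR_NATIVE_V6 = 0, ADDR_V4_MAPPED = 1 };

/* ip6 holds four 32-bit words in network byte order (assumed to match
 * user_ip6[4]). An IPv4-mapped address is 80 zero bits, 16 one bits,
 * then the IPv4 address, so words 0-1 are 0 and word 2 is 0x0000ffff. */
static enum addr_kind classify_ip6(const uint32_t ip6[4], uint32_t *v4)
{
    if (ip6[0] != 0 || ip6[1] != 0 || ip6[2] != htonl(0x0000ffff))
        return ADDR_NATIVE_V6;
    *v4 = ip6[3];               /* embedded IPv4, still network order */
    return ADDR_V4_MAPPED;
}

/* Hypothetical policy helper: is this IPv6-socket connect really IPv4
 * DNS traffic that the IPv4 redirect rule should also cover? */
static int is_v4_dns(const uint32_t ip6[4], uint16_t port_be, uint32_t *v4)
{
    return ntohs(port_be) == 53 && classify_ip6(ip6, v4) == ADDR_V4_MAPPED;
}

/* Helper for the samples: text form -> word layout used above. */
static int parse_ip6(const char *text, uint32_t out[4])
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1)
        return -1;
    memcpy(out, a.s6_addr, sizeof a.s6_addr);
    return 0;
}

int main(void)
{
    /* Constructed destinations: mapped, native, and the deprecated
     * IPv4-compatible form (::a.b.c.d), which must NOT count as mapped. */
    const char *samples[] = { "::ffff:192.0.2.53", "2001:db8::53", "::192.0.2.53" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t w[4], v4 = 0;
        if (parse_ip6(samples[i], w) != 0)
            continue;
        printf("%-20s port 53 -> %s\n", samples[i],
               is_v4_dns(w, htons(53), &v4) ? "IPv4 DNS (mapped)" : "native IPv6 path");
    }
    return 0;
}
```

Comparing all of the first three words matters: checking only that the leading 64 bits are zero would also match `::1` and IPv4-compatible addresses and send native IPv6 traffic down the IPv4 path.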