feat(ja4ebpf): add multi-interface TC, LPM_TRIE ignore_src, unit tests, and fix bugs

- Add multi-interface TC attachment (default "any" = all UP interfaces) - Add BPF LPM_TRIE map ignored_src for kernel-side CIDR filtering - Add userspace ignore_src filtering for SSL/accept4 path via net.IPNet.Contains() - Add AcceptCache for fd→SessionKey correlation with TTL and Close() - Add 5 test files covering writer, procutil, dispatcher, accept_cache, and cmd - Fix formatTCPOptions infinite loop on EOL (case 0 break→return) - Fix pseudoOrderToShort panic on empty slice (negative cap) - Fix AcceptCache goroutine leak (add done channel + Close()) - Update config.yml.example with interfaces, listen_ports, ignore_src - Rewrite docs/services/ja4ebpf.md (was massively stale: XDP, RingBuffer, etc.) - Fix stale XDP/RingBuffer references in docs/architecture.md, thesis, tls.go Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-16 01:49:26 +02:00
parent fd84aebc44
commit f0c8fe81c6
20 changed files with 3053 additions and 1261 deletions
--- a/services/ja4ebpf/internal/loader/ja4tc_x86_bpfel.go
+++ b/services/ja4ebpf/internal/loader/ja4tc_x86_bpfel.go
@ -116,19 +116,21 @@ type Ja4TcProgramSpecs struct {
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type Ja4TcMapSpecs struct {
-	HttpBuf     *ebpf.MapSpec `ebpf:"__http_buf"`
-	SslBuf      *ebpf.MapSpec `ebpf:"__ssl_buf"`
-	TlsBuf      *ebpf.MapSpec `ebpf:"__tls_buf"`
-	AcceptMap   *ebpf.MapSpec `ebpf:"accept_map"`
-	FdConnMap   *ebpf.MapSpec `ebpf:"fd_conn_map"`
-	PbAccept    *ebpf.MapSpec `ebpf:"pb_accept"`
-	PbHttpPlain *ebpf.MapSpec `ebpf:"pb_http_plain"`
-	PbSslData   *ebpf.MapSpec `ebpf:"pb_ssl_data"`
-	PbTcpSyn    *ebpf.MapSpec `ebpf:"pb_tcp_syn"`
-	PbTlsHello  *ebpf.MapSpec `ebpf:"pb_tls_hello"`
-	SslArgsMap  *ebpf.MapSpec `ebpf:"ssl_args_map"`
-	SslConnMap  *ebpf.MapSpec `ebpf:"ssl_conn_map"`
-	TcStats     *ebpf.MapSpec `ebpf:"tc_stats"`
+	HttpBuf      *ebpf.MapSpec `ebpf:"__http_buf"`
+	SslBuf       *ebpf.MapSpec `ebpf:"__ssl_buf"`
+	TlsBuf       *ebpf.MapSpec `ebpf:"__tls_buf"`
+	AcceptMap    *ebpf.MapSpec `ebpf:"accept_map"`
+	AllowedPorts *ebpf.MapSpec `ebpf:"allowed_ports"`
+	FdConnMap    *ebpf.MapSpec `ebpf:"fd_conn_map"`
+	IgnoredSrc   *ebpf.MapSpec `ebpf:"ignored_src"`
+	PbAccept     *ebpf.MapSpec `ebpf:"pb_accept"`
+	PbHttpPlain  *ebpf.MapSpec `ebpf:"pb_http_plain"`
+	PbSslData    *ebpf.MapSpec `ebpf:"pb_ssl_data"`
+	PbTcpSyn     *ebpf.MapSpec `ebpf:"pb_tcp_syn"`
+	PbTlsHello   *ebpf.MapSpec `ebpf:"pb_tls_hello"`
+	SslArgsMap   *ebpf.MapSpec `ebpf:"ssl_args_map"`
+	SslConnMap   *ebpf.MapSpec `ebpf:"ssl_conn_map"`
+	TcStats      *ebpf.MapSpec `ebpf:"tc_stats"`
 }

 // Ja4TcObjects contains all objects after they have been loaded into the kernel.
@ -150,19 +152,21 @@ func (o *Ja4TcObjects) Close() error {
 //
 // It can be passed to LoadJa4TcObjects or ebpf.CollectionSpec.LoadAndAssign.
 type Ja4TcMaps struct {
-	HttpBuf     *ebpf.Map `ebpf:"__http_buf"`
-	SslBuf      *ebpf.Map `ebpf:"__ssl_buf"`
-	TlsBuf      *ebpf.Map `ebpf:"__tls_buf"`
-	AcceptMap   *ebpf.Map `ebpf:"accept_map"`
-	FdConnMap   *ebpf.Map `ebpf:"fd_conn_map"`
-	PbAccept    *ebpf.Map `ebpf:"pb_accept"`
-	PbHttpPlain *ebpf.Map `ebpf:"pb_http_plain"`
-	PbSslData   *ebpf.Map `ebpf:"pb_ssl_data"`
-	PbTcpSyn    *ebpf.Map `ebpf:"pb_tcp_syn"`
-	PbTlsHello  *ebpf.Map `ebpf:"pb_tls_hello"`
-	SslArgsMap  *ebpf.Map `ebpf:"ssl_args_map"`
-	SslConnMap  *ebpf.Map `ebpf:"ssl_conn_map"`
-	TcStats     *ebpf.Map `ebpf:"tc_stats"`
+	HttpBuf      *ebpf.Map `ebpf:"__http_buf"`
+	SslBuf       *ebpf.Map `ebpf:"__ssl_buf"`
+	TlsBuf       *ebpf.Map `ebpf:"__tls_buf"`
+	AcceptMap    *ebpf.Map `ebpf:"accept_map"`
+	AllowedPorts *ebpf.Map `ebpf:"allowed_ports"`
+	FdConnMap    *ebpf.Map `ebpf:"fd_conn_map"`
+	IgnoredSrc   *ebpf.Map `ebpf:"ignored_src"`
+	PbAccept     *ebpf.Map `ebpf:"pb_accept"`
+	PbHttpPlain  *ebpf.Map `ebpf:"pb_http_plain"`
+	PbSslData    *ebpf.Map `ebpf:"pb_ssl_data"`
+	PbTcpSyn     *ebpf.Map `ebpf:"pb_tcp_syn"`
+	PbTlsHello   *ebpf.Map `ebpf:"pb_tls_hello"`
+	SslArgsMap   *ebpf.Map `ebpf:"ssl_args_map"`
+	SslConnMap   *ebpf.Map `ebpf:"ssl_conn_map"`
+	TcStats      *ebpf.Map `ebpf:"tc_stats"`
 }

 func (m *Ja4TcMaps) Close() error {
@ -171,7 +175,9 @@ func (m *Ja4TcMaps) Close() error {
 		m.SslBuf,
 		m.TlsBuf,
 		m.AcceptMap,
+		m.AllowedPorts,
 		m.FdConnMap,
+		m.IgnoredSrc,
 		m.PbAccept,
 		m.PbHttpPlain,
 		m.PbSslData,