eBPF Mystery: When is IPv4 not IPv4? When it's pretending to be IPv6

Published on: 2025-07-17 22:59:25

This adventure starts with a simple eBPF program to transparently redirect DNS requests on port 53 for a single program (or docker container). To do this I used BPF_CGROUP_INET4_CONNECT on a cgroup. That lets me inspect and redirect traffic when syscall.connect occurs from within the cgroup. Here is a simplified version 👇

```c
#include <linux/bpf.h>
#include <stdbool.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>

// struct redirect_result and the const_* values are defined elsewhere in the full program.

// Decide whether this connect() targets DNS (port 53) and, if so, point it at the proxy.
int handle_connect_redirect(struct bpf_sock_addr *ctx, __be32 original_ip,
                            bool is_connect4, struct redirect_result *result)
{
    __be32 new_ip = original_ip;
    __be16 new_port = ctx->user_port;
    bool did_redirect = false;

    if (ctx->user_port == bpf_htons(53)) {
        new_ip = const_mitm_proxy_address; // Our MITM DNS server we're using for intercept
        new_port = bpf_htons(const_dns_proxy_port);
        did_redirect = true;
    }

    result->is_redirected = did_redirect;
    result->ip = new_ip;
    result->port = new_port;
    return 1;
}

SEC("cgroup/connect4")
int connect4(struct bpf_sock_addr *ctx)
{
    struct redirect_result r = {
        .ip = ctx->user_ip4,
        .port = ctx->user_port,
        .is_redirected = false,
    };
    h ...
```
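The case in the title is an IPv4 destination written as an IPv4-mapped IPv6 address (`::ffff:a.b.c.d`) on an `AF_INET6` socket: the connect hook is selected by socket family, so a `connect4`-only program never inspects it. The block below is an added example, not code from the article: a userspace C model of the port-53 decision applied to both families. `union dst`, `make_dst`, `redirect_dns` and the proxy address and port are hypothetical names and placeholder values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static const unsigned char PROXY_IP4[4] = {127, 0, 0, 1}; /* hypothetical proxy */
#define PROXY_PORT 5353                                   /* hypothetical port */
union dst { struct sockaddr sa; struct sockaddr_in v4; struct sockaddr_in6 v6; };

/* Parse text into a connect() destination; the family follows the notation. */
static union dst make_dst(const char *ip, in_port_t port)
{
    union dst d;
    memset(&d, 0, sizeof d);
    if (inet_pton(AF_INET, ip, &d.v4.sin_addr) == 1) {
        d.v4.sin_family = AF_INET;
        d.v4.sin_port = htons(port);
    } else if (inet_pton(AF_INET6, ip, &d.v6.sin6_addr) == 1) {
        d.v6.sin6_family = AF_INET6;
        d.v6.sin6_port = htons(port);
    }
    return d;
}

/* Rewrite a port-53 destination to the proxy; *v4_mapped flags ::ffff:a.b.c.d. */
static bool redirect_dns(union dst *d, bool *v4_mapped)
{
    *v4_mapped = false;
    if (d->sa.sa_family == AF_INET) {            /* family a connect4 hook sees */
        if (d->v4.sin_port != htons(53)) return false;
        memcpy(&d->v4.sin_addr, PROXY_IP4, 4);
        d->v4.sin_port = htons(PROXY_PORT);
        return true;
    }
    if (d->sa.sa_family != AF_INET6) return false;
    *v4_mapped = IN6_IS_ADDR_V4MAPPED(&d->v6.sin6_addr);
    if (!*v4_mapped || d->v6.sin6_port != htons(53)) return false; /* native v6 kept */
    memcpy(&d->v6.sin6_addr.s6_addr[12], PROXY_IP4, 4); /* keep the ::ffff: prefix */
    d->v6.sin6_port = htons(PROXY_PORT);
    return true;
}

int main(void)
{
    bool mapped;
    union dst d = make_dst("::ffff:8.8.8.8", 53);  /* constructed sample input */
    bool hit = redirect_dns(&d, &mapped);
    printf("v4_mapped=%d redirected=%d\n", mapped, hit);
}
```

In an eBPF program the same check would sit in a `cgroup/connect6` handler reading `ctx->user_ip6`; native IPv6 destinations are deliberately left untouched in this model.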