eBPF, .NET 5, and the Mystery of IPv4 Disguised as IPv6
2025-05-09
This post details a debugging odyssey involving eBPF, .NET 5's DualMode sockets, and IPv4 masquerading as IPv6. The author used an eBPF program to redirect DNS requests on port 53, but encountered unexpected behavior with .NET 5 applications. .NET 5's SocketsHttpHandler uses DualMode sockets, sending IPv4 traffic over an IPv6 socket using IPv4-mapped IPv6 addresses. This tricked the eBPF program into blocking the IPv4 traffic as IPv6. The solution involved checking `skb->protocol` instead of `skb->family` to differentiate between true IPv6 and IPv4-mapped IPv6 addresses.
Read more
Development