diff --git a/netfilter-bpf/README.md b/netfilter-bpf/README.md new file mode 100644 index 00000000..76f96964 --- /dev/null +++ b/netfilter-bpf/README.md @@ -0,0 +1,48 @@ +# Introduction + +BPF_PROG_TYPE_NETFILTER was introduced in 6.4, now with a new kernel, a bpf program could attach to netfilter hooks and handles package in a similiar way as iptables/nftables. By now, 6.5.0, there is no bpf kfunc implemented yet for DNAT/SNAT, and the only thing a bpf program can do is to decide whether to DROP the package or not. + +* netfilter_ip4_blocklist.c/netfilter_ip4_blocklist.bpf.c + +This sample code implements a simple ipv4 blacklist. +The bpf program drops package if destination ip address hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE, +The userspace code would load the bpf program, attach it to netfilter's FORWARD/OUTPUT hook, and then write ip patterns into the bpf map. + + +# Build + +The sample code use several types newly introduced in kernel, and also use the "vmlinux.h" generated by libbpf. +The easiest way to compile is to take advantage of the structure in samples/bpf from kernel tree: just copy *.c files to samples/bpf, and make following changes to the Makefile + +``` +diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile +index 4ccf4236031c..24941d8f1775 100644 +--- a/samples/bpf/Makefile ++++ b/samples/bpf/Makefile +@@ -46,6 +46,7 @@ tprogs-y += xdp_fwd + tprogs-y += task_fd_query + tprogs-y += ibumad + tprogs-y += hbm ++tprogs-y += netfilter_ip4_blocklist + + # Libbpf dependencies + LIBBPF_SRC = $(TOOLS_PATH)/lib/bpf +@@ -96,6 +97,7 @@ xdp_fwd-objs := xdp_fwd_user.o + task_fd_query-objs := task_fd_query_user.o $(TRACE_HELPERS) + ibumad-objs := ibumad_user.o + hbm-objs := hbm.o $(CGROUP_HELPERS) ++netfilter_ip4_blocklist-objs := netfilter_ip4_blocklist.o + + xdp_router_ipv4-objs := xdp_router_ipv4_user.o $(XDP_SAMPLE) + +@@ -149,6 +151,7 @@ always-y += task_fd_query_kern.o + always-y += ibumad_kern.o + always-y += hbm_out_kern.o + always-y += hbm_edt_kern.o ++always-y += netfilter_ip4_blocklist.bpf.o + + ifeq ($(ARCH), arm) + # Strip all except -D__LINUX_ARM_ARCH__ option needed to handle linux +``` + +And then run `make` in samples/bpf diff --git a/netfilter-bpf/netfilter_ip4_blocklist.bpf.c b/netfilter-bpf/netfilter_ip4_blocklist.bpf.c new file mode 100644 index 00000000..d315d64f --- /dev/null +++ b/netfilter-bpf/netfilter_ip4_blocklist.bpf.c @@ -0,0 +1,62 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include "vmlinux.h" +#include + + +#define NF_DROP 0 +#define NF_ACCEPT 1 + +int bpf_dynptr_from_skb(struct sk_buff *skb, + __u64 flags, struct bpf_dynptr *ptr__uninit) __ksym; +void *bpf_dynptr_slice(const struct bpf_dynptr *ptr, + uint32_t offset, void *buffer, uint32_t buffer__sz) __ksym; + + +struct ipv4_lpm_key { + __u32 prefixlen; + __u32 data; +}; + +struct { + __uint(type, BPF_MAP_TYPE_LPM_TRIE); + __type(key, struct ipv4_lpm_key); + __type(value, __u32); + __uint(map_flags, BPF_F_NO_PREALLOC); + __uint(max_entries, 200); +} ipv4_lpm_map SEC(".maps"); + + +SEC("netfilter") +int netfilter_ip4block(struct bpf_nf_ctx *ctx) +{ + struct sk_buff *skb = ctx->skb; + struct bpf_dynptr ptr; + struct iphdr *p, iph = {}; + struct ipv4_lpm_key key; + __u32 *pvalue; + + if (skb->len <= 20 || bpf_dynptr_from_skb(skb, 0, &ptr)) + return NF_ACCEPT; + p = bpf_dynptr_slice(&ptr, 0, &iph, sizeof(iph)); + if (!p) + return NF_ACCEPT; + + /* ip4 only */ + if (p->version != 4) + return NF_ACCEPT; + + /* search p->daddr in trie */ + key.prefixlen = 32; + key.data = p->daddr; + pvalue = bpf_map_lookup_elem(&ipv4_lpm_map, &key); + if (pvalue) { + /* cat /sys/kernel/debug/tracing/trace_pipe */ + bpf_printk("rule matched with %d...\n", *pvalue); + return NF_DROP; + } + return NF_ACCEPT; +} + +char _license[] SEC("license") = "GPL"; + diff --git a/netfilter-bpf/netfilter_ip4_blocklist.c b/netfilter-bpf/netfilter_ip4_blocklist.c new file mode 100644 index 00000000..167783d0 --- /dev/null +++ b/netfilter-bpf/netfilter_ip4_blocklist.c @@ -0,0 +1,96 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include +#include +#include +#include +#include +#include + + +static inline int sys_bpf(enum bpf_cmd cmd, union bpf_attr *attr, unsigned int size) +{ + return syscall(__NR_bpf, cmd, attr, size); +} +struct ipv4_lpm_key { + __u32 prefixlen; + __u32 data; +}; + +int main(int argc, char **argv) +{ + int prog_fd, map_fd; + int err; + struct bpf_object *obj; + struct bpf_program *prog; + union bpf_attr attr = { }; + + obj = bpf_object__open_file("./netfilter_ip4_blocklist.bpf.o", NULL); + if (libbpf_get_error(obj)) { + printf("fail to open bpf file\n"); + return 1; + } + prog = bpf_object__find_program_by_name(obj, "netfilter_ip4block"); + if (!prog) { + printf("fail to find bpf program\n"); + return 1; + } + bpf_program__set_type(prog, BPF_PROG_TYPE_NETFILTER); + if (bpf_object__load(obj)) { + printf("loading BPF object file failed\n"); + return 1; + } + map_fd = bpf_object__find_map_fd_by_name(obj, "ipv4_lpm_map"); + if (map_fd < 0) { + printf("Fail to locate trie ipv4_lpm_map\n"); + return 1; + } + /* attach to netfilter forward handler */ + prog_fd = bpf_program__fd(prog); + attr.link_create.prog_fd = prog_fd; + attr.link_create.attach_type = BPF_NETFILTER; + attr.link_create.netfilter.pf = NFPROTO_IPV4; + attr.link_create.netfilter.hooknum = NF_INET_FORWARD; + attr.link_create.netfilter.priority = -128; + err = sys_bpf(BPF_LINK_CREATE, &attr, sizeof(attr)); + if (err < 0) { + perror("Fail to link bpf program to netfilter forward hook\n"); + return 1; + } + /* attach to netfilter output handler */ + attr.link_create.netfilter.hooknum = NF_INET_LOCAL_OUT; + err = sys_bpf(BPF_LINK_CREATE, &attr, sizeof(attr)); + if (err < 0) { + perror("Fail to link bpf program to netfilter output hook\n"); + return 1; + } + printf("bpf program/map loaded....\n"); + /* add rules */ + { + struct ipv4_lpm_key key; + __u32 value = 0; + __u8 *p = (__u8 *) &key.data; + /* block 192.168.11.107/32 */ + key.prefixlen = 27; + /* same as key.data = 0x6B0BA8C0; on a little-endian machine */ + p[0] = 192; + p[1] = 168; + p[2] = 11; + p[3] = 107; + bpf_map_update_elem(map_fd, &key, &value, BPF_ANY); + /* block 192.168.11.107/24 */ + key.prefixlen = 24; + value++; + bpf_map_update_elem(map_fd, &key, &value, BPF_ANY); + /* block 192.168.11.107/27 */ + key.prefixlen = 32; + value++; + bpf_map_update_elem(map_fd, &key, &value, BPF_ANY); + /* remove rule */ + /* bpf_map_delete_elem(map_fd, &key); */ + printf("rules inserted, ready to work\n"); + } + while (1) + sleep(600); + return 0; +}