ebpf: add filter by maps on example filter
authorEric Leblond <eric@regit.org>
Thu, 29 Nov 2018 17:18:52 +0000 (18:18 +0100)
committerVictor Julien <victor@inliniac.net>
Tue, 18 Jun 2019 05:07:01 +0000 (07:07 +0200)
ebpf/filter.c
src/util-ebpf.c

index 4fe95d4fb0059a2ac9cf3ea5a080d20c8e19669d..fcd29e5b3d22cac8fe80e6b6edce72c2feaf8f13 100644 (file)
 
 #include "bpf_helpers.h"
 
+#define DEBUG 0
+
 #define LINUX_VERSION_CODE 263682
 
+struct bpf_map_def SEC("maps") ipv4_drop = {
+    .type = BPF_MAP_TYPE_HASH,
+    .key_size = sizeof(__u32),
+    .value_size = sizeof(__u32),
+    .max_entries = 32768,
+};
+
 int SEC("filter") hashfilter(struct __sk_buff *skb) {
     __u32 nhoff = BPF_LL_OFF + ETH_HLEN;
+    __u32 ip = 0;
+    __u32 *value;
+
+    ip = load_word(skb, nhoff + offsetof(struct iphdr, saddr));
+    value = bpf_map_lookup_elem(&ipv4_drop, &ip);
+    if (value) {
+#if DEBUG
+        char fmt[] = "Found value for saddr: %u\n";
+        bpf_trace_printk(fmt, sizeof(fmt), value);
+#endif
+        __sync_fetch_and_add(value, 1);
+        return 0;
+    }
 
-    skb->cb[0] = nhoff;
-    switch (skb->protocol) {
-        case __constant_htons(ETH_P_IP):
-            return -1;
-        case __constant_htons(ETH_P_IPV6):
-            return 0;
-        default:
-#if 0
-            {
-                char fmt[] = "Got proto %u\n";
-                bpf_trace_printk(fmt, sizeof(fmt), h_proto);
-                break;
-            }
-#else
-            break;
+    ip = load_word(skb, nhoff + offsetof(struct iphdr, daddr));
+    value = bpf_map_lookup_elem(&ipv4_drop, &ip);
+    if (value) {
+#if DEBUG
+        char fmt[] = "Found value for daddr: %u\n";
+        bpf_trace_printk(fmt, sizeof(fmt), value);
 #endif
+        __sync_fetch_and_add(value, 1);
+        return 0;
     }
+
+#if DEBUG
+    char fmt[] = "Nothing so ok\n";
+    bpf_trace_printk(fmt, sizeof(fmt));
+#endif
     return -1;
 }
 
-
 char __license[] SEC("license") = "GPL";
 
 __u32 __version SEC("version") = LINUX_VERSION_CODE;
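Review bot: The reads `load_word(skb, nhoff + offsetof(struct iphdr, saddr))` and the matching `daddr` read now run for every frame, but nothing in the new body checks that the frame carries IPv4; the removed `switch (skb->protocol)` was the only place that did. On an IPv6 or other non-IP frame the key is whatever four bytes sit at the IPv4 address offset, so a map entry can match unrelated traffic, and on a frame too short for those offsets the LD_ABS load aborts the program, which in a socket filter appears to yield return value 0 — the drop verdict this filter uses at `return 0;` — so short non-IP frames would presumably be dropped rather than passed. I'd guard before the first load: `if (skb->protocol != __constant_htons(ETH_P_IP)) return -1;`. Separately, the DEBUG-only `bpf_trace_printk(fmt, sizeof(fmt), value)` passes a pointer to a `%u` conversion; it should be `*value` (or `ip`) so the trace is meaningful when DEBUG is turned on. Since `load_word` returns the address converted to host byte order, whatever populates `ipv4_drop` from userspace must insert keys in that same order — worth a comment on the map definition such as `/* key: IPv4 address in host byte order (as returned by load_word) */`.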
index ed574e8f12192d97b2df6e46973e4680435b5193..e752b94dce0415f5914a5ba527d6f94328e8e7af 100644 (file)
@@ -276,6 +276,7 @@ int EBPFLoadFile(const char *iface, const char *path, const char * section,
             return -1;
         }
         /* TODO pin */
+        /* sudo mount bpf -t bpf /sys/fs/bpf/ */
         SCLogNotice("Pinning: %d to %s", bpf_map_data->array[bpf_map_data->last].fd,
                     bpf_map_data->array[bpf_map_data->last].name);
         char buf[1024];
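Review bot: The added `/* sudo mount bpf -t bpf /sys/fs/bpf/ */` is a bare shell command with no statement of why it is there, so a reader cannot tell whether it is a prerequisite, a reminder, or a leftover. The log line that follows pins the map, which presumably fails when the bpf filesystem is not mounted, so I'd reword it as `/* Pinning needs the bpf filesystem mounted: mount -t bpf bpf /sys/fs/bpf */` and, rather than relying on the comment, report a failed pin to the operator at runtime. EBPFLoadFile starts before this hunk and continues past it.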