eBPF
Collection of BPF programs for Linux.
Host Isolation
Programs
- KprobeConnectHook hooks into tcp_v4_connect and adds destination IP to allowlist if PID is allowed
- TcFilter attaches to network interface and filters packets based on allowed IPs
Demo
- UpdateIPsDemo Userspace tool for updating IP and subnet allowlist
- UpdatePidsDemo Userspace tool for updating PID allowlist
- KprobeConnectHookDemo Loader for KprobeConnectHook eBPF program
- TcLoaderDemo Loader for TcFilter eBPF program, attaches to ens33 interface by default
Run the demos
- Follow the build section to build the project so that you have the
build/folder - Run
cd build/target/ebpf - Run
sudo ../../non-GPL/TcLoader/TcLoaderDemo- packet filter is now attached to ens33 - Run
sudo ../../non-GPL/HostIsolation/KprobeConnectHook/KprobeConnectHookDemo- connect hook is attached - Run
firefoxin another tab - verify that all internet access is blocked - Run
pgrep firefoxto get the PID of the browser - Run
sudo ../../non-GPL/HostIsolationMapsUtil/UpdatePidsDemo <firefox PID> - Verify that firefox connects to any page
- Quit KprobeConnectHook with Ctrl+C and run
sudo ../../non-GPL/TcLoader/TcLoaderDemo unloadto detach both eBPF programs
Tests (BPF_PROG_TEST_RUN)
BPFTcFilterTests
BPFTcFilterTests test suite for the TcFilter.bpf.o program
Usage
cd build/target/ebpf
sudo ../test/BPFTcFilterTestsOr if you want to use a custom path for the eBPF object file.
sudo ELASTIC_EBPF_TC_FILTER_OBJ_PATH=build/target/ebpf/TcFilter.bpf.o build/target/test/BPFTcFilterTestsBuild dependencies
Some distros might not have bmake or an older CMake, compiling them from source is usually a good alternative.
bmake is the NetBSD make tool and it's used to build elftoolchain's libelf, the BSD Licensed ELF library we use as alternative to the GNU/Linux licensed elfutils's libelf.
Ubuntu/Debian
apt install clang llvm cmake bmake zlib1g-dev m4 gcc g++ libc6-dev-i386CentOS/Fedora/AL2
yum install gcc g++ clang llvm zlib-devel m4 bmake
Build
The build is a pretty standard CMake project.
mkdir build
cd build
cmake ..
make
Besides the usual CMake variables, you can set the following variables which are specific to this project.
| Variable | Description |
|---|---|
| -DTARGET_DIR | Directory to use to store the compiled targets |
| -DLIBBPF_CONTRIB | Alternative directory to use for libbpf sources instead of the bundled one |
target
├── ebpf
│ ├── KprobeConnectHook.bpf.o
│ └── TcFilter.bpf.o
├── include
│ ├── Common.h
│ ├── KprobeLoader.h
│ ├── TcLoader.h
│ └── UpdateMaps.h
├── libeBPF.a
└── test
└── BPFTcFilterTests
Directory layout:
contrib/external dependencies, librariescontrib/elftoolchainrepo: github.com/elftoolchain/elftoolchain@11d16eabcontrib/kernel_hdrsheaders with eBPF definitions, copied 1:1 from kernel sourcescontrib/libbpfrepo: github.com/libbpf/[email protected]contrib/googletestrepo: github.com/google/googletest@955c7f83
GPLeBPF programs which are GPL licensednon-GPLtools, utilities with Elastic non-GPL license
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent