Small demo to show the power of eBPF

Netcat eBPF Demo

This is a demo program showcasing a simple eBPF application.

Explanation

This demo shows how simple it is to do content-based redirection in eBPF, that is, directly in the kernel.

For this demo, two eBPF programs will be used:

  • one SOCKOPS program, that gets called each time a TCP event happens; this is used to intercept new connections and collect them in a map
  • one SK_SKB verdict program, that analyzes the content of the packets and redirects them to the appropriate socket

The setup is simple: there are two "stable" sockets, one connected to port 4444 and one to port 5555.

Each time a new connection is made on port 3333, the packets of that connection are checked:

  • if the message starts with 'a', it will be redirected to the socket on port 4444
  • if the message starts with 'b', it will be redirected to the socket on port 5555
  • otherwise it will not be redirected and it will be sent to the socket on port 3333

All the redirecting is done entirely in the kernel; the userspace program just creates the "stable" connections and keeps them alive.
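
The routing rule above, sketched as an SK_SKB verdict program. This is an added example, not the code in this repository: the map name stable_socks, the slot numbers, the function names and the local-port check are assumptions made for illustration.

```c
/* Added sketch, not the repository's source. Names and slots are assumed. */
enum { SLOT_4444 = 0, SLOT_5555 = 1, NO_REDIRECT = -1 };

/* Choose a sockmap slot from the first payload byte. The explicit bounds
 * check is what lets the BPF verifier accept the packet read. */
static inline int pick_slot(const unsigned char *data, const unsigned char *end)
{
    if (data + 1 > end)              /* no readable byte: do not redirect */
        return NO_REDIRECT;
    switch (data[0]) {
    case 'a': return SLOT_4444;
    case 'b': return SLOT_5555;
    default:  return NO_REDIRECT;
    }
}

#ifdef __bpf__                       /* kernel side: clang -target bpf */
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

/* Assumed layout: slots 0 and 1 hold the two "stable" sockets, higher slots
 * hold the connections collected by the SOCKOPS program. The verdict
 * program is attached to this map, so it runs on ingress for all of them. */
struct {
    __uint(type, BPF_MAP_TYPE_SOCKMAP);
    __uint(max_entries, 16);
    __type(key, __u32);
    __type(value, __u64);
} stable_socks SEC(".maps");

SEC("sk_skb/stream_verdict")
int verdict(struct __sk_buff *skb)
{
    int slot;

    /* local_port is in host byte order; only port-3333 traffic is routed. */
    if (skb->local_port != 3333)
        return SK_PASS;
    slot = pick_slot((void *)(long)skb->data, (void *)(long)skb->data_end);
    if (slot == NO_REDIRECT)
        return SK_PASS;              /* deliver to the port-3333 socket */
    /* flags = 0 sends the data out through the chosen socket (egress). */
    return bpf_sk_redirect_map(skb, &stable_socks, slot, 0);
}

char LICENSE[] SEC("license") = "GPL";
#endif
```

The pick_slot function also compiles as ordinary C, so the routing decision can be unit-tested in userspace before the program is loaded.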

Installing

To clone it, run:

git clone https://git.abbiamoundominio.org/palo/Netcat-eBPF-Demo --recurse-submodules

This command also pulls in the liblog library as a submodule.

Other dependencies are:

  • libbpf
  • bpftool
  • clang+llvm

Just to be sure, on an up-to-date (kernel 5.18 or newer) Debian/Ubuntu-based machine, run:

sudo apt install bpftool libbpf-dev netcat clang llvm libelf-dev gcc-multilib build-essential linux-headers-$(uname -r) linux-tools-common linux-tools-generic

To compile, just run:

sudo make -j

This will create a .output directory with all the intermediary files and the main executable, netcat_ebpf_demo.

Demo Commands

Open a terminal and listen with netcat on port 4444:

nc -lvp 4444

Then do the same for port 5555:

nc -lvp 5555

And for port 3333:

nc -lvp 3333

Now, open a fourth terminal and start the program:

sudo ./netcat_ebpf_demo

This will open connections to both port 4444 and port 5555.

On a fifth (and final) terminal, connect to port 3333:

nc 127.0.0.1 3333

In this terminal, try sending some messages: if the message starts with 'a', it will appear on the terminal listening on port 4444; if it starts with 'b', it will appear on the one listening on port 5555; otherwise it will go to the one on port 3333.