# Netcat eBPF Demo

This is a demo program showcasing a simple eBPF application.

## Explanation

This demo shows how simple it is to do content-based redirection in eBPF (that is, directly in the kernel).

For this demo, two eBPF programs will be used:

+ one SOCKOPS program, which gets called each time a TCP event happens; this is used to intercept new connections and collect them in a map
+ one SK_SKB verdict program, which analyzes the content of the packets and redirects them to the appropriate socket

The setup is simple: there are two "stable" sockets, one to port 4444 and one to port 5555.

Each time a new connection is made on port 3333, the packets of that connection are checked:

+ if the message starts with 'a', it will be redirected on the socket to port 4444
+ if the message starts with 'b', it will be redirected on the socket to port 5555
+ otherwise it will not be redirected and it will be sent to the socket on port 3333

All the redirecting is done entirely in the kernel; the userspace program just creates the "stable" connections and keeps them alive.

## Installing

To clone it, do

```bash
git clone https://git.abbiamoundominio.org/palo/Netcat-eBPF-Demo --recurse-submodules
```

This command will also include the library [liblog](https://github.com/rxi/log.c).

Other dependencies are:

+ libbpf
+ bpftool
+ clang+llvm

Just to be sure, on an (up-to-date, so at least kernel 5.18+) Debian/Ubuntu based machine do

```bash
sudo apt install bpftool libbpf-dev netcat clang llvm libelf-dev gcc-multilib build-essential linux-headers-$(uname -r) linux-tools-common linux-tools-generic
```

To compile, just

```bash
sudo make -j
```

This will create a .output directory with all the intermediary files and the main executable, ``netcat_ebpf_demo``.

## Demo Commands

Open a terminal and listen with netcat on port 4444:

```bash
nc -lvp 4444
```

Then do the same for port 5555:

```bash
nc -lvp 5555
```

And for port 3333:

```bash
nc -lvp 3333
```

Now, open a fourth terminal and start the program:

```bash
sudo ./netcat_ebpf_demo
```

This will open connections to both port 4444 and 5555.

On a fifth (and final) terminal connect to port 3333:

```bash
nc 127.0.0.1 3333
```

In this terminal, try sending some messages: if the message starts with 'a', it will appear on the terminal with socket 4444; if it starts with 'b', the same but on 5555; otherwise it will go to 3333.
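
A sketch of the SK_SKB verdict logic described in the Explanation section, as an added example and not the repository's own source. The map name `stable_socks`, the slot numbers and the helper `classify_first_byte` are assumptions made for illustration; the sockmap is assumed to be filled by the userspace program with the two "stable" sockets.

```c
/* Added example; names and map layout are assumptions, not the demo's code. */
#define REDIR_NONE (-1)   /* leave the data on the port-3333 socket */
#define IDX_4444   0      /* assumed sockmap slot of the socket to 4444 */
#define IDX_5555   1      /* assumed sockmap slot of the socket to 5555 */

/* Pick a sockmap slot from the first payload byte. The explicit bounds
 * check covers empty payloads and is what lets the in-kernel verifier
 * accept the read of data[0]. */
static inline __attribute__((always_inline))
int classify_first_byte(const unsigned char *data, const unsigned char *data_end)
{
    if (data + 1 > data_end)
        return REDIR_NONE;
    switch (data[0]) {
    case 'a': return IDX_4444;
    case 'b': return IDX_5555;
    default:  return REDIR_NONE;
    }
}

#ifdef __bpf__   /* defined by clang only when compiling for the BPF target */
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

struct {
    __uint(type, BPF_MAP_TYPE_SOCKMAP);
    __uint(max_entries, 2);
    __type(key, __u32);
    __type(value, __u64);
} stable_socks SEC(".maps");   /* hypothetical name; filled from userspace */

SEC("sk_skb/stream_verdict")
int verdict(struct __sk_buff *skb)
{
    const unsigned char *data = (const unsigned char *)(long)skb->data;
    const unsigned char *end  = (const unsigned char *)(long)skb->data_end;
    int idx = classify_first_byte(data, end);

    if (idx == REDIR_NONE)
        return SK_PASS;            /* deliver to the original socket */
    /* flags = 0: queue the data on the target socket's egress (send) path */
    return bpf_sk_redirect_map(skb, &stable_socks, idx, 0);
}

char LICENSE[] SEC("license") = "GPL";
#endif
```

The decision is made per buffer handed to the verdict program, so on a TCP stream "message" here means whatever chunk the kernel delivers, not an application-level record.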