Merge pull request #2 from sagarbhure/dev

LGTM

Author: sagarbhure

ebpfshield.c

@@ -0,0 +1,82 @@
+#include <linux/sched.h>
+#include <linux/socket.h>
+#include <linux/net.h>
+#include <linux/file.h>
+#include <net/sock.h>
+#include <uapi/linux/in.h>
+
+BPF_PERF_OUTPUT(events);
+
+struct netevent_t {
+    u32 pid;
+    u64 ts;
+    char comm[TASK_COMM_LEN];
+    int fd;
+    int uid;
+    unsigned short port;
+    unsigned int address;
+    int inet_family;
+};
+
+extern struct socket *sockfd_lookup(int fd, int *err);
+extern unsigned long __fdget(unsigned int fd);
+extern unsigned long __fdget_raw(unsigned int fd);
+
+
+int probe_connect_enter (struct pt_regs *ctx, int sockfd, struct sockaddr* addr, int addrlen) {
+    struct sockaddr_in* poop = (struct sockaddr_in*) addr;
+    if (poop->sin_family != AF_INET) {
+        return 0;
+    }
+
+    //__fdget_raw(sockfd);
+    //struct socket* test = sockfd_lookup(sockfd, NULL);
+    struct netevent_t netevent = {};
+    netevent.pid = bpf_get_current_pid_tgid();
+    netevent.ts  = bpf_ktime_get_ns();
+    //netevent.fd  = sk->__sk_common.skc_family;
+    netevent.uid = bpf_get_current_uid_gid();
+    netevent.port = poop->sin_port;
+    netevent.address = poop->sin_addr.s_addr;
+    bpf_get_current_comm(&netevent.comm, sizeof(netevent.comm));
+    events.perf_submit(ctx, &netevent, sizeof(netevent));
+
+    return 0;
+}
+
+int tcp_v4 (struct pt_regs *ctx, struct sock *sk, struct sockaddr *uaddr, int addr_len) {
+    struct sockaddr_in* poop = (struct sockaddr_in*) uaddr;
+    if (poop->sin_family != AF_INET) {
+        return 0;
+    }
+
+    struct netevent_t netevent = {};
+    netevent.pid = bpf_get_current_pid_tgid();
+    netevent.ts  = bpf_ktime_get_ns();
+    netevent.fd  = sk->__sk_common.skc_family;
+    netevent.uid = bpf_get_current_uid_gid();
+    netevent.port = poop->sin_port;
+    netevent.address = poop->sin_addr.s_addr;
+    bpf_get_current_comm(&netevent.comm, sizeof(netevent.comm));
+    events.perf_submit(ctx, &netevent, sizeof(netevent));
+
+    return 0;
+}
+
+int udp_v4 (struct pt_regs *ctx, struct sock *sk, struct msghdr *msg, size_t len) {
+    struct netevent_t netevent = {};
+    sk = (struct sock *)PT_REGS_PARM1(ctx);
+
+    netevent.pid = bpf_get_current_pid_tgid();
+    netevent.ts  = bpf_ktime_get_ns();
+    netevent.fd  = sk->__sk_common.skc_family;
+    netevent.uid = bpf_get_current_uid_gid();
+    netevent.port = 0x35;//poop->sin_port;
+    netevent.address = 0;//poop->sin_addr.s_addr;
+    strcpy(netevent.comm, "sagar");
+//    bpf_get_current_comm(&netevent.comm, sizeof(netevent.comm));
+    events.perf_submit(ctx, &netevent, sizeof(netevent));
+
+    return 0;
+}
+

ebpfshield/__init__.py

@@ -0,0 +1,37 @@
+
+from functools import reduce
+
+class TaggedIpList:
+    def __init__(self, tag, handle):
+        self.addresses = []
+        self.tag = tag
+        for line in handle:
+            line = line.strip()
+
+            if line and line[0] == "#":
+                continue
+
+            self.addresses.append(self.ip2int(line))
+
+        self.addresses = sorted(self.addresses)
+
+    def check_membership(self, ip_address):
+        ip_address = self.ip2int(ip_address)
+
+        low = 0
+        high = len(self.addresses)-1
+
+        while high >= low:
+            midpoint = (low + high)//2
+            if self.addresses[midpoint] == ip_address:
+                return True
+            elif self.addresses[midpoint] > ip_address:
+                high = midpoint-1
+            elif self.addresses[midpoint] < ip_address:
+                low = midpoint+1
+
+        return False
+
+    def ip2int(self, ip):
+        return reduce(lambda out, x: (out << 8) + int(x), ip.split('.'), 0)
+

ebpfshield/__pycache__/__init__.cpython-38.pyc

@@ -0,0 +1,3 @@
+# IP Feeds
+
+By default this is empty. Add new feeds by running `./update_feeds.sh` in the root directory of this project.