-
-
Notifications
You must be signed in to change notification settings - Fork 25
/
Copy pathmain.bpf.c
58 lines (47 loc) · 1.8 KB
/
main.bpf.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>
#include <bpf/bpf_endian.h>
#include "common.h"
#define ETH_P_IP 0x0800 /* Internet Protocol packet */ // ipv4
#define ETH_HLEN 14 /* Total octets in header. */
unsigned long long load_byte(void *skb,
unsigned long long off) asm("llvm.bpf.load.byte");
unsigned long long load_half(void *skb,
unsigned long long off) asm("llvm.bpf.load.half");
unsigned long long load_word(void *skb,
unsigned long long off) asm("llvm.bpf.load.word");
/* BPF ringbuf map */
struct {
__uint(type, BPF_MAP_TYPE_RINGBUF);
__uint(max_entries, 16 * 1024 /* 16 KB */);
} events SEC(".maps");
SEC("socket")
int socket__filter_icmp(struct __sk_buff *skb)
{
// Skip non-IP packets
if (load_half(skb, offsetof(struct ethhdr, h_proto)) != ETH_P_IP)
return 0;
// Skip non-ICMP packets
if (load_byte(skb, ETH_HLEN + offsetof(struct iphdr, protocol)) != IPPROTO_ICMP)
return 0;
u32 src_addr = load_word(skb, ETH_HLEN + offsetof(struct iphdr, saddr));
u32 dst_addr = load_word(skb, ETH_HLEN + offsetof(struct iphdr, daddr));
u8 type = load_byte(skb, ETH_HLEN + sizeof(struct iphdr) + offsetof(struct icmphdr, type));
u8 code = load_byte(skb, ETH_HLEN + sizeof(struct iphdr) + offsetof(struct icmphdr, code));
struct event_t *event;
event = bpf_ringbuf_reserve(&events, sizeof(*event), 0);
if (!event) {
return 0;
}
event->src_addr = bpf_ntohl(src_addr);
event->dst_addr = bpf_ntohl(dst_addr);
event->type = type;
event->code = code;
char fmt[] = "ICMP packet: %pI4 -> %pI4 %d";
bpf_trace_printk(fmt, sizeof(fmt), &event->src_addr, &event->dst_addr, event->type);
bpf_ringbuf_submit(event, 0);
return 0;
}
char _license[] SEC("license") = "GPL";