Skip to content
/ xdpdropper Public

WiP: A network packet dropper API implemented on top of eBPF XDP

License

MIT license
8 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

renanqts/xdpdropper

BranchesTags

Repository files navigation

XDPDropper

This is a small implementation of a dropper via eBPF XDP.
It provides a simple JSON API where an IP can be add/remove to be dropped,
meaning that all incoming packets in a certain interface with the source IP will be dropped.

What and Why eBPF XDP

XDP is a technology that allows to attach eBPF programs to low-level hooks, implemented by network device drivers in the Linux kernel, as well as generic hooks that run after the device driver.

XDP can be used to achieve high-performance packet processing in an eBPF architecture, in this case here, used to drop packets.
It can be very useful in case of DDoS attacks or others.

Configuration

This is a simple program, but some configuration is possible.
This is done via environment variables:

variable description type default required
XDPDROPPER_ADDRESS [address]:[port] of the HTTP API string 0.0.0.0:8080 no
XDPDROPPER_IFACE Name of the interface in which the packets should be dropped. The eBPF XDP program will be attached to this interface string yes
XDPDROPPER_LOGLEVEL Available log levels INFO, DEBUG string INFO yes

API

The current APIs available are:

context method content return code
/health GET NA 200
/metrics GET NA 200
/drop POST {"ip":"1.1.1.1"} 201
/drop DELETE {"ip":"1.1.1.1"} 204

Examples:

Dropping incoming packets with the source IP 1.1.1.1

curl -d '{"ip":"1.1.1.1"}' -H "Content-Type: application/json" http://localhost:8080/drop -v

To remove the IP from the list:

curl -d '{"ip":"1.1.1.1"}' -X DELETE -H "Content-Type: application/json" http://localhost:8080/drop -v

Local tests

For the time being, tests can be performed using vagrant VM.
For that, use:

vagrant up  # wait until is up and running
vagrant ssh # access the VM
sudo make test # to execute the tests

It also counts with a test via docker-compose.yml, it can be done:

docker-compose up

it must be performed inside the VM.

eBPF debug

In the case of BPF debug, use bpf_printk function. It is simmilar to Printf.
The output should show up at /sys/kernel/debug/tracing/trace_pipe.

sudo cat /sys/kernel/debug/tracing/trace_pipe

Reference

About

WiP: A network packet dropper API implemented on top of eBPF XDP

Resources

Readme

License

MIT license
Activity

Stars

8 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases 2

0.0.2 Latest
Aug 7, 2022
+ 1 release

Packages

No packages published

Contributors 2

  •  
  •  

Languages