Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/florianl/tc-skeleton
Simple project to demonstrate the loading of eBPF programs via florianl/go-tc.
ebpf kernel linux network-programming
- Host: GitHub
- URL: https://github.com/florianl/tc-skeleton
- Owner: florianl
- License: mit
- Created: 2020-12-07T20:12:52.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2024-04-06T07:29:19.000Z (9 months ago)
- Last Synced: 2024-06-20T08:09:13.880Z (6 months ago)
- Topics: ebpf, kernel, linux, network-programming
- Language: Go
- Homepage:
- Size: 19.5 KB
- Stars: 33
- Watchers: 5
- Forks: 6
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
tc-skeleton
===========

Simple project to demonstrate the loading of eBPF programs via [florianl/go-tc](https://github.com/florianl/go-tc).
```
$ cd ebpf
$ make clean
$ make drop
$ cd ..
$ go run main.go
```

Overview
--------
After the eBPF code is loaded from `ebpf/drop`, the eBPF program `ingress_drop` is loaded into the kernel. Next, this PoC creates a dummy interface, so it does not alter existing configurations or network interfaces. Then a [qdisc and filter](https://man7.org/linux/man-pages/man8/tc.8.html) are attached to this dummy interface via the [netlink interface](https://man7.org/linux/man-pages/man7/netlink.7.html) of the kernel. The file descriptor of the eBPF program `ingress_drop` is passed to the kernel as an argument of the filter. Once the filter is attached to the interface, the eBPF program `ingress_drop` runs on every packet on the interface.

Privileges
----------
This PoC uses the [`netlink`](https://man7.org/linux/man-pages/man7/netlink.7.html) and [`eBPF`](https://man7.org/linux/man-pages/man2/bpf.2.html) interfaces of the kernel and therefore requires special privileges. You can provide these privileges by adjusting the `CAP_NET_ADMIN` capability.
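
A pre-flight check for the privilege requirement above, written as an added example and not taken from the tc-skeleton repository: it reads the effective capability mask (`CapEff`) from `/proc/self/status` and fails early if `CAP_NET_ADMIN` is missing, so the process does not have to run as full root to find out. The function names and the sample status excerpts are constructed for this illustration.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

const (
	capNetAdmin = 12 // bit number of CAP_NET_ADMIN in linux/capability.h
	// Constructed /proc/<pid>/status excerpts (sample data, not captured output).
	sampleUnprivileged = "Name:\tdemo\nCapEff:\t0000000000000000\n"
	sampleNetAdmin     = "Name:\tdemo\nCapEff:\t0000000000001000\n"
)

// effectiveCaps extracts the CapEff hex bitmask from /proc/<pid>/status text.
func effectiveCaps(status string) (uint64, error) {
	for _, line := range strings.Split(status, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && f[0] == "CapEff:" {
			return strconv.ParseUint(f[1], 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapEff line in status text")
}

// checkNetAdmin returns nil only if CAP_NET_ADMIN is in the effective set.
func checkNetAdmin(status string) error {
	mask, err := effectiveCaps(status)
	if err != nil {
		return err
	}
	if mask&(1<<capNetAdmin) == 0 {
		return fmt.Errorf("CAP_NET_ADMIN not effective (CapEff=%#x)", mask)
	}
	return nil
}

func main() {
	raw, err := os.ReadFile("/proc/self/status")
	if err == nil {
		err = checkNetAdmin(string(raw))
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "preflight:", err)
		os.Exit(1)
	}
}
```

Calling a check like this before any netlink or eBPF setup turns a late permission error into a clear message that names the missing capability.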