#include <uapi/linux/bpf.h> |
|
#include <linux/socket.h> |
|
#include <linux/net.h> |
|
#include <uapi/linux/in.h> |
|
#include <uapi/linux/in6.h> |
|
#include <bpf/bpf_helpers.h> |
|
|
|
/*
 * cgroup socket program: trace every socket that reaches this hook, then
 * refuse raw ICMPv6 sockets (the classic ping6 socket).
 *
 * Return value as used here: 0 blocks the socket, 1 lets it through.
 *
 * Policy scope, for anyone adapting this filter:
 *  - Only the exact (PF_INET6, SOCK_RAW, IPPROTO_ICMPV6) triple is refused.
 *    A ping6 built on ICMP datagram sockets (SOCK_DGRAM) does not match
 *    this condition and is not stopped by it.
 *  - uid/gid are traced but never consulted, so the verdict is identical
 *    for every user whose sockets reach this program.
 *  - NOTE(review): which cgroup and attach type this runs under is decided
 *    by the loader, which is not part of this file.
 */
SEC("cgroup/sock1")
int bpf_prog1(struct bpf_sock *sk)
{
	char sock_fmt[] = "socket: family %d type %d protocol %d\n";
	char cred_fmt[] = "socket: uid %u gid %u\n";
	/* Helper result carries the gid in the upper 32 bits, uid in the lower. */
	__u64 ids = bpf_get_current_uid_gid();
	__u32 uid = ids & 0xffffffff;
	__u32 gid = ids >> 32;
	int refuse;

	/*
	 * bpf_trace_printk() is a debugging aid that writes to the kernel
	 * trace buffer; it fires for allowed and refused sockets alike and
	 * should not be treated as an audit trail.
	 */
	bpf_trace_printk(sock_fmt, sizeof(sock_fmt),
			 sk->family, sk->type, sk->protocol);
	bpf_trace_printk(cred_fmt, sizeof(cred_fmt), uid, gid);

	/* All three fields must match for the socket to be refused. */
	refuse = sk->family == PF_INET6 &&
		 sk->type == SOCK_RAW &&
		 sk->protocol == IPPROTO_ICMPV6;

	return refuse ? 0 : 1;
}
/*
 * cgroup socket program: trace every socket that reaches this hook, then
 * refuse raw ICMPv4 sockets (the classic ping socket).
 *
 * Return value as used here: 0 blocks the socket, 1 lets it through.
 *
 * Policy scope, for anyone adapting this filter:
 *  - Only the exact (PF_INET, SOCK_RAW, IPPROTO_ICMP) triple is refused.
 *    A ping built on ICMP datagram sockets (SOCK_DGRAM) does not match
 *    this condition and is not stopped by it.
 *  - No caller identity is examined, so the verdict is identical for every
 *    task whose sockets reach this program.
 *  - NOTE(review): which cgroup and attach type this runs under is decided
 *    by the loader, which is not part of this file.
 */
SEC("cgroup/sock2")
int bpf_prog2(struct bpf_sock *sk)
{
	char sock_fmt[] = "socket: family %d type %d protocol %d\n";
	int refuse;

	/*
	 * bpf_trace_printk() is a debugging aid that writes to the kernel
	 * trace buffer; it fires for allowed and refused sockets alike and
	 * should not be treated as an audit trail.
	 */
	bpf_trace_printk(sock_fmt, sizeof(sock_fmt),
			 sk->family, sk->type, sk->protocol);

	/* All three fields must match for the socket to be refused. */
	refuse = sk->family == PF_INET &&
		 sk->type == SOCK_RAW &&
		 sk->protocol == IPPROTO_ICMP;

	return refuse ? 0 : 1;
}
/*
 * License string placed in the object's "license" section. The kernel
 * reads it at program load; GPL-only helpers such as bpf_trace_printk(),
 * which both programs in this file call, are refused for programs that
 * do not declare a GPL-compatible license.
 */
char _license[] SEC("license") = "GPL";