Linux Application Level Firewall based on eBPF and NFQUEUE.

Overview

eBPFSnitch

eBPFSnitch is a Linux Application Level Firewall based on eBPF and NFQUEUE. It is inspired by OpenSnitch and Douane, but uses modern kernel abstractions and does not require a kernel module.

The eBPFSnitch daemon is implemented in C++ 20. The control interface is implemented in Python 3 utilizing Qt5.


Disclaimer

This is an experimental project. The security of this application has not been audited by a 3rd party, or even myself. There are likely mechanisms by which it could be bypassed. Currently the daemon control socket is unauthenticated, and an attacker could impersonate the user interface to self authorize.

Features

eBPFSnitch supports filtering all outgoing IPv4 based protocols (TCP / UDP / ICMP / etc.). Filtering for IPv6 and for incoming connections should be supported in the near future.

A core goal of this project is to integrate well with containerized applications. If an application is running in a container, that container can be controlled independently of the base system or other containers.

Additionally, rules can target specific system users. Blanket permissions for every instance of Firefox for every user are not required.

Daemon Configuration

eBPFSnitch is configured via command line arguments. The available arguments can be listed with --help:

eBPFSnitch Allowed options:
  -h [ --help ]         produce help message
  -v [ --version ]      print version
  --remove-rules        remove iptables rules
  --group arg           group name for control socket
  --rules-path arg      file to load / store firewall rules

Control socket authorization

The control interface and daemon communicate over a Unix socket. By default the socket can be accessed by any system user. It is recommended to associate a specific group with the socket to limit access, for example --group='wheel'.

Firewall rule persistence

Firewall rules that are marked as persistent are stored on the filesystem in a JSON encoding. By default the file rules.json is stored in the current working directory. To specify a custom path use the --rules-path option.

System requirements

eBPFSnitch currently requires a recent kernel. The minimum supported version is Linux 5.8. This required version may be lowered in the future.

How firewall rules operate

Each rule is comprised of a set of clauses and a verdict. Each clause matches a property of a packet against a value. If every clause in a rule matches, then the packet matches the rule and the verdict for that rule is used (allow / deny).

Rules are sorted by a configured priority. Each rule is tried in turn until a match is found and a verdict can be determined. If no rule matches a packet, the daemon sends a query to the interface, which then displays a dialog asking whether to create a new rule matching that packet.

By default rules are not persisted to disk, so they are lost when the daemon restarts. If you check the persistent box in the dialog, the new rule is saved to disk and is active again when the daemon is restarted.
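The following is an added example that models the evaluation described above (clauses, priority ordering, first match wins, and the "no match, ask the interface" fallback). It is not eBPFSnitch's own rule_engine.cpp; the packet property names, the priority direction and the sample rule set are assumptions for illustration.

```cpp
#include <algorithm>
#include <map>
#include <optional>
#include <string>
#include <vector>

enum class Verdict { Allow, Deny };

// A packet as the daemon might present it to the rule engine: a set of named
// properties (assumed names, e.g. "executable", "destination_address").
using Packet = std::map<std::string, std::string>;

struct Rule {
    int priority;                               // lower value is tried first (assumption)
    std::map<std::string, std::string> clauses; // property -> required value
    Verdict verdict;
};

// A rule matches only if every clause matches the packet's property value.
bool rule_matches(const Rule &rule, const Packet &packet) {
    for (const auto &[property, value] : rule.clauses) {
        auto it = packet.find(property);
        if (it == packet.end() || it->second != value) return false;
    }
    return true;
}

// Try rules in priority order; the first match decides. No match yields
// nullopt, which is the point where the daemon would query the UI for a rule.
std::optional<Verdict> evaluate(std::vector<Rule> rules, const Packet &packet) {
    std::stable_sort(rules.begin(), rules.end(),
        [](const Rule &a, const Rule &b) { return a.priority < b.priority; });
    for (const Rule &rule : rules)
        if (rule_matches(rule, packet)) return rule.verdict;
    return std::nullopt;
}

// Constructed sample rule set: deny one destination for Firefox (higher
// priority), allow Firefox in general; any other program matches nothing.
std::vector<Rule> sample_rules() {
    return {
        {10, {{"executable", "/usr/bin/firefox"}, {"destination_address", "203.0.113.7"}}, Verdict::Deny},
        {20, {{"executable", "/usr/bin/firefox"}}, Verdict::Allow},
    };
}

Packet make_packet(const std::string &exe, const std::string &dst) {
    return {{"executable", exe}, {"destination_address", dst}};
}
```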

Dependencies

C++: pthread, libbpf, netfilter_queue, spdlog, fmt, nfnetlink, boost, libmnl

Python: PyQT5

Compilation and quick start instructions

Installing dependencies on Arch

sudo pacman -S clang cmake bpf libnetfilter_queue spdlog boost libmnl \
    nlohmann-json python3 python-pyqt5 

Installing dependencies on Ubuntu 20.10 (minimum version)

sudo apt-get install cmake clang libboost-all-dev libspdlog-dev \
    libnetfilter-queue-dev libmnl-dev linux-tools-common nlohmann-json3-dev \
    libbpf-dev linux-tools-generic python3 python3-pyqt5

Setting up the daemon

From the eBPFSnitch repository directory:

mkdir build
cd build
cmake ..
make
sudo ./ebpfsnitch

Starting the GUI

From the eBPFSnitch repository directory:

cd ui
python3 main.py

Comments
  • Errors building on Ubuntu 20.10

    I'm trying to build from source on Ubuntu 20.10 and am running into some issues. conntrack-tools doesn't seem to be an installable package:

    [email protected]:/ebpfsnitch/build# apt install conntrack-tools
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    E: Unable to locate package conntrack-tools
    

    I left out this package and proceeded trying to build, but partway through I see a lot of errors related to Boost, e.g.

    [ 25%] Building CXX object CMakeFiles/ebpfsnitchd.dir/rule_engine.cpp.o
    In file included from /ebpfsnitch/rule_engine.cpp:4:
    In file included from /usr/include/boost/bimap.hpp:13:
    In file included from /usr/include/boost/bimap/bimap.hpp:61:
    /usr/include/boost/bimap/detail/bimap_core.hpp:408:35: error: no member named 'rebind' in 'std::allocator<void>'
                BOOST_NESTED_TEMPLATE rebind<relation>::other
    

    The full build log is here.

    Thanks in advance for any help resolving this!

    opened by mrgnr 3
  • Compilation error with libnetfilter-queue on Fedora 33

    Hi,

    I tried to build ebpfsnitch on Fedora 33 (with all updates installed). Unfortunately the build process fails with error: use of undeclared identifier 'nfq_nlmsg_put' and error: use of undeclared identifier 'NFQA_CFG_F_GSO'; did you mean 'NFQA_CFG_FLAGS'?

    Is there any hint to make it work?

    System info:

    OS: Fedora 33
    Kernel: 5.11.16-200.fc33.x86_64
    BPF Support: Yes

    Kernel BPF Flags
    CONFIG_CGROUP_BPF=y
    CONFIG_BPF=y
    CONFIG_BPF_LSM=y
    CONFIG_BPF_SYSCALL=y
    CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
    CONFIG_BPF_JIT_ALWAYS_ON=y
    CONFIG_BPF_JIT_DEFAULT_ON=y
    CONFIG_BPF_PRELOAD=y
    CONFIG_BPF_PRELOAD_UMD=m
    CONFIG_IPV6_SEG6_BPF=y
    CONFIG_NETFILTER_XT_MATCH_BPF=m
    CONFIG_NET_CLS_BPF=m
    CONFIG_NET_ACT_BPF=m
    CONFIG_BPF_JIT=y
    CONFIG_BPF_STREAM_PARSER=y
    CONFIG_LWTUNNEL_BPF=y
    CONFIG_HAVE_EBPF_JIT=y
    CONFIG_BPF_LIRC_MODE2=y
    CONFIG_BPF_EVENTS=y
    

    I've attached build log below.

    Build Log
    λ  ebpfsnitch main ✓ mkdir build
    λ  ebpfsnitch main ✓ cd build
    λ  ebpfsnitch/build main ✓ cmake ..
    -- The C compiler identification is Clang 11.0.0
    -- The CXX compiler identification is Clang 11.0.0
    -- Detecting C compiler ABI info
    -- Detecting C compiler ABI info - done
    -- Check for working C compiler: /usr/bin/clang - skipped
    -- Detecting C compile features
    -- Detecting C compile features - done
    -- Detecting CXX compiler ABI info
    -- Detecting CXX compiler ABI info - done
    -- Check for working CXX compiler: /usr/bin/clang++ - skipped
    -- Detecting CXX compile features
    -- Detecting CXX compile features - done
    -- Found Boost: /usr/include (found version "1.73.0") found components: container system program_options 
    -- Configuring done
    -- Generating done
    -- Build files have been written to: /home/user/ebpfsnitch/build
    λ  ebpfsnitch/build main ✓ make
    [  4%] Generating vmlinux.h
    Scanning dependencies of target probes
    [  9%] Building C object CMakeFiles/probes.dir/probes.c.o
    [  9%] Built target probes
    [ 14%] Generating probes_compiled.h
    Scanning dependencies of target libebpfsnitchd
    [ 19%] Building CXX object CMakeFiles/libebpfsnitchd.dir/ebpfsnitch_daemon.cpp.o
    [ 23%] Building CXX object CMakeFiles/libebpfsnitchd.dir/rule_engine.cpp.o
    [ 28%] Building CXX object CMakeFiles/libebpfsnitchd.dir/misc.cpp.o
    [ 33%] Building CXX object CMakeFiles/libebpfsnitchd.dir/bpf_wrapper.cpp.o
    [ 38%] Building CXX object CMakeFiles/libebpfsnitchd.dir/nfq_wrapper.cpp.o
    /home/user/ebpfsnitch/nfq_wrapper.cpp:28:33: error: use of undeclared identifier 'nfq_nlmsg_put'
        struct nlmsghdr *l_header = nfq_nlmsg_put(
                                    ^
    /home/user/ebpfsnitch/nfq_wrapper.cpp:48:16: error: use of undeclared identifier 'nfq_nlmsg_put'
        l_header = nfq_nlmsg_put(m_buffer.data(), NFQNL_MSG_CONFIG, p_queue_index);
                   ^
    /home/user/ebpfsnitch/nfq_wrapper.cpp:56:54: error: use of undeclared identifier 'NFQA_CFG_F_GSO'; did you mean 'NFQA_CFG_FLAGS'?
        mnl_attr_put_u32(l_header, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_GSO));
                                                         ^~~~~~~~~~~~~~
                                                         NFQA_CFG_FLAGS
    /usr/include/libnetfilter_queue/linux_nfnetlink_queue.h:91:2: note: 'NFQA_CFG_FLAGS' declared here
            NFQA_CFG_FLAGS,                 /* value of these flags (__u32) */
            ^
    /home/user/ebpfsnitch/nfq_wrapper.cpp:57:53: error: use of undeclared identifier 'NFQA_CFG_F_GSO'; did you mean 'NFQA_CFG_FLAGS'?
        mnl_attr_put_u32(l_header, NFQA_CFG_MASK, htonl(NFQA_CFG_F_GSO));
                                                        ^~~~~~~~~~~~~~
                                                        NFQA_CFG_FLAGS
    /usr/include/libnetfilter_queue/linux_nfnetlink_queue.h:91:2: note: 'NFQA_CFG_FLAGS' declared here
            NFQA_CFG_FLAGS,                 /* value of these flags (__u32) */
            ^
    /home/user/ebpfsnitch/nfq_wrapper.cpp:150:39: error: use of undeclared identifier 'nfq_nlmsg_put'
        struct nlmsghdr *const l_header = nfq_nlmsg_put(
                                          ^
    5 errors generated.
    make[2]: *** [CMakeFiles/libebpfsnitchd.dir/build.make:138: CMakeFiles/libebpfsnitchd.dir/nfq_wrapper.cpp.o] Error 1
    make[1]: *** [CMakeFiles/Makefile2:157: CMakeFiles/libebpfsnitchd.dir/all] Error 2
    make: *** [Makefile:160: all] Error 2
    λ  ebpfsnitch/build main ✓ uname -r
    5.11.16-200.fc33.x86_64
    λ  ebpfsnitch main ✓ sudo dnf install libnetfilter_queue-devel       
    Last metadata expiration check: 2:36:30 ago on Thu 20 May 2021 15:59:00 +06.
    Package libnetfilter_queue-devel-1.0.2-16.fc33.x86_64 is already installed.
    Dependencies resolved.
    Nothing to do.
    Complete!
    λ  ebpfsnitch main ✓ 
    
    opened by moldabekov 2
  • Arch Linux also requires package libbpf

    In README.md, the line sudo pacman -S clang cmake bpf libnetfilter_queue spdlog boost libmnl \ nlohmann-json python3 python-pyqt5 should be changed to include libbpf.

    opened by 9p4 1
  • compilation error where `cf-protection=return` isn't available

    i suspect it has to do with my CPU (AMD Ryzen 5 5600X).

    error: option 'cf-protection=return' cannot be specified on this target
    error: option 'cf-protection=branch' cannot be specified on this target
    

    my knowledge of llvm is very little ~so i don't know how much of a deal-breaker removing this is, but it compiles nevertheless~ disregard, i tried it, it seems to work fine.

    bonus: not worth including this in a separate ticket, but on arch linux you need to add vim to the dependencies since apparently xxd is included there – my excuse for not having vim installed is that i use neovim which apparently doesn't ship xxd.

    opened by myyc 3
Releases: 0.3.0

Owner: Harpo Roeder