|
7 | 7 | #include <bpf/bpf_helpers.h> |
8 | 8 | #include <bpf/bpf_core_read.h> |
9 | 9 | #include <bpf/bpf_tracing.h> |
| 10 | +#include <stdbool.h> |
10 | 11 |
|
11 | 12 | #define sk_family __sk_common.skc_family |
12 | 13 | #define EPERM 1 |
@@ -34,11 +35,11 @@ struct { |
34 | 35 | __type(key, u32); |
35 | 36 | __type(value, u64); |
36 | 37 | __uint(pinning, LIBBPF_PIN_BY_NAME); |
37 | | -} event_counter SEC(".maps"); |
| 38 | +} iptables_block_event_counter SEC(".maps"); |
38 | 39 |
|
39 | 40 | // This function checks if the parent process of the current task is allowed to install iptables rules. |
40 | 41 | // It checks the parent's command name against a predefined list of allowed prefixes. |
41 | | -int is_allowed_parent () |
| 42 | +bool is_allowed_parent () |
42 | 43 | { |
43 | 44 | struct task_struct *task = (struct task_struct *)bpf_get_current_task(); |
44 | 45 | struct task_struct *parent_task = NULL; |
@@ -80,7 +81,7 @@ int is_allowed_parent () |
80 | 81 | // check if the current task is in the host network namespace |
81 | 82 | // This function compares the inode number of the current network namespace with the host's network namespace inode |
82 | 83 | // The host's network namespace inode is initialized by userspace when the BPF program is loaded. |
83 | | -int is_host_ns() { |
| 84 | +bool is_host_ns() { |
84 | 85 | struct task_struct *task = (struct task_struct *)bpf_get_current_task(); |
85 | 86 | struct nsproxy *nsproxy; |
86 | 87 | struct net *net_ns; |
@@ -109,12 +110,12 @@ void increment_event_counter() { |
109 | 110 | u32 key = 0; |
110 | 111 | u64 *value; |
111 | 112 |
|
112 | | - value = bpf_map_lookup_elem(&event_counter, &key); |
| 113 | + value = bpf_map_lookup_elem(&iptables_block_event_counter, &key); |
113 | 114 | if (value) { |
114 | 115 | __sync_fetch_and_add(value, 1); |
115 | 116 | } else { |
116 | 117 | u64 initial_value = 1; |
117 | | - bpf_map_update_elem(&event_counter, &key, &initial_value, BPF_ANY); |
| 118 | + bpf_map_update_elem(&iptables_block_event_counter, &key, &initial_value, BPF_ANY); |
118 | 119 | } |
119 | 120 | } |
120 | 121 |
|
@@ -144,18 +145,18 @@ int BPF_PROG(iptables_legacy_block, struct socket *sock, int level, int optname) |
144 | 145 | // blocking hook for iptables-nftables rule installation |
145 | 146 | SEC("lsm/netlink_send") |
146 | 147 | int BPF_PROG(iptables_nftables_block, struct sock *sk, struct sk_buff *skb) { |
147 | | - __u16 family = 0, proto = 0; |
148 | | - if (sk != NULL) { |
149 | | - bpf_probe_read_kernel(&family, sizeof(family), &sk->sk_family); |
| 148 | + if (sk == NULL || skb == NULL) { |
| 149 | + return 0; |
150 | 150 | } |
| 151 | + __u16 family = 0, proto = 0; |
| 152 | + bpf_probe_read_kernel(&family, sizeof(family), &sk->sk_family); |
151 | 153 |
|
152 | 154 | // Check if the socket family is AF_NETLINK (just a sanity check) |
153 | 155 | if (family != AF_NETLINK) |
154 | 156 | return 0; |
155 | 157 |
|
156 | | - if (sk != NULL) { |
157 | | - bpf_probe_read_kernel(&proto, sizeof(proto), &sk->sk_protocol); |
158 | | - } |
| 158 | + bpf_probe_read_kernel(&proto, sizeof(proto), &sk->sk_protocol); |
| 159 | + |
159 | 160 |
|
160 | 161 | // Check if the protocol is NETLINK_NETFILTER |
161 | 162 | // This is the protocol used for netfilter messages |
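Review bot: Both `bpf_probe_read_kernel()` calls in `iptables_nftables_block` (new lines 152 and 158) discard their return value, so a failed read leaves `family` and `proto` at 0 and the `family != AF_NETLINK` check returns 0, which at `lsm/netlink_send` allows the send; the fail-open outcome of a read error is implicit rather than chosen, and the `sk == NULL || skb == NULL` guard on line 148 allows for the same reason. If allow-on-error is the intended policy, state it once above the reads, e.g. `// A failed kernel read or a missing sk/skb falls through to "allow" (return 0): this hook denies only on a positive match.`; otherwise check the result, e.g. `if (bpf_probe_read_kernel(&proto, sizeof(proto), &sk->sk_protocol) < 0) return -EPERM;` (EPERM is defined at the top of the file). Since `bpf_core_read.h` is already included, `family = BPF_CORE_READ(sk, sk_family);` would also keep the field access CO-RE-relocatable instead of relying on a raw pointer read. The function body continues past line 162, outside the hunk, so I cannot see how a match is finally denied. Separately, the new `bool is_allowed_parent ()` and `bool is_host_ns()` definitions in the earlier hunks should declare `(void)` so they are proper prototypes rather than old-style empty parameter lists.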
|