Coder Social home page Coder Social logo

lvxiafei / iptables-trace Goto Github PK

View Code? Open in Web Editor NEW

This project forked from asphaltt/iptables-trace

0.0 0.0 0.0 759 KB

iptables-trace is an eBPF enhanced iptables-TRACE alternative iptables TRACE. GPL-3.0 license

License: GNU General Public License v3.0

C 99.47% Go 0.52% Makefile 0.01%

iptables-trace's Introduction

iptables-trace

iptables-trace is an eBPF enhanced iptables TRACE-alternative iptables TRACE.

Kernel

It requires 5.2+ kernel to run eBPF CO-RE.

Kernel module and kprobes and bpf progs

It's because eBPF is unable to modify skb->nf_trace and struct pt_regs. But kernel module has the ability.

In hence, it's to modify skb->nf_trace and struct pt_regs in kernel module, then run bpf progs in kernel module.

  1. Run the kprobe bpf prog on ipt_do_table/ip6t_do_table.
  2. skb->nf_trace = 1; to run nf_log_trace function later.
  3. Run the kprobe bpf prog on nf_log_trace.
  4. regs->si = 0; hijack and do not run the nf_log_trace() actually.
  5. Run the kretprobe bpf prog on ipt_do_table/ip6t_do_table.

Limit

Currently, it is only able to run on x86, not others like arm.

It's a little easy to update it to run on arm.

TODO

  • Run on arm64.

Build and run

# git clone https://github.com/Asphaltt/iptables-trace.git
# cd iptables-trace
# make
# ./iptables-trace -c 20
TIME       SKB                  NETWORK_NS   PID      CPU    INTERFACE          DEST_MAC           IP_LEN PKT_INFO                                               IPTABLES_INFO
[04:53:15] [0xffff8df402e052e8] [4026531840] 6888     3                         00:00:00:00:00:00  264    T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030         ipttrace=[pf=PF_INET in= out=enp0s8 table=filter chain=OUTPUT hook=3 rulenum=1]
[04:53:15] [0xffff8df402e052e8] [4026531840] 6888     3                         00:00:00:00:00:00  264    T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030         iptables=[pf=PF_INET table=filter hook=OUTPUT verdict=ACCEPT cost=77.425µs]
[04:53:15] [0xffff8df50291d200] [4026531840] 8432     1      enp0s8             08:00:27:39:de:94  52     T_PSH:192.168.1.12:53030->192.168.1.138:22             ipttrace=[pf=PF_INET in=enp0s8 out= table=filter chain=INPUT hook=1 rulenum=1]
[04:53:15] [0xffff8df50291d200] [4026531840] 8432     1      enp0s8             08:00:27:39:de:94  52     T_PSH:192.168.1.12:53030->192.168.1.138:22             iptables=[pf=PF_INET table=filter hook=INPUT verdict=ACCEPT cost=36.942µs]
[04:53:15] [0xffff8df402e050e8] [4026531840] 8432     1                         87:ab:0d:ea:d5:19  88     T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030         ipttrace=[pf=PF_INET in= out=enp0s8 table=filter chain=OUTPUT hook=3 rulenum=1]
[04:53:15] [0xffff8df402e050e8] [4026531840] 8432     1                         87:ab:0d:ea:d5:19  88     T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030         iptables=[pf=PF_INET table=filter hook=OUTPUT verdict=ACCEPT cost=40.266µs]
[04:53:15] [0xffff8df402e04ce8] [4026531840] 6888     3                         00:00:00:00:00:00  328    T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030         ipttrace=[pf=PF_INET in= out=enp0s8 table=filter chain=OUTPUT hook=3 rulenum=1]
[04:53:15] [0xffff8df402e04ce8] [4026531840] 6888     3                         00:00:00:00:00:00  328    T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030         iptables=[pf=PF_INET table=filter hook=OUTPUT verdict=ACCEPT cost=84.42µs]
[04:53:15] [0xffff8df50291db00] [4026531840] 8432     1      enp0s8             08:00:27:39:de:94  52     T_PSH:192.168.1.12:53030->192.168.1.138:22             ipttrace=[pf=PF_INET in=enp0s8 out= table=filter chain=INPUT hook=1 rulenum=1]
[04:53:15] [0xffff8df50291db00] [4026531840] 8432     1      enp0s8             08:00:27:39:de:94  52     T_PSH:192.168.1.12:53030->192.168.1.138:22             iptables=[pf=PF_INET table=filter hook=INPUT verdict=ACCEPT cost=38.611µs]
[04:53:15] [0xffff8df50291d000] [4026531840] 8432     1      enp0s8             08:00:27:39:de:94  52     T_PSH:192.168.1.12:53030->192.168.1.138:22             ipttrace=[pf=PF_INET in=enp0s8 out= table=filter chain=INPUT hook=1 rulenum=1]
[04:53:15] [0xffff8df50291d000] [4026531840] 8432     1      enp0s8             08:00:27:39:de:94  52     T_PSH:192.168.1.12:53030->192.168.1.138:22             iptables=[pf=PF_INET table=filter hook=INPUT verdict=ACCEPT cost=40.887µs]
[04:53:15] [0xffff8df50291d900] [4026531840] 8432     1      enp0s8             08:00:27:39:de:94  52     T_PSH:192.168.1.12:53030->192.168.1.138:22             ipttrace=[pf=PF_INET in=enp0s8 out= table=filter chain=INPUT hook=1 rulenum=1]
[04:53:15] [0xffff8df50291d900] [4026531840] 8432     1      enp0s8             08:00:27:39:de:94  52     T_PSH:192.168.1.12:53030->192.168.1.138:22             iptables=[pf=PF_INET table=filter hook=INPUT verdict=ACCEPT cost=48.685µs]
[04:53:15] [0xffff8df402e048e8] [4026531840] 6888     3                         00:00:00:00:00:00  328    T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030         ipttrace=[pf=PF_INET in= out=enp0s8 table=filter chain=OUTPUT hook=3 rulenum=1]
[04:53:15] [0xffff8df402e048e8] [4026531840] 6888     3                         00:00:00:00:00:00  328    T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030         iptables=[pf=PF_INET table=filter hook=OUTPUT verdict=ACCEPT cost=126.368µs]
[04:53:15] [0xffff8df50291df00] [4026531840] 8432     1      enp0s8             08:00:27:39:de:94  52     T_PSH:192.168.1.12:53030->192.168.1.138:22             ipttrace=[pf=PF_INET in=enp0s8 out= table=filter chain=INPUT hook=1 rulenum=1]
[04:53:15] [0xffff8df50291df00] [4026531840] 8432     1      enp0s8             08:00:27:39:de:94  52     T_PSH:192.168.1.12:53030->192.168.1.138:22             iptables=[pf=PF_INET table=filter hook=INPUT verdict=ACCEPT cost=38.087µs]
[04:53:15] [0xffff8df402e050e8] [4026531840] 6888     3                         87:ab:0d:ea:d5:19  1324   T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030         ipttrace=[pf=PF_INET in= out=enp0s8 table=filter chain=OUTPUT hook=3 rulenum=1]
[04:53:15] [0xffff8df402e050e8] [4026531840] 6888     3                         87:ab:0d:ea:d5:19  1324   T_ACK,PSH:192.168.1.138:22->192.168.1.12:53030         iptables=[pf=PF_INET table=filter hook=OUTPUT verdict=ACCEPT cost=40.68µs]

The rulenum in ipttrace is the rule number in iptables -nvL --line-numbers.

License

GPL-3.0 license.

iptables-trace's People

Contributors

asphaltt avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.