FireBall asked:
Netfilter BPF filter

Hello,

I want to know if there is a possible way to apply a BPF filter to drop packets on netfilter.

Thank you

/* __KERNEL__ and MODULE are defined by the kernel build system (Kbuild);
 * defining them by hand breaks header selection, so they are not set here. */
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/string.h>
#include <linux/netdevice.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/udp.h>

static struct nf_hook_ops netfilter_ops;
/* 93.187.205.115 stored in network byte order, so it compares directly with iph->saddr */
static const unsigned char ip_address[4] = "\x5D\xBB\xCD\x73";
static const char *interface = "p1p2";
/* UDP port 23 in network byte order, so it compares directly with udph->dest */
static const unsigned char port[2] = "\x00\x17";

/* Hook signature for 2.6.24 .. 3.12 kernels (the ones that name the hook
 * NF_INET_PRE_ROUTING): skb is passed as struct sk_buff *, not as
 * struct sk_buff **, and is never NULL. */
static unsigned int main_hook(unsigned int hooknum,
                              struct sk_buff *skb,
                              const struct net_device *in,
                              const struct net_device *out,
                              int (*okfn)(struct sk_buff *))
{
	struct iphdr *iph;
	__be32 saddr;

	/* Drop everything arriving on the named interface. `in` is set in
	 * PRE_ROUTING but is checked anyway so the hook is safe elsewhere. */
	if (in && strcmp(in->name, interface) == 0)
		return NF_DROP;

	iph = ip_hdr(skb);
	if (!iph)
		return NF_ACCEPT;

	/* Drop packets from the configured source address. memcpy avoids an
	 * unaligned/aliasing cast of the byte array. */
	memcpy(&saddr, ip_address, sizeof(saddr));
	if (iph->saddr == saddr)
		return NF_DROP;

	/* UDP destination-port drop, disabled in the original post. If enabled,
	 * skb_header_pointer() copies the header out even when the skb is
	 * non-linear, so the cast of sock_buff->data is not needed.
	struct udphdr _udph, *udph;
	__be16 dport;
	if (iph->protocol != IPPROTO_UDP)
		return NF_ACCEPT;
	udph = skb_header_pointer(skb, iph->ihl * 4, sizeof(_udph), &_udph);
	if (!udph)
		return NF_ACCEPT;
	memcpy(&dport, port, sizeof(dport));
	if (udph->dest == dport)
		return NF_DROP;
	*/

	return NF_ACCEPT;
}

static int __init netfilter_init(void)
{
	netfilter_ops.hook     = main_hook;
	netfilter_ops.pf       = PF_INET;
	netfilter_ops.hooknum  = NF_INET_PRE_ROUTING;
	netfilter_ops.priority = NF_IP_PRI_FIRST;
	/* propagate a registration failure instead of silently ignoring it */
	return nf_register_hook(&netfilter_ops);
}

static void __exit netfilter_exit(void)
{
	nf_unregister_hook(&netfilter_ops);
}

module_init(netfilter_init);
module_exit(netfilter_exit);
MODULE_LICENSE("GPL");


David Favor

Yes, well maybe.

If you're talking about porting BPF C code directly to Netfilter, you might search for a compatibility library.

Better to just rewrite the code to use Netfilter...

Or, more simply, use the iptables (old style) or nft (new style) Netfilter command line utilities.

https://netfilter.org/projects/nftables/ provides definitive docs.

Packet filtering can present complexities that are difficult to debug in C code.

If my project required C code, I'd first use iptables or nft to set up my rules + let them run for a while, to ensure my design was good.

Then convert my working rules to C code.
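As an added example (not from the thread and not either poster's code), here is the prototype-with-nft step applied to the module in the question: a script that emits an nftables ruleset implementing the module's three drop conditions, so the rules can be run and counted before anything is ported to C. The interface name, source address and UDP port come from the module's constants (the bytes 5D BB CD 73 are 93.187.205.115, and 00 17 is port 23); the table name `prefilter`, the chain name `prerouting` and the priority -300 are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): generate an nftables ruleset that
# implements the same three drop conditions as the kernel module above.
# Table and chain names are assumptions; the values come from the module.
set -eu

IFACE="p1p2"             # static char *interface = "p1p2"
SRC_IP="93.187.205.115"  # "\x5D\xBB\xCD\x73" as a dotted quad
UDP_PORT=23              # "\x00\x17" in network byte order is port 23

# write_ruleset OUTFILE: write the ruleset to OUTFILE for loading with
#   nft -f OUTFILE
# The add/delete pair makes the file idempotent: re-loading it replaces the
# table instead of appending duplicate rules.
write_ruleset() {
    out="$1"
    cat > "$out" <<EOF
#!/usr/sbin/nft -f
add table inet prefilter
delete table inet prefilter
table inet prefilter {
    chain prerouting {
        # prerouting at priority -300 (raw) runs before conntrack (-200), so
        # dropped packets never create conntrack entries. The module used
        # NF_INET_PRE_ROUTING with NF_IP_PRI_FIRST, which is earlier still.
        type filter hook prerouting priority -300; policy accept;

        # 1) strcmp(in->name, interface) == 0 -> NF_DROP
        iifname "$IFACE" counter drop

        # 2) iph->saddr == ip_address -> NF_DROP
        ip saddr $SRC_IP counter drop

        # 3) the commented-out block: UDP to the configured port -> NF_DROP
        udp dport $UDP_PORT counter drop
    }
}
EOF
}

# count_drop_rules FILE: number of drop rules in the generated file, a quick
# sanity check before loading it.
count_drop_rules() {
    grep -c ' counter drop$' "$1"
}

if [ $# -ge 1 ]; then
    write_ruleset "$1"
    echo "wrote $(count_drop_rules "$1") drop rules to $1; load with: nft -f $1"
fi
```

Run it as `sh gen-prefilter.sh /etc/nftables.d/prefilter.nft`, syntax-check the result with `nft -c -f /etc/nftables.d/prefilter.nft`, then load it with `nft -f`. The `counter` on each rule is what makes the prototype useful: `nft list table inet prefilter` shows how many packets each condition actually dropped, which is the evidence you want before committing the same logic to a kernel module.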
FireBall (ASKER)

iptables is causing latency on the netrecv module, while netfilter rules run before the iptables rules and do not cause any problem with xt_conntrack, nf_conntrack, etc. They also use less CPU under heavy traffic.
So is there any documentation for netfilter library rules?
Should I regex the packet and drop it depending on a search of the xx-yy byte range?
BTW, you have #include <linux/ip.h> twice, at lines 3 & 12.