bpf.go
package main
import (
"bytes"
"encoding/binary"
"errors"
"log"
"net"
"os"
"os/signal"
"syscall"
"github.com/alphadose/haxmap"
"github.com/cilium/ebpf/link"
"github.com/cilium/ebpf/ringbuf"
"github.com/cilium/ebpf/rlimit"
"github.com/miekg/dns"
)
// cache stores DNS messages captured by BpfReceiver, keyed by the name of
// the message's first question.
var cache = haxmap.New[string, *dns.Msg]()

// stopper receives the termination signals that BpfReceiver registers for.
var stopper = make(chan os.Signal, 1)

// startedBPF receives one value once BpfReceiver has attached the XDP
// program and is about to start reading events.
var startedBPF = make(chan bool, 1)
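// BpfReceiver attaches the DumpDnsPackets XDP program to the interface named
// by config.NIC, reads UDP payload events from the eBPF ring buffer, and
// stores every payload that parses as a DNS message in the package-level
// cache under the name of its first question. It blocks until SIGINT or
// SIGTERM arrives or the ring buffer reader is closed.
//
// Setup failures end the process through log.Fatal, which exits without
// running the deferred Close calls. Records that cannot be decoded are logged
// and skipped.
//
// NOTE(review): nothing in this function checks the response bit, the
// transaction ID or the packet's source before caching, so any payload that
// parses as DNS is stored under the name it claims. Whether the eBPF program
// filters more strictly is not visible here; consumers of cache should match
// entries against the query they actually sent.
func BpfReceiver(config *Config) {
	// Subscribe to signals for terminating the program.
	log.Println("Starting BpfReceiver")
	signal.Notify(stopper, os.Interrupt, syscall.SIGTERM)

	// Remove resource limits for kernels <5.11.
	if err := rlimit.RemoveMemlock(); err != nil {
		log.Fatal("Removing memlock:", err)
	}

	// Load the compiled eBPF ELF into the kernel.
	var objs pugdnsObjects
	if err := loadPugdnsObjects(&objs, nil); err != nil {
		log.Fatal("Loading eBPF objects:", err)
	}
	defer objs.Close()

	ifname := config.NIC
	iface, err := net.InterfaceByName(ifname)
	if err != nil {
		log.Fatalf("Getting interface %s: %s", ifname, err)
	}

	// Attach DumpDnsPackets to the network interface. The handle is named
	// xdpLink so it does not shadow the imported link package.
	xdpLink, err := link.AttachXDP(link.XDPOptions{
		Program:   objs.DumpDnsPackets,
		Interface: iface.Index,
		Flags:     link.XDPGenericMode,
	})
	if err != nil {
		log.Fatal("Attaching XDP:", err)
	}
	defer xdpLink.Close()

	// Open a ringbuf reader from userspace on the RINGBUF map described in
	// the eBPF C program.
	rd, err := ringbuf.NewReader(objs.Events)
	if err != nil {
		log.Fatalf("opening ringbuf reader: %s", err)
	}
	defer rd.Close()

	// rd.Read blocks, so a separate goroutine closes the reader on a signal;
	// the blocked Read then returns ringbuf.ErrClosed and the loop exits.
	go func() {
		<-stopper
		if err := rd.Close(); err != nil {
			log.Fatalf("closing ringbuf reader: %s", err)
		}
	}()

	log.Println("Waiting for events..")
	startedBPF <- true

	// Runs until a signal is received.
	for {
		select {
		case <-stopper:
			log.Println("Received signal, exiting..")
			return
		default:
			record, err := rd.Read()
			if err != nil {
				if errors.Is(err, ringbuf.ErrClosed) {
					log.Println("Received signal, exiting..")
					return
				}
				log.Printf("reading from reader: %s", err)
				continue
			}

			udpEvent := struct {
				SrcPort uint16
				DstPort uint16
				Length  uint16
				Data    [1500]byte
			}{}
			err = binary.Read(bytes.NewReader(record.RawSample), binary.LittleEndian, &udpEvent)
			if err != nil {
				log.Printf("reading from buffer: %s", err)
				continue
			}

			// Length is a 16-bit value taken from the event and may exceed
			// the fixed Data buffer; slicing past it would panic.
			if int(udpEvent.Length) > len(udpEvent.Data) {
				log.Printf("dropping event: length %d exceeds %d-byte buffer", udpEvent.Length, len(udpEvent.Data))
				continue
			}
			udpData := udpEvent.Data[:udpEvent.Length]

			// Parse the DNS packet.
			msg := new(dns.Msg)
			if err = msg.Unpack(udpData); err != nil {
				log.Printf("unpacking dns packet: %s", err)
				continue
			}

			// A message can unpack successfully with an empty question
			// section; indexing Question[0] on it would panic.
			if len(msg.Question) == 0 {
				log.Printf("dropping dns packet without question section")
				continue
			}
			cache.Set(msg.Question[0].Name, msg)
		}
	}
}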