Application-level Firewalling with eBPF Alexander Kurtz September - - PowerPoint PPT Presentation



SLIDE 1

Application-level Firewalling with eBPF

Alexander Kurtz September 18, 2017

SLIDE 2

Problem statement

◮ Server applications generally bind(2) to the wildcard address
◮ Most don’t actually need all packets from everywhere

but

◮ Firewalling is a system-wide and root-only operation
◮ No plugin mechanism to install application-specific rules
◮ Even if there were one, we would still need root privileges

SLIDE 3

Motivation

What if we could install firewalling rules onto an application socket?

◮ Application developers could ship default rules with their program
◮ Users would have a generic way to control the network exposure of their applications
◮ Everything would be nicely isolated, no need for complex, system-wide rules

SLIDE 4

Solution (1/3): eBPF

◮ eBPF is a general purpose VM in the Linux kernel
◮ eBPF bytecode can be attached to a socket to filter incoming packets
◮ communication with user-space and local state possible with eBPF maps
◮ arbitrary code execution in kernel-space, yet secure™
◮ many other applications, e.g. tracing, load-balancing, . . .

SLIDE 5

Solution (2/3): bcc

◮ eBPF is byte code (although very high level)
◮ eBPF maps are file descriptors
◮ byte code needs to embed the value of these file descriptors
◮ did I mention you’ll have to write assembly?

bcc:

◮ LLVM/clang has a backend for eBPF
◮ bcc makes this available as an easy-to-use library

SLIDE 6

Solution (3/3): systemd socket activation

Old inetd-style socket activation:

◮ inetd calls bind(), listen(), and accept()
◮ the connection socket gets passed to the application as stdin/stdout
◮ nice and simple, but also not very fast

New systemd-style socket activation

◮ systemd calls bind() and listen()
◮ the listening socket gets passed to the application as FD 3
◮ still have dynamic server startup, but no performance penalty

SLIDE 7

Summary

1. Write an eBPF filter in C
2. Create a server socket (or take the server socket from systemd)
3. Load and attach the filter to the socket with bcc
4. Pass the socket to the application via systemd socket activation
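The four steps above, and the eBPF, bcc and socket-activation slides before them, put together in one script. This is an added example and not code from the talk; it assumes bcc's Python bindings (`BPF`, `load_func`, `BPF.SOCKET_FILTER`, the `fd` of a loaded function and the `b["map"]` table interface), a kernel with socket-filter program support and the privileges to load programs, the constants `SO_ATTACH_BPF == 50` (asm-generic/socket.h) and `SKF_NET_OFF == -0x100000` (linux/filter.h), and the `sd_listen_fds(3)` contract (`LISTEN_PID`, `LISTEN_FDS`, first descriptor is 3). The filter itself is a plain source-address allow-list fed from user space through an eBPF map, not the port-knocking demo from slide 9.

```python
"""
Attach an eBPF source-address allow-list to a listening socket with bcc,
then hand the socket to the application the way systemd would (fd 3).

Assumptions (not from the talk): bcc Python API, SO_ATTACH_BPF == 50,
SKF_NET_OFF == -0x100000, sd_listen_fds(3) environment contract.
"""
import os
import socket
import struct
import sys

SO_ATTACH_BPF = 50          # asm-generic/socket.h; assumption: not exported by Python's socket module
SD_LISTEN_FDS_START = 3     # sd_listen_fds(3): first passed descriptor

# Step 1: the eBPF socket filter, written in bcc's restricted C.
# A socket filter attached to an AF_INET socket sees the transport header at
# offset 0; the IPv4 header is reached through the negative SKF_NET_OFF window.
# Return 0 to drop the packet, a positive length to pass it.
BPF_SOURCE = r"""
#define SKF_NET_OFF (-0x100000)   /* linux/filter.h: start of the network header */

/* Allowed IPv4 sources (as the u32 load_word() yields), filled from user space. */
BPF_HASH(allowed_src, u32, u8);

int sock_allowlist(struct __sk_buff *skb) {
    u32 src = load_word(skb, SKF_NET_OFF + 12);   /* bytes 12..15: source address */
    u8 *hit = allowed_src.lookup(&src);
    if (hit) {
        return 0xFFFF;   /* forward to the application */
    }
    return 0;            /* drop */
}
"""


def ip_key(dotted):
    """Dotted-quad IPv4 -> the u32 that load_word() returns for those 4 bytes."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def systemd_listen_fds(environ=None, pid=None):
    """Descriptors systemd passed to this process per sd_listen_fds(3), or []."""
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    if environ.get("LISTEN_PID") != str(pid):   # not meant for us (or not activated)
        return []
    n = int(environ.get("LISTEN_FDS", "0"))
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + n))


def listening_socket(port, environ=None, pid=None):
    """Step 2: take the socket from systemd, else bind() and listen() ourselves."""
    fds = systemd_listen_fds(environ, pid)
    if fds:
        return socket.socket(fileno=fds[0])
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("0.0.0.0", port))   # wildcard address, as in the problem statement
    s.listen(16)
    return s


def attach_allowlist(sock, allowed):
    """Step 3: compile with bcc, fill the map, attach the program to the socket."""
    from bcc import BPF   # imported here so the pure-Python helpers work without bcc
    b = BPF(text=BPF_SOURCE)
    fn = b.load_func("sock_allowlist", BPF.SOCKET_FILTER)
    table = b["allowed_src"]
    for ip in allowed:
        table[table.Key(ip_key(ip))] = table.Leaf(1)
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_BPF, fn.fd)
    return b


def exec_with_socket(argv, sock):
    """Step 4: exec the application with the socket as fd 3, systemd-style."""
    os.dup2(sock.fileno(), SD_LISTEN_FDS_START)
    os.set_inheritable(SD_LISTEN_FDS_START, True)
    # execve keeps our pid, so LISTEN_PID is the pid the application will see.
    env = dict(os.environ, LISTEN_PID=str(os.getpid()), LISTEN_FDS="1")
    os.execvpe(argv[0], argv, env)


if __name__ == "__main__":
    # Usage: sudo python3 wrapper.py <application> [args...]
    listener = listening_socket(8080)
    attach_allowlist(listener, ["127.0.0.1", "10.0.0.1"])   # constructed sample allow-list
    exec_with_socket(sys.argv[1:], listener)
```

The filter belongs to the socket, not to the wrapper process: the kernel holds its own reference to the attached program, so the bcc object going away at execve does not detach it, and the unprivileged application inherits an already-filtered listener. For TCP the filter runs on the listening socket for every incoming SYN, and sockets returned by accept() are cloned with the same filter, so the allow-list covers the whole connection rather than only the handshake.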
SLIDE 8

Overview

Figure 1: Overview. Packets from the Internet pass a network-level firewall (TCP/UDP ports), a system-level firewall on the host, and finally a per-application application-level firewall in front of each application. For that last layer, application-specific rules written in C are compiled to eBPF bytecode by LLVM/bcc and attached as a filter to the application socket in the kernel VM, where they either forward the packet to the application or drop it; systemd socket passing hands each filtered socket to its application.

SLIDE 9

Demo

A generic port-knocking filter

SLIDE 10

Questions

Questions?