Skip to content

kckeiks/pf-rs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

47 Commits
libpf-rs
libpf-rs
 
 
pf-rs
pf-rs
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
pf-rs.conf
pf-rs.conf
 
 
todo.txt
todo.txt
 
 

Repository files navigation

Warning: This project is currently in development.

pf-rs

pf-rs allows you to easily create and maintain packet filters. You can specify the criteria for your filter via filter rules, that use Layer 3 & 4 header information, and pf-rs will create an eBPF program and attach it to the XDP hook for fast packet filtering.

The syntax to specify the rules was inspired by OpenBSD's pf.

Example

Given the rule below, pf-rs will create a filter to block any IPv4 packet with source address 10.11.4.2 or 10.11.5.2 to the destination address 10.11.3.2.

blocklist = {  10.11.4.2 10.11.5.2 }

block from $blocklist to 10.11.3.2

libpf-rs

A Rust library for implementing eBPF-based packet filters. It provides an API for creating filter rules via a Builder and building and attaching a packet filter via a Filter.

This library uses libbpf and the rust bindings for it libbpf-sys. Integration with libbpf-rs is planned once the API stabilizes.

Example

Given the code below, libpf-rs will create an eBPF program that filters (blocks) incoming packets based on the given addresses and loads it on the device with index 4.

use libpf_rs::filter::Filter;
use libpf_rs::rule::Builder;

fn main() {
    let ifindex: i32 = 4;
    let addrs = [
        ("10.11.4.2", "10.11.3.2"),
        ("10.11.6.2", "10.11.3.2"),
        ("10.11.5.2", "10.11.2.2"),
        ("10.11.127.2", "100.11.2.2"),
        ("0:0:0:0:0:FFFF:204.152.189.116", "1:0:0:0:0:0:0:8"),
        ("0:0:0:0:0:FFFF:204.152.189.116", "1:0:0:0:0:0:0:8"),
    ];

    let mut filter = Filter::new();

    for (src, dst) in addrs.into_iter() {
        filter.add_rule(
            Builder::new()
                .block()
                .from_addr(src)
                .to_addr(dst)
                .build()
                .unwrap(),
        );
    }

    let _link = filter.load_on(ifindex);
    
    // load_on() returns bpf_link
    // eBPF program will be detached once link is dropped
    // please see libbpf's doc for more info
    loop {}
}

Feature Checklist

Some of these are WIP.

pf-rs

  • supports macros
  • supports lists
  • supports default actions (pass all and block all)
  • support nested lists
  • support macro in lists

libpf-rs

  • supports IPv4 and IPv6
  • supports default actions (pass all and block all)
  • supports quick option (stops rule processing and performs action on first match)
  • supports UDP
  • supports stateless TCP (only port information)
  • supports stateful inspections
  • supports HTTP
  • supports SSH

About

Packet filter written in Rust

Topics

rust networking ebpf xdp bpf packet-filter

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

7 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages