netmanager: rename, restructure, add macfilter, route optimization and documentation #878
Merged: chenamy2017 merged 16 commits into linuxkerneltravel:develop from zhangxianyu777:develop on Sep 6, 2024
Changes from 13 commits
Commits (16 in total):
479fc4d  fix the para of t and change the function of connect
7313b0f  Merge branch 'linuxkerneltravel:develop' into develop
0389df0  (zhangxianyu777) Merge branch 'linuxkerneltravel:develop' into develop
fd141ce  (zhangxianyu777) change the parm_in and add the output of match and add the document
f66d596  Merge branch 'linuxkerneltravel:develop' into develop
5c1182d  (zhangxianyu777) Merge branch 'linuxkerneltravel:develop' into develop
1c2644f  (zhangxianyu777) add the mac_filter and change the structure
27edf00  Merge branch 'develop' of github.com:zhangxianyu777/lmp into develop
551a07a  Update ebpf_net_manager.yml
acd65b5  (zhangxianyu777) test
d5d31f6  Merge branch 'develop' of github.com:zhangxianyu777/lmp into develop
ce2f969  test 1
efae589  test2
4ae31e9  delete the binary files
2d8a5fa  redis message and stat the key
c14ce7b  delete
Binary file removed (-544 Bytes): eBPF_Supermarket/Network_Subsystem/net_manager/bpf_use_errno_test.o
Binary file added (+38.1 KB): eBPF_Supermarket/Network_Subsystem/net_manager/common/common_params.o
Binary file added (+31.1 KB): eBPF_Supermarket/Network_Subsystem/net_manager/common/common_user_bpf_xdp.o
Review comment on this file: Do not commit binary files to the repository.
File renamed without changes.
eBPF_Supermarket/Network_Subsystem/net_manager/conf.d/mac_load.conf (3 changes: 3 additions & 0 deletions)
@@ -0,0 +1,3 @@ | ||
00:0c:29:57:00:4d 00:00:00:00:00:00 ALLOW | ||
00:0c:29:00:00:00 00:00:00:00:00:00 DENY | ||
00:00:00:00:00:00 00:00:00:00:00:00 ALLOW |
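Review bot: the first line of this sample rule file hard-codes a host-specific address (00:0c:29:57:00:4d) that only matches the author's own VMware guest, yet the file sits under conf.d/ and is the one named in the documented load command; label it as an example (in the file name or the accompanying document) so users replace that address rather than loading the author's rules as-is. Since rules are matched first-hit in file order, line 2 then denies every other 00:0c:29 (VMware) source while line 3 passes everything else, so this is a vendor-scoped denylist rather than an allowlist; one sentence stating that intent next to the file would prevent it being copied as a whitelist template.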
5 files renamed without changes.
Binary file added (+73.4 KB): eBPF_Supermarket/Network_Subsystem/net_manager/document/image/mac_filter1.png
Binary file added (+15.5 KB): eBPF_Supermarket/Network_Subsystem/net_manager/document/image/mac_filter2.png
Binary file added (+55.2 KB): eBPF_Supermarket/Network_Subsystem/net_manager/document/image/mac_filter3.png
Binary file added (+14.3 KB): eBPF_Supermarket/Network_Subsystem/net_manager/document/image/mac_filter4.png
10 files renamed without changes.
eBPF_Supermarket/Network_Subsystem/net_manager/document/mac_filter.md (116 changes: 116 additions & 0 deletions)
@@ -0,0 +1,116 @@ | ||
## MAC过滤 | ||
|
||
### 概述 | ||
|
||
本工具通过XDP技术,在内核层实现了高效的MAC地址过滤,专注于基于设备物理地址的流量控制。MAC地址过滤能够在网络层面上直接识别和控制特定设备的访问权限,无需依赖上层协议的验证机制。通过配置特定设备的MAC地址黑白名单,能够有效防止未经授权的设备接入网络,确保网络安全性。 | ||
|
||
其主要应用在于 | ||
|
||
1. **硬件级别过滤**: MAC地址是网络接口卡的唯一标识,不会像IP地址那样频繁变化,因此在底层网络设备上做过滤更有效。 | ||
2. **物理位置绑定**: 在局域网中,MAC地址通常和设备物理位置绑定,有助于对物理设备进行精确控制。 | ||
3. **隔离内外网**:通过限制外部设备基于MAC地址接入本地网络,可以强化内外网隔离的策略,从而间接提高内部网络的安全性。 | ||
|
||
MAC地址仅在局域网中有效,跨路由器的网络(如广域网)无法通过MAC地址进行过滤 | ||
|
||
### 实现 | ||
|
||
总体框架流程如下: | ||
|
||
![image-20240825133247633](./image/mac_filter1.png) | ||
|
||
具体匹配策略如下: | ||
|
||
```c | ||
int mac_match(__u8 *conn_mac, __u8 *rule_mac) { | ||
__u8 zero_mac[ETH_ALEN] = {0}; // 全零的MAC地址 | ||
|
||
// 如果rule_mac全为零,匹配所有MAC地址 | ||
if (bpf_memcmp(rule_mac, zero_mac, ETH_ALEN) == 0) { | ||
return 1; | ||
} | ||
|
||
// 如果rule_mac的后三个字节为零,且前三个字节与conn_mac相同 | ||
if (bpf_memcmp(&rule_mac[3], zero_mac, 3) == 0) { | ||
if (bpf_memcmp(conn_mac, rule_mac, 3) == 0) { | ||
return 1; // 匹配前三字节 | ||
} | ||
} | ||
|
||
// 检查规则MAC与连接MAC是否完全匹配 | ||
if (bpf_memcmp(rule_mac, conn_mac, ETH_ALEN) == 0) { | ||
return 1; // 完全匹配 | ||
} | ||
|
||
return 0; // 不匹配 | ||
} | ||
``` | ||
|
||
### 使用方法 | ||
|
||
本功能的使用命令为 | ||
|
||
```c | ||
sudo ./netmanager -d ens33 -S --progname=xdp_entry_mac -m conf.d/mac_load.conf -t | ||
``` | ||
|
||
之后可以使用xdp-loader查看挂载程序及卸载 | ||
|
||
在 ./conf.d 目录里有样例规则文件 mac_load.conf 代表条目名单。程序会按顺序逐行加载进BPF Map,同样,XDP程序执行时也会逐行匹配规则,所以写在前面的规则具有更高的优先级。每行规则的格式为: | ||
|
||
``` | ||
[SOURCE_MAC] [DEST_MAC] [ALLOW/DENY] | ||
``` | ||
|
||
其中分别为源MAC地址、目的MAC地址及条目策略。 | ||
|
||
需要注意,**XDP只对收包路径上的数据有效,因此此处的源为另一端,而目的为本机**。 | ||
|
||
**当某段字段为0时,代表不进行此处的过滤,为全部匹配**。 | ||
|
||
若要实现黑名单,根据匹配的优先级顺序,则需要在规则的最后⼀条写上(也可不加),默认为ALLOW,当匹配不到其余规则时会默认进行PASS策略(但仍建议增添) | ||
|
||
```c | ||
00:00:00:00:00:00 00:00:00:00:00:00 ALLOW | ||
``` | ||
|
||
若要实现白名单,需要将最后⼀条规则写为(必须增添,否则没有实际效果) | ||
|
||
```c | ||
00:00:00:00:00:00 00:00:00:00:00:00 DENY | ||
``` | ||
|
||
我们还对某一厂商的MAC地址进行泛化匹配,当前三字节不为0(固定厂商)且后三字节为0时,可以对其进行泛化,匹配到所有改厂商的MAC地址,如 | ||
|
||
``` | ||
00:0c:29:00:00:00 00:00:00:00:00:00 ALLOW | ||
``` | ||
|
||
最终给出实例,我们在规则配置文件中写入 | ||
|
||
```c | ||
00:0c:29:57:00:4d 00:00:00:00:00:00 ALLOW | ||
00:0c:29:00:00:00 00:00:00:00:00:00 DENY | ||
00:00:00:00:00:00 00:00:00:00:00:00 ALLOW | ||
``` | ||
|
||
其中,00:0c:29开头的MAC地址是VMware虚拟网卡固定分配的前缀 | ||
|
||
之后加载到程序中 | ||
|
||
```shell | ||
sudo ./netmanager -d ens33 -S --progname=xdp_entry_mac -m conf.d/mac_load.conf -t | ||
``` | ||
|
||
之后通过不同虚拟机使用ping/curl来连接该主机 | ||
|
||
当MAC地址为00:0c:29:57:00:4d(特定主机),其可以正常连接 | ||
|
||
![image-20240825132436960](./image/mac_filter2.png) | ||
|
||
而其余虚拟机进行访问时会被拒绝 | ||
|
||
![image-20240825132526078](./image/mac_filter3.png) | ||
|
||
可以看到,相应报文已经被DROP | ||
|
||
![image-20240825132551308](./image/mac_filter4.png) |
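Review bot: mac_match infers the match type from zero bytes, so any rule whose last three bytes are zero is treated as a vendor-prefix wildcard; a real address that happens to end in 00:00:00 can therefore never be matched exactly and silently widens to the whole OUI. Either state this limitation in the 使用方法 section next to the "字段为0代表全部匹配" rule, or carry an explicit match-type field in each rule instead of inferring it from the address bytes. The 概述 text also presents the MAC as a unique, stable identifier of the NIC; since the source MAC in a received frame is whatever the sender put there and XDP only sees the receive path (as the document itself notes), the wording should present this as a coarse receive-side filter rather than device authentication. Minor: the first load command and the ALLOW/DENY rule snippets are fenced as ```c while the identical command later is fenced as ```shell; use ```shell for commands and a plain fence for rule lines, and fix the typo 改厂商 -> 该厂商 in the vendor-prefix paragraph.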