Library to work with eBPF programs from Go

Overview

Go eBPF

Build Status Go Report Card Documentation

A nice and convenient way to work with eBPF programs / perf events from Go.

Requirements

  • Go 1.10+
  • Linux Kernel 4.15+

Supported eBPF features

  • eBPF programs
    • SocketFilter
    • XDP
    • Kprobe / Kretprobe
  • Perf Events

Support for other program types / features can be added in future. Meanwhile your contributions are warmly welcomed.. :)

Installation

# Main library
go get github.com/dropbox/goebpf

# Mock version (if needed)
go get github.com/dropbox/goebpf/goebpf_mock

Quick start

Consider very simple example of Read / Load / Attach

    // In order to be simple this examples does not handle errors
    bpf := goebpf.NewDefaultEbpfSystem()
    // Read clang compiled binary
    bpf.LoadElf("test.elf")
    // Load XDP program into kernel (name matches function name in C)
    xdp := bpf.GetProgramByName("xdp_test")
    xdp.Load()
    // Attach to interface
    xdp.Attach("eth0")
    defer xdp.Detach()
    // Work with maps
    test := bpf.GetMapByName("test")
    value, _ := test.LookupInt(0)
    fmt.Printf("Value at index 0 of map 'test': %d\n", )

Like it? Check our examples

Perf Events

Library currently has support for one, most popular use case of perf_events - where eBPF map key maps to cpu_id. So eBPF and go parts actually bind cpu_id to map index. It maybe as simple as:

    // Define special, perf_events map where key maps to CPU_ID
    BPF_MAP_DEF(perfmap) = {
        .map_type = BPF_MAP_TYPE_PERF_EVENT_ARRAY,
        .max_entries = 128,     // Max supported CPUs
    };
    BPF_MAP_ADD(perfmap);

    // ...

    // Emit perf event with "data" to map "perfmap" where index is current CPU_ID
    bpf_perf_event_output(ctx, &perfmap, BPF_F_CURRENT_CPU, &data, sizeof(data));

And the go part:

    perf, err := goebpf.NewPerfEvents("perfmap")
    // 4096 is ring buffer size
    perfEvents, err := perf.StartForAllProcessesAndCPUs(4096)
    defer perf.Stop()

    for {
        select {
            case data := <-perfEvents:
                fmt.Println(data)
        }
    }

Simple? Check full XDP dump example

Kprobes

Library currently has support for kprobes and kretprobes. It can be as simple as:

    // kprobe handler function
    SEC("kprobe/guess_execve")
    int execve_entry(struct pt_regs *ctx) {
      // ...
      buf_perf_output(ctx);
      return 0;
    }

And the go part:

	// Cleanup old probes
	err := goebpf.CleanupProbes()

	// Attach all probe programs
	for _, prog := range bpf.GetPrograms() {
		err := prog.Attach(nil)
	}

	// Create perf events
	eventsMap := p.bpf.GetMapByName("events")
	p.pe, err = goebpf.NewPerfEvents(eventsMap)
	events, err := p.pe.StartForAllProcessesAndCPUs(4096)
	defer events.Stop()

	for {
		select {
		case data := <-events:
			fmt.Println(data) // kProbe event
		}
	}

Simple? Check exec dump example

Good readings

Comments
  • XDP_TX | XDP_REDIRECT

    XDP_TX | XDP_REDIRECT

    Can you please tell me what conditions regarding the interface you need to fulfill in order for the return codes XDP_REDIRECT and XDP_TX to work correctly? For example, I change the destination port, and return the XDP_PASS code, the packet does not get in this interface to the server running on the port that I changed in the package: struct tcphdr *tcp = ctx->data_start + ctx->nh_offset; tcp->dest = (__u16)bpf_ntohs(some_port_value); // 5555 for example... Then I tried using the return code XDP_REDIRECT, followed by redirecting the packet to the external interface, but this just led to freezing the external network interface: ` INTERNAL __u32 redirect(struct context *ctx) { struct bpf_fib_lookup fib_params = {}; __u32 action = XDP_PASS;

    if (ctx->v4 && ctx->tcp)
    {
    
        /* populate the fib_params fields to prepare for the lookup */
    	fib_params.family	= AF_INET;
    	fib_params.tos		= ctx->v4->tos;
    	fib_params.l4_protocol	= ctx->v4->protocol;
    	fib_params.sport	= ctx->tcp->source;
    	fib_params.dport	= some_port_value;
    	fib_params.tot_len	= bpf_ntohs(ctx->v4->tot_len);
    	fib_params.ipv4_src	= ctx->v4->saddr;
    	fib_params.ipv4_dst	= ctx->v4->daddr;
        /* Set a proper destination address */
           memcpy(custom_ctx.eth->h_dest, , ETH_ALEN);
           action = bpf_redirect_map(&tx_port, 0, 0);
    }
    
    fib_params.ifindex = 1;
    /* this is where the FIB lookup happens. If the lookup is successful */
    /* it will populate the fib_params.ifindex with the egress interface index */
    __u16 h_proto = ctx->eth->h_proto;
    int rc = bpf_fib_lookup(ctx, &fib_params, sizeof(fib_params), 0);
    switch (rc) {
    case BPF_FIB_LKUP_RET_SUCCESS:         /* lookup successful */
     	   /* we are a router, so we need to decrease the ttl */
     	if (h_proto == bpf_htons(ETH_P_IP))
     		ip_decrease_ttl(ctx->v4);
     	else if (h_proto == bpf_htons(ETH_P_IPV6))
     		ctx->v6->hop_limit--;
     	/* set the correct new source and destionation mac addresses */
     	/* can be found in fib_params.dmac and fib_params.smac */
     	memcpy(ctx->eth->h_dest, fib_params.dmac, ETH_ALEN);
     	memcpy(ctx->eth->h_source, fib_params.smac, ETH_ALEN);
     	/* and done, now we set the action to bpf_redirect_map with fib_params.ifindex which is the egress port as paramater */
     	action = bpf_redirect_map(&tx_port, fib_params.ifindex, 0);
     	break;
     case BPF_FIB_LKUP_RET_BLACKHOLE:    /* dest is blackholed; can be dropped */
     case BPF_FIB_LKUP_RET_UNREACHABLE:  /* dest is unreachable; can be dropped */
     case BPF_FIB_LKUP_RET_PROHIBIT:     /* dest not allowed; can be dropped */
     	action = XDP_DROP;
     	break;
     case BPF_FIB_LKUP_RET_NOT_FWDED:    /* packet is not forwarded */
     case BPF_FIB_LKUP_RET_FWD_DISABLED: /* fwding is not enabled on ingress */
     case BPF_FIB_LKUP_RET_UNSUPP_LWT:   /* fwd requires encapsulation */
     case BPF_FIB_LKUP_RET_NO_NEIGH:     /* no neighbor entry for nh */
     case BPF_FIB_LKUP_RET_FRAG_NEEDED:  /* fragmentation required to fwd */
     	/* PASS */
     	break;
     }
    
    return action; 
    

    } `

    opened by alex60217101990 5
  • mocks: A proposal to override default implementation

    mocks: A proposal to override default implementation

    Hello,

    First of all, thank you for working on this library. So far I've had a very positive experience using it, especially with the included examples and documentation.

    I do have one suggestion regarding the mocks package. What are your thoughts on providing a way to override the default implementation each mock has? To give you an example:

    Currently the LoadElf() method from mock_ebpf.go looks something like the following:

    func (m *MockSystem) LoadElf(fn string) error {
    	return nil
    }
    

    This is great but it doesn't let the user override with a different behaviour for LoadElf(), one that could be potentially a non happy-path that returns an error. So with that in mind it would look something like the following:

    func (m *MockSystem) LoadElf(fn string) error {
            if m.loadElf != nil {
                 return m.loadElf(fn)
            }
    	return nil
    }
    

    Where loadElf is a member of the struct MockSystem and can be overriden as needed during a unit test where various implementations of LoadElf() are needed.

    Let me know your thoughts, I can draft a PR to incorporate this.

    opened by simar7 5
  • LoadElf() loads without error but elfSystem is empty

    LoadElf() loads without error but elfSystem is empty

    Loading elf files run smoothly without any errors but afterwards it returns empty maps and empty programs (with GetMaps() and GetPrograms()) :( However, eBPF/XDP programs run fine if loaded for example with ip tool. llvm-objdump also show all code and objects! Trying to understand what is the problem? Any help appreciated!

    opened by ErvinsK 4
  • removing get_next_key function from kernel-side code

    removing get_next_key function from kernel-side code

    this removes get_next_key function from kernel code (bpf_helpers.h), as this functionality is supposed to be used only in userland code.

    src/goebpf/itest# make test
    ././itest_test -test.v
    === RUN   TestKprobeSuite
    === RUN   TestKprobeSuite/TestElfLoad
    === RUN   TestKprobeSuite/TestKprobeEvents
    --- PASS: TestKprobeSuite (0.51s)
        --- PASS: TestKprobeSuite/TestElfLoad (0.29s)
        --- PASS: TestKprobeSuite/TestKprobeEvents (0.23s)
    === RUN   TestMapSuite
    === RUN   TestMapSuite/TestArrayOfMaps
    === RUN   TestMapSuite/TestGetNextKeyInt
    === RUN   TestMapSuite/TestGetNextKeyString
    === RUN   TestMapSuite/TestHashOfMaps
    === RUN   TestMapSuite/TestMapArrayInt
    === RUN   TestMapSuite/TestMapArrayInt16
    === RUN   TestMapSuite/TestMapArrayUInt64
    === RUN   TestMapSuite/TestMapDoubleClose
    === RUN   TestMapSuite/TestMapFromExistingByFd
    === RUN   TestMapSuite/TestMapHash
    === RUN   TestMapSuite/TestMapLPMTrieIPv4
    === RUN   TestMapSuite/TestMapLPMTrieIPv6
    === RUN   TestMapSuite/TestMapPersistent
    === RUN   TestMapSuite/TestMapProgArray
    --- PASS: TestMapSuite (0.21s)
        --- PASS: TestMapSuite/TestArrayOfMaps (0.11s)
        --- PASS: TestMapSuite/TestGetNextKeyInt (0.00s)
        --- PASS: TestMapSuite/TestGetNextKeyString (0.00s)
        --- PASS: TestMapSuite/TestHashOfMaps (0.10s)
        --- PASS: TestMapSuite/TestMapArrayInt (0.00s)
        --- PASS: TestMapSuite/TestMapArrayInt16 (0.00s)
        --- PASS: TestMapSuite/TestMapArrayUInt64 (0.00s)
        --- PASS: TestMapSuite/TestMapDoubleClose (0.00s)
        --- PASS: TestMapSuite/TestMapFromExistingByFd (0.00s)
        --- PASS: TestMapSuite/TestMapHash (0.00s)
        --- PASS: TestMapSuite/TestMapLPMTrieIPv4 (0.00s)
        --- PASS: TestMapSuite/TestMapLPMTrieIPv6 (0.00s)
        --- PASS: TestMapSuite/TestMapPersistent (0.00s)
        --- PASS: TestMapSuite/TestMapProgArray (0.00s)
    === RUN   TestPerfEvents
    --- PASS: TestPerfEvents (0.01s)
    === RUN   TestGetNumOfPossibleCpus
    --- PASS: TestGetNumOfPossibleCpus (0.00s)
    === RUN   TestXdpSuite
    === RUN   TestXdpSuite/TestElfLoad
    === RUN   TestXdpSuite/TestProgramInfo
    --- PASS: TestXdpSuite (0.03s)
        --- PASS: TestXdpSuite/TestElfLoad (0.03s)
        --- PASS: TestXdpSuite/TestProgramInfo (0.00s)
    PASS
    

    https://travis-ci.org/github/dropbox/goebpf/builds/728180572

    opened by bersoare 4
  • Attach the same program to multiple interfaces

    Attach the same program to multiple interfaces

    Hi,

    Does xdpProgram support attaching the same program to multiple interfaces? As far as I can tell from the code, a xdpProgram has one ifname and only detach the the program from this interface. If multiple Attach() are called with different interfaces, only the last one will be detached in the Detach() call. Is this intended? Is there any way to attach the same program to different interfaces?

    Thanks!

    help wanted 
    opened by chenwng 4
  • Invalid BPF instruction while bpf map lookup after having called `htons` or `bpf_htons`

    Invalid BPF instruction while bpf map lookup after having called `htons` or `bpf_htons`

    Hey all, at first I want to thank for the great work you've done so far with this package, I really like the simple API and had a very easy quickstart with this.

    At the moment, I struggle with having the error LoadElf() failed: loadPrograms() failed: Invalid BPF instruction (at 144): &{133 0 1 0 4294967295} with the following code:

    BPF_MAP_DEF(rxcnt) = {
        .map_type = BPF_MAP_TYPE_PERCPU_ARRAY,
        .key_size = sizeof(__u32),
        .value_size = sizeof(__u64),
        .max_entries = 256,
    };
    BPF_MAP_ADD(rxcnt);
    
    static inline void count_tx(__u32 protocol)
    {
    	__u64 *rxcnt_count;
        rxcnt_count = bpf_map_lookup_elem(&rxcnt, &protocol);
        
        if (rxcnt_count)
            *rxcnt_count += 1;
    }
    
    SEC("xdp") int xdp_sock(struct xdp_md *ctx) {
        void *data = (void *)(long)ctx->data;
        void *data_end = (void *)(long)ctx->data_end;
    
        size_t offset = sizeof(struct ether_header) +
                        sizeof(struct iphdr);
              
        if(data + offset > data_end) {
            return XDP_PASS; // too short
        }
        count_tx(0);
        const struct ether_header *eh = (const struct ether_header *)data;
        // FIXME: Without htons|bpf_htons it works as expected, with one of them we got
        // LoadElf() failed: loadPrograms() failed: Invalid BPF instruction (at 144): &{133 0 1 0 4294967295}
        if(eh->ether_type != htons(ETHERTYPE_IP)) {
           return XDP_PASS; // not IP
        }
    
        // FIXME: THis somehow depends on this instruction
        // If we have a map lookup after this htons instructions, the error occurs
        count_tx(1);
        return XDP_PASS;
    }
    

    Since I'm new to ebpf, not sure if I'm doing something wrong, but loading the respective ELF file with another approach (https://github.com/xdp-project/xdp-tutorial) works as expected. A full setup to reproduce this can be found here: https://github.com/martenwallewein/goepf-repro.

    It would be nice if you could have a look at this if I'm doing something wrong or if there is a bug in the loadPrograms function.

    Best, Marten

    opened by martenwallewein 3
  • all tests fail

    all tests fail

    I compiled tests with make and ran them with sudo ./itest_test All tests failed with errors like

    loadAndCreateMaps() failed: map.Create() failed: ebpf_create_map() failed: Operation not permitted

    ebpf_create_map() failed: Operation not permitted

    go version go1.15.7 linux/amd64 Ubuntu 20.04 kernel 5.8.0-41

    opened by themighty1 3
  • adding bpf_fib_lookup struct and enriching xdp_md struct

    adding bpf_fib_lookup struct and enriching xdp_md struct

    added ingress_ifindex, rx_queue_index, egress_ifindex fields to xdp_md struct (https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/bpf.h#L3909) adjusted argument types for bpf_redirect_map prototype (https://man7.org/linux/man-pages/man7/bpf-helpers.7.html) added struct bpf_fib_lookup, as well as the constants for flags and return codes (https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/bpf.h#L4303) added simple example of bpf_fib_lookup and bpf_redirect_map used in conjunction

    opened by bersoare 3
  • Read pinned maps

    Read pinned maps

    This PR fixes a couple of issues with PERCPU maps centered around the value array size, and builds on them to introduce NewMapFromExistingMapByPath function that's able to read (and update contents of) pinned maps.

    Source for the userspace value size on a PERCPU map: https://github.com/torvalds/linux/blob/47ec5303d73ea344e84f46660fff693c57641386/kernel/bpf/syscall.c#L1103 ( https://github.com/torvalds/linux/commit/15a07b33814d14ca817887dbea8530728dc0fbe4 )

    opened by kzemek 3
  • Question on BPF_MAP_TYPE_HASH lookup errors

    Question on BPF_MAP_TYPE_HASH lookup errors

    Hi there, I have been running in to issue trying to read a hash type map with this goebpf package. Is that supported yet? no matter which lookup type i try results in ebpf_map_lookup_elem() failed: No such file or directory.

    map def:

    BPF_MAP_DEF(stat) = {
        .map_type = BPF_MAP_TYPE_HASH,
        .key_size = sizeof(__u32),
        .value_size = sizeof(__u64),
        .max_entries = MAX_BPF_IP,
    };
    BPF_MAP_ADD(stat);
    

    populating it with key ip_stat and value is a counter.

    struct ip_stat {
        __u32 saddr;
        __u32 daddr;
        __u32 action;
        __u8 proto;
    };
    
    opened by RebelIT 3
  • examples/basic_firewall

    examples/basic_firewall

    The basic_firewall does not work, I made the following change, can work properly. Is this related to the environment?

    My system environment kernel: 5.4.2 llvm: 9.0

    xdp_fw.c

    // XDP program //
    SEC("xdp")
      ...
      __u64 *rule_idx = bpf_map_lookup_elem(&blacklist, &ip->saddr); 
      ...
    }
    
    // XDP program //
    SEC("xdp")
      ...
    struct {
        __u32 prefixlen;
        __u32 saddr;
      } key;
    
      key.prefixlen = 32;
      key.saddr = ip->saddr;
    
      // Lookup SRC IP in blacklisted IPs
      __u64 *rule_idx = bpf_map_lookup_elem(&blacklist, &key);
      ...
    }
    
    opened by pangbit 3
  • xdp.Attach error when bind to eth0 on aws-ubuntu 22.04.1

    xdp.Attach error when bind to eth0 on aws-ubuntu 22.04.1

    xdp.Attach("eth0"): "LinkSetXdpFd() failed: invalid argument"

    ubuntu version: 5.15.0-1017-aws

    however it could run normally when attaching lo (127.0.0.1)

    opened by wujunzhuo 0
  • [bpf_get_next_key] add helper to fetch first key in map

    [bpf_get_next_key] add helper to fetch first key in map

    build showing the issue in the tests: https://app.travis-ci.com/github/dropbox/goebpf/jobs/575825851

    if we use the uninitialized value as the first key, it ends up skipping one of the keys.

    opened by bersoare 5
  • kprobe_events: device or resource busy / no such file or directory

    kprobe_events: device or resource busy / no such file or directory

    The operation process is as follows: git clone https://github.com/dropbox/goebpf.git cd goebpf/examples/kprobe/exec_dump/ make ./main

    Program failed to run,error: write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: no such file or directory write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy write: write /sys/kernel/debug/tracing/kprobe_events: device or resource busy

    opened by junqiang1992 0
  • can't run xdp_dump

    can't run xdp_dump

    [[email protected] xdp_dump]# go build

    github.com/dropbox/goebpf

    In file included from ../../../map.go:13:0: ./bpf_helpers.h:957:15: error: expected declaration specifiers or '...' before 'sizeof' static_assert(sizeof(__u8) == 1, "wrong_u8_size"); ^ ./bpf_helpers.h:957:34: error: expected declaration specifiers or '...' before string constant static_assert(sizeof(__u8) == 1, "wrong_u8_size"); ^ ./bpf_helpers.h:958:15: error: expected declaration specifiers or '...' before 'sizeof' static_assert(sizeof(__u16) == 2, "wrong_u16_size"); ^ ./bpf_helpers.h:958:35: error: expected declaration specifiers or '...' before string constant static_assert(sizeof(__u16) == 2, "wrong_u16_size"); ^ ./bpf_helpers.h:959:15: error: expected declaration specifiers or '...' before 'sizeof' static_assert(sizeof(__u32) == 4, "wrong_u32_size"); ^ ./bpf_helpers.h:959:35: error: expected declaration specifiers or '...' before string constant static_assert(sizeof(__u32) == 4, "wrong_u32_size"); ^ ./bpf_helpers.h:960:15: error: expected declaration specifiers or '...' before 'sizeof' static_assert(sizeof(__u64) == 8, "wrong_u64_size"); ^ ./bpf_helpers.h:960:35: error: expected declaration specifiers or '...' before string constant static_assert(sizeof(__u64) == 8, "wrong_u64_size"); ^ [[email protected] xdp_dump]#

    opened by FrelDX 6
Owner
Dropbox
Dropbox
eBPF library for Go based on Linux libbpf

libbpfgo libbpfgo is a Go library for working with Linux's eBPF. It was created for Tracee, our open source Runtime Security and eBPF tracing tools wr

Aqua Security 354 Sep 25, 2022
eBPF Library for Go

eBPF eBPF is a pure Go library that provides utilities for loading, compiling, and debugging eBPF programs. It has minimal external dependencies and i

Cilium 3.4k Sep 24, 2022
eBPF based TCP observability.

TCPDog is a total solution from exporting TCP statistics from Linux kernel by eBPF very efficiently to store them at your Elasticsearch or InfluxDB da

Mehrdad Arshad Rad 201 Sep 12, 2022
Trace Go program execution with uprobes and eBPF

Weaver PLEASE READ! - I am currently refactoring Weaver to use libbpf instead of bcc which would include various other major improvements. If you're c

grantseltzer 254 Sep 21, 2022
A tool based on eBPF, prometheus and grafana to monitor network connectivity.

Connectivity Monitor Tracks the connectivity of a kubernetes cluster to its api server and exposes meaningful connectivity metrics. Uses ebpf to obser

Gardener 25 Aug 30, 2022
A distributed Layer 2 Direct Server Return (L2DSR) load balancer for Linux using XDP/eBPF

VC5 A distributed Layer 2 Direct Server Return (L2DSR) load balancer for Linux using XDP/eBPF This is very much a proof of concept at this stage - mos

David Coles 33 Aug 29, 2022
eBPF-based EDR for Linux

ebpf-edr A proof-of-concept eBPF-based EDR for Linux Seems to be working fine with the 20 basic rules implemented. Logs the alerts to stdout at the mo

null 15 Aug 3, 2022
Edb - An eBPF program debugger

EDB (eBPF debugger) edb is a debugger(like gdb and dlv) for eBPF programs. Norma

null 140 Sep 4, 2022
An ebpf's tool to watch traffic

watch-dog watch-dog利用ebpf的能力,监听指定网卡的流量来达到旁路检测流量的目的,并使用图数据库neo4j保存节点之间的流量关系。 Get go get github.com/TomatoMr/watch-dog Install make build Usage sudo ./w

null 0 Feb 5, 2022
SailFirewall - Linux firewall powered by eBPF and XDP

SailFirewall Linux firewall powered by eBPF and XDP Requirements Go 1.16+ Linux

Hevienz 0 May 4, 2022
[WIP] gg is a portable tool to redirect the traffic of a given program to your modern proxy without installing any other programs.

gg gg (go-graft), was inspired by graftcp. go-graft is a pure golang implementation with more useful features. TODO: Use system DNS as the fallback. R

mzz 208 Sep 25, 2022
go-jsonc provides a way to work with commented json by converting it to plain json.

JSON with comments for GO Decodes a "commented json" to "json". Provided, the input must be a valid jsonc document. Supports io.Reader With this, we c

Akshay Bharambe 9 Apr 6, 2022
🍔 Product-storage service, work on gRPC. Client sends the URL to download products, and requests the result.

?? Product-storage service, work on gRPC. Client sends the URL to download products, and requests the result. The server transfer request to a third-party resource for .csv-file uploading and saves the products to own database.

Pavel V 9 Dec 16, 2021
A simple proxy to work with tcp connection

Proxy It is simple proxy to work with tcp connection HTTP TCP Getting Started pr

Altynbek Kaliakbarov 0 Dec 16, 2021
A library for the MIGP (Might I Get Pwned) protocolA library for the MIGP (Might I Get Pwned) protocol

MIGP library This contains a library for the MIGP (Might I Get Pwned) protocol. MIGP can be used to build privacy-preserving compromised credential ch

Cloudflare 21 Dec 16, 2021
A library to simplify writing applications using TCP sockets to stream protobuff messages

BuffStreams Streaming Protocol Buffers messages over TCP in Golang What is BuffStreams? BuffStreams is a set of abstraction over TCPConns for streamin

Sean Kelly 250 Sep 2, 2022
DNS library in Go

Alternative (more granular) approach to a DNS library Less is more. Complete and usable DNS library. All Resource Records are supported, including the

Miek Gieben 6.5k Sep 22, 2022
🚀Gev is a lightweight, fast non-blocking TCP network library based on Reactor mode. Support custom protocols to quickly and easily build high-performance servers.

gev 中文 | English gev is a lightweight, fast non-blocking TCP network library based on Reactor mode. Support custom protocols to quickly and easily bui

徐旭 1.5k Sep 21, 2022