opensnitch/ebpf_prog/Makefile

# OpenSnitch - 2023
#
# On Debian based distros we need the following 2 directories.
# Otherwise, just use the kernel headers from the kernel sources.
#
KERNEL_DIR ?= /lib/modules/$(shell uname -r)/source
KERNEL_HEADERS ?= /usr/src/linux-headers-$(shell uname -r)/
CLANG ?= clang
LLC ?= llc
LLVM_STRIP ?= llvm-strip -g
ARCH ?= $(shell uname -m)

# as in /usr/src/linux-headers-*/arch/
# TODO: extract correctly the archs, and add more if needed.
ifeq ($(ARCH),x86_64)
	ARCH := x86
else ifeq ($(ARCH),i686)
	ARCH := x86
else ifeq ($(ARCH),armv7l)
	ARCH := arm
else ifeq ($(ARCH),aarch64)
	ARCH := arm64
endif

ifeq ($(ARCH),arm)
	# on previous archs, it fails with "SMP not supported on pre-ARMv6"
	EXTRA_FLAGS = "-D__LINUX_ARM_ARCH__=7"
endif

BIN := opensnitch.o opensnitch-procs.o opensnitch-dns.o
CLANG_FLAGS = -I. \
	-I$(KERNEL_HEADERS)/arch/$(ARCH)/include/generated/ \
	-I$(KERNEL_HEADERS)/include \
	-include $(KERNEL_DIR)/include/linux/kconfig.h \
	-I$(KERNEL_DIR)/include \
	-I$(KERNEL_DIR)/include/uapi \
	-I$(KERNEL_DIR)/include/generated/uapi \
	-I$(KERNEL_DIR)/arch/$(ARCH)/include \
	-I$(KERNEL_DIR)/arch/$(ARCH)/include/generated \
	-I$(KERNEL_DIR)/arch/$(ARCH)/include/uapi \
	-I$(KERNEL_DIR)/arch/$(ARCH)/include/generated/uapi \
	-I$(KERNEL_DIR)/tools/testing/selftests/bpf/ \
	-D__KERNEL__ -D__BPF_TRACING__ -Wno-unused-value -Wno-pointer-sign \
	-D__TARGET_ARCH_$(ARCH) -Wno-compare-distinct-pointer-types \
	$(EXTRA_FLAGS) \
	-Wunused \
	-Wno-unused-value \
	-Wno-gnu-variable-sized-type-not-at-end \
	-Wno-address-of-packed-member \
	-Wno-tautological-compare \
	-Wno-unknown-warning-option  \
	-fno-stack-protector \
	-g -O2 -emit-llvm

all: $(BIN)

%.o: %.c
	$(CLANG) $(CLANG_FLAGS) -c $< -o $@.partial
	$(LLC) -march=bpf -mcpu=generic -filetype=obj -o $@ $@.partial
	rm -f $@.partial

clean:
	rm -f *.o *.partial
ebpf: new way of compiling the modules - Don't rename libbpf's bpf_map_def struct, and distribute the needed bpf headers. The bpf_map_def struct has been deprecated for quite some time now, and it was been removed on >= 6.2 anyway. We still need it, because we use gobpf. - Improved compilation behaviour: - We don't require the kernel sources anymore. We can just use the kernel headers from the distribution. - There's no need to copy the sources to the kernel tree, the modules can be compiled from the ebpf_prog/ dir. - Compiling against kernels 6.x seems to solve the problem we had with VPNs, where connections were not intercepted with modules compiled against 5.8, on kernels >= 5.19. The modules has been tested on kernels 4.17, 5.4, 5.10, 5.15, 6.1 and 6.2 (kernel connections included). Closes: #939 2023-05-17 01:20:53 +02:00			`# OpenSnitch - 2023`
			`#`
			`# On Debian based distros we need the following 2 directories.`
			`# Otherwise, just use the kernel headers from the kernel sources.`
			`#`
			`KERNEL_DIR ?= /lib/modules/$(shell uname -r)/source`
			`KERNEL_HEADERS ?= /usr/src/linux-headers-$(shell uname -r)/`
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" \| make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com> 2021-04-05 09:28:16 +00:00			`CLANG ?= clang`
ebpf: new way of compiling the modules - Don't rename libbpf's bpf_map_def struct, and distribute the needed bpf headers. The bpf_map_def struct has been deprecated for quite some time now, and it was been removed on >= 6.2 anyway. We still need it, because we use gobpf. - Improved compilation behaviour: - We don't require the kernel sources anymore. We can just use the kernel headers from the distribution. - There's no need to copy the sources to the kernel tree, the modules can be compiled from the ebpf_prog/ dir. - Compiling against kernels 6.x seems to solve the problem we had with VPNs, where connections were not intercepted with modules compiled against 5.8, on kernels >= 5.19. The modules has been tested on kernels 4.17, 5.4, 5.10, 5.15, 6.1 and 6.2 (kernel connections included). Closes: #939 2023-05-17 01:20:53 +02:00			`LLC ?= llc`
			`LLVM_STRIP ?= llvm-strip -g`
use temporary files instead of piping in ebpf Makefile 2023-07-07 13:28:58 +03:00			`ARCH ?= $(shell uname -m)`
ebpf: new way of compiling the modules - Don't rename libbpf's bpf_map_def struct, and distribute the needed bpf headers. The bpf_map_def struct has been deprecated for quite some time now, and it was been removed on >= 6.2 anyway. We still need it, because we use gobpf. - Improved compilation behaviour: - We don't require the kernel sources anymore. We can just use the kernel headers from the distribution. - There's no need to copy the sources to the kernel tree, the modules can be compiled from the ebpf_prog/ dir. - Compiling against kernels 6.x seems to solve the problem we had with VPNs, where connections were not intercepted with modules compiled against 5.8, on kernels >= 5.19. The modules has been tested on kernels 4.17, 5.4, 5.10, 5.15, 6.1 and 6.2 (kernel connections included). Closes: #939 2023-05-17 01:20:53 +02:00
			`# as in /usr/src/linux-headers-*/arch/`
			`# TODO: extract correctly the archs, and add more if needed.`
			`ifeq ($(ARCH),x86_64)`
			`ARCH := x86`
			`else ifeq ($(ARCH),i686)`
			`ARCH := x86`
			`else ifeq ($(ARCH),armv7l)`
			`ARCH := arm`
			`else ifeq ($(ARCH),aarch64)`
			`ARCH := arm64`
			`endif`

			`ifeq ($(ARCH),arm)`
			`# on previous archs, it fails with "SMP not supported on pre-ARMv6"`
			`EXTRA_FLAGS = "-D__LINUX_ARM_ARCH__=7"`
			`endif`

			`BIN := opensnitch.o opensnitch-procs.o opensnitch-dns.o`
			`CLANG_FLAGS = -I. \`
ebpf modules compilation fixes - don't import hardcoded architecture. - use generic cpu (-mcpu=generic) - removed linux/version.h from modules. related #954 2023-05-28 15:24:33 +02:00			`-I$(KERNEL_HEADERS)/arch/$(ARCH)/include/generated/ \`
ebpf: new way of compiling the modules - Don't rename libbpf's bpf_map_def struct, and distribute the needed bpf headers. The bpf_map_def struct has been deprecated for quite some time now, and it was been removed on >= 6.2 anyway. We still need it, because we use gobpf. - Improved compilation behaviour: - We don't require the kernel sources anymore. We can just use the kernel headers from the distribution. - There's no need to copy the sources to the kernel tree, the modules can be compiled from the ebpf_prog/ dir. - Compiling against kernels 6.x seems to solve the problem we had with VPNs, where connections were not intercepted with modules compiled against 5.8, on kernels >= 5.19. The modules has been tested on kernels 4.17, 5.4, 5.10, 5.15, 6.1 and 6.2 (kernel connections included). Closes: #939 2023-05-17 01:20:53 +02:00			`-I$(KERNEL_HEADERS)/include \`
			`-include $(KERNEL_DIR)/include/linux/kconfig.h \`
			`-I$(KERNEL_DIR)/include \`
			`-I$(KERNEL_DIR)/include/uapi \`
			`-I$(KERNEL_DIR)/include/generated/uapi \`
			`-I$(KERNEL_DIR)/arch/$(ARCH)/include \`
			`-I$(KERNEL_DIR)/arch/$(ARCH)/include/generated \`
			`-I$(KERNEL_DIR)/arch/$(ARCH)/include/uapi \`
			`-I$(KERNEL_DIR)/arch/$(ARCH)/include/generated/uapi \`
			`-I$(KERNEL_DIR)/tools/testing/selftests/bpf/ \`
			`-D__KERNEL__ -D__BPF_TRACING__ -Wno-unused-value -Wno-pointer-sign \`
			`-D__TARGET_ARCH_$(ARCH) -Wno-compare-distinct-pointer-types \`
			`$(EXTRA_FLAGS) \`
updated ebpf makefile - Added -fno-stack-protector: https://lore.kernel.org/bpf/194f38f2dc7d521375e5a660baaf1be31536be9a.camel@gmail.com/ https://reviews.llvm.org/D142046 - Added -Wno-unused-value, -Wunused to warn on unitialized/not used variables. kudos to @planetoryd for reporting this (#1080). 2024-02-06 00:18:16 +01:00			`-Wunused \`
			`-Wno-unused-value \`
ebpf: new way of compiling the modules - Don't rename libbpf's bpf_map_def struct, and distribute the needed bpf headers. The bpf_map_def struct has been deprecated for quite some time now, and it was been removed on >= 6.2 anyway. We still need it, because we use gobpf. - Improved compilation behaviour: - We don't require the kernel sources anymore. We can just use the kernel headers from the distribution. - There's no need to copy the sources to the kernel tree, the modules can be compiled from the ebpf_prog/ dir. - Compiling against kernels 6.x seems to solve the problem we had with VPNs, where connections were not intercepted with modules compiled against 5.8, on kernels >= 5.19. The modules has been tested on kernels 4.17, 5.4, 5.10, 5.15, 6.1 and 6.2 (kernel connections included). Closes: #939 2023-05-17 01:20:53 +02:00			`-Wno-gnu-variable-sized-type-not-at-end \`
updated ebpf makefile - Added -fno-stack-protector: https://lore.kernel.org/bpf/194f38f2dc7d521375e5a660baaf1be31536be9a.camel@gmail.com/ https://reviews.llvm.org/D142046 - Added -Wno-unused-value, -Wunused to warn on unitialized/not used variables. kudos to @planetoryd for reporting this (#1080). 2024-02-06 00:18:16 +01:00			`-Wno-address-of-packed-member \`
			`-Wno-tautological-compare \`
ebpf: new way of compiling the modules - Don't rename libbpf's bpf_map_def struct, and distribute the needed bpf headers. The bpf_map_def struct has been deprecated for quite some time now, and it was been removed on >= 6.2 anyway. We still need it, because we use gobpf. - Improved compilation behaviour: - We don't require the kernel sources anymore. We can just use the kernel headers from the distribution. - There's no need to copy the sources to the kernel tree, the modules can be compiled from the ebpf_prog/ dir. - Compiling against kernels 6.x seems to solve the problem we had with VPNs, where connections were not intercepted with modules compiled against 5.8, on kernels >= 5.19. The modules has been tested on kernels 4.17, 5.4, 5.10, 5.15, 6.1 and 6.2 (kernel connections included). Closes: #939 2023-05-17 01:20:53 +02:00			`-Wno-unknown-warning-option \`
updated ebpf makefile - Added -fno-stack-protector: https://lore.kernel.org/bpf/194f38f2dc7d521375e5a660baaf1be31536be9a.camel@gmail.com/ https://reviews.llvm.org/D142046 - Added -Wno-unused-value, -Wunused to warn on unitialized/not used variables. kudos to @planetoryd for reporting this (#1080). 2024-02-06 00:18:16 +01:00			`-fno-stack-protector \`
ebpf: new way of compiling the modules - Don't rename libbpf's bpf_map_def struct, and distribute the needed bpf headers. The bpf_map_def struct has been deprecated for quite some time now, and it was been removed on >= 6.2 anyway. We still need it, because we use gobpf. - Improved compilation behaviour: - We don't require the kernel sources anymore. We can just use the kernel headers from the distribution. - There's no need to copy the sources to the kernel tree, the modules can be compiled from the ebpf_prog/ dir. - Compiling against kernels 6.x seems to solve the problem we had with VPNs, where connections were not intercepted with modules compiled against 5.8, on kernels >= 5.19. The modules has been tested on kernels 4.17, 5.4, 5.10, 5.15, 6.1 and 6.2 (kernel connections included). Closes: #939 2023-05-17 01:20:53 +02:00			`-g -O2 -emit-llvm`

			`all: $(BIN)`

			`%.o: %.c`
use temporary files instead of piping in ebpf Makefile 2023-07-07 13:28:58 +03:00			`$(CLANG) $(CLANG_FLAGS) -c $< -o $@.partial`
			`$(LLC) -march=bpf -mcpu=generic -filetype=obj -o $@ $@.partial`
			`rm -f $@.partial`

Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" \| make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com> 2021-04-05 09:28:16 +00:00			`clean:`
use temporary files instead of piping in ebpf Makefile 2023-07-07 13:28:58 +03:00			`rm -f .o .partial`