tinyfw is a toy firewall built in Rust on top of eBPF. Network policies can be attached to any supported network interface. It is also container-aware: the containerd runtime is supported.
IMPORTANT: at the moment the network policy is hardcoded: it simply drops all TCP traffic directed to the following ports: 80, 20, 21, 23, 25, 110, 143, 139, 445, 1521, 161, 162, 70. If you want to change it, take a look here.
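To make the hardcoded policy concrete, here is an added example (not tinyfw's own code) that models in plain userspace Rust the verdict the XDP program has to reach: parse the Ethernet, IPv4 and TCP headers of a raw frame with explicit bounds checks, and return XDP_DROP only for TCP traffic whose destination port is in the list above. The real program is built with aya for the bpf target; the action code values, header layout and the constructed test frame are the only assumptions.

```rust
// Added example, not tinyfw's own code: a userspace model of the XDP verdict
// tinyfw's hardcoded policy produces (the real program runs under aya on the
// bpf target; plain Rust here parses a raw frame the same way).
/// XDP action codes as defined in linux/bpf.h.
pub const XDP_DROP: u32 = 1;
pub const XDP_PASS: u32 = 2;
/// TCP destination ports tinyfw currently drops (the list from the README).
pub const BLOCKED_TCP_PORTS: [u16; 13] =
    [80, 20, 21, 23, 25, 110, 143, 139, 445, 1521, 161, 162, 70];
const ETH_HLEN: usize = 14;
const ETH_P_IP: u16 = 0x0800;
const IPPROTO_TCP: u8 = 6;
/// Verdict for a raw Ethernet frame. Anything that is not a well-formed
/// IPv4/TCP packet is passed, exactly as an XDP program must do when a
/// bounds check fails (the kernel verifier rejects unchecked reads).
pub fn verdict(frame: &[u8]) -> u32 {
    if frame.len() < ETH_HLEN + 20 {
        return XDP_PASS; // too short for Ethernet + minimal IPv4 header
    }
    if u16::from_be_bytes([frame[12], frame[13]]) != ETH_P_IP {
        return XDP_PASS; // not IPv4 (ARP, IPv6, ...)
    }
    let ip = &frame[ETH_HLEN..];
    let ihl = usize::from(ip[0] & 0x0f) * 4; // IPv4 header length in bytes
    if ip[0] >> 4 != 4 || ihl < 20 || ip.len() < ihl + 4 || ip[9] != IPPROTO_TCP {
        return XDP_PASS; // bad version/IHL, truncated, or not TCP
    }
    let dst_port = u16::from_be_bytes([ip[ihl + 2], ip[ihl + 3]]);
    if BLOCKED_TCP_PORTS.contains(&dst_port) { XDP_DROP } else { XDP_PASS }
}
/// Minimal Ethernet/IPv4/TCP frame to the given port (constructed input).
pub fn build_tcp_frame(dst_port: u16) -> Vec<u8> {
    let mut frame = vec![0u8; ETH_HLEN];
    frame[12..14].copy_from_slice(&ETH_P_IP.to_be_bytes());
    let mut ip = [0u8; 20];
    ip[0] = 0x45; // version 4, IHL 5 words
    ip[9] = IPPROTO_TCP;
    frame.extend_from_slice(&ip);
    let mut tcp = [0u8; 20];
    tcp[2..4].copy_from_slice(&dst_port.to_be_bytes());
    frame.extend_from_slice(&tcp);
    frame
}
fn main() {
    for port in [80u16, 8080, 445] {
        let v = if verdict(&build_tcp_frame(port)) == XDP_DROP { "DROP" } else { "PASS" };
        println!("tcp dst {port}: {v}");
    }
}
```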
- Install a Rust stable toolchain:
rustup install stable
- Install a Rust nightly toolchain:
rustup install nightly
- Install bpf-linker:
cargo install bpf-linker
cargo xtask build-ebpf
To perform a release build you can use the --release flag.
You may also change the target architecture with the --target flag.
cargo build
To perform a release build you can use the --release flag.
cargo xtask run
The tool can be used in two ways:
- attach to a user-specified network interface, selected with the --iface flag.
- containers mode: it connects to the unix socket of the locally running containerd daemon and listens for newly spawned containers, so that XDP/eBPF rules can be attached on demand. Use the --cmode flag for this.
It is possible to run the tool as a Kubernetes DaemonSet. In order for it to work, the following conditions must be met:
- Run as a privileged DaemonSet. This is required to list the network interfaces on the host and attach eBPF code to them. Learn more here.
- Mount the containerd unix socket as a hostPath volume. Learn more here.
A useful tool to troubleshoot tinyfw (and any eBPF-based networking tool) is bpftool. For example, to inspect the eBPF programs attached to the veth interfaces (the network interfaces used by the containers) of a host you can type the following command:
bpftool net show
xdp:
veth7c2e2820(19) driver id 295
veth183ae1ae(23) driver id 295
veth8c690d33(24) driver id 295
vethff389ec(31) driver id 295
tc:
flow_dissector:
IMPORTANT: Remember to set the environment variable RUST_LOG=info before running tinyfw to get runtime information about what is going on!
Containerd is becoming the de facto standard container runtime. AWS EKS, for example, is moving to it as the default runtime.
The author of this project is Angelo Poerio angelo.poerio@gmail.com
IMPORTANT: THIS TOOL IS NOT PRODUCTION READY. Use it at your own risk!
Useful links:
TODO:
- A better way to correlate veth interfaces with containers
- Make network policies configurable and not hardcoded