1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2 
3 /* <linux/bpf.h> must precede <bpf/bpf_helpers.h> due to integer types
4  * in bpf helpers signatures.
5  */
6 #include <linux/bpf.h>
7 #include <bpf/bpf_helpers.h>
8 
/* Selects the policy applied to sd_restrictif: non-zero means the map is an
 * allow-list, zero means it is a deny-list. `const volatile` keeps the compiler
 * from folding the initial 0 away, so the loader can set the value before the
 * program is loaded; it lands in read-only data, so it is meant to be fixed at
 * load time rather than toggled at runtime - confirm against the loader. */
const volatile __u8 is_allow_list = 0;
10 
11 /* Map containing the network interfaces indexes.
12  * The interpretation of the map depends on the value of is_allow_list.
13  */
struct {
        __uint(type, BPF_MAP_TYPE_HASH);
        __type(key, __u32);   /* interface index (ifindex) */
        __type(value, __u8);  /* never read by the program; only key presence matters */
        /* NOTE(review): no max_entries is set here, so the loader must size the
         * map before load (presumably through the skeleton) - confirm. */
} sd_restrictif SEC(".maps");
19 
/* Verdicts a cgroup_skb program hands back to the kernel:
 * 0 drops the packet, 1 lets it through. */
#define DROP 0
#define PASS 1
22 
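/* Decide whether a packet may cross the interface it is on.
 *
 * sk: the socket buffer handed to the cgroup_skb hook; only sk->ifindex is read.
 *
 * Returns PASS or DROP, the verdict values cgroup_skb programs return to the
 * kernel.
 *
 * The verdict depends on whether sk->ifindex is a key of sd_restrictif and on
 * the mode selected by is_allow_list:
 *   - allow-list mode: pass only interfaces present in the map, drop all others
 *     (an empty map therefore drops everything: fail-closed);
 *   - deny-list mode:  drop only interfaces present in the map, pass all others
 *     (an empty map therefore passes everything: fail-open).
 * The stored map value is never read; only presence of the key matters.
 *
 * NOTE(review): an ifindex of 0 (skb without a device) gets no special
 * treatment - it is simply not in the map - so it is dropped in allow-list mode
 * and passed in deny-list mode; confirm that is the intended policy.
 *
 * Forced inline so the helper never becomes a BPF-to-BPF call, which keeps the
 * program loadable on kernels without support for such calls.
 */
static __always_inline int restrict_network_interfaces_impl(const struct __sk_buff *sk) {
        /* The key must live on the BPF stack so its address can be passed to
         * the map helper. */
        __u32 ifindex = sk->ifindex;
        __u8 *entry = bpf_map_lookup_elem(&sd_restrictif, &ifindex);

        if (is_allow_list)
                return entry ? PASS : DROP;

        /* deny-list: a listed interface is the one that gets blocked */
        return entry ? DROP : PASS;
}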
41 
/* Egress hook: runs on the cgroup egress path for every packet that reaches
 * it and returns the verdict of the shared interface check. */
SEC("cgroup_skb/egress")
int sd_restrictif_e(const struct __sk_buff *sk) {
        int verdict;

        verdict = restrict_network_interfaces_impl(sk);
        return verdict;
}
46 
/* Ingress hook: same check as the egress hook, applied on the cgroup ingress
 * path, so the policy is symmetric for both directions. */
SEC("cgroup_skb/ingress")
int sd_restrictif_i(const struct __sk_buff *sk) {
        int verdict;

        verdict = restrict_network_interfaces_impl(sk);
        return verdict;
}
51 
/* License string the kernel reads at load time. NOTE(review): the kernel only
 * recognises a fixed set of GPL-compatible strings, and this one is likely
 * treated as non-GPL; that only matters for GPL-gated helpers, and
 * bpf_map_lookup_elem (the only helper used here) is not one of them - re-check
 * if further helpers are added. */
static const char _license[] SEC("license") = "LGPL-2.1-or-later";
53