Skip to content
/ contain Public

BPF based per-process per-container egress filter

License

GPL-3.0 license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

gr455/contain

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits
attach
attach
 
 
bpf
bpf
 
 
images
images
 
 
scripts
scripts
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
allowlist.json
allowlist.json
 
 
containd.py
containd.py
 
 
docker_filter.py
docker_filter.py
 
 

Repository files navigation

Contain

BPF based per-process per-container egress filter.

Filters outgoing traffic from containers based on the container and the process the traffic originated from. Once containd is running, it automatically detects any new containers.

Run

Requires cgroup v2

  1. Update blacklist.json with your own allow list.

  2. To start Contain daemon, run

python3 containd.py

When the daemon is running, it detects any newly started containers and applies policies to them.

Once started, the allow list

[
	{	
		"container_name": "curler", // Only add a single object per container
		"policy": [
			{
				"process": "curl", // Only add a single object per process, add one/multiple objects per container
				"allow": [
					{
						"cidr4": "1.1.1.0/24",
						"ports": [80, 443]
					}
				]
			}
		]
	}
]

Gives

Result

This BPF filter uses BPF_PROG_TYPE_CGROUP_SKB and a kretprobe to kernel function net/socket/sock_alloc_file for per-process, per-container socket filtering.

Tested on Linux 5.19.0 - 6.2.0

About

BPF based per-process per-container egress filter

Resources

Readme

License

GPL-3.0 license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages