Hi All,
I am trying to block/drop socket connections at the tracepoints "sys_enter_connect" and "sys_enter_bind" for a specific process. My code snippet is below:
```c
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

/* Generic record layout of a syscalls/sys_enter_* tracepoint: 8-byte common header, syscall id, args. */
struct enter_connect_format { unsigned long long common; long id; unsigned long args[6]; };
struct enter_bind_format    { unsigned long long common; long id; unsigned long args[6]; };

const volatile __u32 target_pid = 0;   /* PID to block; set from user space before load */

SEC("tracepoint/syscalls/sys_enter_connect")
int tracepoint_connect_enter(struct enter_connect_format *ctx)
{
    /* check the PID (the process name could be checked with bpf_get_current_comm); if it matches, block */
    if ((bpf_get_current_pid_tgid() >> 32) == target_pid)
        return -1;   /* to block the socket connection */
    return 0;        /* else */
}

/* I do the same for bind also */
SEC("tracepoint/syscalls/sys_enter_bind")
int tracepoint_bind_enter(struct enter_bind_format *ctx)
{
    /* same as above */
    if ((bpf_get_current_pid_tgid() >> 32) == target_pid)
        return -1;
    return 0;
}
char LICENSE[] SEC("license") = "GPL";
```
But I am not able to get the desired result; network packets are still being sent and received by that specific process. Any input will be appreciated.
You can't use a tracepoint to block anything. For your case, you can try using bpf_override_return (with a kprobe), LSM, TC, XDP, or cgroup-related program/attach types.
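The reply's point is that a tracepoint program's return value is simply ignored by the kernel, whereas a BPF LSM hook's negative return becomes the syscall's error. The following is an added example, not code from this thread or from libbpf: a `lsm/socket_connect` and `lsm/socket_bind` pair that fails `connect()` and `bind()` with `EPERM` for one target PID or process name. It assumes a kernel built with `CONFIG_BPF_LSM=y` and "bpf" in the active LSM list (`lsm=...,bpf` on the kernel command line), a libbpf loader that fills `target_pid` / `target_comm` through the skeleton's rodata before `bpf_object__load()`, and the hypothetical file name `deny_net.bpf.c`. The `#ifdef __bpf__` branch is the real program; the `#else` branch is a host stand-in for the two helpers so the pure policy decision can be compiled and checked with an ordinary C compiler.

```c
/* deny_net.bpf.c: BPF LSM hooks that deny connect() and bind() for one process.
 * Added example for this thread, not project code.
 * Real build: clang -O2 -g -target bpf -c deny_net.bpf.c -o deny_net.bpf.o
 * Requires CONFIG_BPF_LSM=y and "bpf" in the kernel's LSM list. */
#include <errno.h>
#ifdef __bpf__
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#define RO_CONFIG const volatile          /* lands in .rodata, set by the loader before load */
#else
#include <stdint.h>
#include <string.h>
typedef uint32_t __u32;
typedef uint64_t __u64;
#define SEC(name) __attribute__((section(name), used))
#define RO_CONFIG                         /* writable on the host so tests can set the policy */
/* Host stand-ins for the two BPF helpers, fed from test-controlled variables. */
static __u64 host_pid_tgid;
static char host_comm[16];
static __u64 bpf_get_current_pid_tgid(void) { return host_pid_tgid; }
static long bpf_get_current_comm(void *buf, __u32 size) { memcpy(buf, host_comm, size); return 0; }
#endif

#define TASK_COMM_LEN 16

/* Policy knobs; 0 / "" mean "no match on this attribute". */
RO_CONFIG __u32 target_pid = 0;
RO_CONFIG char target_comm[TASK_COMM_LEN] = "";

/* Pure decision: deny when the PID matches, or when a non-empty wanted comm equals the task's comm.
 * The loop is bounded by TASK_COMM_LEN, which keeps the BPF verifier happy. */
static __attribute__((always_inline)) int policy_deny(__u32 pid, const char *comm,
                                                      __u32 want_pid, const volatile char *want_comm)
{
    if (want_pid && pid == want_pid)
        return 1;
    if (!want_comm[0])
        return 0;
    for (int i = 0; i < TASK_COMM_LEN; i++) {
        if (comm[i] != want_comm[i])
            return 0;
        if (!comm[i])
            return 1;                      /* both strings ended together: full match */
    }
    return 1;
}

static __attribute__((always_inline)) int current_is_denied(void)
{
    char comm[TASK_COMM_LEN] = {0};
    __u32 pid = bpf_get_current_pid_tgid() >> 32;   /* upper 32 bits = tgid, the user-visible PID */
    bpf_get_current_comm(comm, sizeof(comm));
    return policy_deny(pid, comm, target_pid, target_comm);
}

/* An LSM hook that returns a negative errno makes the calling syscall fail with that errno;
 * this is what a tracepoint program cannot do. ctx is unused (the hook arguments are not needed). */
SEC("lsm/socket_connect")
int deny_connect(unsigned long long *ctx)
{
    return current_is_denied() ? -EPERM : 0;
}

SEC("lsm/socket_bind")
int deny_bind(unsigned long long *ctx)
{
    return current_is_denied() ? -EPERM : 0;
}

char LICENSE[] SEC("license") = "GPL";

#ifndef __bpf__
/* Host-only driver: pretend the current task is (pid, comm), install the policy, run the hook. */
static int host_check(__u32 pid, const char *comm, __u32 want_pid, const char *want_comm)
{
    host_pid_tgid = ((__u64)pid << 32) | pid;
    strncpy(host_comm, comm, sizeof(host_comm) - 1);
    host_comm[sizeof(host_comm) - 1] = 0;
    target_pid = want_pid;
    strncpy(target_comm, want_comm, sizeof(target_comm) - 1);
    target_comm[sizeof(target_comm) - 1] = 0;
    return deny_connect(0);
}
#endif
```

Note that a matched `connect()` or `bind()` now returns `EPERM` to the application, which is visible to it and in its logs, unlike the tracepoint attempt above where nothing changed; `bpftool prog list` shows the two programs with type `lsm` once attached. Matching on `comm` alone is weak policy (a process can rename itself), so the PID match is the one to rely on where the loader knows the target.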