Add typedefs and organize code.

Christian Deacon
2025-02-22 10:24:21 -05:00
parent 1b9e805207
commit 09491e1462
12 changed files with 72 additions and 72 deletions


@@ -2,7 +2,7 @@
#include <common/int_types.h> #include <common/int_types.h>
struct tcpopts struct tcp_opts
{ {
unsigned int enabled : 1; unsigned int enabled : 1;
@@ -36,9 +36,9 @@ struct tcpopts
unsigned int do_cwr : 1; unsigned int do_cwr : 1;
unsigned int cwr : 1; unsigned int cwr : 1;
}; } typedef tcp_opts_t;
struct udpopts struct udp_opts
{ {
unsigned int enabled : 1; unsigned int enabled : 1;
@@ -47,9 +47,9 @@ struct udpopts
unsigned int do_dport : 1; unsigned int do_dport : 1;
u16 dport; u16 dport;
}; } typedef udp_opts_t;
struct icmpopts struct icmp_opts
{ {
unsigned int enabled : 1; unsigned int enabled : 1;
@@ -58,7 +58,7 @@ struct icmpopts
unsigned int do_type : 1; unsigned int do_type : 1;
u8 type; u8 type;
}; } typedef icmp_opts_t;
struct filter struct filter
{ {
@@ -93,42 +93,42 @@ struct filter
u8 tos; u8 tos;
unsigned int do_pps : 1; unsigned int do_pps : 1;
__u64 pps; u64 pps;
unsigned int do_bps : 1; unsigned int do_bps : 1;
__u64 bps; u64 bps;
__u64 blocktime; u64 blocktime;
struct tcpopts tcpopts; tcp_opts_t tcpopts;
struct udpopts udpopts; udp_opts_t udpopts;
struct icmpopts icmpopts; icmp_opts_t icmpopts;
} __attribute__((__aligned__(8))); } __attribute__((__aligned__(8))) typedef filter_t;
struct stats struct stats
{ {
__u64 allowed; u64 allowed;
__u64 dropped; u64 dropped;
__u64 passed; u64 passed;
}; } typedef stats_t;
struct ip_stats struct ip_stats
{ {
__u64 pps; u64 pps;
__u64 bps; u64 bps;
__u64 next_update; u64 next_update;
}; } typedef ip_stats_t ;
struct flow struct flow
{ {
u32 ip; u32 ip;
u16 port; u16 port;
u8 protocol; u8 protocol;
}; } typedef flow_t;
struct flow6 struct flow6
{ {
u128 ip; u128 ip;
u16 port; u16 port;
u8 protocol; u8 protocol;
}; } typedef flow6_t;
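Review bot: `flow_t` (u32, u16, u8) at the end of this section has an implicit padding byte after `protocol`, and `flow6_t` is laid out the same way; both are used as map keys in the USE_FLOW_RL path of UpdateIpStats/UpdateIp6Stats, where they are initialised with `= {0}`. An initialiser list is not guaranteed to clear padding, so two keys with identical fields can compare as different entries, and the BPF verifier may object to the uninitialised stack bytes. Making the padding explicit (for example `u8 pad;` after `protocol`) or clearing the key with `__builtin_memset(&key, 0, sizeof(key));` before filling it removes the dependency on compiler behaviour.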


@@ -43,7 +43,7 @@ void SignalHndl(int tmp)
* *
* @return Void * @return Void
*/ */
void UpdateFilters(struct config *cfg) void UpdateFilters(config__t *cfg)
{ {
// Loop through all filters and delete the map. We do this in the case rules were edited and were put out of order since the key doesn't uniquely map to a specific rule. // Loop through all filters and delete the map. We do this in the case rules were edited and were put out of order since the key doesn't uniquely map to a specific rule.
for (u8 i = 0; i < MAX_FILTERS; i++) for (u8 i = 0; i < MAX_FILTERS; i++)
@@ -63,7 +63,7 @@ void UpdateFilters(struct config *cfg)
} }
// Create value array (max CPUs in size) since we're using a per CPU map. // Create value array (max CPUs in size) since we're using a per CPU map.
struct filter filter[MAX_CPUS]; filter_t filter[MAX_CPUS];
for (int j = 0; j < MAX_CPUS; j++) for (int j = 0; j < MAX_CPUS; j++)
{ {
@@ -86,7 +86,7 @@ void UpdateFilters(struct config *cfg)
* *
* @return 0 on success or -1 on error. * @return 0 on success or -1 on error.
*/ */
int UpdateConfig(struct config *cfg, char *cfgfile) int UpdateConfig(config__t *cfg, char *cfgfile)
{ {
// Open config file. // Open config file.
if (OpenCfg(cfgfile) != 0) if (OpenCfg(cfgfile) != 0)
@@ -180,7 +180,7 @@ struct xdp_program *LoadBpfObj(const char *filename)
* *
* @return 0 on success and 1 on error. * @return 0 on success and 1 on error.
*/ */
int AttachXdp(struct xdp_program *prog, int ifidx, u8 detach, struct cmdline *cmd) int AttachXdp(struct xdp_program *prog, int ifidx, u8 detach, cmdline_t *cmd)
{ {
int err; int err;
@@ -273,7 +273,7 @@ struct stat conf_stat;
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
// Parse the command line. // Parse the command line.
struct cmdline cmd = cmdline_t cmd =
{ {
.cfgfile = "/etc/xdpfw/xdpfw.conf", .cfgfile = "/etc/xdpfw/xdpfw.conf",
.help = 0, .help = 0,
@@ -315,7 +315,7 @@ int main(int argc, char *argv[])
} }
// Initialize config. // Initialize config.
struct config cfg = {0}; config__t cfg = {0};
SetCfgDefaults(&cfg); SetCfgDefaults(&cfg);
@@ -332,7 +332,7 @@ int main(int argc, char *argv[])
for (uint16_t i = 0; i < MAX_FILTERS; i++) for (uint16_t i = 0; i < MAX_FILTERS; i++)
{ {
struct filter *filter = &cfg.filters[i]; filter_t *filter = &cfg.filters[i];
if (filter->id < 1) if (filter->id < 1)
{ {
@@ -521,12 +521,12 @@ int main(int argc, char *argv[])
if (!cfg.nostats) if (!cfg.nostats)
{ {
u32 key = 0; u32 key = 0;
struct stats stats[MAX_CPUS]; stats_t stats[MAX_CPUS];
//memset(stats, 0, sizeof(struct stats) * MAX_CPUS); //memset(stats, 0, sizeof(struct stats) * MAX_CPUS);
__u64 allowed = 0; u64 allowed = 0;
__u64 dropped = 0; u64 dropped = 0;
__u64 passed = 0; u64 passed = 0;
if (bpf_map_lookup_elem(statsmap, &key, stats) != 0) if (bpf_map_lookup_elem(statsmap, &key, stats) != 0)
{ {
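Review bot: `stats_t stats[MAX_CPUS];` in the last hunk is a stack buffer sized by a compile-time constant and handed straight to `bpf_map_lookup_elem()`. If statsmap is a per-CPU map, as the array suggests, the kernel copies one value per possible CPU, so a host with more possible CPUs than MAX_CPUS would be written past the end of the array; `filter_t filter[MAX_CPUS]` in UpdateFilters has the mirror-image problem on update. Sizing both from `libbpf_num_possible_cpus()`, or refusing to start when that value exceeds MAX_CPUS, closes this. The commented-out memset still names `struct stats` and could be deleted or updated. main() continues outside the hunk.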


@@ -22,7 +22,7 @@ const struct option opts[] =
* *
* @return Void * @return Void
*/ */
void ParseCommandLine(struct cmdline *cmd, int argc, char *argv[]) void ParseCommandLine(cmdline_t *cmd, int argc, char *argv[])
{ {
int c; int c;


@@ -8,6 +8,6 @@ struct cmdline
unsigned int time; unsigned int time;
unsigned int list : 1; unsigned int list : 1;
unsigned int help : 1; unsigned int help : 1;
}; } typedef cmdline_t;
void ParseCommandLine(struct cmdline *cmd, int argc, char *argv[]); void ParseCommandLine(cmdline_t *cmd, int argc, char *argv[]);
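Review bot: `} typedef cmdline_t;` places the `typedef` specifier after the struct body; C11 §6.11.5 lists a storage-class specifier that is not first in the declaration as obsolescent, and GCC can report it under `-Wold-style-declaration` (enabled by `-Wextra`). The conventional spelling `typedef struct cmdline { ... } cmdline_t;` keeps both the tag and the alias. The same trailing form is used for tcp_opts_t, udp_opts_t, icmp_opts_t, filter_t, stats_t, ip_stats_t, flow_t, flow6_t, config__t and ip_range_t in the other sections of this commit.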


@@ -11,7 +11,7 @@ FILE *file;
* *
* @return Void * @return Void
*/ */
void SetCfgDefaults(struct config *cfg) void SetCfgDefaults(config__t *cfg)
{ {
cfg->updatetime = 0; cfg->updatetime = 0;
cfg->interface = NULL; cfg->interface = NULL;
@@ -111,7 +111,7 @@ int OpenCfg(const char *filename)
* *
* @return 0 on success or 1/-1 on error. * @return 0 on success or 1/-1 on error.
*/ */
int ReadCfg(struct config *cfg) int ReadCfg(config__t *cfg)
{ {
// Not sure why this would be set to NULL after checking for it in OpenConfig(), but just for safety. // Not sure why this would be set to NULL after checking for it in OpenConfig(), but just for safety.
if (file == NULL) if (file == NULL)
@@ -225,7 +225,7 @@ int ReadCfg(struct config *cfg)
if (config_setting_lookup_string(filter, "src_ip", &sip)) if (config_setting_lookup_string(filter, "src_ip", &sip))
{ {
struct ip ip = ParseIp(sip); ip_range_t ip = ParseIpCidr(sip);
cfg->filters[i].src_ip = ip.ip; cfg->filters[i].src_ip = ip.ip;
cfg->filters[i].src_cidr = ip.cidr; cfg->filters[i].src_cidr = ip.cidr;
@@ -236,7 +236,7 @@ int ReadCfg(struct config *cfg)
if (config_setting_lookup_string(filter, "dst_ip", &dip)) if (config_setting_lookup_string(filter, "dst_ip", &dip))
{ {
struct ip ip = ParseIp(dip); ip_range_t ip = ParseIpCidr(dip);
cfg->filters[i].dst_ip = ip.ip; cfg->filters[i].dst_ip = ip.ip;
cfg->filters[i].dst_cidr = ip.cidr; cfg->filters[i].dst_cidr = ip.cidr;

View File

@@ -16,9 +16,9 @@ struct config
u16 updatetime; u16 updatetime;
unsigned int nostats : 1; unsigned int nostats : 1;
int stdout_update_time; int stdout_update_time;
struct filter filters[MAX_FILTERS]; filter_t filters[MAX_FILTERS];
}; } typedef config__t; // config_t is taken by libconfig -.-
void SetCfgDefaults(struct config *cfg); void SetCfgDefaults(config__t *cfg);
int OpenCfg(const char *filename); int OpenCfg(const char *filename);
int ReadCfg(struct config *cfg); int ReadCfg(config__t *cfg);
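Review bot: `config__t` differs from libconfig's `config_t` by one underscore, and the inline comment indicates both names are visible in the same translation units, so a typo silently selects the other type and is caught only by a pointer-type diagnostic. A project-prefixed alias avoids the clash without the double underscore, for example `xdpfw_config_t` (the name is only a suggestion), and makes the explanatory comment unnecessary.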


@@ -7,9 +7,9 @@
* *
* @return Returns an IP structure with IP and CIDR. * @return Returns an IP structure with IP and CIDR.
*/ */
struct ip ParseIp(const char *ip) ip_range_t ParseIpCidr(const char *ip)
{ {
struct ip ret = {0}; ip_range_t ret = {0};
ret.cidr = 32; ret.cidr = 32;
char *token = strtok((char *) ip, "/"); char *token = strtok((char *) ip, "/");
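Review bot: `strtok((char *) ip, "/")` casts away the `const` on the parameter and writes a NUL into the caller's string; the callers in ReadCfg pass the pointer returned by `config_setting_lookup_string()`, so parsing alters the value libconfig holds, and strtok's static state makes the function non-reentrant. Parse a local copy instead, e.g. `char buf[32]; snprintf(buf, sizeof(buf), "%s", ip);` followed by `char *save; char *token = strtok_r(buf, "/", &save);`, with any later `strtok(NULL, ...)` call changed to match. The rest of ParseIpCidr is outside the hunk, so how the prefix length is range-checked could not be reviewed.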


@@ -7,10 +7,10 @@
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
struct ip struct ip_range
{ {
u32 ip; u32 ip;
u32 cidr; u32 cidr;
}; } typedef ip_range_t;
struct ip ParseIp(const char *ip); ip_range_t ParseIpCidr(const char *ip);


@@ -44,7 +44,7 @@ int xdp_prog_main(struct xdp_md *ctx)
} }
u8 action = 0; u8 action = 0;
__u64 blocktime = 1; u64 blocktime = 1;
// Initialize IP headers. // Initialize IP headers.
struct iphdr *iph = NULL; struct iphdr *iph = NULL;
@@ -81,12 +81,12 @@ int xdp_prog_main(struct xdp_md *ctx)
// Get stats map. // Get stats map.
u32 key = 0; u32 key = 0;
struct stats *stats = bpf_map_lookup_elem(&stats_map, &key); stats_t*stats = bpf_map_lookup_elem(&stats_map, &key);
__u64 now = bpf_ktime_get_ns(); u64 now = bpf_ktime_get_ns();
// Check blacklist map. // Check blacklist map.
__u64 *blocked = NULL; u64 *blocked = NULL;
if (iph6) if (iph6)
{ {
@@ -234,8 +234,8 @@ int xdp_prog_main(struct xdp_md *ctx)
} }
// Update client stats (PPS/BPS). // Update client stats (PPS/BPS).
__u64 pps = 0; u64 pps = 0;
__u64 bps = 0; u64 bps = 0;
if (iph6) if (iph6)
{ {
@@ -250,7 +250,7 @@ int xdp_prog_main(struct xdp_md *ctx)
{ {
u32 key = i; u32 key = i;
struct filter *filter = bpf_map_lookup_elem(&filters_map, &key); filter_t *filter = bpf_map_lookup_elem(&filters_map, &key);
// Check if ID is above 0 (if 0, it's an invalid rule). // Check if ID is above 0 (if 0, it's an invalid rule).
if (!filter || filter->id < 1) if (!filter || filter->id < 1)
@@ -534,7 +534,7 @@ int xdp_prog_main(struct xdp_md *ctx)
// Before dropping, update the blacklist map. // Before dropping, update the blacklist map.
if (blocktime > 0) if (blocktime > 0)
{ {
__u64 newTime = now + (blocktime * NANO_TO_SEC); u64 newTime = now + (blocktime * NANO_TO_SEC);
if (iph6) if (iph6)
{ {
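Review bot: In the `@@ -81,12 +81,12 @@` hunk the converted declaration reads `stats_t*stats = ...`, dropping the space that the other converted pointers keep (`filter_t *filter`, `u64 *blocked`); it should be `stats_t *stats = bpf_map_lookup_elem(&stats_map, &key);`. xdp_prog_main starts and ends outside the visible hunks, so whether `stats` is NULL-checked before it is dereferenced cannot be confirmed from this page.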


@@ -38,7 +38,7 @@ struct
__uint(type, BPF_MAP_TYPE_LRU_HASH); __uint(type, BPF_MAP_TYPE_LRU_HASH);
__uint(max_entries, MAX_TRACK_IPS); __uint(max_entries, MAX_TRACK_IPS);
__type(key, u32); __type(key, u32);
__type(value, __u64); __type(value, u64);
} ip_blacklist_map SEC(".maps"); } ip_blacklist_map SEC(".maps");
struct struct
@@ -58,5 +58,5 @@ struct
__uint(type, BPF_MAP_TYPE_LRU_HASH); __uint(type, BPF_MAP_TYPE_LRU_HASH);
__uint(max_entries, MAX_TRACK_IPS); __uint(max_entries, MAX_TRACK_IPS);
__type(key, u128); __type(key, u128);
__type(value, __u64); __type(value, u64);
} ip6_blacklist_map SEC(".maps"); } ip6_blacklist_map SEC(".maps");


@@ -13,17 +13,17 @@
* *
* @return void * @return void
*/ */
static __always_inline void UpdateIpStats(__u64 *pps, __u64 *bps, u32 ip, u16 port, u8 protocol, u16 pkt_len, __u64 now) static __always_inline void UpdateIpStats(u64 *pps, u64 *bps, u32 ip, u16 port, u8 protocol, u16 pkt_len, u64 now)
{ {
#ifdef USE_FLOW_RL #ifdef USE_FLOW_RL
struct flow key = {0}; flow_t key = {0};
key.ip = ip; key.ip = ip;
key.port = port; key.port = port;
key.protocol = protocol; key.protocol = protocol;
struct ip_stats *ip_stats = bpf_map_lookup_elem(&ip_stats_map, &key); ip_stats_t *ip_stats = bpf_map_lookup_elem(&ip_stats_map, &key);
#else #else
struct ip_stats *ip_stats = bpf_map_lookup_elem(&ip_stats_map, &ip); ip_stats_t *ip_stats = bpf_map_lookup_elem(&ip_stats_map, &ip);
#endif #endif
if (ip_stats) if (ip_stats)
@@ -48,7 +48,7 @@ static __always_inline void UpdateIpStats(__u64 *pps, __u64 *bps, u32 ip, u16 po
else else
{ {
// Create new entry. // Create new entry.
struct ip_stats new = {0}; ip_stats_t new = {0};
new.pps = 1; new.pps = 1;
new.bps = pkt_len; new.bps = pkt_len;
@@ -78,17 +78,17 @@ static __always_inline void UpdateIpStats(__u64 *pps, __u64 *bps, u32 ip, u16 po
* *
* @return void * @return void
*/ */
static __always_inline void UpdateIp6Stats(__u64 *pps, __u64 *bps, u128 *ip, u16 port, u8 protocol, u16 pkt_len, __u64 now) static __always_inline void UpdateIp6Stats(u64 *pps, u64 *bps, u128 *ip, u16 port, u8 protocol, u16 pkt_len, u64 now)
{ {
#ifdef USE_FLOW_RL #ifdef USE_FLOW_RL
struct flow6 key = {0}; flow6_t key = {0};
key.ip = *ip; key.ip = *ip;
key.port = port; key.port = port;
key.protocol = protocol; key.protocol = protocol;
struct ip_stats *ip_stats = bpf_map_lookup_elem(&ip_stats_map, &key); ip_stats_t *ip_stats = bpf_map_lookup_elem(&ip_stats_map, &key);
#else #else
struct ip_stats *ip_stats = bpf_map_lookup_elem(&ip_stats_map, ip); ip_stats_t *ip_stats = bpf_map_lookup_elem(&ip_stats_map, ip);
#endif #endif
if (ip_stats) if (ip_stats)
@@ -113,7 +113,7 @@ static __always_inline void UpdateIp6Stats(__u64 *pps, __u64 *bps, u128 *ip, u16
else else
{ {
// Create new entry. // Create new entry.
struct ip_stats new = {0}; ip_stats_t new = {0};
new.pps = 1; new.pps = 1;
new.bps = pkt_len; new.bps = pkt_len;
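Review bot: UpdateIp6Stats looks up `ip_stats_map`, the same map UpdateIpStats uses, but with a `flow6_t` key or a `u128 *`, while the IPv4 path passes a `flow_t` or a `u32`. The map definition is not on this page, but a map has a single key size, so unless sharing is intended the IPv6 lookups would likely be keyed on only the leading bytes of the address or be rejected at load time. If a dedicated IPv6 stats map exists, these lookups and the insert in the `else` branch should reference it; if sharing is deliberate, a comment at the lookup saying so is needed. Both function bodies continue outside the hunks.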


@@ -6,8 +6,8 @@
#include <xdp/utils/maps.h> #include <xdp/utils/maps.h>
static __always_inline void UpdateIpStats(__u64 *pps, __u64 *bps, u32 ip, u16 port, u8 protocol, u16 pkt_len, __u64 now); static __always_inline void UpdateIpStats(u64 *pps, u64 *bps, u32 ip, u16 port, u8 protocol, u16 pkt_len, u64 now);
static __always_inline void UpdateIp6Stats(__u64 *pps, __u64 *bps, u128 *ip, u16 port, u8 protocol, u16 pkt_len, __u64 now); static __always_inline void UpdateIp6Stats(u64 *pps, u64 *bps, u128 *ip, u16 port, u8 protocol, u16 pkt_len, u64 now);
// NOTE: We include the C source file below because we can't link object files which includes the function logic into the main XDP program because we need to ensure the function is always inlined for performance which doesn't work with linked objects. // NOTE: We include the C source file below because we can't link object files which includes the function logic into the main XDP program because we need to ensure the function is always inlined for performance which doesn't work with linked objects.
// More Info: https://stackoverflow.com/questions/24289599/always-inline-does-not-work-when-function-is-implemented-in-different-file // More Info: https://stackoverflow.com/questions/24289599/always-inline-does-not-work-when-function-is-implemented-in-different-file