kaffa/XDP-Firewall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add typedefs and organize code.

Browse Source
This commit is contained in:
Christian Deacon
2025-02-22 10:24:21 -05:00
parent 1b9e805207
commit 09491e1462
12 changed files with 72 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
src/common/types.h
View File

@@ -2,7 +2,7 @@
#include <common/int_types.h>
struct tcpopts
struct tcp_opts
{
unsigned int enabled : 1;
@@ -36,9 +36,9 @@ struct tcpopts
unsigned int do_cwr : 1;
unsigned int cwr : 1;
};
} typedef tcp_opts_t;
struct udpopts
struct udp_opts
{
unsigned int enabled : 1;
@@ -47,9 +47,9 @@ struct udpopts
unsigned int do_dport : 1;
u16 dport;
};
} typedef udp_opts_t;
struct icmpopts
struct icmp_opts
{
unsigned int enabled : 1;
@@ -58,7 +58,7 @@ struct icmpopts
unsigned int do_type : 1;
u8 type;
};
} typedef icmp_opts_t;
struct filter
{
@@ -93,42 +93,42 @@ struct filter
u8 tos;
unsigned int do_pps : 1;
__u64 pps;
u64 pps;
unsigned int do_bps : 1;
__u64 bps;
u64 bps;
__u64 blocktime;
u64 blocktime;
struct tcpopts tcpopts;
struct udpopts udpopts;
struct icmpopts icmpopts;
} __attribute__((__aligned__(8)));
tcp_opts_t tcpopts;
udp_opts_t udpopts;
icmp_opts_t icmpopts;
} __attribute__((__aligned__(8))) typedef filter_t;
struct stats
{
__u64 allowed;
__u64 dropped;
__u64 passed;
};
u64 allowed;
u64 dropped;
u64 passed;
} typedef stats_t;
struct ip_stats
{
__u64 pps;
__u64 bps;
__u64 next_update;
};
u64 pps;
u64 bps;
u64 next_update;
} typedef ip_stats_t ;
struct flow
{
u32 ip;
u16 port;
u8 protocol;
};
} typedef flow_t;
struct flow6
{
u128 ip;
u16 port;
u8 protocol;
};
} typedef flow6_t;

22
src/loader/loader.c
View File

@@ -43,7 +43,7 @@ void SignalHndl(int tmp)
*
* @return Void
*/
void UpdateFilters(struct config *cfg)
void UpdateFilters(config__t *cfg)
{
// Loop through all filters and delete the map. We do this in the case rules were edited and were put out of order since the key doesn't uniquely map to a specific rule.
for (u8 i = 0; i < MAX_FILTERS; i++)
@@ -63,7 +63,7 @@ void UpdateFilters(struct config *cfg)
}
// Create value array (max CPUs in size) since we're using a per CPU map.
struct filter filter[MAX_CPUS];
filter_t filter[MAX_CPUS];
for (int j = 0; j < MAX_CPUS; j++)
{
@@ -86,7 +86,7 @@ void UpdateFilters(struct config *cfg)
*
* @return 0 on success or -1 on error.
*/
int UpdateConfig(struct config *cfg, char *cfgfile)
int UpdateConfig(config__t *cfg, char *cfgfile)
{
// Open config file.
if (OpenCfg(cfgfile) != 0)
@@ -180,7 +180,7 @@ struct xdp_program *LoadBpfObj(const char *filename)
*
* @return 0 on success and 1 on error.
*/
int AttachXdp(struct xdp_program *prog, int ifidx, u8 detach, struct cmdline *cmd)
int AttachXdp(struct xdp_program *prog, int ifidx, u8 detach, cmdline_t *cmd)
{
int err;
@@ -273,7 +273,7 @@ struct stat conf_stat;
int main(int argc, char *argv[])
{
// Parse the command line.
struct cmdline cmd =
cmdline_t cmd =
{
.cfgfile = "/etc/xdpfw/xdpfw.conf",
.help = 0,
@@ -315,7 +315,7 @@ int main(int argc, char *argv[])
}
// Initialize config.
struct config cfg = {0};
config__t cfg = {0};
SetCfgDefaults(&cfg);
@@ -332,7 +332,7 @@ int main(int argc, char *argv[])
for (uint16_t i = 0; i < MAX_FILTERS; i++)
{
struct filter *filter = &cfg.filters[i];
filter_t *filter = &cfg.filters[i];
if (filter->id < 1)
{
@@ -521,12 +521,12 @@ int main(int argc, char *argv[])
if (!cfg.nostats)
{
u32 key = 0;
struct stats stats[MAX_CPUS];
stats_t stats[MAX_CPUS];
//memset(stats, 0, sizeof(struct stats) * MAX_CPUS);
__u64 allowed = 0;
__u64 dropped = 0;
__u64 passed = 0;
u64 allowed = 0;
u64 dropped = 0;
u64 passed = 0;
if (bpf_map_lookup_elem(statsmap, &key, stats) != 0)
{

2
src/loader/utils/cmdline.c
View File

@@ -22,7 +22,7 @@ const struct option opts[] =
*
* @return Void
*/
void ParseCommandLine(struct cmdline *cmd, int argc, char *argv[])
void ParseCommandLine(cmdline_t *cmd, int argc, char *argv[])
{
int c;

4
src/loader/utils/cmdline.h
View File

@@ -8,6 +8,6 @@ struct cmdline
unsigned int time;
unsigned int list : 1;
unsigned int help : 1;
};
} typedef cmdline_t;
void ParseCommandLine(struct cmdline *cmd, int argc, char *argv[]);
void ParseCommandLine(cmdline_t *cmd, int argc, char *argv[]);

8
src/loader/utils/config.c
View File

@@ -11,7 +11,7 @@ FILE *file;
*
* @return Void
*/
void SetCfgDefaults(struct config *cfg)
void SetCfgDefaults(config__t *cfg)
{
cfg->updatetime = 0;
cfg->interface = NULL;
@@ -111,7 +111,7 @@ int OpenCfg(const char *filename)
*
* @return 0 on success or 1/-1 on error.
*/
int ReadCfg(struct config *cfg)
int ReadCfg(config__t *cfg)
{
// Not sure why this would be set to NULL after checking for it in OpenConfig(), but just for safety.
if (file == NULL)
@@ -225,7 +225,7 @@ int ReadCfg(struct config *cfg)
if (config_setting_lookup_string(filter, "src_ip", &sip))
{
struct ip ip = ParseIp(sip);
ip_range_t ip = ParseIpCidr(sip);
cfg->filters[i].src_ip = ip.ip;
cfg->filters[i].src_cidr = ip.cidr;
@@ -236,7 +236,7 @@ int ReadCfg(struct config *cfg)
if (config_setting_lookup_string(filter, "dst_ip", &dip))
{
struct ip ip = ParseIp(dip);
ip_range_t ip = ParseIpCidr(dip);
cfg->filters[i].dst_ip = ip.ip;
cfg->filters[i].dst_cidr = ip.cidr;

8
src/loader/utils/config.h
View File

@@ -16,9 +16,9 @@ struct config
u16 updatetime;
unsigned int nostats : 1;
int stdout_update_time;
struct filter filters[MAX_FILTERS];
};
filter_t filters[MAX_FILTERS];
} typedef config__t; // config_t is taken by libconfig -.-
void SetCfgDefaults(struct config *cfg);
void SetCfgDefaults(config__t *cfg);
int OpenCfg(const char *filename);
int ReadCfg(struct config *cfg);
int ReadCfg(config__t *cfg);

4
src/loader/utils/helpers.c
View File

@@ -7,9 +7,9 @@
*
* @return Returns an IP structure with IP and CIDR.
*/
struct ip ParseIp(const char *ip)
ip_range_t ParseIpCidr(const char *ip)
{
struct ip ret = {0};
ip_range_t ret = {0};
ret.cidr = 32;
char *token = strtok((char *) ip, "/");

6
src/loader/utils/helpers.h
View File

@@ -7,10 +7,10 @@
#include <stdio.h>
#include <stdlib.h>
struct ip
struct ip_range
{
u32 ip;
u32 cidr;
};
} typedef ip_range_t;
struct ip ParseIp(const char *ip);
ip_range_t ParseIpCidr(const char *ip);

16
src/xdp/prog.c
View File

@@ -44,7 +44,7 @@ int xdp_prog_main(struct xdp_md *ctx)
}
u8 action = 0;
__u64 blocktime = 1;
u64 blocktime = 1;
// Initialize IP headers.
struct iphdr *iph = NULL;
@@ -81,12 +81,12 @@ int xdp_prog_main(struct xdp_md *ctx)
// Get stats map.
u32 key = 0;
struct stats *stats = bpf_map_lookup_elem(&stats_map, &key);
stats_t*stats = bpf_map_lookup_elem(&stats_map, &key);
__u64 now = bpf_ktime_get_ns();
u64 now = bpf_ktime_get_ns();
// Check blacklist map.
__u64 *blocked = NULL;
u64 *blocked = NULL;
if (iph6)
{
@@ -234,8 +234,8 @@ int xdp_prog_main(struct xdp_md *ctx)
}
// Update client stats (PPS/BPS).
__u64 pps = 0;
__u64 bps = 0;
u64 pps = 0;
u64 bps = 0;
if (iph6)
{
@@ -250,7 +250,7 @@ int xdp_prog_main(struct xdp_md *ctx)
{
u32 key = i;
struct filter *filter = bpf_map_lookup_elem(&filters_map, &key);
filter_t *filter = bpf_map_lookup_elem(&filters_map, &key);
// Check if ID is above 0 (if 0, it's an invalid rule).
if (!filter || filter->id < 1)
@@ -534,7 +534,7 @@ int xdp_prog_main(struct xdp_md *ctx)
// Before dropping, update the blacklist map.
if (blocktime > 0)
{
__u64 newTime = now + (blocktime * NANO_TO_SEC);
u64 newTime = now + (blocktime * NANO_TO_SEC);
if (iph6)
{

4
src/xdp/utils/maps.h
View File

@@ -38,7 +38,7 @@ struct
__uint(type, BPF_MAP_TYPE_LRU_HASH);
__uint(max_entries, MAX_TRACK_IPS);
__type(key, u32);
__type(value, __u64);
__type(value, u64);
} ip_blacklist_map SEC(".maps");
struct
@@ -58,5 +58,5 @@ struct
__uint(type, BPF_MAP_TYPE_LRU_HASH);
__uint(max_entries, MAX_TRACK_IPS);
__type(key, u128);
__type(value, __u64);
__type(value, u64);
} ip6_blacklist_map SEC(".maps");

20
src/xdp/utils/rl.c
View File

@@ -13,17 +13,17 @@
*
* @return void
*/
static __always_inline void UpdateIpStats(__u64 *pps, __u64 *bps, u32 ip, u16 port, u8 protocol, u16 pkt_len, __u64 now)
static __always_inline void UpdateIpStats(u64 *pps, u64 *bps, u32 ip, u16 port, u8 protocol, u16 pkt_len, u64 now)
{
#ifdef USE_FLOW_RL
struct flow key = {0};
flow_t key = {0};
key.ip = ip;
key.port = port;
key.protocol = protocol;
struct ip_stats *ip_stats = bpf_map_lookup_elem(&ip_stats_map, &key);
ip_stats_t *ip_stats = bpf_map_lookup_elem(&ip_stats_map, &key);
#else
struct ip_stats *ip_stats = bpf_map_lookup_elem(&ip_stats_map, &ip);
ip_stats_t *ip_stats = bpf_map_lookup_elem(&ip_stats_map, &ip);
#endif
if (ip_stats)
@@ -48,7 +48,7 @@ static __always_inline void UpdateIpStats(__u64 *pps, __u64 *bps, u32 ip, u16 po
else
{
// Create new entry.
struct ip_stats new = {0};
ip_stats_t new = {0};
new.pps = 1;
new.bps = pkt_len;
@@ -78,17 +78,17 @@ static __always_inline void UpdateIpStats(__u64 *pps, __u64 *bps, u32 ip, u16 po
*
* @return void
*/
static __always_inline void UpdateIp6Stats(__u64 *pps, __u64 *bps, u128 *ip, u16 port, u8 protocol, u16 pkt_len, __u64 now)
static __always_inline void UpdateIp6Stats(u64 *pps, u64 *bps, u128 *ip, u16 port, u8 protocol, u16 pkt_len, u64 now)
{
#ifdef USE_FLOW_RL
struct flow6 key = {0};
flow6_t key = {0};
key.ip = *ip;
key.port = port;
key.protocol = protocol;
struct ip_stats *ip_stats = bpf_map_lookup_elem(&ip_stats_map, &key);
ip_stats_t *ip_stats = bpf_map_lookup_elem(&ip_stats_map, &key);
#else
struct ip_stats *ip_stats = bpf_map_lookup_elem(&ip_stats_map, ip);
ip_stats_t *ip_stats = bpf_map_lookup_elem(&ip_stats_map, ip);
#endif
if (ip_stats)
@@ -113,7 +113,7 @@ static __always_inline void UpdateIp6Stats(__u64 *pps, __u64 *bps, u128 *ip, u16
else
{
// Create new entry.
struct ip_stats new = {0};
ip_stats_t new = {0};
new.pps = 1;
new.bps = pkt_len;

4
src/xdp/utils/rl.h
View File

@@ -6,8 +6,8 @@
#include <xdp/utils/maps.h>
static __always_inline void UpdateIpStats(__u64 *pps, __u64 *bps, u32 ip, u16 port, u8 protocol, u16 pkt_len, __u64 now);
static __always_inline void UpdateIp6Stats(__u64 *pps, __u64 *bps, u128 *ip, u16 port, u8 protocol, u16 pkt_len, __u64 now);
static __always_inline void UpdateIpStats(u64 *pps, u64 *bps, u32 ip, u16 port, u8 protocol, u16 pkt_len, u64 now);
static __always_inline void UpdateIp6Stats(u64 *pps, u64 *bps, u128 *ip, u16 port, u8 protocol, u16 pkt_len, u64 now);
// NOTE: We include the C source file below because we can't link object files which includes the function logic into the main XDP program because we need to ensure the function is always inlined for performance which doesn't work with linked objects.
// More Info: https://stackoverflow.com/questions/24289599/always-inline-does-not-work-when-function-is-implemented-in-different-file