Change config syntax for L4 protocols and update README.

This commit is contained in:
gamemann
2020-12-18 02:12:05 +00:00
parent f30f992468
commit 0e80306f0f
2 changed files with 140 additions and 174 deletions


@@ -37,33 +37,31 @@ Config option `filters` is an array. Each filter includes the following options:
* `blocktime` => The time in seconds to block the source IP if the rule matches and the action is block (0). Default value is `1`. * `blocktime` => The time in seconds to block the source IP if the rule matches and the action is block (0). Default value is `1`.
#### TCP Options #### TCP Options
The config option `tcpopts` within a filter is an array including TCP options. This should only be one array per filter. Options include: TCP options exist in the main filter array and start with `tcp_`. Please see below.
* `enabled` => If true, check for TCP-specific matches. * `tcp_enabled` => If true, check for TCP-specific matches.
* `sport` => The source port the packet must match. * `tcp_sport` => The source port the packet must match.
* `dport` => The destination port the packet must match. * `tcp_dport` => The destination port the packet must match.
* `urg` => If true, the packet must have the `URG` flag set to match. * `tcp_urg` => If true, the packet must have the `URG` flag set to match.
* `ack` => If true, the packet must have the `ACK` flag set to match. * `tcp_ack` => If true, the packet must have the `ACK` flag set to match.
* `rst` => If true, the packet must have the `RST` flag set to match. * `tcp_rst` => If true, the packet must have the `RST` flag set to match.
* `psh` => If true, the packet must have the `PSH` flag set to match. * `tcp_psh` => If true, the packet must have the `PSH` flag set to match.
* `syn` => If true, the packet must have the `SYN` flag set to match. * `tcp_syn` => If true, the packet must have the `SYN` flag set to match.
* `fin` => If true, the packet must have the `FIN` flag set to match. * `tcp_fin` => If true, the packet must have the `FIN` flag set to match.
#### UDP Options #### UDP Options
UDP options exist in the main filter array and start with `udp_`. Please see below.
The config option `udpopts` within a filter is an array including UDP options. This should only be one array per filter. Options include: * `udp_enabled` => If true, check for UDP-specific matches.
* `udp_sport` => The source port the packet must match.
* `enabled` => If true, check for UDP-specific matches. * `udp_dport` => The destination port the packet must match.
* `sport` => The source port the packet must match.
* `dport` => The destination port the packet must match.
#### ICMP Options #### ICMP Options
ICMP options exist in the main filter array and start with `icmp_`. Please see below.
The config option `icmpopts` within a filter is an array including ICMP options. This should only be one array per filter. Options include: * `icmp_enabled` => If true, check for ICMP-specific matches.
* `icmp_code` => The ICMP code the packet must match.
* `enabled` => If true, check for ICMP-specific matches. * `icmp_type` => The ICMP type the packet must match.
* `code` => The ICMP code the packet must match.
* `type` => The ICMP type the packet must match.
**Note** - Everything besides the main `enabled` and `action` options within a filter are **not** required. This means you do not have to define them within your config. **Note** - Everything besides the main `enabled` and `action` options within a filter are **not** required. This means you do not have to define them within your config.


@@ -321,173 +321,141 @@ int ReadConfig(struct config_map *cfg)
cfg->filters[i].blockTime = 1; cfg->filters[i].blockTime = 1;
} }
// Check for TCP options. /* TCP options */
config_setting_t* tcpopts = config_setting_lookup(filter, "tcpopts");
// Check TCP options.
if (tcpopts != NULL)
{
for (uint16_t j = 0; j < config_setting_length(tcpopts); j++)
{
config_setting_t* tcp = config_setting_get_elem(tcpopts, j);
// Enabled. // Enabled.
int enabled; int tcpenabled;
if (config_setting_lookup_bool(tcp, "enabled", &enabled)) if (config_setting_lookup_bool(filter, "tcp_enabled", &tcpenabled))
{ {
cfg->filters[i].tcpopts.enabled = enabled; cfg->filters[i].tcpopts.enabled = tcpenabled;
} }
// Source port. // Source port.
long long sport; long long tcpsport;
if (config_setting_lookup_int64(tcp, "sport", &sport)) if (config_setting_lookup_int64(filter, "tcp_sport", &tcpsport))
{ {
cfg->filters[i].tcpopts.sport = (uint16_t)sport; cfg->filters[i].tcpopts.sport = (uint16_t)tcpsport;
cfg->filters[i].tcpopts.do_sport = 1; cfg->filters[i].tcpopts.do_sport = 1;
} }
// Destination port. // Destination port.
long long dport; long long tcpdport;
if (config_setting_lookup_int64(tcp, "dport", &dport)) if (config_setting_lookup_int64(filter, "tcp_dport", &tcpdport))
{ {
cfg->filters[i].tcpopts.dport = (uint16_t)dport; cfg->filters[i].tcpopts.dport = (uint16_t)tcpdport;
cfg->filters[i].tcpopts.do_dport = 1; cfg->filters[i].tcpopts.do_dport = 1;
} }
// URG flag. // URG flag.
int urg; int tcpurg;
if (config_setting_lookup_bool(tcp, "urg", &urg)) if (config_setting_lookup_bool(filter, "tcp_urg", &tcpurg))
{ {
cfg->filters[i].tcpopts.urg = urg; cfg->filters[i].tcpopts.urg = tcpurg;
cfg->filters[i].tcpopts.do_urg = 1; cfg->filters[i].tcpopts.do_urg = 1;
} }
// ACK flag. // ACK flag.
int ack; int tcpack;
if (config_setting_lookup_bool(tcp, "ack", &ack)) if (config_setting_lookup_bool(filter, "tcp_ack", &tcpack))
{ {
cfg->filters[i].tcpopts.ack = ack; cfg->filters[i].tcpopts.ack = tcpack;
cfg->filters[i].tcpopts.do_ack = 1; cfg->filters[i].tcpopts.do_ack = 1;
} }
// RST flag.
int rst;
if (config_setting_lookup_bool(tcp, "rst", &rst)) // RST flag.
int tcprst;
if (config_setting_lookup_bool(filter, "tcp_rst", &tcprst))
{ {
cfg->filters[i].tcpopts.rst = rst; cfg->filters[i].tcpopts.rst = tcprst;
cfg->filters[i].tcpopts.do_rst = 1; cfg->filters[i].tcpopts.do_rst = 1;
} }
// PSH flag. // PSH flag.
int psh; int tcppsh;
if (config_setting_lookup_bool(tcp, "psh", &psh)) if (config_setting_lookup_bool(filter, "tcp_psh", &tcppsh))
{ {
cfg->filters[i].tcpopts.psh = psh; cfg->filters[i].tcpopts.psh = tcppsh;
cfg->filters[i].tcpopts.do_psh = 1; cfg->filters[i].tcpopts.do_psh = 1;
} }
// SYN flag. // SYN flag.
int syn; int tcpsyn;
if (config_setting_lookup_bool(tcp, "syn", &syn)) if (config_setting_lookup_bool(filter, "tcp_syn", &tcpsyn))
{ {
cfg->filters[i].tcpopts.syn = syn; cfg->filters[i].tcpopts.syn = tcpsyn;
cfg->filters[i].tcpopts.do_syn = 1; cfg->filters[i].tcpopts.do_syn = 1;
} }
// FIN flag. // FIN flag.
int fin; int tcpfin;
if (config_setting_lookup_bool(tcp, "fin", &fin)) if (config_setting_lookup_bool(filter, "tcp_fin", &tcpfin))
{ {
cfg->filters[i].tcpopts.fin = fin; cfg->filters[i].tcpopts.fin = tcpfin;
cfg->filters[i].tcpopts.do_fin = 1; cfg->filters[i].tcpopts.do_fin = 1;
} }
}
}
// Check for UDP options.
config_setting_t* udpopts = config_setting_lookup(filter, "udpopts");
// Check UDP options.
if (udpopts != NULL)
{
for (uint16_t j = 0; j < config_setting_length(udpopts); j++)
{
config_setting_t* udp = config_setting_get_elem(udpopts, j);
/* UDP options */
// Enabled. // Enabled.
int enabled; int udpenabled;
if (config_setting_lookup_bool(udp, "enabled", &enabled)) if (config_setting_lookup_bool(filter, "udp_enabled", &udpenabled))
{ {
cfg->filters[i].udpopts.enabled = enabled; cfg->filters[i].udpopts.enabled = udpenabled;
} }
// Source port. // Source port.
long long sport; long long udpsport;
if (config_setting_lookup_int64(udp, "sport", &sport)) if (config_setting_lookup_int64(filter, "udp_sport", &udpsport))
{ {
cfg->filters[i].udpopts.sport = (uint16_t)sport; cfg->filters[i].udpopts.sport = (uint16_t)udpsport;
cfg->filters[i].udpopts.do_sport = 1; cfg->filters[i].udpopts.do_sport = 1;
} }
// Destination port. // Destination port.
long long dport; long long udpdport;
if (config_setting_lookup_int64(udp, "dport", &dport)) if (config_setting_lookup_int64(filter, "udp_dport", &udpdport))
{ {
cfg->filters[i].udpopts.dport = (uint16_t)dport; cfg->filters[i].udpopts.dport = (uint16_t)udpdport;
cfg->filters[i].udpopts.do_dport = 1; cfg->filters[i].udpopts.do_dport = 1;
} }
}
}
// Check for ICMP options.
config_setting_t* icmpopts = config_setting_lookup(filter, "icmpopts");
// Check UDP options.
if (icmpopts != NULL)
{
for (uint16_t j = 0; j < config_setting_length(icmpopts); j++)
{
config_setting_t* icmp = config_setting_get_elem(icmpopts, j);
/* ICMP options */
// Enabled. // Enabled.
int enabled; int icmpenabled;
if (config_setting_lookup_bool(icmp, "enabled", &enabled)) if (config_setting_lookup_bool(filter, "icmp_enabled", &icmpenabled))
{ {
cfg->filters[i].icmpopts.enabled = enabled; cfg->filters[i].icmpopts.enabled = icmpenabled;
} }
// ICMP code. // ICMP code.
int code; int icmpcode;
if (config_setting_lookup_int(icmp, "code", &code)) if (config_setting_lookup_int(filter, "icmp_code", &icmpcode))
{ {
cfg->filters[i].icmpopts.code = (uint8_t)code; cfg->filters[i].icmpopts.code = (uint8_t)icmpcode;
cfg->filters[i].icmpopts.do_code = 1; cfg->filters[i].icmpopts.do_code = 1;
} }
// ICMP type. // ICMP type.
int type; int icmptype;
if (config_setting_lookup_int(icmp, "type", &type)) if (config_setting_lookup_int(filter, "icmp_type", &icmptype))
{ {
cfg->filters[i].icmpopts.type = (uint8_t)type; cfg->filters[i].icmpopts.type = (uint8_t)icmptype;
cfg->filters[i].icmpopts.do_type = 1; cfg->filters[i].icmpopts.do_type = 1;
} }
}
}
// Assign ID. // Assign ID.
cfg->filters[i].id = filters + 1; cfg->filters[i].id = filters + 1;
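Review bot: Because the old `tcpopts`/`udpopts`/`icmpopts` groups are no longer looked up anywhere in this block, a config still written in the previous syntax loads without any error and every L4 criterion in it is silently dropped, so a filter that used to match only `dport = 22` now matches on its remaining fields alone and a block (or allow) rule can become far broader than intended. Before the `/* TCP options */` read, a guard such as `if (config_setting_lookup(filter, "tcpopts") || config_setting_lookup(filter, "udpopts") || config_setting_lookup(filter, "icmpopts")) { fprintf(stderr, "A filter uses the removed tcpopts/udpopts/icmpopts syntax; use tcp_*/udp_*/icmp_* keys.\n"); }` would at least surface this, and rejecting the filter through whatever error path ReadConfig uses (not visible in this hunk) would be safer than only warning. Separately, the `(uint16_t)tcpsport`, `(uint16_t)udpdport` and `(uint8_t)icmpcode`-style casts still truncate silently, so `tcp_dport = 65616` installs a rule for port 80 and `tcp_sport = -1` becomes 65535; a range check like `if (tcpsport < 0 || tcpsport > UINT16_MAX)` before each port assignment (and `> UINT8_MAX` for the ICMP code/type fields) would keep the installed rule identical to the configured one. ReadConfig begins before this hunk and continues after it.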