Change config syntax for L4 protocols and update README.

gamemann
2020-12-18 02:12:05 +00:00
parent f30f992468
commit 0e80306f0f
2 changed files with 140 additions and 174 deletions


@@ -37,33 +37,31 @@ Config option `filters` is an array. Each filter includes the following options:
* `blocktime` => The time in seconds to block the source IP if the rule matches and the action is block (0). Default value is `1`.
#### TCP Options
The config option `tcpopts` within a filter is an array including TCP options. This should only be one array per filter. Options include:
TCP options exist in the main filter array and start with `tcp_`. Please see below.
* `enabled` => If true, check for TCP-specific matches.
* `sport` => The source port the packet must match.
* `dport` => The destination port the packet must match.
* `urg` => If true, the packet must have the `URG` flag set to match.
* `ack` => If true, the packet must have the `ACK` flag set to match.
* `rst` => If true, the packet must have the `RST` flag set to match.
* `psh` => If true, the packet must have the `PSH` flag set to match.
* `syn` => If true, the packet must have the `SYN` flag set to match.
* `fin` => If true, the packet must have the `FIN` flag set to match.
* `tcp_enabled` => If true, check for TCP-specific matches.
* `tcp_sport` => The source port the packet must match.
* `tcp_dport` => The destination port the packet must match.
* `tcp_urg` => If true, the packet must have the `URG` flag set to match.
* `tcp_ack` => If true, the packet must have the `ACK` flag set to match.
* `tcp_rst` => If true, the packet must have the `RST` flag set to match.
* `tcp_psh` => If true, the packet must have the `PSH` flag set to match.
* `tcp_syn` => If true, the packet must have the `SYN` flag set to match.
* `tcp_fin` => If true, the packet must have the `FIN` flag set to match.
#### UDP Options
UDP options exist in the main filter array and start with `udp_`. Please see below.
The config option `udpopts` within a filter is an array including UDP options. This should only be one array per filter. Options include:
* `enabled` => If true, check for UDP-specific matches.
* `sport` => The source port the packet must match.
* `dport` => The destination port the packet must match.
* `udp_enabled` => If true, check for UDP-specific matches.
* `udp_sport` => The source port the packet must match.
* `udp_dport` => The destination port the packet must match.
#### ICMP Options
ICMP options exist in the main filter array and start with `icmp_`. Please see below.
The config option `icmpopts` within a filter is an array including ICMP options. This should only be one array per filter. Options include:
* `enabled` => If true, check for ICMP-specific matches.
* `code` => The ICMP code the packet must match.
* `type` => The ICMP type the packet must match.
* `icmp_enabled` => If true, check for ICMP-specific matches.
* `icmp_code` => The ICMP code the packet must match.
* `icmp_type` => The ICMP type the packet must match.
**Note** - Everything besides the main `enabled` and `action` options within a filter are **not** required. This means you do not have to define them within your config.


@@ -321,172 +321,140 @@ int ReadConfig(struct config_map *cfg)
cfg->filters[i].blockTime = 1;
}
// Check for TCP options.
config_setting_t* tcpopts = config_setting_lookup(filter, "tcpopts");
/* TCP options */
// Enabled.
int tcpenabled;
// Check TCP options.
if (tcpopts != NULL)
if (config_setting_lookup_bool(filter, "tcp_enabled", &tcpenabled))
{
for (uint16_t j = 0; j < config_setting_length(tcpopts); j++)
{
config_setting_t* tcp = config_setting_get_elem(tcpopts, j);
// Enabled.
int enabled;
if (config_setting_lookup_bool(tcp, "enabled", &enabled))
{
cfg->filters[i].tcpopts.enabled = enabled;
}
// Source port.
long long sport;
if (config_setting_lookup_int64(tcp, "sport", &sport))
{
cfg->filters[i].tcpopts.sport = (uint16_t)sport;
cfg->filters[i].tcpopts.do_sport = 1;
}
// Destination port.
long long dport;
if (config_setting_lookup_int64(tcp, "dport", &dport))
{
cfg->filters[i].tcpopts.dport = (uint16_t)dport;
cfg->filters[i].tcpopts.do_dport = 1;
}
// URG flag.
int urg;
if (config_setting_lookup_bool(tcp, "urg", &urg))
{
cfg->filters[i].tcpopts.urg = urg;
cfg->filters[i].tcpopts.do_urg = 1;
}
// ACK flag.
int ack;
if (config_setting_lookup_bool(tcp, "ack", &ack))
{
cfg->filters[i].tcpopts.ack = ack;
cfg->filters[i].tcpopts.do_ack = 1;
}
// RST flag.
int rst;
if (config_setting_lookup_bool(tcp, "rst", &rst))
{
cfg->filters[i].tcpopts.rst = rst;
cfg->filters[i].tcpopts.do_rst = 1;
}
// PSH flag.
int psh;
if (config_setting_lookup_bool(tcp, "psh", &psh))
{
cfg->filters[i].tcpopts.psh = psh;
cfg->filters[i].tcpopts.do_psh = 1;
}
// SYN flag.
int syn;
if (config_setting_lookup_bool(tcp, "syn", &syn))
{
cfg->filters[i].tcpopts.syn = syn;
cfg->filters[i].tcpopts.do_syn = 1;
}
// FIN flag.
int fin;
if (config_setting_lookup_bool(tcp, "fin", &fin))
{
cfg->filters[i].tcpopts.fin = fin;
cfg->filters[i].tcpopts.do_fin = 1;
}
}
cfg->filters[i].tcpopts.enabled = tcpenabled;
}
// Check for UDP options.
config_setting_t* udpopts = config_setting_lookup(filter, "udpopts");
// Source port.
long long tcpsport;
// Check UDP options.
if (udpopts != NULL)
if (config_setting_lookup_int64(filter, "tcp_sport", &tcpsport))
{
for (uint16_t j = 0; j < config_setting_length(udpopts); j++)
{
config_setting_t* udp = config_setting_get_elem(udpopts, j);
// Enabled.
int enabled;
if (config_setting_lookup_bool(udp, "enabled", &enabled))
{
cfg->filters[i].udpopts.enabled = enabled;
}
// Source port.
long long sport;
if (config_setting_lookup_int64(udp, "sport", &sport))
{
cfg->filters[i].udpopts.sport = (uint16_t)sport;
cfg->filters[i].udpopts.do_sport = 1;
}
// Destination port.
long long dport;
if (config_setting_lookup_int64(udp, "dport", &dport))
{
cfg->filters[i].udpopts.dport = (uint16_t)dport;
cfg->filters[i].udpopts.do_dport = 1;
}
}
cfg->filters[i].tcpopts.sport = (uint16_t)tcpsport;
cfg->filters[i].tcpopts.do_sport = 1;
}
// Check for ICMP options.
config_setting_t* icmpopts = config_setting_lookup(filter, "icmpopts");
// Destination port.
long long tcpdport;
// Check UDP options.
if (icmpopts != NULL)
if (config_setting_lookup_int64(filter, "tcp_dport", &tcpdport))
{
for (uint16_t j = 0; j < config_setting_length(icmpopts); j++)
{
config_setting_t* icmp = config_setting_get_elem(icmpopts, j);
cfg->filters[i].tcpopts.dport = (uint16_t)tcpdport;
cfg->filters[i].tcpopts.do_dport = 1;
}
// Enabled.
int enabled;
// URG flag.
int tcpurg;
if (config_setting_lookup_bool(icmp, "enabled", &enabled))
{
cfg->filters[i].icmpopts.enabled = enabled;
}
if (config_setting_lookup_bool(filter, "tcp_urg", &tcpurg))
{
cfg->filters[i].tcpopts.urg = tcpurg;
cfg->filters[i].tcpopts.do_urg = 1;
}
// ICMP code.
int code;
// ACK flag.
int tcpack;
if (config_setting_lookup_int(icmp, "code", &code))
{
cfg->filters[i].icmpopts.code = (uint8_t)code;
cfg->filters[i].icmpopts.do_code = 1;
}
if (config_setting_lookup_bool(filter, "tcp_ack", &tcpack))
{
cfg->filters[i].tcpopts.ack = tcpack;
cfg->filters[i].tcpopts.do_ack = 1;
}
// ICMP type.
int type;
if (config_setting_lookup_int(icmp, "type", &type))
{
cfg->filters[i].icmpopts.type = (uint8_t)type;
cfg->filters[i].icmpopts.do_type = 1;
}
}
// RST flag.
int tcprst;
if (config_setting_lookup_bool(filter, "tcp_rst", &tcprst))
{
cfg->filters[i].tcpopts.rst = tcprst;
cfg->filters[i].tcpopts.do_rst = 1;
}
// PSH flag.
int tcppsh;
if (config_setting_lookup_bool(filter, "tcp_psh", &tcppsh))
{
cfg->filters[i].tcpopts.psh = tcppsh;
cfg->filters[i].tcpopts.do_psh = 1;
}
// SYN flag.
int tcpsyn;
if (config_setting_lookup_bool(filter, "tcp_syn", &tcpsyn))
{
cfg->filters[i].tcpopts.syn = tcpsyn;
cfg->filters[i].tcpopts.do_syn = 1;
}
// FIN flag.
int tcpfin;
if (config_setting_lookup_bool(filter, "tcp_fin", &tcpfin))
{
cfg->filters[i].tcpopts.fin = tcpfin;
cfg->filters[i].tcpopts.do_fin = 1;
}
/* UDP options */
// Enabled.
int udpenabled;
if (config_setting_lookup_bool(filter, "udp_enabled", &udpenabled))
{
cfg->filters[i].udpopts.enabled = udpenabled;
}
// Source port.
long long udpsport;
if (config_setting_lookup_int64(filter, "udp_sport", &udpsport))
{
cfg->filters[i].udpopts.sport = (uint16_t)udpsport;
cfg->filters[i].udpopts.do_sport = 1;
}
// Destination port.
long long udpdport;
if (config_setting_lookup_int64(filter, "udp_dport", &udpdport))
{
cfg->filters[i].udpopts.dport = (uint16_t)udpdport;
cfg->filters[i].udpopts.do_dport = 1;
}
/* ICMP options */
// Enabled.
int icmpenabled;
if (config_setting_lookup_bool(filter, "icmp_enabled", &icmpenabled))
{
cfg->filters[i].icmpopts.enabled = icmpenabled;
}
// ICMP code.
int icmpcode;
if (config_setting_lookup_int(filter, "icmp_code", &icmpcode))
{
cfg->filters[i].icmpopts.code = (uint8_t)icmpcode;
cfg->filters[i].icmpopts.do_code = 1;
}
// ICMP type.
int icmptype;
if (config_setting_lookup_int(filter, "icmp_type", &icmptype))
{
cfg->filters[i].icmpopts.type = (uint8_t)icmptype;
cfg->filters[i].icmpopts.do_type = 1;
}
// Assign ID.
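Review bot: The port values read at `tcp_sport`/`tcp_dport` and `udp_sport`/`udp_dport` are cast straight from `long long` to `uint16_t` with no range check, so a mistyped value such as 65536 silently becomes port 0 and the filter matches a different port than the author intended instead of failing config load; `icmp_code`/`icmp_type` have the same `int` to `uint8_t` truncation. A guard before each cast, `if (tcpsport < 0 || tcpsport > UINT16_MAX) { /* reject this filter as malformed */ }` (UINT8_MAX for the two ICMP fields), applied at all six lookups, would turn that into a load-time error on whatever failure path ReadConfig already uses. Separately, since the old `tcpopts`/`udpopts`/`icmpopts` sub-arrays are no longer looked up at all, a config still written in the old syntax loads without any diagnostic and the filter is then evaluated without its L4 conditions, which is worth at least a logged warning when one of those keys is still present. ReadConfig starts and ends outside this hunk.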