From 1c41ac296b91df2aefbad67c766364405c55a8df Mon Sep 17 00:00:00 2001
From: gamemann
Date: Sat, 27 Aug 2022 15:56:29 +0000
Subject: [PATCH] Add TCP ECE and CWR flags support.
---
 src/config.c | 20 ++++++++++++++++++++
 src/xdpfw.c | 14 +++++++++-----
 src/xdpfw.h | 6 ++++++
 src/xdpfw_kern.c | 12 ++++++++++++
 4 files changed, 47 insertions(+), 5 deletions(-)
diff --git a/src/config.c b/src/config.c
index e0d0fe8..0546f84 100644
--- a/src/config.c
+++ b/src/config.c
@@ -70,6 +70,8 @@ void setcfgdefaults(struct config *cfg)
 cfg->filters[i].tcpopts.do_psh = 0;
 cfg->filters[i].tcpopts.do_syn = 0;
 cfg->filters[i].tcpopts.do_fin = 0;
+ cfg->filters[i].tcpopts.do_ece = 0;
+ cfg->filters[i].tcpopts.do_cwr = 0;
 cfg->filters[i].udpopts.enabled = 0;
 cfg->filters[i].udpopts.do_sport = 0;
@@ -425,6 +427,24 @@ int readcfg(struct config *cfg)
 cfg->filters[i].tcpopts.do_fin = 1;
 }
+ // ECE flag.
+ int tcpece;
+
+ if (config_setting_lookup_bool(filter, "tcp_ece", &tcpece))
+ {
+ cfg->filters[i].tcpopts.ece = tcpece;
+ cfg->filters[i].tcpopts.do_ece = 1;
+ }
+
+ // CWR flag.
+ int tcpcwr;
+
+ if (config_setting_lookup_bool(filter, "tcp_cwr", &tcpcwr))
+ {
+ cfg->filters[i].tcpopts.cwr = tcpcwr;
+ cfg->filters[i].tcpopts.do_cwr = 1;
+ }
+
 /* UDP options */
 // Enabled.
 int udpenabled;
diff --git a/src/xdpfw.c b/src/xdpfw.c
index 086a08a..c6a1176 100644
--- a/src/xdpfw.c
+++ b/src/xdpfw.c
@@ -368,8 +368,10 @@ int main(int argc, char *argv[])
 fprintf(stdout, "\tEnabled => %d\n", cfg.filters[i].enabled);
 fprintf(stdout, "\tAction => %d (0 = Block, 1 = Allow).\n\n", cfg.filters[i].action);
+ // IP Options.
 fprintf(stdout, "\tIP Options\n");
- // IP addresses.
+
+ // IP addresses require additional code for string printing.
 struct sockaddr_in sin;
 sin.sin_addr.s_addr = cfg.filters[i].srcip;
 fprintf(stdout, "\t\tSource IP => %s\n", inet_ntoa(sin.sin_addr));
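Review bot: The new assignments `cfg->filters[i].tcpopts.ece = tcpece;` and `cfg->filters[i].tcpopts.cwr = tcpcwr;` in the readcfg hunk store a plain `int` into a one-bit field; config_setting_lookup_bool yields 0 or 1 so nothing is truncated today, but writing `cfg->filters[i].tcpopts.ece = (tcpece != 0);` (and the same for `cwr`) keeps the intent explicit and the stored bit correct should the lookup ever hand back another non-zero value. The filter loop that encloses both new blocks starts and ends outside the hunk. The same remark applies to the matching `tcp_cwr` block a few lines below.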
@@ -388,8 +390,8 @@ int main(int argc, char *argv[])
 fprintf(stdout, "\t\tBPS => %llu\n", cfg.filters[i].bps);
 fprintf(stdout, "\t\tBlock Time => %llu\n\n", cfg.filters[i].blocktime);
- fprintf(stdout, "\tTCP Options\n");
 // TCP Options.
+ fprintf(stdout, "\tTCP Options\n");
 fprintf(stdout, "\t\tTCP Enabled => %d\n", cfg.filters[i].tcpopts.enabled);
 fprintf(stdout, "\t\tTCP Source Port => %d\n", cfg.filters[i].tcpopts.sport);
 fprintf(stdout, "\t\tTCP Destination Port => %d\n", cfg.filters[i].tcpopts.dport);
@@ -398,16 +400,18 @@ int main(int argc, char *argv[])
 fprintf(stdout, "\t\tTCP RST Flag => %d\n", cfg.filters[i].tcpopts.rst);
 fprintf(stdout, "\t\tTCP PSH Flag => %d\n", cfg.filters[i].tcpopts.psh);
 fprintf(stdout, "\t\tTCP SYN Flag => %d\n", cfg.filters[i].tcpopts.syn);
- fprintf(stdout, "\t\tTCP FIN Flag => %d\n\n", cfg.filters[i].tcpopts.fin);
+ fprintf(stdout, "\t\tTCP FIN Flag => %d\n", cfg.filters[i].tcpopts.fin);
+ fprintf(stdout, "\t\tTCP ECE Flag => %d\n", cfg.filters[i].tcpopts.ece);
+ fprintf(stdout, "\t\tTCP CWR Flag => %d\n\n", cfg.filters[i].tcpopts.cwr);
- fprintf(stdout, "\tUDP Options\n");
 // UDP Options.
+ fprintf(stdout, "\tUDP Options\n");
 fprintf(stdout, "\t\tUDP Enabled => %d\n", cfg.filters[i].udpopts.enabled);
 fprintf(stdout, "\t\tUDP Source Port => %d\n", cfg.filters[i].udpopts.sport);
 fprintf(stdout, "\t\tUDP Destination Port => %d\n\n", cfg.filters[i].udpopts.dport);
- fprintf(stdout, "\tICMP Options\n");
 // ICMP Options.
+ fprintf(stdout, "\tICMP Options\n");
 fprintf(stdout, "\t\tICMP Enabled => %d\n", cfg.filters[i].icmpopts.enabled);
 fprintf(stdout, "\t\tICMP Code => %d\n", cfg.filters[i].icmpopts.code);
 fprintf(stdout, "\t\tICMP Type => %d\n", cfg.filters[i].icmpopts.type);
diff --git a/src/xdpfw.h b/src/xdpfw.h
index 45401fc..b66389f 100644
--- a/src/xdpfw.h
+++ b/src/xdpfw.h
@@ -58,6 +58,12 @@ struct tcpopts
 unsigned int do_fin : 1;
 unsigned int fin : 1;
+
+ unsigned int do_ece : 1;
+ unsigned int ece : 1;
+
+ unsigned int do_cwr : 1;
+ unsigned int cwr : 1;
 };
 struct udpopts
diff --git a/src/xdpfw_kern.c b/src/xdpfw_kern.c
index da04046..c3ff32c 100644
--- a/src/xdpfw_kern.c
+++ b/src/xdpfw_kern.c
@@ -510,6 +510,18 @@ int xdp_prog_main(struct xdp_md *ctx)
 {
 continue;
 }
+
+ // ECE flag.
+ if (filter->tcpopts.do_ece && filter->tcpopts.ece != tcph->ece)
+ {
+ continue;
+ }
+
+ // CWR flag.
+ if (filter->tcpopts.do_cwr && filter->tcpopts.cwr != tcph->cwr)
+ {
+ continue;
+ }
 }
 else if (filter->udpopts.enabled)
 {
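Review bot: The four new bit-fields change the layout of `struct tcpopts`, and this same patch reads the struct both from user space (config.c, xdpfw.c) and from the XDP program (xdpfw_kern.c), which suggests the header describes a layout shared across the user/kernel boundary; if so, the loader and the BPF object must be rebuilt together or the kernel side will interpret the old bit positions. Nothing in the hunk says whether the struct is the map value type, so treat that as something to confirm. A comment above the struct would make the coupling visible to the next person who adds a field, for example `// Layout is shared with xdpfw_kern.c; rebuild both the loader and the BPF object after changing fields.`. Appending the new `do_*`/value pairs after `fin`, as done here, is the least disruptive placement for existing fields.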
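Review bot: The new comparisons dereference `tcph->ece` and `tcph->cwr`, and the bounds check that makes `tcph` safe to read lies outside this hunk; in the Linux uapi `struct tcphdr` those two bits share the flags word with the `fin`/`syn`/`rst` bits already compared above, so an existing check of the whole `sizeof(struct tcphdr)` against the packet end covers them, whereas a check that only validated up to the ports would not, which is worth confirming in the code above the hunk. The flag checks now repeat the same three-line `if (do_x && x != tcph->x) continue;` shape six times; a small helper or macro taking the `do_*` bit, the configured value and the header bit would shorten the block without changing what the verifier sees. `xdp_prog_main` begins and ends outside the hunk.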