kaffa/XDP-Firewall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add TCP ECE and CWR flags support.

Browse Source
This commit is contained in:
gamemann
2022-08-27 15:56:29 +00:00
parent 4c3f6950f9
commit 1c41ac296b
4 changed files with 47 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/config.c
View File

@@ -70,6 +70,8 @@ void setcfgdefaults(struct config *cfg)
cfg->filters[i].tcpopts.do_psh = 0;
cfg->filters[i].tcpopts.do_syn = 0;
cfg->filters[i].tcpopts.do_fin = 0;
cfg->filters[i].tcpopts.do_ece = 0;
cfg->filters[i].tcpopts.do_cwr = 0;
cfg->filters[i].udpopts.enabled = 0;
cfg->filters[i].udpopts.do_sport = 0;
@@ -425,6 +427,24 @@ int readcfg(struct config *cfg)
cfg->filters[i].tcpopts.do_fin = 1;
}
// ECE flag.
int tcpece;
if (config_setting_lookup_bool(filter, "tcp_ece", &tcpece))
{
cfg->filters[i].tcpopts.ece = tcpece;
cfg->filters[i].tcpopts.do_ece = 1;
}
// CWR flag.
int tcpcwr;
if (config_setting_lookup_bool(filter, "tcp_cwr", &tcpcwr))
{
cfg->filters[i].tcpopts.cwr = tcpcwr;
cfg->filters[i].tcpopts.do_cwr = 1;
}
/* UDP options */
// Enabled.
int udpenabled;

14
src/xdpfw.c
View File

@@ -368,8 +368,10 @@ int main(int argc, char *argv[])
fprintf(stdout, "\tEnabled => %d\n", cfg.filters[i].enabled);
fprintf(stdout, "\tAction => %d (0 = Block, 1 = Allow).\n\n", cfg.filters[i].action);
// IP Options.
fprintf(stdout, "\tIP Options\n");
// IP addresses.
// IP addresses require additional code for string printing.
struct sockaddr_in sin;
sin.sin_addr.s_addr = cfg.filters[i].srcip;
fprintf(stdout, "\t\tSource IP => %s\n", inet_ntoa(sin.sin_addr));
@@ -388,8 +390,8 @@ int main(int argc, char *argv[])
fprintf(stdout, "\t\tBPS => %llu\n", cfg.filters[i].bps);
fprintf(stdout, "\t\tBlock Time => %llu\n\n", cfg.filters[i].blocktime);
fprintf(stdout, "\tTCP Options\n");
// TCP Options.
fprintf(stdout, "\tTCP Options\n");
fprintf(stdout, "\t\tTCP Enabled => %d\n", cfg.filters[i].tcpopts.enabled);
fprintf(stdout, "\t\tTCP Source Port => %d\n", cfg.filters[i].tcpopts.sport);
fprintf(stdout, "\t\tTCP Destination Port => %d\n", cfg.filters[i].tcpopts.dport);
@@ -398,16 +400,18 @@ int main(int argc, char *argv[])
fprintf(stdout, "\t\tTCP RST Flag => %d\n", cfg.filters[i].tcpopts.rst);
fprintf(stdout, "\t\tTCP PSH Flag => %d\n", cfg.filters[i].tcpopts.psh);
fprintf(stdout, "\t\tTCP SYN Flag => %d\n", cfg.filters[i].tcpopts.syn);
fprintf(stdout, "\t\tTCP FIN Flag => %d\n\n", cfg.filters[i].tcpopts.fin);
fprintf(stdout, "\t\tTCP FIN Flag => %d\n", cfg.filters[i].tcpopts.fin);
fprintf(stdout, "\t\tTCP ECE Flag => %d\n", cfg.filters[i].tcpopts.ece);
fprintf(stdout, "\t\tTCP CWR Flag => %d\n\n", cfg.filters[i].tcpopts.cwr);
fprintf(stdout, "\tUDP Options\n");
// UDP Options.
fprintf(stdout, "\tUDP Options\n");
fprintf(stdout, "\t\tUDP Enabled => %d\n", cfg.filters[i].udpopts.enabled);
fprintf(stdout, "\t\tUDP Source Port => %d\n", cfg.filters[i].udpopts.sport);
fprintf(stdout, "\t\tUDP Destination Port => %d\n\n", cfg.filters[i].udpopts.dport);
fprintf(stdout, "\tICMP Options\n");
// ICMP Options.
fprintf(stdout, "\tICMP Options\n");
fprintf(stdout, "\t\tICMP Enabled => %d\n", cfg.filters[i].icmpopts.enabled);
fprintf(stdout, "\t\tICMP Code => %d\n", cfg.filters[i].icmpopts.code);
fprintf(stdout, "\t\tICMP Type => %d\n", cfg.filters[i].icmpopts.type);

6
src/xdpfw.h
View File

@@ -58,6 +58,12 @@ struct tcpopts
unsigned int do_fin : 1;
unsigned int fin : 1;
unsigned int do_ece : 1;
unsigned int ece : 1;
unsigned int do_cwr : 1;
unsigned int cwr : 1;
};
struct udpopts

12
src/xdpfw_kern.c
View File

@@ -510,6 +510,18 @@ int xdp_prog_main(struct xdp_md *ctx)
{
continue;
}
// ECE flag.
if (filter->tcpopts.do_ece && filter->tcpopts.ece != tcph->ece)
{
continue;
}
// CWR flag.
if (filter->tcpopts.do_cwr && filter->tcpopts.cwr != tcph->cwr)
{
continue;
}
}
else if (filter->udpopts.enabled)
{