kaffa/XDP-Firewall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Continue preparing Loader for new features.

Browse Source
This commit is contained in:
Christian Deacon
2025-03-01 10:39:11 -05:00
parent ff1ac4e817
commit 2019029a4d
5 changed files with 739 additions and 410 deletions
Download Patch File Download Diff File Expand all files Collapse all files

150
src/loader/prog.c
View File

@@ -22,16 +22,47 @@ int cont = 1;
int doing_stats = 0;
/**
* Unpins filter-specific BPF maps from file system.
* Unpins required BPF maps from file system.
*
* @param cfg A pointer to the config structure.
* @param obj A pointer to the BPF object.
* @param ignore_errors Whether to ignore errors.
*/
static void UnpinFilterMaps(config__t* cfg, struct bpf_object* obj, int ignore_errors)
static void UnpinNeededMaps(config__t* cfg, struct bpf_object* obj, int ignore_errors)
{
int ret;
// Unpin block map.
if ((ret = UnpinBpfMap(obj, XDP_MAP_PIN_DIR, "map_block")) != 0)
{
if (!ignore_errors)
{
LogMsg(cfg, 1, 0, "[WARNING] Failed to un-pin BPF map 'map_block' from file system (%d).", ret);
}
}
// Unpin block (IPv6) map.
if ((ret = UnpinBpfMap(obj, XDP_MAP_PIN_DIR, "map_block6")) != 0)
{
if (!ignore_errors)
{
LogMsg(cfg, 1, 0, "[WARNING] Failed to un-pin BPF map 'map_block6' from file system (%d).", ret);
}
}
#ifdef ENABLE_IP_RANGE_DROP
// Unpin IPv4 range drop map.
if ((ret = UnpinBpfMap(obj, XDP_MAP_PIN_DIR, "map_range_drop")) != 0)
{
if (!ignore_errors)
{
LogMsg(cfg, 1, 0, "[WARNING] Failed to un-pin BPF map 'map_range_drop' from file system (%d).", ret);
}
}
#endif
#ifdef ENABLE_FILTERS
// Unpin filters map.
if ((ret = UnpinBpfMap(obj, XDP_MAP_PIN_DIR, "map_filters")) != 0)
{
if (!ignore_errors)
@@ -40,6 +71,8 @@ static void UnpinFilterMaps(config__t* cfg, struct bpf_object* obj, int ignore_e
}
}
#ifdef ENABLE_FILTER_LOGGING
// Unpin filters log map.
if ((ret = UnpinBpfMap(obj, XDP_MAP_PIN_DIR, "map_filter_log")) != 0)
{
if (!ignore_errors)
@@ -47,6 +80,8 @@ static void UnpinFilterMaps(config__t* cfg, struct bpf_object* obj, int ignore_e
LogMsg(cfg, 1, 0, "[WARNING] Failed to un-pin BPF map 'map_filter_log' from file system (%d).", ret);
}
}
#endif
#endif
}
int main(int argc, char *argv[])
@@ -55,7 +90,7 @@ int main(int argc, char *argv[])
// Parse the command line.
cmdline_t cmd = {0};
cmd.cfgfile = CONFIG_DEFAULT_PATH;
cmd.cfg_file = CONFIG_DEFAULT_PATH;
cmd.verbose = -1;
cmd.pin_maps = -1;
cmd.update_time = -1;
@@ -90,9 +125,9 @@ int main(int argc, char *argv[])
cfg_overrides.stdout_update_time = cmd.stdout_update_time;
// Load config.
if ((ret = LoadConfig(&cfg, cmd.cfgfile, &cfg_overrides)) != 0)
if ((ret = LoadConfig(&cfg, cmd.cfg_file, &cfg_overrides)) != 0)
{
fprintf(stderr, "[ERROR] Failed to load config from file system (%s)(%d).\n", cmd.cfgfile, ret);
fprintf(stderr, "[ERROR] Failed to load config from file system (%s)(%d).\n", cmd.cfg_file, ret);
return EXIT_FAILURE;
}
@@ -185,6 +220,16 @@ int main(int argc, char *argv[])
LogMsg(&cfg, 2, 0, "Retrieving BPF map FDs...");
// Retrieve BPF maps.
int map_stats = FindMapFd(prog, "map_stats");
if (map_stats < 0)
{
LogMsg(&cfg, 0, 1, "[ERROR] Failed to find 'map_stats' BPF map.\n");
return EXIT_FAILURE;
}
#ifdef ENABLE_FILTERS
int map_filters = FindMapFd(prog, "map_filters");
// Check for valid maps.
@@ -197,17 +242,9 @@ int main(int argc, char *argv[])
LogMsg(&cfg, 3, 0, "map_filters FD => %d.", map_filters);
int map_stats = FindMapFd(prog, "map_stats");
if (map_stats < 0)
{
LogMsg(&cfg, 0, 1, "[ERROR] Failed to find 'map_stats' BPF map.\n");
return EXIT_FAILURE;
}
#ifdef ENABLE_FILTER_LOGGING
int map_filter_log = FindMapFd(prog, "map_filter_log");
struct ring_buffer* rb = NULL;
if (map_filter_log < 0)
@@ -221,6 +258,20 @@ int main(int argc, char *argv[])
rb = ring_buffer__new(map_filter_log, HandleRbEvent, &cfg, NULL);
}
#endif
#endif
#ifdef ENABLE_IP_RANGE_DROP
int map_range_drop = FindMapFd(prog, "map_range_drop");
if (map_range_drop < 0)
{
LogMsg(&cfg, 1, 0, "[WARNING] Failed to find 'map_range_drop' BPF map. IP range drops will be disabled...");
}
else
{
LogMsg(&cfg, 3, 0, "map_range_drop FD => %d.", map_range_drop);
}
#endif
LogMsg(&cfg, 3, 0, "map_stats FD => %d.", map_stats);
@@ -233,8 +284,41 @@ int main(int argc, char *argv[])
// There are times where the BPF maps from the last run weren't cleaned up properly.
// So it's best to attempt to unpin the maps before pinning while ignoring errors.
UnpinFilterMaps(&cfg, obj, 1);
UnpinNeededMaps(&cfg, obj, 1);
// Pin the block maps.
if ((ret = PinBpfMap(obj, XDP_MAP_PIN_DIR, "map_block")) != 0)
{
LogMsg(&cfg, 1, 0, "[WARNING] Failed to pin 'map_block' to file system (%d)...", ret);
}
else
{
LogMsg(&cfg, 3, 0, "BPF map 'map_block' pinned to '%s/map_block'.", XDP_MAP_PIN_DIR);
}
if ((ret = PinBpfMap(obj, XDP_MAP_PIN_DIR, "map_block6")) != 0)
{
LogMsg(&cfg, 1, 0, "[WARNING] Failed to pin 'map_block6' to file system (%d)...", ret);
}
else
{
LogMsg(&cfg, 3, 0, "BPF map 'map_block6' pinned to '%s/map_block6'.", XDP_MAP_PIN_DIR);
}
#ifdef ENABLE_IP_RANGE_DROP
// Pin the IPv4 range drop map.
if ((ret = PinBpfMap(obj, XDP_MAP_PIN_DIR, "map_range_drop")) != 0)
{
LogMsg(&cfg, 1, 0, "[WARNING] Failed to pin 'map_range_drop' to file system (%d)...", ret);
}
else
{
LogMsg(&cfg, 3, 0, "BPF map 'map_range_drop' pinned to '%s/map_range_drop'.", XDP_MAP_PIN_DIR);
}
#endif
#ifdef ENABLE_FILTERS
// Pin the filters map.
if ((ret = PinBpfMap(obj, XDP_MAP_PIN_DIR, "map_filters")) != 0)
{
LogMsg(&cfg, 1, 0, "[WARNING] Failed to pin 'map_filters' to file system (%d)...", ret);
@@ -244,6 +328,8 @@ int main(int argc, char *argv[])
LogMsg(&cfg, 3, 0, "BPF map 'map_filters' pinned to '%s/map_filters'.", XDP_MAP_PIN_DIR);
}
#ifdef ENABLE_FILTER_LOGGING
// Pin the filters log map.
if ((ret = PinBpfMap(obj, XDP_MAP_PIN_DIR, "map_filter_log")) != 0)
{
LogMsg(&cfg, 1, 0, "[WARNING] Failed to pin 'map_filter_log' to file system (%d)...", ret);
@@ -252,12 +338,26 @@ int main(int argc, char *argv[])
{
LogMsg(&cfg, 3, 0, "BPF map 'map_filter_log' pinned to '%s/map_filter_log'.", XDP_MAP_PIN_DIR);
}
#endif
#endif
}
#ifdef ENABLE_FILTERS
LogMsg(&cfg, 2, 0, "Updating filters...");
// Update BPF maps.
// Update filters.
UpdateFilters(map_filters, &cfg);
#endif
#ifdef ENABLE_IP_RANGE_DROP
if (map_range_drop > -1)
{
LogMsg(&cfg, 2, 0, "Updating IP drop ranges...");
// Update IP range drops.
UpdateRangeDrops(map_range_drop, &cfg);
}
#endif
// Signal.
signal(SIGINT, SignalHndl);
@@ -299,17 +399,19 @@ int main(int argc, char *argv[])
if (cfg.update_time > 0 && (cur_time - last_update_check) > cfg.update_time)
{
// Check if config file have been modified
if (stat(cmd.cfgfile, &conf_stat) == 0 && conf_stat.st_mtime > last_config_check) {
// Update config.
if ((ret = LoadConfig(&cfg, cmd.cfgfile, &cfg_overrides)) != 0)
if (stat(cmd.cfg_file, &conf_stat) == 0 && conf_stat.st_mtime > last_config_check) {
// Reload config.
if ((ret = LoadConfig(&cfg, cmd.cfg_file, &cfg_overrides)) != 0)
{
LogMsg(&cfg, 1, 0, "[WARNING] Failed to load config after update check (%d)...\n", ret);
}
// Update BPF maps.
#ifdef ENABLE_FILTERS
// Update filters.
UpdateFilters(map_filters, &cfg);
#endif
// Update timer
// Update last check timer
last_config_check = time(NULL);
// Make sure we set doing stats if needed.
@@ -332,7 +434,7 @@ int main(int argc, char *argv[])
}
}
#ifdef ENABLE_FILTER_LOGGING
#if defined(ENABLE_FILTERS) && defined(ENABLE_FILTER_LOGGING)
PollFiltersRb(rb);
#endif
@@ -343,7 +445,7 @@ int main(int argc, char *argv[])
LogMsg(&cfg, 2, 0, "Cleaning up...");
#ifdef ENABLE_FILTER_LOGGING
#if defined(ENABLE_FILTERS) && defined(ENABLE_FILTER_LOGGING)
if (rb)
{
ring_buffer__free(rb);
@@ -365,7 +467,7 @@ int main(int argc, char *argv[])
struct bpf_object* obj = GetBpfObj(prog);
UnpinFilterMaps(&cfg, obj, 0);
UnpinNeededMaps(&cfg, obj, 0);
}
// Lastly, close the XDP program.