Change default log file path and clean up some code.
2
Makefile
2
Makefile
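--- a/Makefile
+++ b/Makefile
@@ -13,7 +13,6 @@ LOADER_DIR = $(SRC_DIR)/loader
 XDP_DIR = $(SRC_DIR)/xdp
 
 ETC_DIR = /etc/xdpfw
-LOG_DIR = /var/log/xdpfw
 
 # Additional build directories.
 BUILD_LOADER_DIR = $(BUILD_DIR)/loader
@@ -135,7 +134,6 @@ libxdp_clean:
 
 install:
 	mkdir -p $(ETC_DIR)
-	mkdir -p $(LOG_DIR)
 
 	cp -n xdpfw.conf.example $(ETC_DIR)/xdpfw.conf
 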
|
|||||||
@@ -136,7 +136,7 @@ The following table quickly explains the data types used within the configuratio
|
|||||||
| Name | Type | Default | Description |
|
| Name | Type | Default | Description |
|
||||||
| ---- | ---- | ------- | ----------- |
|
| ---- | ---- | ------- | ----------- |
|
||||||
| verbose | int | `2` | The verbose level for logging (0 - 5 supported so far). |
|
| verbose | int | `2` | The verbose level for logging (0 - 5 supported so far). |
|
||||||
| log_file | string | `/var/log/xdpfw/xdpfw.log` | The log file location. If the string is empty (`""`), the log file is disabled. |
|
| log_file | string | `/var/log/xdpfw.log` | The log file location. If the string is empty (`""`), the log file is disabled. |
|
||||||
| interface | string | `NULL` | The network interface name to attach the XDP program to (usually retrieved with `ip a` or `ifconfig`). |
|
| interface | string | `NULL` | The network interface name to attach the XDP program to (usually retrieved with `ip a` or `ifconfig`). |
|
||||||
| update_time | uint | `0` | How often to update the config and filtering rules from the file system in seconds (0 disables). |
|
| update_time | uint | `0` | How often to update the config and filtering rules from the file system in seconds (0 disables). |
|
||||||
| no_stats | bool | `false` | Whether to enable or disable packet counters. Disabling packet counters will improve performance, but result in less visibility on what the XDP Firewall is doing. |
|
| no_stats | bool | `false` | Whether to enable or disable packet counters. Disabling packet counters will improve performance, but result in less visibility on what the XDP Firewall is doing. |
|
||||||
|
|||||||
@@ -98,7 +98,7 @@ struct filter
|
|||||||
unsigned int do_bps : 1;
|
unsigned int do_bps : 1;
|
||||||
u64 bps;
|
u64 bps;
|
||||||
|
|
||||||
u64 blocktime;
|
u64 block_time;
|
||||||
|
|
||||||
tcp_opts_t tcpopts;
|
tcp_opts_t tcpopts;
|
||||||
udp_opts_t udpopts;
|
udp_opts_t udpopts;
|
||||||
|
|||||||
@@ -46,7 +46,7 @@ int LoadConfig(config__t *cfg, char *cfg_file, config_overrides_t* overrides)
|
|||||||
void SetCfgDefaults(config__t *cfg)
|
void SetCfgDefaults(config__t *cfg)
|
||||||
{
|
{
|
||||||
cfg->verbose = 2;
|
cfg->verbose = 2;
|
||||||
cfg->log_file = strdup("/var/log/xdpfw/xdpfw.log");
|
cfg->log_file = strdup("/var/log/xdpfw.log");
|
||||||
cfg->update_time = 0;
|
cfg->update_time = 0;
|
||||||
cfg->interface = NULL;
|
cfg->interface = NULL;
|
||||||
cfg->no_stats = 0;
|
cfg->no_stats = 0;
|
||||||
@@ -90,7 +90,7 @@ void SetCfgDefaults(config__t *cfg)
|
|||||||
filter->do_bps = 0;
|
filter->do_bps = 0;
|
||||||
filter->bps = 0;
|
filter->bps = 0;
|
||||||
|
|
||||||
filter->blocktime = 1;
|
filter->block_time = 1;
|
||||||
|
|
||||||
filter->tcpopts.enabled = 0;
|
filter->tcpopts.enabled = 0;
|
||||||
filter->tcpopts.do_dport = 0;
|
filter->tcpopts.do_dport = 0;
|
||||||
@@ -465,15 +465,15 @@ int ReadCfg(config__t *cfg, config_overrides_t* overrides)
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Block time (default 1).
|
// Block time (default 1).
|
||||||
long long blocktime;
|
long long block_time;
|
||||||
|
|
||||||
if (config_setting_lookup_int64(filter_cfg, "block_time", &blocktime) == CONFIG_TRUE)
|
if (config_setting_lookup_int64(filter_cfg, "block_time", &block_time) == CONFIG_TRUE)
|
||||||
{
|
{
|
||||||
filter->blocktime = blocktime;
|
filter->block_time = block_time;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
filter->blocktime = 1;
|
filter->block_time = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* TCP options */
|
/* TCP options */
|
||||||
@@ -729,7 +729,7 @@ void PrintConfig(config__t* cfg)
|
|||||||
printf("\t\t\t\tTOS => %d\n", filter->tos);
|
printf("\t\t\t\tTOS => %d\n", filter->tos);
|
||||||
printf("\t\t\t\tPPS => %llu\n", filter->pps);
|
printf("\t\t\t\tPPS => %llu\n", filter->pps);
|
||||||
printf("\t\t\t\tBPS => %llu\n", filter->bps);
|
printf("\t\t\t\tBPS => %llu\n", filter->bps);
|
||||||
printf("\t\t\t\tBlock Time => %llu\n\n", filter->blocktime);
|
printf("\t\t\t\tBlock Time => %llu\n\n", filter->block_time);
|
||||||
|
|
||||||
// TCP Options.
|
// TCP Options.
|
||||||
printf("\t\t\tTCP Options\n");
|
printf("\t\t\tTCP Options\n");
|
||||||
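Review bot: In the ReadCfg hunk the value read by `config_setting_lookup_int64(filter_cfg, "block_time", &block_time)` is stored into `filter->block_time` without a range check, so a negative number in the configuration silently becomes a huge unsigned block time (the struct member is `u64`). A guard before the assignment, e.g. `filter->block_time = (block_time < 0) ? 1 : (u64)block_time;`, keeps a bad config from turning into an effectively permanent blacklist entry, and an upper bound is worth adding in the same place because the XDP program multiplies this value by `NANO_TO_SEC` before adding it to `now`, which wraps for very large values. Separately, the `cfg->log_file = strdup("/var/log/xdpfw.log");` line in the SetCfgDefaults hunk still assigns the `strdup` result without a NULL check. ReadCfg's body starts and ends outside the hunk.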
|
|||||||
@@ -164,7 +164,7 @@ int HandleRbEvent(void* ctx, void* data, size_t sz)
|
|||||||
|
|
||||||
const char* protocol_str = GetProtocolStrById(e->protocol);
|
const char* protocol_str = GetProtocolStrById(e->protocol);
|
||||||
|
|
||||||
LogMsg(cfg, 0, 0, "[FILTER %d] %s %s packet '%s:%d' => '%s:%d' (PPS => %llu, BPS => %llu, Filter Block Time => %llu)...", e->filter_id + 1, action, protocol_str, src_ip_str, htons(e->src_port), dst_ip_str, htons(e->dst_port), e->pps, e->bps, filter->blocktime);
|
LogMsg(cfg, 0, 0, "[FILTER %d] %s %s packet '%s:%d' => '%s:%d' (PPS => %llu, BPS => %llu, Filter Block Time => %llu)...", e->filter_id + 1, action, protocol_str, src_ip_str, htons(e->src_port), dst_ip_str, htons(e->dst_port), e->pps, e->bps, filter->block_time);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
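Review bot: The `LogMsg` call in the HandleRbEvent hunk prints `e->pps`, `e->bps` and `filter->block_time` with `%llu`, which is only correct if `u64` is defined as `unsigned long long`; I cannot confirm that from the hunk, and if it resolves to `uint64_t` (`unsigned long` on LP64 glibc) `-Wformat` will flag a mismatch. Using `"%" PRIu64` from `<inttypes.h>` removes the dependence on the typedef; the same applies to the `%llu` lines in the PrintConfig hunk. The ports are printed through `htons(e->src_port)`; `ntohs` yields the same value but reads as the intended network-to-host direction. HandleRbEvent's body starts outside the hunk.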
@@ -45,7 +45,7 @@ int xdp_prog_main(struct xdp_md *ctx)
|
|||||||
}
|
}
|
||||||
|
|
||||||
u8 action = 0;
|
u8 action = 0;
|
||||||
u64 blocktime = 1;
|
u64 block_time = 1;
|
||||||
|
|
||||||
// Initialize IP headers.
|
// Initialize IP headers.
|
||||||
struct iphdr *iph = NULL;
|
struct iphdr *iph = NULL;
|
||||||
@@ -539,7 +539,7 @@ int xdp_prog_main(struct xdp_md *ctx)
|
|||||||
|
|
||||||
// Matched.
|
// Matched.
|
||||||
action = filter->action;
|
action = filter->action;
|
||||||
blocktime = filter->blocktime;
|
block_time = filter->block_time;
|
||||||
|
|
||||||
goto matched;
|
goto matched;
|
||||||
}
|
}
|
||||||
@@ -555,17 +555,17 @@ int xdp_prog_main(struct xdp_md *ctx)
|
|||||||
if (action == 0)
|
if (action == 0)
|
||||||
{
|
{
|
||||||
// Before dropping, update the blacklist map.
|
// Before dropping, update the blacklist map.
|
||||||
if (blocktime > 0)
|
if (block_time > 0)
|
||||||
{
|
{
|
||||||
u64 newTime = now + (blocktime * NANO_TO_SEC);
|
u64 new_time = now + (block_time * NANO_TO_SEC);
|
||||||
|
|
||||||
if (iph6)
|
if (iph6)
|
||||||
{
|
{
|
||||||
bpf_map_update_elem(&ip6_blacklist_map, &src_ip6, &newTime, BPF_ANY);
|
bpf_map_update_elem(&ip6_blacklist_map, &src_ip6, &new_time, BPF_ANY);
|
||||||
}
|
}
|
||||||
else if (iph)
|
else if (iph)
|
||||||
{
|
{
|
||||||
bpf_map_update_elem(&ip_blacklist_map, &iph->saddr, &newTime, BPF_ANY);
|
bpf_map_update_elem(&ip_blacklist_map, &iph->saddr, &new_time, BPF_ANY);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
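Review bot: `u64 new_time = now + (block_time * NANO_TO_SEC);` in the third hunk converts a second count into nanoseconds, but a constant named `NANO_TO_SEC` reads as the opposite conversion; assuming it is the 1e9 multiplier, a name such as `SEC_TO_NANO` or a comment `// block_time is in seconds; the map stores an absolute expiry in ns` would make the line self-explanatory. The product is unchecked here, so the bound on the configured value has to be enforced where the filter's `block_time` is read in the loader, which is not visible in this section. xdp_prog_main's body starts and ends outside these hunks.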
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
verbose = 2;
|
verbose = 2;
|
||||||
log_file = "/var/log/xdpfw/xdpfw.log";
|
log_file = "/var/log/xdpfw.log";
|
||||||
interface = "ens18";
|
interface = "ens18";
|
||||||
update_time = 15;
|
update_time = 15;
|
||||||
no_stats = false;
|
no_stats = false;
|
||||||
|
|||||||