From 4c9c11c6b1b177723517aaf7a9d60e3c53fb1b7a Mon Sep 17 00:00:00 2001
From: Christian Deacon
Date: Sat, 25 Jul 2020 14:24:05 +0000
Subject: [PATCH] Remove references to payload matching.

---
 README.md | 3 ---
 src/config.c | 30 ----------------------------
 src/include/xdpfw.h | 4 ----
 src/xdpfw_kern.c | 48 ---------------------------------------------
 src/xdpfw_loader.c | 15 +------------
 5 files changed, 1 insertion(+), 99 deletions(-)

diff --git a/README.md b/README.md
index ece5547..9314d43 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,6 @@ Config option `filters` is an array. Each filter includes the following options:
 * `pps` => The maximum packets per second a source IP can send before matching.
 * `bps` => The maximum amount of bytes per second a source IP can send before matching.
 * `blocktime` => The time in seconds to block the source IP if the rule matches and the action is block (0). Default value is `1`.
-* `payloadmatch` => The payload (L4 data) the packet must have to match. The format is in hexadecimal and each byte is separated by a space. An example includes: `FF FF FF FF 59`.
 
 #### TCP Options
 The config option `tcpopts` within a filter is an array including TCP options. This should only be one array per filter. Options include:
@@ -65,8 +64,6 @@ The config option `icmpopts` within a filter is an array including ICMP options.
 
 **Note** - Everything besides the main `enabled` and `action` options within a filter are **not** required. This means you do not have to define them within your config.
 
-**Note** - As of right now, the `payloadmatch` option does not work. I am planning to implement functionality for this soon. Unfortunately, BPF hasn't liked the matching methods I've used so far.
-
 ## Configuration Example
 Here's an example of a config:
 
diff --git a/src/config.c b/src/config.c
index 4eb46d0..798250e 100644
--- a/src/config.c
+++ b/src/config.c
@@ -64,13 +64,6 @@ void SetConfigDefaults(struct config_map *cfg) cfg->filters[i].icmpopts.enabled = 0; cfg->filters[i].icmpopts.do_code = 0; cfg->filters[i].icmpopts.do_type = 0; - - for (uint16_t j = 0; j < MAX_PAYLOAD_LENGTH - 1; j++) - { - cfg->filters[i].payloadMatch[j] = 0; - } - - cfg->filters[i].payloadLen = 0; } } @@ -292,29 +285,6 @@ int ReadConfig(struct config_map *cfg) cfg->filters[i].blockTime = 1; } - // Payload match. - const char *payload; - - if (config_setting_lookup_string(filter, "payloadmatch", &payload)) - { - // We need to split the string and scan everything into the uint8_t payload. - char *split; - - char *str = malloc((strlen(payload) + 1) * sizeof(char)); - strcpy(str, payload); - - split = strtok(str, " "); - - while (split != NULL) - { - sscanf(split, "%2hhx", &cfg->filters[i].payloadMatch[cfg->filters[i].payloadLen]); - - cfg->filters[i].payloadLen++; - - split = strtok(NULL, " "); - } - } - // Check for TCP options. config_setting_t* tcpopts = config_setting_lookup(filter, "tcpopts"); diff --git a/src/include/xdpfw.h b/src/include/xdpfw.h index 8f088b3..97e8e99 100644 --- a/src/include/xdpfw.h +++ b/src/include/xdpfw.h @@ -6,7 +6,6 @@ #define MAX_PCKT_LENGTH 65535 #define MAX_FILTERS 50 #define MAX_TRACK_IPS 100000 -#define MAX_PAYLOAD_LENGTH 1500 struct tcpopts { @@ -94,9 +93,6 @@ struct filter uint64_t blockTime; - uint8_t payloadMatch[MAX_PAYLOAD_LENGTH]; - uint16_t payloadLen; - struct tcpopts tcpopts; struct udpopts udpopts; struct icmpopts icmpopts; diff --git a/src/xdpfw_kern.c b/src/xdpfw_kern.c index 3a37a11..b0b9f89 100644 --- a/src/xdpfw_kern.c +++ b/src/xdpfw_kern.c 
@@ -333,54 +333,6 @@ int xdp_prog_main(struct xdp_md *ctx) continue; } - // Payload matching. - /* - if (filter[i]->payloadLen > 0) - { - unsigned int offset = sizeof(struct ethhdr) + (iph->ihl * 4) + l4headerLen; - void *pos; - unsigned int j; - uint8_t *ptr; - - pos = data; - - int cont = 1; - - for (j = 0; j < MAX_PAYLOAD_LENGTH; j++) - { - if ((j + 1) > filter[i]->payloadLen) - { - goto out; - } - - if ((pos + offset) + 1 > data_end) - { - goto out; - } - - ptr = pos + offset; - - if (*ptr == filter[i]->payloadMatch[j]) - { - offset++; - - continue; - } - - cont = 0; - goto exitloop; - } - - exitloop: - if (!cont) - { - continue; - } - } - - out: - */ - // Do TCP options. if (iph->protocol == IPPROTO_TCP && filter[i]->tcpopts.enabled) { diff --git a/src/xdpfw_loader.c b/src/xdpfw_loader.c index 8b72ef7..6d001a3 100644 --- a/src/xdpfw_loader.c +++ b/src/xdpfw_loader.c @@ -296,7 +296,7 @@ int main(int argc, char *argv[]) // Initialize config. struct config_map *conf = malloc(sizeof(struct config_map)); - + SetConfigDefaults(conf); // Create last updated variable. @@ -367,19 +367,6 @@ int main(int argc, char *argv[]) fprintf(stdout, "ICMP Code => %" PRIu8 "\n", conf->filters[i].icmpopts.code); fprintf(stdout, "ICMP Type => %" PRIu8 "\n", conf->filters[i].icmpopts.type); - // Payload. - if (conf->filters[i].payloadLen > 0) - { - fprintf(stdout, "\nPayload (%d) => ", conf->filters[i].payloadLen); - - for(uint16_t j = 0; j < conf->filters[i].payloadLen; j++) - { - fprintf(stdout, "%2hhx ", conf->filters[i].payloadMatch[j]); - } - - fprintf(stdout, "\n"); - } - fprintf(stdout, "\n\n"); }