Remove references to payload matching.

Christian Deacon
2020-07-25 14:24:05 +00:00
parent 60ded19f6f
commit 4c9c11c6b1
5 changed files with 1 additions and 99 deletions


@@ -32,7 +32,6 @@ Config option `filters` is an array. Each filter includes the following options:
* `pps` => The maximum packets per second a source IP can send before matching. * `pps` => The maximum packets per second a source IP can send before matching.
* `bps` => The maximum amount of bytes per second a source IP can send before matching. * `bps` => The maximum amount of bytes per second a source IP can send before matching.
* `blocktime` => The time in seconds to block the source IP if the rule matches and the action is block (0). Default value is `1`. * `blocktime` => The time in seconds to block the source IP if the rule matches and the action is block (0). Default value is `1`.
* `payloadmatch` => The payload (L4 data) the packet must have to match. The format is in hexadecimal and each byte is separated by a space. An example includes: `FF FF FF FF 59`.
#### TCP Options #### TCP Options
The config option `tcpopts` within a filter is an array including TCP options. This should only be one array per filter. Options include: The config option `tcpopts` within a filter is an array including TCP options. This should only be one array per filter. Options include:
@@ -65,8 +64,6 @@ The config option `icmpopts` within a filter is an array including ICMP options.
**Note** - Everything besides the main `enabled` and `action` options within a filter are **not** required. This means you do not have to define them within your config. **Note** - Everything besides the main `enabled` and `action` options within a filter are **not** required. This means you do not have to define them within your config.
**Note** - As of right now, the `payloadmatch` option does not work. I am planning to implement functionality for this soon. Unfortunately, BPF hasn't liked the matching methods I've used so far.
## Configuration Example ## Configuration Example
Here's an example of a config: Here's an example of a config:


@@ -64,13 +64,6 @@ void SetConfigDefaults(struct config_map *cfg)
cfg->filters[i].icmpopts.enabled = 0; cfg->filters[i].icmpopts.enabled = 0;
cfg->filters[i].icmpopts.do_code = 0; cfg->filters[i].icmpopts.do_code = 0;
cfg->filters[i].icmpopts.do_type = 0; cfg->filters[i].icmpopts.do_type = 0;
for (uint16_t j = 0; j < MAX_PAYLOAD_LENGTH - 1; j++)
{
cfg->filters[i].payloadMatch[j] = 0;
}
cfg->filters[i].payloadLen = 0;
} }
} }
@@ -292,29 +285,6 @@ int ReadConfig(struct config_map *cfg)
cfg->filters[i].blockTime = 1; cfg->filters[i].blockTime = 1;
} }
// Payload match.
const char *payload;
if (config_setting_lookup_string(filter, "payloadmatch", &payload))
{
// We need to split the string and scan everything into the uint8_t payload.
char *split;
char *str = malloc((strlen(payload) + 1) * sizeof(char));
strcpy(str, payload);
split = strtok(str, " ");
while (split != NULL)
{
sscanf(split, "%2hhx", &cfg->filters[i].payloadMatch[cfg->filters[i].payloadLen]);
cfg->filters[i].payloadLen++;
split = strtok(NULL, " ");
}
}
// Check for TCP options. // Check for TCP options.
config_setting_t* tcpopts = config_setting_lookup(filter, "tcpopts"); config_setting_t* tcpopts = config_setting_lookup(filter, "tcpopts");


@@ -6,7 +6,6 @@
#define MAX_PCKT_LENGTH 65535 #define MAX_PCKT_LENGTH 65535
#define MAX_FILTERS 50 #define MAX_FILTERS 50
#define MAX_TRACK_IPS 100000 #define MAX_TRACK_IPS 100000
#define MAX_PAYLOAD_LENGTH 1500
struct tcpopts struct tcpopts
{ {
@@ -94,9 +93,6 @@ struct filter
uint64_t blockTime; uint64_t blockTime;
uint8_t payloadMatch[MAX_PAYLOAD_LENGTH];
uint16_t payloadLen;
struct tcpopts tcpopts; struct tcpopts tcpopts;
struct udpopts udpopts; struct udpopts udpopts;
struct icmpopts icmpopts; struct icmpopts icmpopts;


@@ -333,54 +333,6 @@ int xdp_prog_main(struct xdp_md *ctx)
continue; continue;
} }
// Payload matching.
/*
if (filter[i]->payloadLen > 0)
{
unsigned int offset = sizeof(struct ethhdr) + (iph->ihl * 4) + l4headerLen;
void *pos;
unsigned int j;
uint8_t *ptr;
pos = data;
int cont = 1;
for (j = 0; j < MAX_PAYLOAD_LENGTH; j++)
{
if ((j + 1) > filter[i]->payloadLen)
{
goto out;
}
if ((pos + offset) + 1 > data_end)
{
goto out;
}
ptr = pos + offset;
if (*ptr == filter[i]->payloadMatch[j])
{
offset++;
continue;
}
cont = 0;
goto exitloop;
}
exitloop:
if (!cont)
{
continue;
}
}
out:
*/
// Do TCP options. // Do TCP options.
if (iph->protocol == IPPROTO_TCP && filter[i]->tcpopts.enabled) if (iph->protocol == IPPROTO_TCP && filter[i]->tcpopts.enabled)
{ {


@@ -367,19 +367,6 @@ int main(int argc, char *argv[])
fprintf(stdout, "ICMP Code => %" PRIu8 "\n", conf->filters[i].icmpopts.code); fprintf(stdout, "ICMP Code => %" PRIu8 "\n", conf->filters[i].icmpopts.code);
fprintf(stdout, "ICMP Type => %" PRIu8 "\n", conf->filters[i].icmpopts.type); fprintf(stdout, "ICMP Type => %" PRIu8 "\n", conf->filters[i].icmpopts.type);
// Payload.
if (conf->filters[i].payloadLen > 0)
{
fprintf(stdout, "\nPayload (%d) => ", conf->filters[i].payloadLen);
for(uint16_t j = 0; j < conf->filters[i].payloadLen; j++)
{
fprintf(stdout, "%2hhx ", conf->filters[i].payloadMatch[j]);
}
fprintf(stdout, "\n");
}
fprintf(stdout, "\n\n"); fprintf(stdout, "\n\n");
} }