Implement both IP and flow-based rate limiting.

Christian Deacon
2025-03-23 20:35:08 -04:00
parent 2727740a64
commit 5aa3270f82
15 changed files with 420 additions and 149 deletions


@@ -404,20 +404,36 @@ int parse_cfg(config__t *cfg, const char* data, config_overrides_t* overrides)
filter->block_time = block_time;
}
// PPS (not required).
s64 pps;
// IP PPS (not required).
s64 ip_pps;
if (config_setting_lookup_int64(filter_cfg, "pps", &pps) == CONFIG_TRUE)
if (config_setting_lookup_int64(filter_cfg, "ip_pps", &ip_pps) == CONFIG_TRUE)
{
filter->pps = pps;
filter->ip_pps = ip_pps;
}
// BPS (not required).
s64 bps;
// IP BPS (not required).
s64 ip_bps;
if (config_setting_lookup_int64(filter_cfg, "bps", &bps) == CONFIG_TRUE)
if (config_setting_lookup_int64(filter_cfg, "ip_bps", &ip_bps) == CONFIG_TRUE)
{
filter->bps = bps;
filter->ip_bps = ip_bps;
}
// Flow PPS (not required).
s64 flow_pps;
if (config_setting_lookup_int64(filter_cfg, "flow_pps", &flow_pps) == CONFIG_TRUE)
{
filter->flow_pps = flow_pps;
}
// Flow BPS (not required).
s64 flow_bps;
if (config_setting_lookup_int64(filter_cfg, "flow_bps", &flow_bps) == CONFIG_TRUE)
{
filter->flow_bps = flow_bps;
}
/* IP Options */
@@ -874,18 +890,32 @@ int save_cfg(config__t* cfg, const char* file_path)
config_setting_set_int(block_time, filter->block_time);
}
// Add PPS.
if (filter->pps > -1)
// Add IP PPS.
if (filter->ip_pps > -1)
{
config_setting_t* pps = config_setting_add(filter_cfg, "pps", CONFIG_TYPE_INT64);
config_setting_set_int64(pps, filter->pps);
config_setting_t* pps = config_setting_add(filter_cfg, "ip_pps", CONFIG_TYPE_INT64);
config_setting_set_int64(pps, filter->ip_pps);
}
// Add BPS.
if (filter->bps > -1)
// Add IP BPS.
if (filter->ip_bps > -1)
{
config_setting_t* bps = config_setting_add(filter_cfg, "bps", CONFIG_TYPE_INT64);
config_setting_set_int64(bps, filter->bps);
config_setting_t* bps = config_setting_add(filter_cfg, "ip_bps", CONFIG_TYPE_INT64);
config_setting_set_int64(bps, filter->ip_bps);
}
// Add flow PPS.
if (filter->flow_pps > -1)
{
config_setting_t* pps = config_setting_add(filter_cfg, "flow_pps", CONFIG_TYPE_INT64);
config_setting_set_int64(pps, filter->flow_pps);
}
// Add flow BPS.
if (filter->flow_bps > -1)
{
config_setting_t* bps = config_setting_add(filter_cfg, "flow_bps", CONFIG_TYPE_INT64);
config_setting_set_int64(bps, filter->flow_bps);
}
// Add source IPv4.
@@ -1130,8 +1160,10 @@ void set_filter_defaults(filter_rule_cfg_t* filter)
filter->action = 1;
filter->block_time = 1;
filter->pps = -1;
filter->bps = -1;
filter->ip_pps = -1;
filter->ip_bps = -1;
filter->flow_pps = -1;
filter->flow_bps = -1;
if (filter->ip.src_ip)
{
@@ -1299,8 +1331,11 @@ void print_filter(filter_rule_cfg_t* filter, int idx)
printf("\t\tAction => %d (0 = Block, 1 = Allow).\n", filter->action);
printf("\t\t\tBlock Time => %d\n\n", filter->block_time);
printf("\t\t\tPPS => %lld\n", filter->pps);
printf("\t\t\tBPS => %lld\n\n", filter->bps);
printf("\t\t\tIP PPS => %lld\n", filter->ip_pps);
printf("\t\t\tIP BPS => %lld\n", filter->ip_bps);
printf("\t\t\tFlow PPS => %lld\n", filter->flow_pps);
printf("\t\t\tFlow BPS => %lld\n", filter->flow_bps);
// IP Options.
printf("\t\tIP Options\n");
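Review bot: The rename of the config keys in parse_cfg from `pps`/`bps` to `ip_pps`/`ip_bps` means a config that still uses the old names now parses without error and ends up with no rate limit, since a missing key presumably leaves the -1 set in set_filter_defaults. For a firewall that is a silent loss of protection on upgrade. Either accept the legacy key as a fallback, e.g. `if (config_setting_lookup_int64(filter_cfg, "ip_pps", &ip_pps) == CONFIG_TRUE || config_setting_lookup_int64(filter_cfg, "pps", &ip_pps) == CONFIG_TRUE)`, or log a warning when `pps`/`bps` is present; the same applies to the `ip_bps` lookup. parse_cfg starts and ends outside the hunk, so any existing handling of unknown keys is not visible here.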


@@ -72,8 +72,11 @@ struct filter_rule_cfg
int action;
int block_time;
s64 pps;
s64 bps;
s64 ip_pps;
s64 ip_bps;
s64 flow_pps;
s64 flow_bps;
filter_rule_ip_opts_t ip;


@@ -163,7 +163,7 @@ int hdl_filters_rb_event(void* ctx, void* data, size_t sz)
const char* protocol_str = get_protocol_str_by_id(e->protocol);
log_msg(cfg, 0, 0, "[FILTER %d] %s %s packet '%s:%d' => '%s:%d' (PPS => %llu, BPS => %llu, Filter Block Time => %llu, length => %d)...", e->filter_id + 1, action, protocol_str, src_ip_str, htons(e->src_port), dst_ip_str, htons(e->dst_port), e->pps, e->bps, filter->block_time, e->length);
log_msg(cfg, 0, 0, "[FILTER %d] %s %s packet '%s:%d' => '%s:%d' (IP PPS => %llu, IP BPS => %llu, Flow PPS => %llu, Flow BPS => %llu Filter Block Time => %llu, length => %d)...", e->filter_id + 1, action, protocol_str, src_ip_str, htons(e->src_port), dst_ip_str, htons(e->dst_port), e->ip_pps, e->ip_bps, e->flow_pps, e->flow_bps, filter->block_time, e->length);
return 0;
}
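Review bot: The rewritten log_msg format string still prints `filter->block_time` with `%llu`, while the struct hunk in this commit declares `int block_time` in filter_rule_cfg. If `filter` here is that type and log_msg is a printf-style variadic, the mismatch is undefined behaviour and can garble the `length` value that follows it. Pass `(unsigned long long) filter->block_time` or change the specifier to `%d`. The new string also lacks a comma between `Flow BPS => %llu` and `Filter Block Time`, which makes the line harder to parse in log tooling. The ports are converted with `htons()` where `ntohs()` states the intent, although the result is the same.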


@@ -257,19 +257,37 @@ int update_filter(int map_filters, filter_rule_cfg_t* filter_cfg, int idx)
filter.block_time = filter_cfg->block_time;
}
if (filter_cfg->pps > -1)
#ifdef ENABLE_RL_IP
if (filter_cfg->ip_pps > -1)
{
filter.do_pps = 1;
filter.do_ip_pps = 1;
filter.pps = (u64) filter_cfg->pps;
filter.ip_pps = (u64) filter_cfg->ip_pps;
}
if (filter_cfg->bps > -1)
if (filter_cfg->ip_bps > -1)
{
filter.do_bps = 1;
filter.do_ip_bps = 1;
filter.bps = (u64) filter_cfg->bps;
filter.ip_bps = (u64) filter_cfg->ip_bps;
}
#endif
#ifdef ENABLE_RL_FLOW
if (filter_cfg->flow_pps > -1)
{
filter.do_flow_pps = 1;
filter.flow_pps = (u64) filter_cfg->flow_pps;
}
if (filter_cfg->flow_bps > -1)
{
filter.do_flow_bps = 1;
filter.flow_bps = (u64) filter_cfg->flow_bps;
}
#endif
if (filter_cfg->ip.src_ip)
{
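Review bot: In update_filter the new `#ifdef ENABLE_RL_IP` and `#ifdef ENABLE_RL_FLOW` guards mean that a build without one of these macros drops the corresponding configured limits without any message. parse_cfg and print_filter still accept and display `ip_pps`/`flow_pps`, so an operator can believe a limit is enforced when it is not. Add an `#else` branch to each guard that tests `if (filter_cfg->ip_pps > -1 || filter_cfg->ip_bps > -1)` (and the flow equivalent) and emits a warning naming the disabled feature and the filter index `idx`. A short comment above each guard saying that -1 means "limit disabled" would also explain the `(u64)` casts. update_filter continues outside the hunk.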