From 786b47228752b1010f5c2d3727fb52cdb9a18451 Mon Sep 17 00:00:00 2001
From: Christian Deacon
Date: Sat, 1 Mar 2025 13:35:21 -0500
Subject: [PATCH] Improve xdpfw-add util.

---
 README.md | 7 +++++-
 src/rule_add/prog.c | 45 +++++++++++++++++++++++++++---------
 src/rule_add/utils/cmdline.c | 25 ++++++++++++++++++++
 src/rule_add/utils/cmdline.h | 7 ++++++
 4 files changed, 72 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index fbb3465..cee4c03 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,8 @@ sudo apt install -y libconfig-dev llvm clang libelf-dev build-essential
 # Install dependencies for building LibXDP and LibBPF.
 sudo apt install -y libpcap-dev m4 gcc-multilib
 
-# You may need tools for your Linux kernel since BPFTool is required. If this doesn't work and you still run into issues, I'd suggest building BPFTool from source (https://github.com/libbpf/bpftool).
+# You may need tools for your Linux kernel since BPFTool is required.
+# If this doesn't work and you still run into issues, I'd suggest building BPFTool from source (https://github.com/libbpf/bpftool).
 sudo apt install -y linux-tools-$(uname -r)
 ```
 
@@ -306,6 +307,10 @@ The following CLI arguments are supported.
 | Name | Example | Description |
 | ---- | ------- | ----------- |
 | -e, --expires | `-e 60` | When the source IP block expires in seconds when running in IP block list mode. |
+| --enabled | `--enabled 0` | Enables or disables dynamic filter. |
+| --action | `--action 1` | The action to perform on packets that match the filter (0 = drop, 1 = allow). |
+| --log | `--log 1` | Enables or disables logging for the dynamic filter. |
+| --block-time | `--block-time 60` | How long to block the source IP for if the packet is matched and the action is drop in the dynamic filter (0 = no time). |
 | --sip | `--sip 192.168.1.0/24` | The source IPv4 address/range to match with the dynamic filter. |
 | --dip | `--sip 10.90.0.0/24` | The destination IPv4 address/range to match with the dynamic filter. |
 | --sip6 | `--sip 192.168.1.0/24` | The source IPv6 address to match with the dynamic filter. |
diff --git a/src/rule_add/prog.c b/src/rule_add/prog.c
index 7b3b1d4..105dcde 100644
--- a/src/rule_add/prog.c
+++ b/src/rule_add/prog.c
@@ -23,6 +23,10 @@ int main(int argc, char *argv[])
 cmd.cfg_file = CONFIG_DEFAULT_PATH;
 
 // We need to set integers for dynamic filters to -1 since we consider -1 as 'unset'.
+ cmd.enabled = -1;
+ cmd.action = -1;
+ cmd.log = -1;
+ cmd.min_ttl = -1;
 cmd.max_ttl = -1;
 cmd.min_len = -1;
 
@@ -47,7 +51,7 @@ int main(int argc, char *argv[])
 cmd.udp_enabled = -1;
 cmd.udp_sport = -1;
 cmd.udp_dport = -1;
- 
+
 cmd.icmp_enabled = -1;
 cmd.icmp_code = -1;
 cmd.icmp_type = -1;
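Review bot: `cmd.block_time` is never initialised to -1 alongside the new `cmd.enabled`, `cmd.action` and `cmd.log` lines in the `@@ -23,6 +23,10 @@` hunk, even though the hunk at `@@ -180,6 +183,26 @@` later tests `if (cmd.block_time > -1)` under the same "-1 means unset" convention the comment above these lines states, and no other hunk in this patch sets the field. If `cmd` is zero-initialised the check passes with 0 and silently overwrites whatever `SetFilterDefaults` put in `new_filter.block_time`; if it is not, the comparison reads an uninitialised field. Add `cmd.block_time = -1;` next to `cmd.log = -1;`. The declaration of `cmd` is outside this hunk, so which of the two cases applies cannot be confirmed from here.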
@@ -72,6 +76,11 @@ int main(int argc, char *argv[])
 printf(" -e, --expires How long to block the IP for in seconds (for mode 2).\n\n");
 
 printf("Filter Mode Options:\n");
+ printf(" --enabled Enables or disables the dynamic filter.\n");
+ printf(" --action The action when a packet matches (0 = drop, 1 = allow).\n");
+ printf(" --log Enables or disables logging for this filter.\n");
+ printf(" --block-time How long to add the source IP to the block list for if matched and the action is drop (0 = no time).\n\n");
+
 printf(" --sip The source IPv4 address (with CIDR support).\n");
 printf(" --dip The destination IPv4 address (with CIDR support).\n");
 printf(" --sip6 The source IPv6 address.\n");
@@ -99,7 +108,7 @@ int main(int argc, char *argv[])
 
 printf(" --udp Enable or disables matching on the UDP protocol.\n");
 printf(" --usport The UDP source port to match on.\n");
- printf(" --udport The UDP destination port to match on.\n");
+ printf(" --udport The UDP destination port to match on.\n\n");
 
 printf(" --icmp Enable or disables matching on the ICMP protocol.\n");
 printf(" --code The ICMP code to match on.\n");
@@ -136,14 +145,6 @@ int main(int argc, char *argv[])
 {
 printf("Using filters mode (0)...\n");
 
- // Check index.
- if (cmd.idx < 1)
- {
- fprintf(stderr, "Invalid filter index. Index must start from 1.\n");
-
- return EXIT_FAILURE;
- }
-
 // Retrieve filters map FD.
 int map_filters = GetMapPinFd(XDP_MAP_PIN_DIR, "map_filters");
 
@@ -160,6 +161,8 @@ int main(int argc, char *argv[])
 filter_t new_filter = {0};
 SetFilterDefaults(&new_filter);
 
+ new_filter.set = 1;
+
 // Determine what index we'll be storing this filter at.
 int idx = -1;
 
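Review bot: After `new_filter.set = 1;` in the `@@ -160,6 +161,8 @@` hunk, `idx` is computed from `int idx = -1;` onward and later used as the array index in `cfg.filters[idx] = new_filter` (hunk `@@ -371,7 +394,7 @@`), but the `cmd.idx < 1` guard was removed in the preceding hunk and I can no longer see any check that rejects an out-of-range or still -1 index before that store. The index logic runs past the end of this hunk, so such a check may exist there — please confirm; without it a user-supplied `cmd.idx` becomes an out-of-bounds write into `cfg.filters`, which is the data that `UpdateFilters` then pushes into the BPF map. A guard immediately before the store is cheap: `if (idx < 0 || idx >= FILTERS_ARRAY_LEN_PLACEHOLDER) { fprintf(stderr, "Invalid filter index %d.\n", idx); return EXIT_FAILURE; }`, with the placeholder replaced by the declared length of `cfg.filters`. The enclosing `main` starts and ends outside this hunk.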
@@ -180,6 +183,26 @@ int main(int argc, char *argv[])
 }
 
 // Fill out new filter.
+ if (cmd.enabled > -1)
+ {
+ new_filter.enabled = cmd.enabled;
+ }
+
+ if (cmd.action > -1)
+ {
+ new_filter.action = cmd.action;
+ }
+
+ if (cmd.log > -1)
+ {
+ new_filter.log = cmd.log;
+ }
+
+ if (cmd.block_time > -1)
+ {
+ new_filter.block_time = cmd.block_time;
+ }
+
 if (cmd.src_ip)
 {
 ip_range_t range = ParseIpCidr(cmd.src_ip);
@@ -371,7 +394,7 @@ int main(int argc, char *argv[])
 cfg.filters[idx] = new_filter;
 
 // Update filters.
- fprintf(stdout, "Updating filters...\n");
+ fprintf(stdout, "Updating filters (index %d)...\n", idx);
 UpdateFilters(map_filters, &cfg);
 }
 
diff --git a/src/rule_add/utils/cmdline.c b/src/rule_add/utils/cmdline.c
index a5794e2..fae6347 100644
--- a/src/rule_add/utils/cmdline.c
+++ b/src/rule_add/utils/cmdline.c
@@ -15,6 +15,11 @@ const struct option opts[] =
 { "v6", no_argument, NULL, 'v' },
 { "expires", required_argument, NULL, 'e' },
 
+ { "enabled", required_argument, NULL, 28 },
+ { "action", required_argument, NULL, 29 },
+ { "log", required_argument, NULL, 30 },
+ { "block-time", required_argument, NULL, 31 },
+
 { "sip", required_argument, NULL, 0 },
 { "dip", required_argument, NULL, 1 },
 { "sip6", required_argument, NULL, 2 },
@@ -99,6 +104,26 @@ void ParseCommandLine(cmdline_t* cmd, int argc, char* argv[])
 
 break;
 
+ case 28:
+ cmd->enabled = atoi(optarg);
+
+ break;
+
+ case 29:
+ cmd->action = atoi(optarg);
+
+ break;
+
+ case 30:
+ cmd->log = atoi(optarg);
+
+ break;
+
+ case 31:
+ cmd->block_time = strtoll(optarg, NULL, 10);
+
+ break;
+
 case 0:
 cmd->src_ip = optarg;
 
diff --git a/src/rule_add/utils/cmdline.h b/src/rule_add/utils/cmdline.h
index 4ade24e..89e598d 100644
--- a/src/rule_add/utils/cmdline.h
+++ b/src/rule_add/utils/cmdline.h
@@ -6,6 +6,8 @@
 #include
 #include
+#include
+
 struct cmdline
 {
 const char* cfg_file;
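Review bot: The new `case 28`–`case 31` arms in the `@@ -99,6 +104,26 @@` hunk of cmdline.c store `atoi(optarg)` / `strtoll(optarg, NULL, 10)` without checking the parse, so `--action foo` silently becomes 0 (drop), `--action 7` or `--enabled -3` are stored as given, and an overflowing `--block-time` is accepted with an undetected `ERANGE`; the prog.c hunk `@@ -180,6 +183,26 @@` then copies these values into `new_filter` with only a `> -1` test, so an undocumented action value ends up in the filter that is written to the BPF map. The help text and README document `--enabled`, `--action` and `--log` as 0/1, so the parser should reject anything else and say so rather than substitute 0. The helper below does that for all four options with one end-pointer/`errno` check; it needs `<errno.h>` and `<limits.h>` if cmdline.c does not already include them, and it exits because `ParseCommandLine` is `void` and has no error return — adjust if the caller is meant to handle the failure instead.
```c
// Parse an option argument as a decimal integer in [0, max].
// atoi()/strtoll(arg, NULL, 10) turn bad input into 0 silently; here a non-numeric,
// trailing-text, overflowing or out-of-range value is reported and rejected.
static long long ParseBounded(const char *name, const char *arg, long long max)
{
    char *end = NULL;
    errno = 0;
    long long v = strtoll(arg, &end, 10);

    if (end == arg || *end != '\0' || errno == ERANGE || v < 0 || v > max)
    {
        fprintf(stderr, "Invalid value '%s' for --%s.\n", arg, name);

        exit(EXIT_FAILURE);
    }

    return v;
}

// … unchanged: option table and the rest of ParseCommandLine …

        case 28:
            cmd->enabled = (int)ParseBounded("enabled", optarg, 1);

            break;

        case 29:
            cmd->action = (int)ParseBounded("action", optarg, 1);

            break;

        case 30:
            cmd->log = (int)ParseBounded("log", optarg, 1);

            break;

        case 31:
            cmd->block_time = ParseBounded("block-time", optarg, LLONG_MAX);

            break;
```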
@@ -23,6 +25,11 @@ struct cmdline
 s64 expires;
+ int enabled;
+ int log;
+ int action;
+ s64 block_time;
+
 const char* src_ip;
 const char* dst_ip;