kaffa/XDP-Firewall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Improve xdpfw-add util.

Browse Source
This commit is contained in:
Christian Deacon
2025-03-01 13:35:21 -05:00
parent b0385f975d
commit 786b472287
4 changed files with 72 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
README.md
View File

@@ -54,7 +54,8 @@ sudo apt install -y libconfig-dev llvm clang libelf-dev build-essential
# Install dependencies for building LibXDP and LibBPF.
sudo apt install -y libpcap-dev m4 gcc-multilib
# You may need tools for your Linux kernel since BPFTool is required. If this doesn't work and you still run into issues, I'd suggest building BPFTool from source (https://github.com/libbpf/bpftool).
# You may need tools for your Linux kernel since BPFTool is required.
# If this doesn't work and you still run into issues, I'd suggest building BPFTool from source (https://github.com/libbpf/bpftool).
sudo apt install -y linux-tools-$(uname -r)
```
@@ -306,6 +307,10 @@ The following CLI arguments are supported.
| Name | Example | Description |
| ---- | ------- | ----------- |
| -e, --expires | `-e 60` | When the source IP block expires in seconds when running in IP block list mode. |
| --enabled | `--enabled 0` | Enables or disables dynamic filter. |
| --action | `--action 1` | The action to perform on packets that match the filter (0 = drop, 1 = allow). |
| --log | `--log 1` | Enables or disables logging for the dynamic filter. |
| --block-time | `--block-time 60` | How long to block the source IP for if the packet is matched and the action is drop in the dynamic filter (0 = no time). |
| --sip | `--sip 192.168.1.0/24` | The source IPv4 address/range to match with the dynamic filter. |
| --dip | `--sip 10.90.0.0/24` | The destination IPv4 address/range to match with the dynamic filter. |
| --sip6 | `--sip 192.168.1.0/24` | The source IPv6 address to match with the dynamic filter. |

45
src/rule_add/prog.c
View File

@@ -23,6 +23,10 @@ int main(int argc, char *argv[])
cmd.cfg_file = CONFIG_DEFAULT_PATH;
// We need to set integers for dynamic filters to -1 since we consider -1 as 'unset'.
cmd.enabled = -1;
cmd.action = -1;
cmd.log = -1;
cmd.min_ttl = -1;
cmd.max_ttl = -1;
cmd.min_len = -1;
@@ -47,7 +51,7 @@ int main(int argc, char *argv[])
cmd.udp_enabled = -1;
cmd.udp_sport = -1;
cmd.udp_dport = -1;
cmd.icmp_enabled = -1;
cmd.icmp_code = -1;
cmd.icmp_type = -1;
@@ -72,6 +76,11 @@ int main(int argc, char *argv[])
printf(" -e, --expires How long to block the IP for in seconds (for mode 2).\n\n");
printf("Filter Mode Options:\n");
printf(" --enabled Enables or disables the dynamic filter.\n");
printf(" --action The action when a packet matches (0 = drop, 1 = allow).\n");
printf(" --log Enables or disables logging for this filter.\n");
printf(" --block-time How long to add the source IP to the block list for if matched and the action is drop (0 = no time).\n\n");
printf(" --sip The source IPv4 address (with CIDR support).\n");
printf(" --dip The destination IPv4 address (with CIDR support).\n");
printf(" --sip6 The source IPv6 address.\n");
@@ -99,7 +108,7 @@ int main(int argc, char *argv[])
printf(" --udp Enable or disables matching on the UDP protocol.\n");
printf(" --usport The UDP source port to match on.\n");
printf(" --udport The UDP destination port to match on.\n");
printf(" --udport The UDP destination port to match on.\n\n");
printf(" --icmp Enable or disables matching on the ICMP protocol.\n");
printf(" --code The ICMP code to match on.\n");
@@ -136,14 +145,6 @@ int main(int argc, char *argv[])
{
printf("Using filters mode (0)...\n");
// Check index.
if (cmd.idx < 1)
{
fprintf(stderr, "Invalid filter index. Index must start from 1.\n");
return EXIT_FAILURE;
}
// Retrieve filters map FD.
int map_filters = GetMapPinFd(XDP_MAP_PIN_DIR, "map_filters");
@@ -160,6 +161,8 @@ int main(int argc, char *argv[])
filter_t new_filter = {0};
SetFilterDefaults(&new_filter);
new_filter.set = 1;
// Determine what index we'll be storing this filter at.
int idx = -1;
@@ -180,6 +183,26 @@ int main(int argc, char *argv[])
}
// Fill out new filter.
if (cmd.enabled > -1)
{
new_filter.enabled = cmd.enabled;
}
if (cmd.action > -1)
{
new_filter.action = cmd.action;
}
if (cmd.log > -1)
{
new_filter.log = cmd.log;
}
if (cmd.block_time > -1)
{
new_filter.block_time = cmd.block_time;
}
if (cmd.src_ip)
{
ip_range_t range = ParseIpCidr(cmd.src_ip);
@@ -371,7 +394,7 @@ int main(int argc, char *argv[])
cfg.filters[idx] = new_filter;
// Update filters.
fprintf(stdout, "Updating filters...\n");
fprintf(stdout, "Updating filters (index %d)...\n", idx);
UpdateFilters(map_filters, &cfg);
}

25
src/rule_add/utils/cmdline.c
View File

@@ -15,6 +15,11 @@ const struct option opts[] =
{ "v6", no_argument, NULL, 'v' },
{ "expires", required_argument, NULL, 'e' },
{ "enabled", required_argument, NULL, 28 },
{ "action", required_argument, NULL, 29 },
{ "log", required_argument, NULL, 30 },
{ "block-time", required_argument, NULL, 31 },
{ "sip", required_argument, NULL, 0 },
{ "dip", required_argument, NULL, 1 },
{ "sip6", required_argument, NULL, 2 },
@@ -99,6 +104,26 @@ void ParseCommandLine(cmdline_t* cmd, int argc, char* argv[])
break;
case 28:
cmd->enabled = atoi(optarg);
break;
case 29:
cmd->action = atoi(optarg);
break;
case 30:
cmd->log = atoi(optarg);
break;
case 31:
cmd->block_time = strtoll(optarg, NULL, 10);
break;
case 0:
cmd->src_ip = optarg;

7
src/rule_add/utils/cmdline.h
View File

@@ -6,6 +6,8 @@
#include <stdlib.h>
#include <getopt.h>
#include <string.h>
struct cmdline
{
const char* cfg_file;
@@ -23,6 +25,11 @@ struct cmdline
s64 expires;
int enabled;
int log;
int action;
s64 block_time;
const char* src_ip;
const char* dst_ip;