Restructure project and organize code.

src/common/all.h

@@ -0,0 +1,6 @@
+#pragma once
+
+#include <common/config.h>
+#include <common/constants.h>
+#include <common/int_types.h>
+#include <common/types.h>

src/common/config.h

@@ -0,0 +1,12 @@
+#pragma once
+
+// Feel free to comment this out if you don't want the `blocked` entry on the stats map to be incremented every single time a packet is dropped from the source IP being on the blocked map. Commenting this line out should increase performance when blocking malicious traffic.
+#define DOSTATSONBLOCKMAP
+
+// When this is defined, a check will occur inside the IPv4 and IPv6 filters. For IPv6 packets, if no IPv6 source/destination IP addresses are set, but there is an IPv4 address, it will ignore the filter. The same goes for IPv4, if there is no IPv4 source/destination IP addresses set, if an IPv6 address is set, it will ignore the filter.
+#define ALLOWSINGLEIPV4V6
+
+// If uncommented, rate limits for clients are determined using the source IP, port, and protocol instead of just the source IP.
+// This allows for more precise rate limits (connection-specific instead of a single source IP).
+// I decided not to include the destination IP/port because the source IP, port, and protocol should be represent a unique connection.
+#define USE_FLOW_RL

src/common/constants.h

@@ -0,0 +1,7 @@
+#pragma once
+
+#define MAX_PCKT_LENGTH 65535
+#define MAX_FILTERS 60
+#define MAX_TRACK_IPS 100000
+#define MAX_CPUS 256
+#define NANO_TO_SEC 1000000000

src/common/int_types.h

@@ -0,0 +1,17 @@
+#pragma once
+
+#include <linux/types.h>
+
+typedef __uint128_t u128;
+typedef __u64 u64;
+typedef __u32 u32;
+typedef __u16 u16;
+typedef __u8 u8;
+
+typedef __s64 s64;
+typedef __s32 s32;
+typedef __s16 s16;
+
+typedef __be64 be64;
+typedef __be32 be32;
+typedef __be16 be16;

src/common/types.h

@@ -0,0 +1,134 @@
+#pragma once
+
+#include <common/int_types.h>
+
+struct tcpopts
+{
+    unsigned int enabled : 1;
+
+    unsigned int do_sport : 1;
+    u16 sport;
+
+    unsigned int do_dport : 1;
+    u16 dport;
+
+    // TCP flags.
+    unsigned int do_urg : 1;
+    unsigned int urg : 1;
+
+    unsigned int do_ack : 1;
+    unsigned int ack : 1;
+
+    unsigned int do_rst : 1;
+    unsigned int rst : 1;
+
+    unsigned int do_psh : 1;
+    unsigned int psh : 1;
+
+    unsigned int do_syn : 1;
+    unsigned int syn : 1;
+
+    unsigned int do_fin : 1;
+    unsigned int fin : 1;
+
+    unsigned int do_ece : 1;
+    unsigned int ece : 1;
+
+    unsigned int do_cwr : 1;
+    unsigned int cwr : 1;
+};
+
+struct udpopts
+{
+    unsigned int enabled : 1;
+
+    unsigned int do_sport : 1;
+    u16 sport;
+
+    unsigned int do_dport : 1;
+    u16 dport;
+};
+
+struct icmpopts
+{
+    unsigned int enabled : 1;
+
+    unsigned int do_code : 1;
+    u8 code;
+
+    unsigned int do_type : 1;
+    u8 type;
+};
+
+struct filter
+{
+    u8 id;
+
+    unsigned int enabled : 1;
+
+    u8 action;
+
+    u32 src_ip;
+    u8 src_cidr;
+
+    u32 dst_ip;
+    u8 dst_cidr;
+
+    u32 src_ip6[4];
+    u32 dst_ip6[4];
+
+    unsigned int do_min_ttl : 1;
+    u8 min_ttl;
+
+    unsigned int do_max_ttl : 1;
+    u8 max_ttl;
+
+    unsigned int do_min_len : 1;
+    u16 min_len;
+
+    unsigned int do_max_len : 1;
+    u16 max_len;
+
+    unsigned int do_tos : 1;
+    u8 tos;
+
+    unsigned int do_pps : 1;
+    __u64 pps;
+
+    unsigned int do_bps : 1;
+    __u64 bps;
+
+    __u64 blocktime;
+
+    struct tcpopts tcpopts;
+    struct udpopts udpopts;
+    struct icmpopts icmpopts;
+} __attribute__((__aligned__(8)));
+
+struct stats
+{
+    __u64 allowed;
+    __u64 dropped;
+    __u64 passed;
+};
+
+struct ip_stats
+{
+    __u64 pps;
+    __u64 bps;
+    __u64 next_update;
+};
+
+struct flow
+{
+    u32 ip;
+    u16 port;
+    u8 protocol;
+};
+
+struct flow6
+{
+    u128 ip;
+    u16 port;
+    u8 protocol;
+};