From a521cc1f6fc7df040d79c0dec655cd1b39657a95 Mon Sep 17 00:00:00 2001
From: gamemann
Date: Fri, 12 Nov 2021 17:21:30 +0000
Subject: [PATCH] Rename variable and function names, use different integer types, and organize code.
---
 src/config.c | 83 ++++++++++++++++-----------------
 src/config.h | 6 ++-
 src/xdpfw.c | 116 +++++++++++++++++++++++------------------------
 src/xdpfw.h | 54 +++++++++++----------
 src/xdpfw_kern.c | 68 +++++++++++++--------------
 5 files changed, 165 insertions(+), 162 deletions(-)
diff --git a/src/config.c b/src/config.c
index 2dd8df6..f13b727 100644
--- a/src/config.c
+++ b/src/config.c
@@ -2,6 +2,7 @@
 #include
 #include
 #include
+#include
 #include
@@ -12,22 +13,22 @@ FILE *file;
 void setcfgdefaults(struct config *cfg)
 {
- cfg->updateTime = 0;
+ cfg->updatetime = 0;
 cfg->interface = "eth0";
 cfg->nostats = 0;
- for (uint16_t i = 0; i < MAX_FILTERS; i++)
+ for (__u16 i = 0; i < MAX_FILTERS; i++)
 {
 cfg->filters[i].id = 0;
 cfg->filters[i].enabled = 0;
 cfg->filters[i].action = 0;
- cfg->filters[i].srcIP = 0;
- cfg->filters[i].dstIP = 0;
+ cfg->filters[i].srcip = 0;
+ cfg->filters[i].dstip = 0;
- for (uint8_t j = 0; j < 4; j++)
+ for (__u8 j = 0; j < 4; j++)
 {
- cfg->filters[i].srcIP6[j] = 0;
- cfg->filters[i].dstIP6[j] = 0;
+ cfg->filters[i].srcip6[j] = 0;
+ cfg->filters[i].dstip6[j] = 0;
 }
 cfg->filters[i].do_min_len = 0;
@@ -51,7 +52,7 @@ void setcfgdefaults(struct config *cfg)
 cfg->filters[i].do_bps = 0;
 cfg->filters[i].bps = 0;
- cfg->filters[i].blockTime = 1;
+ cfg->filters[i].blocktime = 1;
 cfg->filters[i].tcpopts.enabled = 0;
 cfg->filters[i].tcpopts.do_dport = 0;
@@ -73,7 +74,7 @@ void setcfgdefaults(struct config *cfg)
 }
 }
-int opencfg(const char *FileName)
+int opencfg(const char *filename)
 {
 // Close any existing files.
 if (file != NULL)
@@ -83,7 +84,7 @@ int opencfg(const char *FileName)
 file = NULL;
 }
- file = fopen(FileName, "r");
+ file = fopen(filename, "r");
 if (file == NULL)
 {
@@ -132,9 +133,9 @@ int readcfg(struct config *cfg)
 cfg->interface = strdup(interface);
 // Get auto update time.
- int updateTime;
+ int updatetime;
- if (!config_lookup_int(&conf, "updatetime", &updateTime))
+ if (!config_lookup_int(&conf, "updatetime", &updatetime))
 {
 fprintf(stderr, "Error from LibConfig when reading 'updatetime' setting - %s\n\n", config_error_text(&conf));
@@ -143,7 +144,7 @@ int readcfg(struct config *cfg)
 return 1;
 }
- cfg->updateTime = updateTime;
+ cfg->updatetime = updatetime;
 // Get no stats.
 int nostats;
@@ -169,7 +170,7 @@ int readcfg(struct config *cfg)
 // Set filter count.
 int filters = 0;
- for (uint8_t i = 0; i < config_setting_length(setting); i++)
+ for (__u8 i = 0; i < config_setting_length(setting); i++)
 {
 config_setting_t* filter = config_setting_get_elem(setting, i);
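Review bot: In the `@@ -169` hunk the loop counter becomes `__u8 i` while its bound, `config_setting_length(setting)`, is an `int`: a config file listing more than 255 filters makes `i` wrap to 0 and the loop never ends, and anything past `MAX_FILTERS` (100) indexes `cfg->filters[i]` out of bounds unless a check further down the loop body, outside this hunk, stops it. Clamp once before the loop, `int count = config_setting_length(setting); if (count > MAX_FILTERS) count = MAX_FILTERS;`, and iterate `for (int i = 0; i < count; i++)`. In the `@@ -143` hunk the `int` read by `config_lookup_int` is assigned straight to the new `__u16 updatetime`, so a negative or oversized value silently truncates; a range check before the assignment would surface it as an error the way the missing-key case just above already does. readcfg's body continues outside these hunks.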
@@ -201,48 +202,48 @@ int readcfg(struct config *cfg)
 cfg->filters[i].action = action;
 // Source IP (not required).
- const char *sIP;
+ const char *sip;
- if (config_setting_lookup_string(filter, "srcip", &sIP))
+ if (config_setting_lookup_string(filter, "srcip", &sip))
 {
- cfg->filters[i].srcIP = inet_addr(sIP);
+ cfg->filters[i].srcip = inet_addr(sip);
 }
 // Destination IP (not required).
- const char *dIP;
+ const char *dip;
- if (config_setting_lookup_string(filter, "dstip", &dIP))
+ if (config_setting_lookup_string(filter, "dstip", &dip))
 {
- cfg->filters[i].dstIP = inet_addr(dIP);
+ cfg->filters[i].dstip = inet_addr(dip);
 }
 // Source IP (IPv6) (not required).
- const char *sIP6;
+ const char *sip6;
- if (config_setting_lookup_string(filter, "srcip6", &sIP6))
+ if (config_setting_lookup_string(filter, "srcip6", &sip6))
 {
 struct in6_addr in;
- inet_pton(AF_INET6, sIP6, &in);
+ inet_pton(AF_INET6, sip6, &in);
- for (uint8_t j = 0; j < 4; j++)
+ for (__u8 j = 0; j < 4; j++)
 {
- cfg->filters[i].srcIP6[j] = in.__in6_u.__u6_addr32[j];
+ cfg->filters[i].srcip6[j] = in.__in6_u.__u6_addr32[j];
 }
 }
 // Destination IP (IPv6) (not required).
- const char *dIP6;
+ const char *dip6;
- if (config_setting_lookup_string(filter, "dstip6", &dIP6))
+ if (config_setting_lookup_string(filter, "dstip6", &dip6))
 {
 struct in6_addr in;
- inet_pton(AF_INET6, dIP6, &in);
+ inet_pton(AF_INET6, dip6, &in);
- for (uint8_t j = 0; j < 4; j++)
+ for (__u8 j = 0; j < 4; j++)
 {
- cfg->filters[i].dstIP6[j] = in.__in6_u.__u6_addr32[j];
+ cfg->filters[i].dstip6[j] = in.__in6_u.__u6_addr32[j];
 }
 }
@@ -251,7 +252,7 @@ int readcfg(struct config *cfg)
 if (config_setting_lookup_int(filter, "min_ttl", &min_ttl))
 {
- cfg->filters[i].min_ttl = (uint8_t)min_ttl;
+ cfg->filters[i].min_ttl = (__u8)min_ttl;
 cfg->filters[i].do_min_ttl = 1;
 }
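Review bot: The `inet_pton` and `inet_addr` return values are still discarded throughout the `@@ -201` hunk: a malformed `srcip6`/`dstip6` string leaves `in` uninitialised and its stale bytes are copied into `srcip6`/`dstip6`, and a malformed `srcip`/`dstip` yields `INADDR_NONE` (255.255.255.255), which the rule then treats as a real address. Check each conversion, e.g. `if (inet_pton(AF_INET6, sip6, &in) != 1) { fprintf(stderr, "Invalid 'srcip6' in filter #%d.\n", i); return 1; }`, and use `inet_pton(AF_INET, ...)` for the IPv4 fields so they get the same failure signal. `in.__in6_u.__u6_addr32` is a glibc-internal name; `memcpy(cfg->filters[i].srcip6, in.s6_addr, sizeof cfg->filters[i].srcip6)` copies the same 16 bytes through the POSIX member. readcfg's body continues outside the hunk.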
@@ -260,7 +261,7 @@ int readcfg(struct config *cfg)
 if (config_setting_lookup_int(filter, "max_ttl", &max_ttl))
 {
- cfg->filters[i].max_ttl = (uint8_t)max_ttl;
+ cfg->filters[i].max_ttl = (__u8)max_ttl;
 cfg->filters[i].do_max_ttl = 1;
 }
@@ -287,7 +288,7 @@ int readcfg(struct config *cfg)
 if (config_setting_lookup_int(filter, "tos", &tos))
 {
- cfg->filters[i].tos = (uint8_t)tos;
+ cfg->filters[i].tos = (__u8)tos;
 cfg->filters[i].do_tos = 1;
 }
@@ -314,11 +315,11 @@ int readcfg(struct config *cfg)
 if (config_setting_lookup_int64(filter, "blocktime", &blocktime))
 {
- cfg->filters[i].blockTime = blocktime;
+ cfg->filters[i].blocktime = blocktime;
 }
 else
 {
- cfg->filters[i].blockTime = 1;
+ cfg->filters[i].blocktime = 1;
 }
 /* TCP options */
@@ -335,7 +336,7 @@ int readcfg(struct config *cfg)
 if (config_setting_lookup_int64(filter, "tcp_sport", &tcpsport))
 {
- cfg->filters[i].tcpopts.sport = (uint16_t)tcpsport;
+ cfg->filters[i].tcpopts.sport = (__u16)tcpsport;
 cfg->filters[i].tcpopts.do_sport = 1;
 }
@@ -344,7 +345,7 @@ int readcfg(struct config *cfg)
 if (config_setting_lookup_int64(filter, "tcp_dport", &tcpdport))
 {
- cfg->filters[i].tcpopts.dport = (uint16_t)tcpdport;
+ cfg->filters[i].tcpopts.dport = (__u16)tcpdport;
 cfg->filters[i].tcpopts.do_dport = 1;
 }
@@ -417,7 +418,7 @@ int readcfg(struct config *cfg)
 if (config_setting_lookup_int64(filter, "udp_sport", &udpsport))
 {
- cfg->filters[i].udpopts.sport = (uint16_t)udpsport;
+ cfg->filters[i].udpopts.sport = (__u16)udpsport;
 cfg->filters[i].udpopts.do_sport = 1;
 }
@@ -426,7 +427,7 @@ int readcfg(struct config *cfg)
 if (config_setting_lookup_int64(filter, "udp_dport", &udpdport))
 {
- cfg->filters[i].udpopts.dport = (uint16_t)udpdport;
+ cfg->filters[i].udpopts.dport = (__u16)udpdport;
 cfg->filters[i].udpopts.do_dport = 1;
 }
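Review bot: `cfg->filters[i].tos = (__u8)tos;` in the `@@ -287` hunk casts to `__u8`, but the field is still declared `int8_t tos;` in xdpfw.h (untouched by this commit), so the cast documents the wrong type and values 128–255 go through an implementation-defined narrowing; if the kernel side compares the field against the `__u8` `iph->tos`, those values can never match. Change the field to `__u8 tos;` like the other header fields, or cast to the field's actual type. The port casts in the `@@ -335`, `@@ -344`, `@@ -417` and `@@ -426` hunks have the same shape: `(__u16)tcpsport` wraps any out-of-range value returned by `config_setting_lookup_int64`, so a typo such as `tcp_sport = 70000` silently becomes port 4464; an `if (tcpsport < 0 || tcpsport > 65535) { ... return 1; }` before each cast would turn that into a config error. readcfg's body continues outside these hunks.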
@@ -444,7 +445,7 @@ int readcfg(struct config *cfg)
 if (config_setting_lookup_int(filter, "icmp_code", &icmpcode))
 {
- cfg->filters[i].icmpopts.code = (uint8_t)icmpcode;
+ cfg->filters[i].icmpopts.code = (__u8)icmpcode;
 cfg->filters[i].icmpopts.do_code = 1;
 }
@@ -453,7 +454,7 @@ int readcfg(struct config *cfg)
 if (config_setting_lookup_int(filter, "icmp_type", &icmptype))
 {
- cfg->filters[i].icmpopts.type = (uint8_t)icmptype;
+ cfg->filters[i].icmpopts.type = (__u8)icmptype;
 cfg->filters[i].icmpopts.do_type = 1;
 }
diff --git a/src/config.h b/src/config.h
index 7cd36e5..a4711ac 100644
--- a/src/config.h
+++ b/src/config.h
@@ -1,15 +1,17 @@
 #pragma once
+#include
+
 #include "xdpfw.h"
 struct config
 {
 char *interface;
- uint16_t updateTime;
+ __u16 updatetime;
 unsigned int nostats : 1;
 struct filter filters[MAX_FILTERS];
 };
 void setcfgdefaults(struct config *cfg);
-int opencfg(const char *FileName);
+int opencfg(const char *filename);
 int readcfg(struct config *cfg);
\ No newline at end of file
diff --git a/src/xdpfw.c b/src/xdpfw.c
index e883173..d736212 100644
--- a/src/xdpfw.c
+++ b/src/xdpfw.c
@@ -4,7 +4,7 @@
 #include
 #include
 #include
-#include
+#include
 #include
 #include
 #include
@@ -22,9 +22,9 @@
 #include "cmdline.h"
 // Other variables.
-static uint8_t cont = 1;
-static int filter_map_fd = -1;
-static int stats_map_fd = -1;
+static __u8 cont = 1;
+static int filtersmap = -1;
+static int statsmap = -1;
 void signalHndl(int tmp)
 {
@@ -34,15 +34,15 @@ void signalHndl(int tmp)
 void updatefilters(struct config *cfg)
 {
 // Loop through all filters and delete the map.
- for (uint8_t i = 0; i < MAX_FILTERS; i++)
+ for (__u8 i = 0; i < MAX_FILTERS; i++)
 {
- uint32_t key = i;
+ __u32 key = i;
- bpf_map_delete_elem(filter_map_fd, &key);
+ bpf_map_delete_elem(filtersmap, &key);
 }
 // Add a filter to the filter maps.
- for (uint32_t i = 0; i < MAX_FILTERS; i++)
+ for (__u32 i = 0; i < MAX_FILTERS; i++)
 {
 // Check if we have a valid ID.
 if (cfg->filters[i].id < 1)
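Review bot: `static __u8 cont = 1;` in the xdpfw.c `@@ -22` hunk looks, from the `signalHndl` declared directly below it, like the flag a signal handler clears and the main loop polls; as a plain byte it is neither `volatile` nor an atomic type, so the compiler is free to hoist the read out of the loop and a shutdown signal can be missed. `static volatile sig_atomic_t cont = 1;` (from `<signal.h>`) is the only type C guarantees for that use. The rename sweep also leaves `signalHndl` itself, `uint16_t i` in main's print loop (`@@ -281` hunk), `curTime` (`@@ -407` hunk) and `newTime` in xdpfw_kern.c (`@@ -614` hunk) in the old style; if one naming scheme is the goal they should move in the same commit. signalHndl's body is outside the hunk.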
@@ -51,7 +51,7 @@ void updatefilters(struct config *cfg)
 }
 // Attempt to update BPF map.
- if (bpf_map_update_elem(filter_map_fd, &i, &cfg->filters[i], BPF_ANY) == -1)
+ if (bpf_map_update_elem(filtersmap, &i, &cfg->filters[i], BPF_ANY) == -1)
 {
 fprintf(stderr, "Error updating BPF item #%d\n", i);
 }
@@ -70,7 +70,7 @@ int updateconfig(struct config *cfg, char *cfgfile)
 setcfgdefaults(cfg);
- for (uint16_t i = 0; i < MAX_FILTERS; i++)
+ for (__u16 i = 0; i < MAX_FILTERS; i++)
 {
 cfg->filters[i] = (struct filter) {0};
 }
@@ -121,8 +121,8 @@ int loadbpfobj(const char *filename)
 return -1;
 }
- filter_map_fd = findmapfd(obj, "filters_map");
- stats_map_fd = findmapfd(obj, "stats_map");
+ filtersmap = findmapfd(obj, "filters_map");
+ statsmap = findmapfd(obj, "stats_map");
 return first_prog_fd;
 }
@@ -142,8 +142,8 @@ int attachxdp(int ifidx, int progfd, struct cmdline *cmd)
 char *smode;
- uint32_t flags = XDP_FLAGS_UPDATE_IF_NOEXIST;
- uint32_t mode = XDP_FLAGS_DRV_MODE;
+ __u32 flags = XDP_FLAGS_UPDATE_IF_NOEXIST;
+ __u32 mode = XDP_FLAGS_DRV_MODE;
 smode = "DRV/native";
@@ -270,8 +270,8 @@ int main(int argc, char *argv[])
 setcfgdefaults(&cfg);
 // Create last updated variable.
- time_t lastUpdated = time(NULL);
- time_t statsLastUpdated = time(NULL);
+ time_t lastupdated = time(NULL);
+ time_t statslastupdated = time(NULL);
 // Update config.
 updateconfig(&cfg, cmd.cfgfile);
@@ -281,7 +281,7 @@ int main(int argc, char *argv[])
 {
 fprintf(stdout, "Details:\n");
 fprintf(stdout, "Interface Name => %s\n", cfg.interface);
- fprintf(stdout, "Update Time => %" PRIu16 "\n", cfg.updateTime);
+ fprintf(stdout, "Update Time => %d\n", cfg.updatetime);
 for (uint16_t i = 0; i < MAX_FILTERS; i++)
 {
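Review bot: `fprintf(stderr, "Error updating BPF item #%d\n", i);` in the `@@ -51` hunk now formats the `__u32` loop index with `%d`; `%u` matches the new type and keeps `-Wformat` quiet. The same branch reports only that the update failed: if this libbpf version leaves the cause in `errno`, appending `strerror(errno)` to the message makes a silently empty filter slot diagnosable instead of a bare item number. updatefilters' body continues outside the hunk.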
@@ -290,52 +290,52 @@ int main(int argc, char *argv[])
 break;
 }
- fprintf(stdout, "Filter #%" PRIu16 ":\n", (i + 1));
+ fprintf(stdout, "Filter #%d:\n", (i + 1));
 // Main.
 fprintf(stdout, "ID => %d\n", cfg.filters[i].id);
- fprintf(stdout, "Enabled => %" PRIu8 "\n", cfg.filters[i].enabled);
- fprintf(stdout, "Action => %" PRIu8 " (0 = Block, 1 = Allow).\n", cfg.filters[i].action);
+ fprintf(stdout, "Enabled => %d\n", cfg.filters[i].enabled);
+ fprintf(stdout, "Action => %d (0 = Block, 1 = Allow).\n", cfg.filters[i].action);
 // IP addresses.
 struct sockaddr_in sin;
- sin.sin_addr.s_addr = cfg.filters[i].srcIP;
+ sin.sin_addr.s_addr = cfg.filters[i].srcip;
 fprintf(stdout, "Source IP => %s\n", inet_ntoa(sin.sin_addr));
 struct sockaddr_in din;
- din.sin_addr.s_addr = cfg.filters[i].dstIP;
+ din.sin_addr.s_addr = cfg.filters[i].dstip;
 fprintf(stdout, "Destination IP => %s\n", inet_ntoa(din.sin_addr));
 // Other IP header information.
- fprintf(stdout, "Max Length => %" PRIu16 "\n", cfg.filters[i].max_len);
- fprintf(stdout, "Min Length => %" PRIu16 "\n", cfg.filters[i].min_len);
- fprintf(stdout, "Max TTL => %" PRIu8 "\n", cfg.filters[i].max_ttl);
- fprintf(stdout, "Min TTL => %" PRIu8 "\n", cfg.filters[i].min_ttl);
- fprintf(stdout, "TOS => %" PRIu8 "\n", cfg.filters[i].tos);
- fprintf(stdout, "PPS => %" PRIu64 "\n", cfg.filters[i].pps);
- fprintf(stdout, "BPS => %" PRIu64 "\n\n", cfg.filters[i].bps);
- fprintf(stdout, "Block Time => %" PRIu64 "\n\n", cfg.filters[i].blockTime);
+ fprintf(stdout, "Max Length => %d\n", cfg.filters[i].max_len);
+ fprintf(stdout, "Min Length => %d\n", cfg.filters[i].min_len);
+ fprintf(stdout, "Max TTL => %d\n", cfg.filters[i].max_ttl);
+ fprintf(stdout, "Min TTL => %d\n", cfg.filters[i].min_ttl);
+ fprintf(stdout, "TOS => %d\n", cfg.filters[i].tos);
+ fprintf(stdout, "PPS => %llu\n", cfg.filters[i].pps);
+ fprintf(stdout, "BPS => %llu\n\n", cfg.filters[i].bps);
+ fprintf(stdout, "Block Time => %llu\n\n", cfg.filters[i].blocktime);
 // TCP Options.
- fprintf(stdout, "TCP Enabled => %" PRIu8 "\n", cfg.filters[i].tcpopts.enabled);
- fprintf(stdout, "TCP Source Port => %" PRIu16 "\n", cfg.filters[i].tcpopts.sport);
- fprintf(stdout, "TCP Destination Port => %" PRIu16 "\n", cfg.filters[i].tcpopts.dport);
- fprintf(stdout, "TCP URG Flag => %" PRIu8 "\n", cfg.filters[i].tcpopts.urg);
- fprintf(stdout, "TCP ACK Flag => %" PRIu8 "\n", cfg.filters[i].tcpopts.ack);
- fprintf(stdout, "TCP RST Flag => %" PRIu8 "\n", cfg.filters[i].tcpopts.rst);
- fprintf(stdout, "TCP PSH Flag => %" PRIu8 "\n", cfg.filters[i].tcpopts.psh);
- fprintf(stdout, "TCP SYN Flag => %" PRIu8 "\n", cfg.filters[i].tcpopts.syn);
- fprintf(stdout, "TCP FIN Flag => %" PRIu8 "\n\n", cfg.filters[i].tcpopts.fin);
+ fprintf(stdout, "TCP Enabled => %d\n", cfg.filters[i].tcpopts.enabled);
+ fprintf(stdout, "TCP Source Port => %d\n", cfg.filters[i].tcpopts.sport);
+ fprintf(stdout, "TCP Destination Port => %d\n", cfg.filters[i].tcpopts.dport);
+ fprintf(stdout, "TCP URG Flag => %d\n", cfg.filters[i].tcpopts.urg);
+ fprintf(stdout, "TCP ACK Flag => %d\n", cfg.filters[i].tcpopts.ack);
+ fprintf(stdout, "TCP RST Flag => %d\n", cfg.filters[i].tcpopts.rst);
+ fprintf(stdout, "TCP PSH Flag => %d\n", cfg.filters[i].tcpopts.psh);
+ fprintf(stdout, "TCP SYN Flag => %d\n", cfg.filters[i].tcpopts.syn);
+ fprintf(stdout, "TCP FIN Flag => %d\n\n", cfg.filters[i].tcpopts.fin);
 // UDP Options.
- fprintf(stdout, "UDP Enabled => %" PRIu8 "\n", cfg.filters[i].udpopts.enabled);
- fprintf(stdout, "UDP Source Port => %" PRIu16 "\n", cfg.filters[i].udpopts.sport);
- fprintf(stdout, "UDP Destination Port => %" PRIu16 "\n\n", cfg.filters[i].udpopts.dport);
+ fprintf(stdout, "UDP Enabled => %d\n", cfg.filters[i].udpopts.enabled);
+ fprintf(stdout, "UDP Source Port => %d\n", cfg.filters[i].udpopts.sport);
+ fprintf(stdout, "UDP Destination Port => %d\n\n", cfg.filters[i].udpopts.dport);
 // ICMP Options.
- fprintf(stdout, "ICMP Enabled => %" PRIu8 "\n", cfg.filters[i].icmpopts.enabled);
- fprintf(stdout, "ICMP Code => %" PRIu8 "\n", cfg.filters[i].icmpopts.code);
- fprintf(stdout, "ICMP Type => %" PRIu8 "\n", cfg.filters[i].icmpopts.type);
+ fprintf(stdout, "ICMP Enabled => %d\n", cfg.filters[i].icmpopts.enabled);
+ fprintf(stdout, "ICMP Code => %d\n", cfg.filters[i].icmpopts.code);
+ fprintf(stdout, "ICMP Type => %d\n", cfg.filters[i].icmpopts.type);
 fprintf(stdout, "\n\n");
 }
@@ -378,14 +378,14 @@ int main(int argc, char *argv[])
 }
 // Check for valid maps.
- if (filter_map_fd < 0)
+ if (filtersmap < 0)
 {
 fprintf(stderr, "Error finding 'filters_map' BPF map.\n");
 return EXIT_FAILURE;
 }
- if (stats_map_fd < 0)
+ if (statsmap < 0)
 {
 fprintf(stderr, "Error finding 'stats_map' BPF map.\n");
@@ -407,7 +407,7 @@ int main(int argc, char *argv[])
 time_t curTime = time(NULL);
 // Check for auto-update.
- if (cfg.updateTime > 0 && (curTime - lastUpdated) > cfg.updateTime)
+ if (cfg.updatetime > 0 && (curTime - lastupdated) > cfg.updatetime)
 {
 // Update config.
 updateconfig(&cfg, cmd.cfgfile);
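Review bot: In the `@@ -407` hunk the result of `updateconfig(&cfg, cmd.cfgfile);` is still ignored and, per the hunk that follows, `updatefilters(&cfg)` runs regardless. `updateconfig` (the `@@ -70` hunk) first resets the config to defaults and zeroes every filter, and `readcfg` returns 1 on parse errors (the `@@ -132` hunk), so if that failure propagates, a typo saved into the config file is pushed to the kernel at the next auto-update as an empty rule set — the firewall fails open until the file is fixed. Guard the reload, `if (updateconfig(&cfg, cmd.cfgfile) == 0) { updatefilters(&cfg); }`, or keep the last good config and log the error, so a broken file leaves the running rules untouched. The enclosing main loop continues outside the hunk.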
@@ -416,30 +416,30 @@ int main(int argc, char *argv[])
 updatefilters(&cfg);
 // Update last updated variable.
- lastUpdated = time(NULL);
+ lastupdated = time(NULL);
 }
 // Update stats.
- if ((curTime - statsLastUpdated) > 2 && !cfg.nostats)
+ if ((curTime - statslastupdated) > 2 && !cfg.nostats)
 {
- uint32_t key = 0;
- struct xdpfw_stats stats[cpus];
+ __u32 key = 0;
+ struct stats stats[cpus];
- uint64_t allowed = 0;
- uint64_t dropped = 0;
+ __u64 allowed = 0;
+ __u64 dropped = 0;
- bpf_map_lookup_elem(stats_map_fd, &key, &stats);
+ bpf_map_lookup_elem(statsmap, &key, &stats);
 for (int i = 0; i < cpus; i++)
 {
 allowed += stats[i].allowed;
- dropped += stats[i].blocked;
+ dropped += stats[i].dropped;
 }
 fflush(stdout);
- fprintf(stdout, "\rPackets Allowed: %" PRIu64 " | Packets Blocked: %" PRIu64, allowed, dropped);
+ fprintf(stdout, "\rPackets Allowed: %llu | Packets Dropped: %llu", allowed, dropped);
- statsLastUpdated = time(NULL);
+ statslastupdated = time(NULL);
 }
 sleep(1);
diff --git a/src/xdpfw.h b/src/xdpfw.h
index ed2593c..6d4ebdf 100644
--- a/src/xdpfw.h
+++ b/src/xdpfw.h
@@ -1,6 +1,6 @@
 #pragma once
-#include
+#include
 #define MAX_PCKT_LENGTH 65535
 #define MAX_FILTERS 100
@@ -11,10 +11,10 @@ struct tcpopts
 unsigned int enabled : 1;
 unsigned int do_sport : 1;
- uint16_t sport;
+ __u16 sport;
 unsigned int do_dport : 1;
- uint16_t dport;
+ __u16 dport;
 // TCP flags.
 unsigned int do_urg : 1;
@@ -41,10 +41,10 @@ struct udpopts
 unsigned int enabled : 1;
 unsigned int do_sport : 1;
- uint16_t sport;
+ __u16 sport;
 unsigned int do_dport : 1;
- uint16_t dport;
+ __u16 dport;
 };
 struct icmpopts
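Review bot: `bpf_map_lookup_elem(statsmap, &key, &stats);` in the `@@ -416` hunk ignores its return value, yet the loop right after it sums `stats[i].allowed`/`stats[i].dropped` from the freshly declared, uninitialised `struct stats stats[cpus]`, so a failed lookup prints garbage counters rather than an error. Wrap the summation and the print, `if (bpf_map_lookup_elem(statsmap, &key, stats) == 0) { ... }` (`stats` and `&stats` are the same address here, but the decayed form is the conventional spelling), and report the failure on stderr otherwise. Naming the array `stats` after the new `struct stats` tag is legal but reads like a shadow; `cpustats` would be clearer. main's body continues outside the hunk.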
@@ -52,63 +52,63 @@ struct icmpopts
 unsigned int enabled : 1;
 unsigned int do_code : 1;
- uint8_t code;
+ __u8 code;
 unsigned int do_type : 1;
- uint8_t type;
+ __u8 type;
 };
 struct filter
 {
- uint8_t id;
+ __u8 id;
 unsigned int enabled : 1;
- uint8_t action;
+ __u8 action;
- uint32_t srcIP;
- uint32_t dstIP;
+ __u32 srcip;
+ __u32 dstip;
- uint32_t srcIP6[4];
- uint32_t dstIP6[4];
+ __u32 srcip6[4];
+ __u32 dstip6[4];
 unsigned int do_min_ttl : 1;
- uint8_t min_ttl;
+ __u8 min_ttl;
 unsigned int do_max_ttl : 1;
- uint8_t max_ttl;
+ __u8 max_ttl;
 unsigned int do_min_len : 1;
- uint16_t min_len;
+ __u16 min_len;
 unsigned int do_max_len : 1;
- uint16_t max_len;
+ __u16 max_len;
 unsigned int do_tos : 1;
 int8_t tos;
 unsigned int do_pps : 1;
- uint64_t pps;
+ __u64 pps;
 unsigned int do_bps : 1;
- uint64_t bps;
+ __u64 bps;
- uint64_t blockTime;
+ __u64 blocktime;
 struct tcpopts tcpopts;
 struct udpopts udpopts;
 struct icmpopts icmpopts;
 };
-struct xdpfw_stats
+struct stats
 {
- uint64_t allowed;
- uint64_t blocked;
+ __u64 allowed;
+ __u64 dropped;
 };
-struct xdpfw_ip_stats
+struct ip_stats
 {
- uint64_t pps;
- uint64_t bps;
- uint64_t tracking;
+ __u64 pps;
+ __u64 bps;
+ __u64 tracking;
 };
\ No newline at end of file
diff --git a/src/xdpfw_kern.c b/src/xdpfw_kern.c
index 4088a39..7e4f0e0 100644
--- a/src/xdpfw_kern.c
+++ b/src/xdpfw_kern.c
@@ -52,7 +52,7 @@ struct bpf_map_def SEC("maps") filters_map =
 {
 .type = BPF_MAP_TYPE_ARRAY,
- .key_size = sizeof(uint32_t),
+ .key_size = sizeof(__u32),
 .value_size = sizeof(struct filter),
 .max_entries = MAX_FILTERS
 };
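Review bot: `int8_t tos;` is the one field in `struct filter` left on the `<stdint.h>` family while every neighbour in the `@@ -52` hunk moves to `__u8`/`__u16`/`__u64`; the include swapped at the top of xdpfw.h (its names are stripped on this page, presumably `<stdint.h>` → `<linux/types.h>` given the type change) means `int8_t` now depends on a transitive include in each translation unit, and readcfg already stores a `(__u8)` cast into it. Make it `__u8 tos;` in this hunk. Since `struct filter`, `struct stats` and `struct ip_stats` are map values shared between the userspace loader and xdpfw_kern.c, a short comment on the first of them, e.g. `// Map values shared with xdpfw_kern.c: keep to kernel ABI types so the layout matches on both sides.`, would explain why only `__u*` types belong here.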
@@ -60,24 +60,24 @@ struct bpf_map_def SEC("maps") filters_map =
 struct bpf_map_def SEC("maps") stats_map =
 {
 .type = BPF_MAP_TYPE_PERCPU_ARRAY,
- .key_size = sizeof(uint32_t),
- .value_size = sizeof(struct xdpfw_stats),
+ .key_size = sizeof(__u32),
+ .value_size = sizeof(struct stats),
 .max_entries = 1
 };
 struct bpf_map_def SEC("maps") ip_stats_map =
 {
 .type = BPF_MAP_TYPE_LRU_HASH,
- .key_size = sizeof(uint32_t),
- .value_size = sizeof(struct xdpfw_ip_stats),
+ .key_size = sizeof(__u32),
+ .value_size = sizeof(struct ip_stats),
 .max_entries = MAX_TRACK_IPS
 };
 struct bpf_map_def SEC("maps") ip_blacklist_map =
 {
 .type = BPF_MAP_TYPE_LRU_HASH,
- .key_size = sizeof(uint32_t),
- .value_size = sizeof(uint64_t),
+ .key_size = sizeof(__u32),
+ .value_size = sizeof(__u64),
 .max_entries = MAX_TRACK_IPS
 };
@@ -85,7 +85,7 @@ struct bpf_map_def SEC("maps") ip6_stats_map =
 {
 .type = BPF_MAP_TYPE_LRU_HASH,
 .key_size = sizeof(uint128_t),
- .value_size = sizeof(struct xdpfw_ip_stats),
+ .value_size = sizeof(struct ip_stats),
 .max_entries = MAX_TRACK_IPS
 };
@@ -93,7 +93,7 @@ struct bpf_map_def SEC("maps") ip6_blacklist_map =
 {
 .type = BPF_MAP_TYPE_LRU_HASH,
 .key_size = sizeof(uint128_t),
- .value_size = sizeof(uint64_t),
+ .value_size = sizeof(__u64),
 .max_entries = MAX_TRACK_IPS
 };
@@ -119,8 +119,8 @@ int xdp_prog_main(struct xdp_md *ctx)
 return XDP_PASS;
 }
- uint8_t action = 0;
- uint64_t blocktime = 1;
+ __u8 action = 0;
+ __u64 blocktime = 1;
 // Initialize IP headers.
 struct iphdr *iph;
@@ -159,13 +159,13 @@ int xdp_prog_main(struct xdp_md *ctx)
 }
 // Get stats map.
- uint32_t key = 0;
- struct xdpfw_stats *stats = bpf_map_lookup_elem(&stats_map, &key);
+ __u32 key = 0;
+ struct stats *stats = bpf_map_lookup_elem(&stats_map, &key);
- uint64_t now = bpf_ktime_get_ns();
+ __u64 now = bpf_ktime_get_ns();
 // Check blacklist map.
- uint64_t *blocked = NULL;
+ __u64 *blocked = NULL;
 if (ethhdr->h_proto == htons(ETH_P_IPV6))
 {
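Review bot: The `ip6_stats_map` and `ip6_blacklist_map` definitions in the `@@ -85` and `@@ -93` hunks keep `.key_size = sizeof(uint128_t)` while every other size in the file moves to `__u32`/`__u64`, so the type migration is half done there and `uint128_t` is not a `<linux/types.h>` name. If it is a project typedef, a one-line comment at its definition (`// 16-byte key type for the IPv6 LRU maps`) would say so; otherwise `sizeof(struct in6_addr)` from `<linux/in6.h>` expresses the 16-byte key without a custom type. Whichever is chosen, any userspace lookup against these maps has to use the same 16-byte key, which is worth stating in that comment.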
@@ -179,7 +179,7 @@ int xdp_prog_main(struct xdp_md *ctx)
 if (blocked != NULL && *blocked > 0)
 {
 #ifdef DEBUG
- bpf_printk("Checking for blocked packet... Block time %" PRIu64 "\n", *blocked);
+ bpf_printk("Checking for blocked packet... Block time %llu.\n", *blocked);
 #endif
 if (now > *blocked)
@@ -200,7 +200,7 @@ int xdp_prog_main(struct xdp_md *ctx)
 // Increase blocked stats entry.
 if (stats)
 {
- stats->blocked++;
+ stats->dropped++;
 }
 #endif
@@ -210,10 +210,10 @@ int xdp_prog_main(struct xdp_md *ctx)
 }
 // Update IP stats (PPS/BPS).
- uint64_t pps = 0;
- uint64_t bps = 0;
+ __u64 pps = 0;
+ __u64 bps = 0;
- struct xdpfw_ip_stats *ip_stats = NULL;
+ struct ip_stats *ip_stats = NULL;
 if (ethhdr->h_proto == htons(ETH_P_IPV6))
 {
@@ -244,7 +244,7 @@ int xdp_prog_main(struct xdp_md *ctx)
 else
 {
 // Create new entry.
- struct xdpfw_ip_stats new;
+ struct ip_stats new;
 new.pps = 1;
 new.bps = ctx->data_end - ctx->data;
@@ -352,9 +352,9 @@ int xdp_prog_main(struct xdp_md *ctx)
 }
 }
- for (uint8_t i = 0; i < MAX_FILTERS; i++)
+ for (__u8 i = 0; i < MAX_FILTERS; i++)
 {
- uint32_t key = i;
+ __u32 key = i;
 struct filter *filter = bpf_map_lookup_elem(&filters_map, &key);
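Review bot: In the `@@ -352` hunk `__u8 i` exists only to be copied into `__u32 key` because the array map key is 4 bytes; `for (__u32 i = 0; i < MAX_FILTERS; i++)` with `bpf_map_lookup_elem(&filters_map, &i)` drops the extra variable and the silent requirement that `MAX_FILTERS` (100 today) never exceed 255, which would otherwise turn the loop into an unbounded one the verifier rejects. `struct ip_stats new;` in the `@@ -244` hunk sets `pps` and `bps` but the struct also has `tracking`; unless it is assigned before the entry is stored (outside the hunk), the verifier may refuse the map write as an uninitialised stack read, so `struct ip_stats new = {0};` is the safer spelling. xdp_prog_main's body continues outside these hunks.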
@@ -379,19 +379,19 @@ int xdp_prog_main(struct xdp_md *ctx)
 }
 // Source address.
- if (filter->srcIP6[0] != 0 && (iph6->saddr.in6_u.u6_addr32[0] != filter->srcIP6[0] || iph6->saddr.in6_u.u6_addr32[1] != filter->srcIP6[1] || iph6->saddr.in6_u.u6_addr32[2] != filter->srcIP6[2] || iph6->saddr.in6_u.u6_addr32[3] != filter->srcIP6[3]))
+ if (filter->srcip6[0] != 0 && (iph6->saddr.in6_u.u6_addr32[0] != filter->srcip6[0] || iph6->saddr.in6_u.u6_addr32[1] != filter->srcip6[1] || iph6->saddr.in6_u.u6_addr32[2] != filter->srcip6[2] || iph6->saddr.in6_u.u6_addr32[3] != filter->srcip6[3]))
 {
 continue;
 }
 // Destination address.
- if (filter->dstIP6[0] != 0 && (iph6->daddr.in6_u.u6_addr32[0] != filter->dstIP6[0] || iph6->daddr.in6_u.u6_addr32[1] != filter->dstIP6[1] || iph6->daddr.in6_u.u6_addr32[2] != filter->dstIP6[2] || iph6->daddr.in6_u.u6_addr32[3] != filter->dstIP6[3]))
+ if (filter->dstip6[0] != 0 && (iph6->daddr.in6_u.u6_addr32[0] != filter->dstip6[0] || iph6->daddr.in6_u.u6_addr32[1] != filter->dstip6[1] || iph6->daddr.in6_u.u6_addr32[2] != filter->dstip6[2] || iph6->daddr.in6_u.u6_addr32[3] != filter->dstip6[3]))
 {
 continue;
 }
 #ifdef ALLOWSINGLEIPV4V6
- if (filter->srcIP != 0 || filter->dstIP != 0)
+ if (filter->srcip != 0 || filter->dstip != 0)
 {
 continue;
 }
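Review bot: `if (filter->srcip6[0] != 0 && ...)` in the `@@ -379` hunk (and the `dstip6[0]` check below it) uses only the first 32 bits of the address as the "is an address filter set" test, while the `#ifdef ALLOWSINGLEIPV4V6` branch in the `@@ -424` hunk checks all four words. Any IPv6 address whose first word is zero (`::1`, or anything under `::/32`) is therefore treated as "no address configured" and the rule matches every IPv6 packet: an allow rule written for such an address becomes allow-all and a block rule block-all. `struct filter` carries no `do_srcip6`/`do_dstip6` flag, so either add one (set in readcfg when the key is present) or test all four words here, e.g. `if ((filter->srcip6[0] | filter->srcip6[1] | filter->srcip6[2] | filter->srcip6[3]) != 0 && (...))`. xdp_prog_main's body continues outside the hunk.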
@@ -424,19 +424,19 @@ int xdp_prog_main(struct xdp_md *ctx)
 else
 {
 // Source address.
- if (filter->srcIP != 0 && iph->saddr != filter->srcIP)
+ if (filter->srcip && iph->saddr != filter->srcip)
 {
 continue;
 }
 // Destination address.
- if (filter->dstIP != 0 && iph->daddr != filter->dstIP)
+ if (filter->dstip != 0 && iph->daddr != filter->dstip)
 {
 continue;
 }
 #ifdef ALLOWSINGLEIPV4V6
- if ((filter->srcIP6[0] != 0 || filter->srcIP6[1] != 0 || filter->srcIP6[2] != 0 || filter->srcIP6[3] != 0) || (filter->dstIP6[0] != 0 || filter->dstIP6[1] != 0 || filter->dstIP6[2] != 0 || filter->dstIP6[3] != 0))
+ if ((filter->srcip6[0] != 0 || filter->srcip6[1] != 0 || filter->srcip6[2] != 0 || filter->srcip6[3] != 0) || (filter->dstip6[0] != 0 || filter->dstip6[1] != 0 || filter->dstip6[2] != 0 || filter->dstip6[3] != 0))
 {
 continue;
 }
@@ -599,11 +599,11 @@ int xdp_prog_main(struct xdp_md *ctx)
 // Matched.
 #ifdef DEBUG
- bpf_printk("Matched rule ID #%" PRIu8 ".\n", filter->id);
+ bpf_printk("Matched rule ID #%d.\n", filter->id);
 #endif
 action = filter->action;
- blocktime = filter->blockTime;
+ blocktime = filter->blocktime;
 goto matched;
 }
@@ -614,13 +614,13 @@ int xdp_prog_main(struct xdp_md *ctx)
 if (action == 0)
 {
 #ifdef DEBUG
- //bpf_printk("Matched with protocol %" PRIu8 " and sAddr %" PRIu32 ".\n", iph->protocol, iph->saddr);
+ //bpf_printk("Matched with protocol %d and sAddr %lu.\n", iph->protocol, iph->saddr);
 #endif
 // Before dropping, update the blacklist map.
 if (blocktime > 0)
 {
- uint64_t newTime = now + (blocktime * 1000000000);
+ __u64 newTime = now + (blocktime * 1000000000);
 if (ethhdr->h_proto == htons(ETH_P_IPV6))
 {
@@ -634,7 +634,7 @@ int xdp_prog_main(struct xdp_md *ctx)
 if (stats)
 {
- stats->blocked++;
+ stats->dropped++;
 }
 return XDP_DROP;
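Review bot: `if (filter->srcip && iph->saddr != filter->srcip)` in the `@@ -424` hunk drops the explicit `!= 0` while the `dstip` test two lines below keeps it; use one form for both, `if (filter->srcip != 0 && iph->saddr != filter->srcip)` matches the rest of the file. In the `@@ -614` hunk the commented-out `bpf_printk` is rewritten with `%lu` for `iph->saddr`, a `__be32`, so the dead line now carries a wrong specifier; delete it or correct it to `%u` so it can be re-enabled safely. `__u64 newTime` in the same hunk keeps the camelCase this commit removes elsewhere. xdp_prog_main's body continues outside these hunks.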