kaffa/XDP-Firewall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add pass counter for packets that don't match any rules and are passed to user-space.

Browse Source
This commit is contained in:
Christian Deacon
2024-06-13 19:54:50 -04:00
parent 648dbff479
commit bbacda45b3
3 changed files with 45 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/xdpfw.c
View File

@@ -316,11 +316,6 @@ int main(int argc, char *argv[])
setcfgdefaults(&cfg); setcfgdefaults(&cfg);
// Create last updated variable.
time_t lastupdatecheck = time(NULL);
time_t statslastupdated = time(NULL);
time_t lastupdated = time(NULL);
// Update config. // Update config.
updateconfig(&cfg, cmd.cfgfile); updateconfig(&cfg, cmd.cfgfile);
@@ -474,6 +469,11 @@ int main(int argc, char *argv[])
unsigned int endTime = (cmd.time > 0) ? time(NULL) + cmd.time : 0; unsigned int endTime = (cmd.time > 0) ? time(NULL) + cmd.time : 0;
// Create last updated variable.
time_t lastupdatecheck = time(NULL);
time_t statslastupdated = time(NULL);
time_t lastupdated = time(NULL);
while (cont) while (cont)
{ {
// Get current time. // Get current time.
@@ -517,6 +517,7 @@ int main(int argc, char *argv[])
__u64 allowed = 0; __u64 allowed = 0;
__u64 dropped = 0; __u64 dropped = 0;
__u64 passed = 0;
if (bpf_map_lookup_elem(statsmap, &key, stats) != 0) if (bpf_map_lookup_elem(statsmap, &key, stats) != 0)
{ {
@@ -539,15 +540,16 @@ int main(int argc, char *argv[])
allowed += stats[i].allowed; allowed += stats[i].allowed;
dropped += stats[i].dropped; dropped += stats[i].dropped;
passed += stats[i].passed;
} }
fflush(stdout); fflush(stdout);
fprintf(stdout, "\rPackets Allowed: %llu | Packets Dropped: %llu", allowed, dropped); fprintf(stdout, "\rAllowed: %llu | Dropped: %llu | Passed: %llu", allowed, dropped, passed);
statslastupdated = time(NULL); statslastupdated = time(NULL);
} }
sleep(1); usleep(500);
} }
// Detach XDP program. // Detach XDP program.

1
src/xdpfw.h
View File

@@ -135,6 +135,7 @@ struct stats
{ {
__u64 allowed; __u64 allowed;
__u64 dropped; __u64 dropped;
__u64 passed;
}; };
struct ip_stats struct ip_stats

63
src/xdpfw_kern.c
View File

@@ -594,46 +594,51 @@ int xdp_prog_main(struct xdp_md *ctx)
goto matched; goto matched;
} }
if (stats)
{
stats->passed++;
}
return XDP_PASS; return XDP_PASS;
matched: matched:
if (action == 0) if (action == 0)
{
#ifdef DEBUG
//bpf_printk("Matched with protocol %d and sAddr %lu.\n", iph->protocol, iph->saddr);
#endif
// Before dropping, update the blacklist map.
if (blocktime > 0)
{ {
#ifdef DEBUG __u64 newTime = now + (blocktime * 1000000000);
//bpf_printk("Matched with protocol %d and sAddr %lu.\n", iph->protocol, iph->saddr);
#endif
// Before dropping, update the blacklist map. if (iph6)
if (blocktime > 0)
{ {
__u64 newTime = now + (blocktime * 1000000000); bpf_map_update_elem(&ip6_blacklist_map, &srcip6, &newTime, BPF_ANY);
if (iph6)
{
bpf_map_update_elem(&ip6_blacklist_map, &srcip6, &newTime, BPF_ANY);
}
else if (iph)
{
bpf_map_update_elem(&ip_blacklist_map, &iph->saddr, &newTime, BPF_ANY);
}
} }
else if (iph)
if (stats)
{ {
stats->dropped++; bpf_map_update_elem(&ip_blacklist_map, &iph->saddr, &newTime, BPF_ANY);
}
return XDP_DROP;
}
else
{
if (stats)
{
stats->allowed++;
} }
} }
return XDP_PASS; if (stats)
{
stats->dropped++;
}
return XDP_DROP;
}
else
{
if (stats)
{
stats->allowed++;
}
}
return XDP_PASS;
} }
char _license[] SEC("license") = "GPL"; char _license[] SEC("license") = "GPL";