Add pass counter for packets that don't match any rules and are passed to user-space.

src/xdpfw.c

@@ -316,11 +316,6 @@ int main(int argc, char *argv[])
 
     setcfgdefaults(&cfg);
 
-    // Create last updated variable.
-    time_t lastupdatecheck = time(NULL);
-    time_t statslastupdated = time(NULL);
-    time_t lastupdated = time(NULL);
-
     // Update config.
     updateconfig(&cfg, cmd.cfgfile);
 
@@ -474,6 +469,11 @@ int main(int argc, char *argv[])
 
     unsigned int endTime = (cmd.time > 0) ? time(NULL) + cmd.time : 0;
 
+    // Create last updated variable.
+    time_t lastupdatecheck = time(NULL);
+    time_t statslastupdated = time(NULL);
+    time_t lastupdated = time(NULL);
+
     while (cont)
     {
         // Get current time.
@@ -517,6 +517,7 @@ int main(int argc, char *argv[])
 
             __u64 allowed = 0;
             __u64 dropped = 0;
+            __u64 passed = 0;
             
             if (bpf_map_lookup_elem(statsmap, &key, stats) != 0)
             {
@@ -539,15 +540,16 @@ int main(int argc, char *argv[])
 
                 allowed += stats[i].allowed;
                 dropped += stats[i].dropped;
+                passed += stats[i].passed;
             }
 
             fflush(stdout);
-            fprintf(stdout, "\rPackets Allowed: %llu | Packets Dropped: %llu", allowed, dropped);
+            fprintf(stdout, "\rAllowed: %llu | Dropped: %llu | Passed: %llu", allowed, dropped, passed);
         
             statslastupdated = time(NULL);
         }
 
-        sleep(1);
+        usleep(500);
     }
 
     // Detach XDP program.

src/xdpfw.h

@@ -135,6 +135,7 @@ struct stats
 {
     __u64 allowed;
     __u64 dropped;
+    __u64 passed;
 };
 
 struct ip_stats

src/xdpfw_kern.c

@@ -594,46 +594,51 @@ int xdp_prog_main(struct xdp_md *ctx)
         goto matched;
     }
 
+    if (stats)
+    {
+        stats->passed++;
+    }
+            
     return XDP_PASS;
 
     matched:
-        if (action == 0)
+    if (action == 0)
+    {
+        #ifdef DEBUG
+        //bpf_printk("Matched with protocol %d and sAddr %lu.\n", iph->protocol, iph->saddr);
+        #endif
+
+        // Before dropping, update the blacklist map.
+        if (blocktime > 0)
         {
-            #ifdef DEBUG
-            //bpf_printk("Matched with protocol %d and sAddr %lu.\n", iph->protocol, iph->saddr);
-            #endif
+            __u64 newTime = now + (blocktime * 1000000000);
             
-            // Before dropping, update the blacklist map.
-            if (blocktime > 0)
+            if (iph6)
             {
-                __u64 newTime = now + (blocktime * 1000000000);
-                
-                if (iph6)
-                {
-                    bpf_map_update_elem(&ip6_blacklist_map, &srcip6, &newTime, BPF_ANY);
-                }
-                else if (iph)
-                {
-                    bpf_map_update_elem(&ip_blacklist_map, &iph->saddr, &newTime, BPF_ANY);
-                }
+                bpf_map_update_elem(&ip6_blacklist_map, &srcip6, &newTime, BPF_ANY);
             }
-
-            if (stats)
+            else if (iph)
             {
-                stats->dropped++;
-            }
-
-            return XDP_DROP;
-        }
-        else
-        {
-            if (stats)
-            {
-                stats->allowed++;
+                bpf_map_update_elem(&ip_blacklist_map, &iph->saddr, &newTime, BPF_ANY);
             }
         }
 
-        return XDP_PASS;
+        if (stats)
+        {
+            stats->dropped++;
+        }
+
+        return XDP_DROP;
+    }
+    else
+    {
+        if (stats)
+        {
+            stats->allowed++;
+        }
+    }
+
+    return XDP_PASS;
 }
 
 char _license[] SEC("license") = "GPL";