Add pass counter for packets that don't match any rules and are passed to user-space.

2024-06-13 19:54:50 -04:00
parent 648dbff479
commit bbacda45b3
3 changed files with 45 additions and 37 deletions
--- a/src/xdpfw.c
+++ b/src/xdpfw.c
@@ -315,11 +315,6 @@ int main(int argc, char *argv[])
    struct config cfg = {0};

    setcfgdefaults(&cfg);
-    
-    // Create last updated variable.
-    time_t lastupdatecheck = time(NULL);
-    time_t statslastupdated = time(NULL);
-    time_t lastupdated = time(NULL);

    // Update config.
    updateconfig(&cfg, cmd.cfgfile);
@@ -474,6 +469,11 @@ int main(int argc, char *argv[])

    unsigned int endTime = (cmd.time > 0) ? time(NULL) + cmd.time : 0;

+    // Create last updated variable.
+    time_t lastupdatecheck = time(NULL);
+    time_t statslastupdated = time(NULL);
+    time_t lastupdated = time(NULL);
+
    while (cont)
    {
        // Get current time.
@@ -517,6 +517,7 @@ int main(int argc, char *argv[])

            __u64 allowed = 0;
            __u64 dropped = 0;
+            __u64 passed = 0;
            
            if (bpf_map_lookup_elem(statsmap, &key, stats) != 0)
            {
@@ -539,15 +540,16 @@ int main(int argc, char *argv[])

                allowed += stats[i].allowed;
                dropped += stats[i].dropped;
+                passed += stats[i].passed;
            }

            fflush(stdout);
-            fprintf(stdout, "\rPackets Allowed: %llu | Packets Dropped: %llu", allowed, dropped);
+            fprintf(stdout, "\rAllowed: %llu | Dropped: %llu | Passed: %llu", allowed, dropped, passed);
        
            statslastupdated = time(NULL);
        }

-        sleep(1);
+        usleep(500);
    }

    // Detach XDP program.
--- a/src/xdpfw.h
+++ b/src/xdpfw.h
@@ -135,6 +135,7 @@ struct stats
 {
    __u64 allowed;
    __u64 dropped;
+    __u64 passed;
 };

 struct ip_stats
--- a/src/xdpfw_kern.c
+++ b/src/xdpfw_kern.c
@@ -593,47 +593,52 @@ int xdp_prog_main(struct xdp_md *ctx)

        goto matched;
    }
+
+    if (stats)
+    {
+        stats->passed++;
+    }
            
    return XDP_PASS;

    matched:
-        if (action == 0)
+    if (action == 0)
+    {
+        #ifdef DEBUG
+        //bpf_printk("Matched with protocol %d and sAddr %lu.\n", iph->protocol, iph->saddr);
+        #endif
+
+        // Before dropping, update the blacklist map.
+        if (blocktime > 0)
        {
-            #ifdef DEBUG
-            //bpf_printk("Matched with protocol %d and sAddr %lu.\n", iph->protocol, iph->saddr);
-            #endif
-
-            // Before dropping, update the blacklist map.
-            if (blocktime > 0)
+            __u64 newTime = now + (blocktime * 1000000000);
+            
+            if (iph6)
            {
-                __u64 newTime = now + (blocktime * 1000000000);
-                
-                if (iph6)
-                {
-                    bpf_map_update_elem(&ip6_blacklist_map, &srcip6, &newTime, BPF_ANY);
-                }
-                else if (iph)
-                {
-                    bpf_map_update_elem(&ip_blacklist_map, &iph->saddr, &newTime, BPF_ANY);
-                }
+                bpf_map_update_elem(&ip6_blacklist_map, &srcip6, &newTime, BPF_ANY);
            }
-
-            if (stats)
+            else if (iph)
            {
-                stats->dropped++;
-            }
-
-            return XDP_DROP;
-        }
-        else
-        {
-            if (stats)
-            {
-                stats->allowed++;
+                bpf_map_update_elem(&ip_blacklist_map, &iph->saddr, &newTime, BPF_ANY);
            }
        }

-        return XDP_PASS;
+        if (stats)
+        {
+            stats->dropped++;
+        }
+
+        return XDP_DROP;
+    }
+    else
+    {
+        if (stats)
+        {
+            stats->allowed++;
+        }
+    }
+
+    return XDP_PASS;
 }

 char _license[] SEC("license") = "GPL";